Cannot Configure Private VLANS on VLANS with a VE configured

netwizz
Contributor III

ICX7150-C12 Router(config)#vlan 160 name Data by port

ICX7150-C12 Router(config-vlan-160)#router-interface ve 160

ICX7150-C12 Router(config-vlan-160)#pvlan type community
Error: Private VLANs cannot be configured on vlans with ve configured


ICX7150-C12 Router(config)#vlan 1234 name Restricted by port

ICX7150-C12 Router(config-vlan-1234)#pvlan type isolated

ICX7150-C12 Router(config-vlan-1234)#router-interface ve 1234
Error - can not configure ve on a secondary private vlan



I know what it is saying, but why won't it let me do that??


What I am trying to do is create a VLAN with no Layer-2 bridging for PCI compliance (i.e. credit card readers; they must NOT have any connectivity to any other device on the network per the latest PCI compliance documents).

Here is what I want to do...  Trying to make a VLAN that is normal for such things as computers and printers (i.e. devices can talk to one another and the primary VLAN, which is the WAN on 1/2/1.)

Another similar VLAN for Voice; the only difference will ultimately be that tagged interfaces will be assigned, there will for sure be "inline-power," lldp-med, and untagged ports for the native VLAN (dual-mode deprecated). Voice VLAN will be configured on interfaces, etc. This one will be community too, though I doubt it matters as the call manager is on the other side of the WAN.

Trying to then make a VLAN without Layer-2 bridging, so a device can talk only to the primary VLAN (which is the WAN).

ALL VLANS mapped to the WAN port.

The WAN is the Internet connection.


Routing statements and helpers on the VEs...  

Basically, an extended ACL to stop any Layer-3 communication to any of private IP ranges 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8 while still allowing communication to DHCP and ultimately Internet traffic.

Here is what I have envisioned... Doesn't seem that it will work.



device(config)# vlan 160 name Data by port
device(config-vlan-160)# router-interface ve 160
device(config-vlan-160)# pvlan type community

device(config)# vlan 1234 name PCI-Compliance-Data by port
device(config-vlan-1234)# pvlan type isolated
device(config-vlan-1234)# router-interface ve 1234
device(config-vlan-1234)# exit

device(config)# vlan 703 name Voice by port
device(config-vlan-703)# tagged ethernet 1/1/1 to 1/1/48
device(config-vlan-703)# router-interface ve 703
device(config-vlan-703)# pvlan type community
device(config-vlan-703)# exit



device(config)# vlan 321 name WAN by port
device(config-vlan-321)# untagged ethernet 1/2/1
device(config-vlan-321)# router-interface ve 321
device(config-vlan-321)# pvlan type primary

device(config-vlan-321)# pvlan mapping 160 ethernet 1/2/1
device(config-vlan-321)# pvlan mapping 1234 ethernet 1/2/1
device(config-vlan-321)# pvlan mapping 703 ethernet 1/2/1


interface ve 160
 port-name Default Gateway
 ip address 10.1.8.1 255.255.248.0
 ip helper-address 1 10.1.50.1
 ip helper-address 2 10.1.50.2
!
interface ve 321
 port-name Metro-E Circuit
 ip address 10.250.205.46 255.255.255.252
!
interface ve 703
 port-name VoIP Gateway
 ip address 10.240.13.1 255.255.255.0
 ip helper-address 1 10.1.50.1
 ip helper-address 2 10.1.50.2
!

interface ve 1234
 port-name Restricted Default Gateway
 ip follow ve 160
 ip helper-address 1 10.1.50.1
 ip helper-address 2 10.1.50.2
 ip access-group NO_RFC1918 out
!

ip access-list extended NO_RFC1918
 permit ip any host 10.1.50.1
 permit ip any host 10.1.50.2
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
!




Any ideas?




P.S. Don't worry about the 48 ports above and the fact that I actually tried to configure a 7150-C12-PD. I was simply testing and happened to have one within arm's reach.
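A way to sanity-check the NO_RFC1918 ACL off-box before committing it: the evaluator below is an added example, not code from the original post or from Ruckus/Brocade. It parses ICX-style `permit|deny ip <src> <dst>` entries with wildcard masks (where `host`, `any`, and `network wildcard` are the only endpoint forms handled), applies them first-match in order with the implicit deny at the end, and shows that the helper-address permits must precede the 10.0.0.0/8 deny for DHCP relay to keep working. The ACL text is copied from the post with the 192.168.0.0 wildcard written as `0.0.255.255`; the malformed `0.255.255` form is rejected at parse time, which is the kind of defect this check catches. Direction (`in`/`out`) and protocol/port matching are not modelled.

```python
"""Offline first-match evaluator for ICX-style extended ACL entries.

Added example; handles only the '<permit|deny> ip <src> <dst>' form where an
endpoint is 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z' (wildcard mask).
"""
import ipaddress

# Constructed sample: the NO_RFC1918 body from the post, with the 192.168.0.0
# wildcard corrected to 0.0.255.255 (the post had the malformed 0.255.255).
NO_RFC1918 = """\
permit ip any host 10.1.50.1
permit ip any host 10.1.50.2
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
"""


def _parse_endpoint(tokens, pos):
    """Parse one endpoint spec at tokens[pos]; return ((net, wildcard), next_pos).

    Wildcard bits set to 1 mean "don't care": 0.0.0.0 is an exact host match,
    255.255.255.255 matches anything. Bad addresses raise ValueError.
    """
    tok = tokens[pos]
    if tok == "any":
        return (0, 0xFFFFFFFF), pos + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[pos + 1])), 0), pos + 2
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[pos + 1]))
    return (net, wild), pos + 2


def parse_acl(text):
    """Parse ACL lines into an ordered list of (action, src_spec, dst_spec)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError(f"line {lineno}: unsupported entry {line!r}")
        try:
            src, pos = _parse_endpoint(tokens, 2)
            dst, pos = _parse_endpoint(tokens, pos)
        except (ValueError, IndexError) as exc:
            raise ValueError(f"line {lineno}: malformed entry {line!r}: {exc}") from None
        if pos != len(tokens):
            raise ValueError(f"line {lineno}: trailing tokens in {line!r}")
        rules.append((tokens[0], src, dst))
    return rules


def check_acl(text):
    """Return a list of parse problems (empty when the ACL text is well-formed)."""
    try:
        parse_acl(text)
    except ValueError as exc:
        return [str(exc)]
    return []


def _matches(spec, addr_int):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF          # bits the entry actually compares
    return (addr_int & care) == (net & care)


def evaluate(rules, src_ip, dst_ip):
    """First matching entry wins; an ACL with no match denies implicitly."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for action, src, dst in rules:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"


def wildcard_prefix_len(wild):
    """Prefix length of a contiguous wildcard (e.g. 0.15.255.255 -> 12), else None."""
    mask = ~wild & 0xFFFFFFFF
    ones = bin(mask).count("1")
    contiguous = mask == ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF)
    return ones if contiguous else None


if __name__ == "__main__":
    rules = parse_acl(NO_RFC1918)
    # Constructed source: a host on the restricted VLAN; destinations cover the
    # DHCP helper, the Data VLAN gateway, each RFC1918 range and the Internet.
    for dst in ("10.1.50.1", "10.1.8.1", "172.20.1.1", "192.168.1.1", "8.8.8.8"):
        print(f"10.1.9.20 -> {dst}: {evaluate(rules, '10.1.9.20', dst)}")
    print(check_acl("deny ip any 192.168.0.0 0.255.255\n"))
```

Run it as-is to see the helper addresses permitted and the three private ranges denied while 8.8.8.8 passes; feed it the ACL text from a `show running-config` paste to check a different entry order, since moving the two `permit ... host` lines below the `deny ip any 10.0.0.0 0.255.255.255` line would silently break the DHCP relay.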




