S4810P FTOS 9.14 - PVLAN not routing to internet

Mrycp,

Based on your configuration and the behavior you're observing, the issue lies in how Private VLANs (PVLANs) function and how routing is handled between isolated and primary VLANs. 

Where the part you are having issues with is that your server is in an isolated VLAN (498). Also, the gateway (192.168.15.1) is on the MAIN SW, but the BUILDING 2 SW does not have a promiscuous port configured to forward traffic from VLAN 498 to VLAN 304. You can read about this on page 721 here. 

So what I recommend is that you configure a promiscuous port on the BUILDING 2 SW that maps VLAN 498 (isolated) to VLAN 304 (primary), allowing the server to reach the gateway. You should be able to do so with the following commands

interface TenGigabitEthernet 0/1
 description "Promiscuous uplink to MAIN SW"
 switchport
 switchport mode private-vlan promiscuous
 private-vlan mapping 304 add 498
 no shutdown

Let me know if this helps.

Hello,

I was able to get it to work by just adding the private vlan 498 also to the MAIN SW:

MAIN SW:

interface Vlan 498
 description "SERVER 1 PVLAN"
 private-vlan mode isolated
 no ip address
 no shutdown

At this point all IPv4 traffic started routing properly and I was able to access the internet.

One issue that now happens is all IPv6 to the Server 1 stops working. IPv4 continues to work.

Any idea why segmenting into a private VAN would break IPv6 but not IPv4?

As for your mentioning of the promiscuous port, the trunk port appears to be working:

interface fortyGigE 0/60
 description "TO BUILDING 2 SW"
 no ip address
 switchport
 switchport mode private-vlan trunk
 no shutdown

Do we also need a second link to the main switch which is also promiscuous? Wouldn't this create a loop or break the normal vlans?

Thanks

Mvipe,

IPv6 behaves differently from IPv4 in PVLAN environments due to its reliance on multicast and neighbor discovery protocols, as seen below.

So the isolated PVLANs block Layer 2 multicast between hosts and the gateway unless explicitly allowed, and the  IPv6 Neighbor Discovery Protocol (NDP) and Router Advertisements (RA) rely on multicast. So in your current setup, RA/NDP packets from the MAIN SW gateway are likely not reaching the server in VLAN 498.

What I recommend you try is to either enable IPv6 proxy ND on the BUILDING 2 SW interface for VLAN 304m which would be 

interface vlan 304
 ipv6 nd proxy

or

Manually configure the IPv6 address and default gateway on the server, such as 

IPv6 Address: 2001:db8::100/64
Gateway: 2001:db8::1

This bypasses the need for RA but is less flexible and not scalable.

or

As we previously discussed, a promiscuous port on the BUILDING 2 SW that maps VLAN 498 to VLAN 304 would allow both IPv4 and IPv6 to function correctly, including multicast-based discovery. This does not require a second physical link. You can configure the existing trunk port or another logical interface (e.g., a subinterface or LAG) as promiscuous without creating a loop, as long as STP and PVLAN rules are respected.

On Dell S4810P with FTOS 9.14, if your Private VLAN (PVLAN) isn't routing to the internet, ensure the primary VLAN has a Layer 3 interface with proper gateway and NAT configured. PVLANs don't route by default—use ACLs or route-maps to allow upstream traffic from isolated ports to the internet.