Private VLANs

By daxm

To help myself better understand private VLANs I created the following picture:

Private VLAN Diagram

Private VLANs are in two categories: Primary and Secondary.

  • There can be only 1 primary VLAN per private VLAN.  When an interface is configured as a private VLAN promiscuous port, the primary VLAN is the “active” VLAN on that port.  This interface will have the ability to communicate with every secondary VLAN in this private VLAN domain.
  • Though there can be several secondary VLANs, they are categorized into 2 sub-categories: Isolated and Community.
    • Isolated VLAN.  There can be only 1 isolated VLAN per private VLAN.  Interfaces configured with this VLAN can only send/receive traffic to/from the primary VLAN.  Other interfaces configured with the isolated VLAN will not be able to send/receive traffic with each other.
    • Community VLANs.  There can be multiple community VLANs per private VLAN.  An interface in a community VLAN can send/receive traffic with anyone within the same community VLAN and with the primary VLAN.  Different community VLANs cannot directly communicate with each other.

To configure private VLANs you need to do the following:

  1. (config)#vtp mode transparent — Private VLANs can only be configured in VTP transparent mode.
  2. (config)#vlan <num> — Create/Modify a VLAN that will be the primary VLAN.
  3. (config-vlan)#private-vlan primary – Designate the VLAN as the primary VLAN.
  4. (config-vlan)#exit – This may seem obvious but it is important to finish applying the primary VLAN configuration before continuing.  While still in the (config-vlan)# prompt the configuration commands are cached, and only when the exit command is issued are the commands actually applied to the switch.
  5. (config)#vlan <num> – Create/Modify a VLAN (other than the primary VLAN just created) as a secondary VLAN.
  6. (config-vlan)#private-vlan isolated OR (config-vlan)#private-vlan community – Specify whether this secondary VLAN is an isolated or community private VLAN.
  7. (config-vlan)#exit – Apply the VLAN changes.
  8. (config)#vlan <num> – Return to the VLAN that is configured as the primary VLAN.
  9. (config-vlan)#private-vlan association <num> – Link the secondary private VLANs to this primary VLAN.  Bear in mind that you can have multiple primary VLANs with secondary associations BUT a secondary private VLAN can only be associated with a single primary VLAN at a time.  Also note that you cannot associate a non-private VLAN or a primary private VLAN with a primary private VLAN.
  10. Now to associate the VLANs to interfaces.  It should be noted that the interface has to be a switchport interface and not a routed port.
    1. Secondary VLAN assignment:
      1. (config-if)#switchport private-vlan host-association <primary> <secondary> — Used to associate an isolated or community VLAN to an interface.  I find it odd that you have to re-specify the primary VLAN.  (What would happen if I moved this secondary VLAN to a different primary VLAN association?)
      2. (config-if)#switchport mode private-vlan host — Enable private VLANs on this interface.
    2. Primary VLAN assignment:
      1. (config-if)#switchport private-vlan mapping <primary> <secondary>,<secondary>,… — This links a list of secondary VLANs with a primary VLAN.
      2. (config-if)#switchport mode private-vlan promiscuous – Enable private VLANs on this interface but specify that this is a promiscuous port.  When the promiscuous option is enabled the primary VLAN is the enabled VLAN on this interface.
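As an added example (not part of the original post), the following script audits a saved running-config against the rules listed above: VTP transparent mode, only isolated/community VLANs in an association, each secondary VLAN owned by one primary, at most one isolated VLAN per primary, and every host-association/mapping on a port matching an existing association. The embedded config is constructed; its VLAN numbers and interface names are placeholders, and the script assumes Python 3.8+.

```python
import re
# Constructed sample running-config (not from the post); VLAN numbers and port names are placeholders.
SAMPLE_CONFIG = """\
vtp mode transparent
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
interface GigabitEthernet1/0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
"""
nums = lambda s: {int(n) for n in s.split(",") if n}  # "101,102" -> {101, 102}

def audit_pvlan(config):
    """Return a list of findings; an empty list means the PVLAN layout obeys the rules in the post."""
    vlans, ports, ctx = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"vlan (\d+)$", line):            # enter (config-vlan) context
            vlans.setdefault(ctx := int(m.group(1)), {"role": None, "assoc": set()})
        elif m := re.match(r"interface (\S+)", line):      # enter (config-if) context
            ctx = m.group(1)
        elif isinstance(ctx, int) and (m := re.match(r"private-vlan (primary|isolated|community)$", line)):
            vlans[ctx]["role"] = m.group(1)
        elif isinstance(ctx, int) and (m := re.match(r"private-vlan association ([\d,]+)", line)):
            vlans[ctx]["assoc"] |= nums(m.group(1))
        elif m := re.match(r"switchport private-vlan (?:host-association|mapping) (\d+) ([\d,]+)", line):
            ports.append((ctx, int(m.group(1)), nums(m.group(2))))
    findings = [] if "vtp mode transparent" in config else ["vtp mode is not transparent"]
    owner = {}                                             # secondary VLAN -> the one primary it belongs to
    for pri, v in vlans.items():
        for sec in v["assoc"]:
            if vlans.get(sec, {}).get("role") not in ("isolated", "community"):
                findings.append(f"vlan {pri} associates {sec}, which is not a secondary VLAN")
            if owner.setdefault(sec, pri) != pri:
                findings.append(f"vlan {sec} is associated with both {owner[sec]} and {pri}")
        if sum(vlans.get(s, {}).get("role") == "isolated" for s in v["assoc"]) > 1:
            findings.append(f"vlan {pri} has more than one isolated VLAN")
    for intf, pri, secs in ports:                          # host-association / mapping must match step 9
        missing = secs - vlans.get(pri, {}).get("assoc", set())
        if missing:
            findings.append(f"{intf}: {sorted(missing)} not associated with primary {pri}")
    return findings
```

Run `audit_pvlan(SAMPLE_CONFIG)` on the constructed config to get an empty list; a second primary that re-associates VLAN 101 or a mapping to an unassociated VLAN produces a finding naming the offending VLAN or port.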

##########################################################

Some good commands to know for validation/verification:

show vlan private-vlan

show vlan — (On the second page for me, but that depends on how many VLANs you have configured.)

show interface status

I referenced Cisco’s chapter on private VLANs for the 3750 series switches (http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swpvlan.html) while studying.


Comments


pepe
June 9th, 2012

This image isn't yours, it's an image from the CCNP official guide, in the PowerPoints.


daxm
June 9th, 2012

Then they took it from me. I don’t know how to prove it but the truth is I created this image while learning about Private VLANs.
