Private VLAN

  • Members of an isolated VLAN can only communicate with the promiscuous ports mapped
  • Members of a community VLAN can communicate with members of the same community and the promiscuous ports.

A two-way community acts like a regular community but has the additional aspect of allowing access control lists to check traffic going to and from (two ways) the VLAN and provides enhanced security within a private VLAN.

To configure PVLAN, VTP should be in transparent mode.

  1. Create primary private-vlan
  2. Create isolated/community VLAN
  3. Associating isolated/community VLANs to primary
  4. Configure spanning-tree mode and associating ports to PVLANs
  5. Mapping PVLANs under the primary VLAN interface
  6. To verify: show interface [primary PVLAN] private-vlan mapping

IPExpert, Vol.1, 2.28

You must configure VTP to transparent mode before you can create a private VLAN.
Private VLANs are configured in the context of a single switch and cannot have members on other switches. Private VLANs also carry TLVs that are not known to all types of Cisco switches.

Configuration

SWITCH(config)# vlan primary_number
SWITCH(vlan-config)# private-vlan primary
SWITCH(config)# vlan secondary_number
SWITCH(vlan-config)# private-vlan [isolated | community]
SWITCH(config)# vlan primary_number
SWITCH(vlan-config)# private-vlan association secondary_number_list [add secondary_number_list]
SWITCH(config)# interface type mod/port
SWITCH(config-if)# switchport
SWITCH(config-if)# switchport mode private-vlan host
SWITCH(config-if)# switchport mode private-vlan host-association primary_number secondary_number
SWITCH(config)# interface type mod/port
SWITCH(config-if)# switchport
SWITCH(config-if)# switchport mode private-vlan promiscuous
SWITCH(config-if)# switchport mode private-vlan mapping primary_number secondary_number
SWITCH(config)# interface primary_number
SWITCH(config-if)# ip address address mask
SWITCH(config-if)# private-vlan mapping primary_number secondary_number
show vlan private-vlan type
show interface private-vlan mapping
show interface type mod/port switchport
Share this!

Related posts:

  1. 802.1Q Tunneling (Q-in-Q)
  2. VTP
  3. Switching Misc. 1
  4. IPX Vol.1 Switching Notes
  5. Cisco 6500 VSS Configuration

Author: Mo Moghaddas

Building zeeg.me to give users more time back and make scheduling a pleasant experience.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.