May 9

Private VLANs

Posted by Marius Bunget

Private VLANs (PVLANs) provide Layer 2 isolation between ports that sit in the same broadcast domain. There are three types of PVLAN ports:

  • Promiscuous: A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
  • Isolated: An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.
  • Community: Community ports communicate among themselves and with promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.

IP Addressing
All members of a private VLAN can share one IP address space, which is assigned to the primary VLAN. Hosts connected to isolated or community ports take their addresses from the primary VLAN's address space.


Steps to Configure Private VLAN

1. Set VTP mode to transparent
2. Create primary and secondary VLANs
3. Map secondary VLANs to primary VLANs
4. Configure ports in secondary VLANs and assign VLAN memberships
5. Configure promiscuous ports and map them to primary-secondary VLAN pairs

Configuration:

Switches S1 and S2 must both be configured as follows:

Set VTP to transparent mode, create VLANs 101 and 102, and associate them with the primary VLAN 100.

vtp mode transparent
!
vlan 100
  private-vlan primary
  private-vlan association 101-102
!
vlan 101
  private-vlan community
!
vlan 102
  private-vlan community

On S1:

interface FastEthernet0/1
 switchport private-vlan mapping 100 101-102
 switchport mode private-vlan promiscuous
!
interface FastEthernet0/3
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
!
interface FastEthernet0/5
 switchport private-vlan host-association 100 102
 switchport mode private-vlan host
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk

On S2:

interface GigabitEthernet0/4
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
!
interface GigabitEthernet0/6
 switchport private-vlan host-association 100 102
 switchport mode private-vlan host
!
interface GigabitEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
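To check that the port-type rules above are what the S1/S2 configuration actually enforces, here is an added example (not part of the original post) that parses the interface stanzas shown above and computes Layer 2 reachability between any two PVLAN ports. It assumes the S1-S2 trunk carries VLANs 100-102, and the secondary VLAN types are taken from the vlan stanzas (both community); an isolated secondary VLAN can be added to the table to see the stricter rule applied.

```python
# Constructed inline copies of the port configuration shown above for S1 and S2.
S1_CONFIG = """interface FastEthernet0/1
 switchport private-vlan mapping 100 101-102
 switchport mode private-vlan promiscuous
interface FastEthernet0/3
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
interface FastEthernet0/5
 switchport private-vlan host-association 100 102
 switchport mode private-vlan host"""
S2_CONFIG = """interface GigabitEthernet0/4
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
interface GigabitEthernet0/6
 switchport private-vlan host-association 100 102
 switchport mode private-vlan host"""
# Secondary VLAN types from the 'vlan' stanzas above (both are community here).
SECONDARY_TYPE = {101: "community", 102: "community"}

def expand_vlans(spec):
    """IOS range syntax: '101-102,104' -> {101, 102, 104}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_ports(config, switch):
    """{'S1 FastEthernet0/1': ('promiscuous', {101, 102}), ...}"""
    ports, name = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            name = switch + " " + line.split()[1]
        elif line.startswith("switchport private-vlan host-association"):
            ports[name] = ("host", {int(line.split()[-1])})
        elif line.startswith("switchport private-vlan mapping"):
            ports[name] = ("promiscuous", expand_vlans(line.split()[-1]))
    return ports

def can_forward(src, dst, ports):
    """Layer 2 reachability under the PVLAN rules; the S1-S2 trunk is assumed
    to carry VLANs 100-102 so the rules apply across both switches."""
    (role_s, vl_s), (role_d, vl_d) = ports[src], ports[dst]
    if "promiscuous" in (role_s, role_d):
        return role_s == role_d or bool(vl_s & vl_d)  # host must be mapped
    sec_s, sec_d = next(iter(vl_s)), next(iter(vl_d))
    if "isolated" in (SECONDARY_TYPE[sec_s], SECONDARY_TYPE[sec_d]):
        return False  # isolated hosts reach promiscuous ports only
    return sec_s == sec_d  # community hosts reach their own community only

PORTS = {**parse_ports(S1_CONFIG, "S1"), **parse_ports(S2_CONFIG, "S2")}
```

With this topology, S1 Fa0/3 and S2 Gi0/4 (both community 101) can reach each other across the trunk, while Fa0/3 and Fa0/5 (communities 101 and 102) cannot, and every host can reach the promiscuous port Fa0/1 because its mapping covers both secondary VLANs.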
