Private VLAN

Private VLAN in Cisco

Reducing broadcast traffic in a Layer 2 environment is one of the things network administrators worry about most. Even in a service provider environment, if multiple clients in different locations are connected to the provider's switch, they will by default be in the same broadcast domain. To divide a broadcast domain we have the concept of the VLAN. With Private VLANs we can go further and isolate the ports connected to users in the same VLAN from each other, while they can still communicate with their uplink.

Ports on a Private VLAN enabled switch can be defined as either Host or Promiscuous ports.

Host Port – link connected to an end device

Promiscuous Port – link connected to a router, server or firewall

A Private VLAN contains two types of VLAN:

  1. Primary VLAN –> The regular VLAN that we usually configure.
  2. Secondary VLAN –> The VLANs created inside a Primary VLAN. They are of two types:
    1. Isolated – ports in an isolated VLAN cannot communicate with other isolated ports or with community ports.
    2. Community – ports in a community VLAN can communicate with other ports in the same community, but not with ports in other communities or with isolated ports.

Private VLAN scenario

Topology for our configuration:




To create the primary VLAN

Switch(config)#vlan 500
Switch(config-vlan)#private-vlan primary

To create the secondary VLANs (isolated and community)

Switch(config)#vlan 300
Switch(config-vlan)#private-vlan community

Switch(config)#vlan 301
Switch(config-vlan)#private-vlan isolated

Switch(config)#vlan 302
Switch(config-vlan)#private-vlan isolated

To associate the secondary VLANs with the primary VLAN

Switch(config)#vlan 500
Switch(config-vlan)#private-vlan association 300-302

We have created the primary VLAN and associated the secondary VLANs with it. We can verify with

Switch#show vlan private-vlan

Now we will configure the ports. All community and isolated ports are defined as host ports. In our case fa 0/1 – fa 0/4 are host ports.

Switch(config)#interface range fa 0/1 - 4
Switch(config-if-range)#switchport mode private-vlan host

Next we define which primary and secondary VLAN each port belongs to:

Switch(config)#interface range fa 0/1 - 2
Switch(config-if-range)#switchport private-vlan host-association 500 300
Switch(config)#interface fa 0/3
Switch(config-if)#switchport private-vlan host-association 500 301
Switch(config)#interface fa 0/4
Switch(config-if)#switchport private-vlan host-association 500 302

Now we will configure the uplink (promiscuous port), with which all the secondary and primary VLANs can communicate.

First we define the promiscuous port:

Switch(config)#interface Gi 1/0/1
Switch(config-if)#switchport mode private-vlan promiscuous

Now map the primary and all secondary VLANs to the promiscuous port:

Switch(config-if)#switchport private-vlan mapping 500 300-302
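
Added example, not part of the original post: a short Python model of the isolated/community/promiscuous rules listed earlier, applied to this post's port assignments rewritten in running-config form. The config text and the function names parse and can_talk are constructed for illustration; the model covers a single switch only and is useful for checking that a planned Private VLAN layout gives the isolation you expect.

```python
# Constructed input: the article's VLAN and port settings in running-config form.
CONFIG = """
vlan 500
 private-vlan primary
vlan 300
 private-vlan community
vlan 301
 private-vlan isolated
vlan 302
 private-vlan isolated
interface fa0/1
 switchport private-vlan host-association 500 300
interface fa0/2
 switchport private-vlan host-association 500 300
interface fa0/3
 switchport private-vlan host-association 500 301
interface fa0/4
 switchport private-vlan host-association 500 302
interface gi1/0/1
 switchport private-vlan mapping 500 300-302
"""

def parse(config):
    """Return ({vlan: type}, {port: (role, primary, set of secondary VLANs)})."""
    vlans, ports, name = {}, {}, None
    for words in (l.split() for l in config.splitlines() if l.strip()):
        if words[0] in ("vlan", "interface"):
            name = words[1]                      # current vlan id or interface name
        elif words[0] == "private-vlan" and words[1] in ("primary", "community", "isolated"):
            vlans[int(name)] = words[1]
        elif words[:3] == ["switchport", "private-vlan", "host-association"]:
            ports[name] = ("host", int(words[3]), {int(words[4])})
        elif words[:3] == ["switchport", "private-vlan", "mapping"]:
            secondary = set()
            for part in words[4].split(","):     # accepts "300-302" or "300,302"
                lo, _, hi = part.partition("-")
                secondary.update(range(int(lo), int(hi or lo) + 1))
            ports[name] = ("promiscuous", int(words[3]), secondary)
    return vlans, ports

def can_talk(a, b, vlans, ports):
    """Layer 2 reachability between two ports under the rules described above."""
    (role_a, prim_a, sec_a), (role_b, prim_b, sec_b) = ports[a], ports[b]
    if prim_a != prim_b:
        return False                             # different primary VLANs never mix
    if "promiscuous" in (role_a, role_b):        # uplink reaches every VLAN mapped to it
        return role_a == role_b or sec_a <= sec_b or sec_b <= sec_a
    (vlan,) = sec_a                              # a host port has exactly one secondary VLAN
    return sec_a == sec_b and vlans.get(vlan) == "community"
```

Calling parse(CONFIG) and then can_talk for each pair of ports gives the expected reachability, which can be compared against what hosts on the configured switch can actually reach.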

1 comment

  • Prasanth D

    Dear sir,
    We don't have knowledge on VPN and PROXY servers. Pls conduct a workshop on these topics and if possible post some notes regarding these topics over here.
