A private VLAN allows conservation of IP and VLANs via L2 separation within a VLAN. It allows web hosts and ISPs to segregate or group devices whilst conserving IP addressing.  PVLANs restrict communication between ports and allow communication with promiscuous  port. Think VLAN inside a VLAN!

Primary PVLAN

  • Primary PVLAN can be composed of many secondary PVLANs. The secondary PVLANs belong to the same subnet as the Primary PVLAN. The primary VLAN has the task of also carrying data from the promiscuous port to the isolated, community, and other promiscuous ports in the same primary PVLAN.

Secondary PVLAN

  • A child PVLAN to the primary PVLAN, a secondary PVLAN is mapped to a single primary PLVAN. Secondary PVLAN are what hosts attach to.

Types of Secondary PVLANs

  • Community PVLANS
    • Ports can communicate with other community members and the promiscuous port of the primary PVLAN
  • Isolated Private VLAN
    • Ports can only communicate with the promiscuous ports only.

NOTE: Promiscuous ports only service and work with one primary PVLAN. A promiscuous port can service  one isolated PVLAN or many community PVLANs

PVLAN Port types

  • Isolated
    • Isolated ports are completely separated at L2 from any other ports except those listed as promiscuous. These ports block all traffic to other isolated ports. Traffic is forward to promiscuous ports only
      • Servers, Hosts (Think web-hosting!)
  • Promiscuous
    • These ports communicated with all ports within a PVLAN including community and isolated ports. Promiscuous ports are apart of one primary PVLAN and each promiscuous port can map themselves to multiple secondary PVLANS.
      • Routers, Shared Servers, SVIs, Routed Switch ports
  • Community
    • These ports communicate amongst themselves and their promiscuous ports. L2 communities are isolated from other communities and isolated ports within their PVLAN.
      • Servers, Server Farms

 

Configuration of Private VLANs

The objective of this exercise is meet the requirements of a webhosting company.  They have employed you to configure the following PVLAN setup for their tenants.

VLANs in your VLANs so you can isolate while you isolate

 

First of all we define the PVLAN Type. This allows us to assign which VLAN will be a primary, community or isolated PVLAN

Defining the VLAN type
vlan 50
  private-vlan primary
vlan 51
  private-vlan community
vlan 52
  private-vlan isolated
vlan 50
  private-vlan association 51,52
Now that we have assigned our PVLAN type we need to
Assigning  ports to their PVLAN and port role
int gi0/10
  switchport mode private-vlan host
  switchport private-vlan host-association 50 51
int gi0/11
  switchport mode private-vlan host
  switchport private-vlan host-association 50 51
int gi0/12
  switchport mode private-vlan host
  switchport private-vlan host-association 50 52
int gi0/13
  switchport mode private-vlan host
  switchport private-vlan host-association 50 52
int gi0/15
  switchport mode private-vlan promiscuous
  switchport private-vlan mapping 50 add 51,52
Confirmation of PVLAN settings
show vlan private-vlan type
Vlan Type
---- -----------------
50   primary
51   community
52   isolated
show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
50      51        community         Gi0/10, Gi0/11, Gi0/15
50      52        isolated          Gi0/12, Gi0/13, Gi0/15

 

Easy enough. I was always daunted by this topic but now after labbing it I have found it to be quite nice and easy. Also remember that this is a 3560 series and higher technology. Sorry 3550!

 

Leave a Reply

Your email address will not be published. Required fields are marked *

CAPTCHA

*