CCNA Basics-IV: Private VLANs and Configuration

Today I am going to talk about Private VLANs. You already know the concept of VLANs from our earlier articles, but let me say a little about VLANs first before we move on to Private VLANs.

VLANs- Virtual LAN and Private VLANs
A VLAN is a logical grouping of hosts that share either a common physical location or a common logical function. A private VLAN is a further logical division in which specific ports or port groups are prevented from talking to the rest of the VLAN while still being able to communicate with the gateway: essentially a VLAN within a VLAN. The concept is similar to a layer 2 VRF, but more granular. Note that this isolation is a layer 2 mechanism: traffic that is routed through the gateway is not restricted by the private VLAN itself and has to be controlled on the gateway.


Fig 1.1- Private VLANs
Primary vs Secondary
The primary VLAN is the normal VLAN that you see every day. The secondary VLAN is the subset of one or more devices on that VLAN whose communication within the VLAN is restricted. The kind of communication these devices are allowed depends on the type of private VLAN.

Types of Private VLAN: there are Isolated VLANs and Community VLANs. First we will talk a little about isolated VLANs, followed by community VLANs.

Isolated VLANs
  • Members of an isolated VLAN cannot communicate with any other member of that isolated VLAN; they can reach only promiscuous ports (typically the gateway).
  • There is only one isolated VLAN per primary VLAN.

Community VLAN
  • Members of a community VLAN can communicate with any other member of their community and with the gateway.
  • There can be many secondary VLANs per primary VLAN (the single isolated VLAN plus any number of community VLANs).

Types of Private VLAN ports

Promiscuous
  • A promiscuous port can communicate with any other port in the private VLAN.
  • This port is used to translate primary to secondary VLAN membership; it is usually the port facing the gateway.
Isolated
  • Isolated ports can communicate only with promiscuous ports and trunks.
  • Isolated ports are used to prevent communication in scenarios where hosts discovering their neighbours is not desirable.
Community
  • Community ports can communicate with all members of their community as well as with trunk and promiscuous ports.
Basic PVLAN Configuration Steps
  • Create primary VLAN and secondary VLANs
  • Assign Type for VLANs
  • Associate VLANs with Primary
  • Verify Configuration
  • Assign Switch Port mode
  • Associate Primary and Secondary VLANs
Switch 1 (Non-VTP config)
Create the VLANs and configure their associations
PVLAN_RouteXP_Switch_1(config)#vlan 100
PVLAN_RouteXP_Switch_1(config-vlan)#private-vlan primary
PVLAN_RouteXP_Switch_1(config-vlan)#vlan 101
PVLAN_RouteXP_Switch_1(config-vlan)#private-vlan isolated
PVLAN_RouteXP_Switch_1(config-vlan)#vlan 102
PVLAN_RouteXP_Switch_1(config-vlan)#private-vlan community
PVLAN_RouteXP_Switch_1(config-vlan)#vlan 103
PVLAN_RouteXP_Switch_1(config-vlan)#private-vlan community
PVLAN_RouteXP_Switch_1(config-vlan)#vlan 100
PVLAN_RouteXP_Switch_1(config-vlan)#private-vlan association 101-103

Configure the host interfaces with the PVLANs
PVLAN_RouteXP_Switch_1(config)#interface fa0/1
PVLAN_RouteXP_Switch_1(config-if)#switchport
PVLAN_RouteXP_Switch_1(config-if)#switchport mode private-vlan host
PVLAN_RouteXP_Switch_1(config-if)#switchport private-vlan host-association 100 101
PVLAN_RouteXP_Switch_1(config-if)#interface fa0/2
PVLAN_RouteXP_Switch_1(config-if)#switchport
PVLAN_RouteXP_Switch_1(config-if)#switchport mode private-vlan host
PVLAN_RouteXP_Switch_1(config-if)#switchport private-vlan host-association 100 102
PVLAN_RouteXP_Switch_1(config-if)#exit
PVLAN_RouteXP_Switch_1(config)#interface range fa0/3-4
PVLAN_RouteXP_Switch_1(config-if-range)#switchport
PVLAN_RouteXP_Switch_1(config-if-range)#switchport mode private-vlan host
PVLAN_RouteXP_Switch_1(config-if-range)#switchport private-vlan host-association 100 103
PVLAN_RouteXP_Switch_1(config)#interface fa0/13
PVLAN_RouteXP_Switch_1(config-if)#switchport
PVLAN_RouteXP_Switch_1(config-if)#switchport mode private-vlan host
PVLAN_RouteXP_Switch_1(config-if)#switchport private-vlan host-association 100 101

Configure the trunk
PVLAN_RouteXP_Switch_1(config)#interface fa0/24
PVLAN_RouteXP_Switch_1(config-if)#switchport
PVLAN_RouteXP_Switch_1(config-if)#switchport trunk encapsulation dot1q
PVLAN_RouteXP_Switch_1(config-if)#switchport mode trunk

Switch 2 (PVLAN with VTP)
Configure VTP
This still requires that VTP is set up on switch 1; we will use switch 1 as the primary server. Because we are using VTP on switch 2, we can skip configuring the VLANs on switch 2.

Set switch 1 as the server
PVLAN_RouteXP_Switch_1(config)#vtp version 3   (has to be version 3: earlier VTP versions do not propagate private VLANs)
PVLAN_RouteXP_Switch_1(config)#vtp mode server
PVLAN_RouteXP_Switch_1(config)#end
PVLAN_RouteXP_Switch_1#vtp primary

Configure VTP on switch 2
PVLAN_RouteXP_Switch_2(config)#vtp version 3
PVLAN_RouteXP_Switch_2(config)#vtp mode client

Configure the trunk on switch 2
PVLAN_RouteXP_Switch_2(config)#interface fa0/24
PVLAN_RouteXP_Switch_2(config-if)#switchport
PVLAN_RouteXP_Switch_2(config-if)#switchport trunk encapsulation dot1q
PVLAN_RouteXP_Switch_2(config-if)#switchport mode trunk
PVLAN_RouteXP_Switch_2(config-if)#exit

Configure host ports on switch 2
PVLAN_RouteXP_Switch_2(config)#interface fa0/7
PVLAN_RouteXP_Switch_2(config-if)#switchport
PVLAN_RouteXP_Switch_2(config-if)#switchport mode private-vlan host
PVLAN_RouteXP_Switch_2(config-if)#switchport private-vlan host-association 100 101
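As an added example that is not part of the article, here is a small Python audit script that parses an IOS-style private VLAN configuration and applies the port-type rules above to decide which ports can reach each other at layer 2. The configuration it reads is a constructed excerpt mirroring the switch 1 host ports above (community 102 left out for brevity), plus an assumed promiscuous port fa0/20 whose switchport private-vlan mapping line is an assumption, not something the article configures.

```python
# Added example (not from the article): parse an IOS-style PVLAN config excerpt
# and compute port-to-port reachability from the article's port-type rules.
import re

# Constructed sample: the article's switch 1 host ports (minus community 102) plus
# an assumed promiscuous port fa0/20; its "mapping" command is an assumption here.
SAMPLE_CONFIG = """
vlan 100
 private-vlan primary
 private-vlan association 101,103
vlan 101
 private-vlan isolated
vlan 103
 private-vlan community
interface fa0/1
 switchport private-vlan host-association 100 101
interface fa0/13
 switchport private-vlan host-association 100 101
interface fa0/3
 switchport private-vlan host-association 100 103
interface fa0/4
 switchport private-vlan host-association 100 103
interface fa0/20
 switchport private-vlan mapping 100 101,103
"""

def parse_pvlan_config(text):
    """Return ({vlan: type}, {interface: (primary, secondary or None)})."""
    vlan_types, ports, cur = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"vlan (\d+)$", line):
            cur = int(m.group(1))                       # entering VLAN config
        elif m := re.match(r"private-vlan (primary|isolated|community)$", line):
            vlan_types[cur] = m.group(1)
        elif m := re.match(r"interface (\S+)$", line):
            cur = m.group(1)                            # entering interface config
        elif m := re.match(r"switchport private-vlan host-association (\d+) (\d+)$", line):
            ports[cur] = (int(m.group(1)), int(m.group(2)))
        elif re.match(r"switchport private-vlan mapping \d+ ", line):
            ports[cur] = (int(line.split()[3]), None)   # promiscuous: primary only
    return vlan_types, ports

def can_reach(a, b, vlan_types, ports):
    """Layer-2 reachability between two PVLAN ports under the article's rules."""
    (pa, sa), (pb, sb) = ports[a], ports[b]
    if pa != pb:                  # different primary VLANs never meet at layer 2
        return False
    if sa is None or sb is None:  # a promiscuous port reaches every member
        return True
    if sa != sb:                  # isolated vs community, or two different communities
        return False
    return vlan_types[sa] == "community"  # isolated peers cannot reach each other
```

Running can_reach over every pair of ports from a real show running-config export gives a quick check that the isolated and community memberships match what the design intended.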