Private VLANs

Private VLANs

  • When you configure private VLANS, the switch must be in VTP transparent mode.

You Need a Primary VLAN and a Secondary VLAN

There are two types of secondary VLANs:

  • Isolated VLANs - Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.
  • Community VLANs - Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level.
Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private-VLAN ports are access ports that are one of these types:
  • Promiscuous - A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN.
  • Isolated - An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
  • Community - A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN.

Configure VLANs

  • We will create Primary vlan 100 and isolated vlan 101 and community vlan 102
  • First set vtp mode to transparent
  • Create vlan 100
  • Create vlan 101
  • Create vlan 102
  • Go under vlan 101 and set it to private-vlan isolated
  • Go under vlan 102 and set it to private-vlan community
  • Go under vlan 100 and set it to private-vlan primary and private-vlan association 101-102

Configure Ports

  • For host ports set to Isolated:
  • Switchport mode private-vlan host
  • Switchport private-vlan host-association 100 101
  • For host ports set to Community:
  • Switchport mode private-vlan host
  • Switchport private-vlan host-association 100 102
  • For host ports set to Promiscuous:
  • Swithport mode private-vlan promiscuous
  • **Switchport private-vlan mapping 100 101-102
  • ***To add another community you must create another VLAN for each community

Comments

Post a Comment

Popular posts from this blog

BGP Communities

Community Attribute The community attribute provides a way of grouping destinations, called communities, to which routing decisions (such as acceptance, preference, and redistribution) can be applied. Use route-maps to set them. no-export - Do not advertise this route to EBGP peers. no-advertise - Do not advertise this route to any peer. internet - Advertise this route to the Internet community; all routers in the network belong to it.
Read more

Hector Runs Over a Cat

Image
Hector informed me today that he ran over a cat. I asked him if he stopped and he said "I slowed down". I asked him if he was going to bury it but he would not. I then gave him a ride home and pulled up next to the 3 day dead mangled cat and Hector wouldnt look at it. I took a picture and MMS him so he could see what he had done to this poor defenseless animal. I offered to help him bury it but he just seems so callus. I am posting this picture to try to get Hector to help me bury this cat. Please post your thoughts and suggestion for Hector. I think he just needs a hug.
Read more