Introduction to Private VLAN
Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private-VLAN ports are access ports that are one of these types:
- Promiscuous— A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN.
- Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
- Community—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN.
Configuration Scenario
The following scenario illustrates the concept of Private VLANs and how to configure them on a Catalyst switch.
A router is connected to interface Fa0/1 of the Catalyst switch, and four servers with different communication requirements are connected behind it: Webserver 1 and Webserver 2 (Fa0/2 and Fa0/3) and Mail server 1 and Mail server 2 (Fa0/4 and Fa0/5). Based on the above diagram, the Private VLAN arrangement is as follows –
- VLAN 100 is the primary VLAN. The router is connected to port Fa0/1, which is configured as a promiscuous port.
- VLAN 101 is the community secondary VLAN. Interfaces Fa0/2 and Fa0/3 (Webserver 1 and Webserver 2) are placed in it, since the two webservers must be able to communicate with each other as well as with the router.
- VLAN 102 is the isolated secondary VLAN. Interfaces Fa0/4 and Fa0/5 (Mail server 1 and Mail server 2) are placed in it, since the mail servers may only communicate with the router and must not be able to talk to each other.
Private VLAN Configuration
The configuration is performed as below –
Step 1
Here the primary and secondary VLANs are created, each is given its private-VLAN type, and the secondary VLANs are associated with the primary. Note that on a Catalyst switch running VTP version 1 or 2, the switch must first be placed in VTP transparent mode (vtp mode transparent) before private VLANs can be created.
vlan 100
 private-vlan primary
!
vlan 101
 private-vlan community
!
vlan 102
 private-vlan isolated
!
vlan 100
 private-vlan association 101,102
Step 2
In this section, each interface is assigned its private-VLAN role. The server-facing ports are host ports, each associated with the primary VLAN and its secondary VLAN; the router-facing port is a promiscuous port mapped to the primary VLAN and both secondary VLANs.
interface Fa0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface Fa0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface Fa0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
interface Fa0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
interface Fa0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 add 101,102
Step 3
Once the configuration is in place, we validate it with the commands below –
SWITCH#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ---------------------
100     101       community         Fa0/1, Fa0/2, Fa0/3
100     102       isolated          Fa0/1, Fa0/4, Fa0/5

SWITCH#show vlan private-vlan type
Vlan Type
---- -----------------
100  primary
101  community
102  isolated
The output shows that the router's port Fa0/1 appears in both the community and the isolated secondary VLANs, so the router can communicate with every end host.
The two webservers have full communication with each other, while the two mail servers can only communicate with the router. Keep in mind that this isolation applies at Layer 2 only: if the router is willing to forward traffic back out the same interface (for example through proxy ARP or simply routing between hosts in the same subnet), the isolated mail servers can still reach each other via the router, so an ACL on the router's interface is needed to block that path.
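The reachability rules described above (promiscuous talks to everything it is mapped to, community hosts talk among themselves and to promiscuous ports, isolated hosts talk only to promiscuous ports) can be checked mechanically against a running-config before the change goes live. The script below is an added example written for this article, not Cisco code or output: it parses the private-VLAN lines of the configuration from the scenario (embedded here as a constructed sample) and computes which pairs of ports can exchange Layer 2 traffic. It models access-port roles only (no promiscuous trunks, no Layer 3 forwarding through the router), and the interface and VLAN numbers are the ones used in the scenario.

```python
import re
from itertools import combinations

# Constructed sample: the scenario's configuration in running-config form.
# Not captured from a real switch.
SAMPLE_CONFIG = """
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
vlan 101
 private-vlan community
!
vlan 102
 private-vlan isolated
!
interface Fa0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 add 101,102
!
interface Fa0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface Fa0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface Fa0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
interface Fa0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
"""


def parse_pvlan_config(text):
    """Return (vlan_types, ports) from IOS-style private-VLAN configuration.

    vlan_types: {vlan_id: 'primary' | 'community' | 'isolated'}
    ports: {ifname: {'mode': 'host' | 'promiscuous' | None,
                     'primary': vlan_id or None, 'secondary': set of vlan_ids}}
    """
    vlan_types, ports = {}, {}
    current_vlan = current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"vlan (\d+)$", line)
        if m:
            current_vlan, current_if = int(m.group(1)), None
            continue
        m = re.match(r"interface (\S+)$", line, re.I)
        if m:
            current_if, current_vlan = m.group(1), None
            ports[current_if] = {"mode": None, "primary": None, "secondary": set()}
            continue
        if current_vlan is not None:
            m = re.match(r"private-vlan (primary|community|isolated)$", line)
            if m:
                vlan_types[current_vlan] = m.group(1)
            # 'private-vlan association' is not needed for the reachability check
        elif current_if is not None:
            p = ports[current_if]
            m = re.match(r"switchport mode private-vlan (host|promiscuous)$", line)
            if m:
                p["mode"] = m.group(1)
            m = re.match(r"switchport private-vlan host-association (\d+) (\d+)$", line)
            if m:
                p["primary"], p["secondary"] = int(m.group(1)), {int(m.group(2))}
            m = re.match(r"switchport private-vlan mapping (\d+) (?:add )?([\d,]+)$", line)
            if m:
                p["primary"] = int(m.group(1))
                p["secondary"] |= {int(v) for v in m.group(2).split(",")}
    return vlan_types, ports


def can_talk_l2(a, b, vlan_types, ports):
    """Layer 2 reachability between two access ports under private-VLAN rules."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] is None or pa["primary"] != pb["primary"]:
        return False  # different (or no) private VLAN: normal VLAN separation
    if not pa["secondary"] or not pb["secondary"]:
        return False  # incompletely configured port: nothing is forwarded
    if pa["mode"] == "promiscuous" and pb["mode"] == "promiscuous":
        return True
    if pa["mode"] == "promiscuous":
        return pb["secondary"] <= pa["secondary"]  # host's secondary VLAN must be mapped
    if pb["mode"] == "promiscuous":
        return pa["secondary"] <= pb["secondary"]
    # host <-> host: allowed only inside one community VLAN, never in an isolated VLAN
    sa, sb = next(iter(pa["secondary"])), next(iter(pb["secondary"]))
    return sa == sb and vlan_types.get(sa) == "community"


def reachability(text):
    """Map every unordered pair of configured ports to True (allowed) / False (blocked)."""
    vlan_types, ports = parse_pvlan_config(text)
    return {(a, b): can_talk_l2(a, b, vlan_types, ports)
            for a, b in combinations(sorted(ports), 2)}


if __name__ == "__main__":
    for (a, b), ok in reachability(SAMPLE_CONFIG).items():
        print(f"{a} <-> {b}: {'allowed' if ok else 'blocked'}")
```

Running it on the sample prints Fa0/2 <-> Fa0/3 and every router pair as allowed and Fa0/4 <-> Fa0/5 as blocked, matching the behaviour the show commands confirm. Pointing it at a real exported running-config (with the same access-port commands) gives a quick review of whether an isolation requirement was actually met before relying on it.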
ABOUT THE AUTHOR
I am here to share my knowledge and experience in the field of networking with the goal being – “The more you share, the more you learn.”
I am a biotechnologist by qualification and a Network Enthusiast by interest. I developed interest in networking being in the company of a passionate Network Professional, my husband.
I am a strong believer in the fact that “learning is a constant process of discovering yourself.”
– Rashmi Bhardwaj (Author/Editor)