PRIVATE VLAN
THANANCHAI CHUNBOK CO,. LTD,
8 Huamark 7, Huamark, Bangkapi, Bangkok, Thailand 10240
JULY 8, 2014
running-config.blogspot.com
TABLE OF CONTENTS
1 private vlan ........ 1
1.1 private vlan ........ 2
1.1.1 private VLAN ........ 3
1.1.2 VLAN private VLAN ........ 4
1.1.3 Trunk port private VLAN ........ 5
2 private vlan ........ 9
2.1 private vlan ........ 9
2.2 private vlan ........ 10
2.2.1 VTP mode transparent ........ 11
2.2.2 secondary VLAN ........ 11
2.2.3 primary VLAN ........ 11
2.2.4 secondary VLAN primary VLAN ........ 12
2.2.5 promiscuous port ........ 12
2.2.6 isolated community host trunk port ........ 13
2.2.7 primary SVI secondary VLAN primary VLAN ........ 16
2.2.8 private VLAN ........ 16
Private VLAN
1 PRIVATE VLAN
VLAN broadcast domain
VLAN VLAN IP address
subnet VLAN VLAN
VLAN IP address subnet
VLAN Layer 3
subnet address VLAN
VLAN VLAN
VLAN IP address subnet
IP address subnet
IP address subnet
VLAN Private VLAN
VLAN
IP address subnet
private VLAN
private VLAN IP
address subnet private VLAN
IP address
subnet
service provider
Private VLAN service provider VLAN
VLAN private VLAN VLAN
subdomain subdomain VLAN primary
VLAN secondary VLAN
IP address private VLAN
IP address VLAN
IP address
IP address
*private VLAN Cisco catalyst 2960-XR 3560
1.1 PRIVATE VLAN
Private VLAN VLAN primary VLAN
Layer 2 IP address subnet
private VLAN VLAN
[Figure: a primary VLAN domain with two subdomains, a secondary community VLAN and a secondary isolated VLAN; ports shown: promiscuous port, host port (community), host port (isolated).]
1.1.1 private VLAN
Private VLAN Layer 2
private VLAN switchport mode access
private VLAN 2 promiscuous port
host port host port 2 isolated port community
port
Promiscuous port uplink Layer 3
gateway primary VLAN domain promiscuous port primary
VLAN community, isolated
host ports secondary VLAN private VLAN domain
promiscuous ports primary VLAN private VLAN domain
Host port secondary VLAN
2
o Isolated port isolated VLAN
Layer 2 isolated VLAN
isolated port promiscuous
port isolated port
promiscuous port isolated port
promiscuous port
o Community port community VLAN
promiscuous port community
VLAN private VLAN Layer 2
community port
community VLAN isolated port private VLAN domain
1.1.2 VLAN private VLAN
private VLAN VLAN 2 primary VLAN secondary VLAN secondary VLAN
2 isolated VLAN community VLAN VLAN
Primary VLAN promiscuous ports host ports (isolated
community) promiscuous port private VLAN domain
primary VLAN VLAN private VLAN domain
primary VLAN
Secondary VLAN sub-VLAN primary VLAN
gateway VLAN
o Isolated VLAN private VLAN domain isolated VLAN
VLAN isolated VLAN
promiscuous port gateway
o Community VLAN private VLAN domain community
VLAN community VLAN
promiscuous port community VLAN
[Figure: a switch with a promiscuous port (P), isolated ports (I) and community ports (C1, C2); the secondary VLANs shown are the isolated VLAN, community VLAN 1 and community VLAN 2.]
1.1.3 Trunk port private VLAN
trunk port private VLAN
standard trunk port trunk port
private VLAN , private VLAN
trunk port private VLAN trunk port 2
isolated private VLAN trunk port promiscuous private VLAN trunk port
private VLAN
* isolated private VLAN trunk port promiscuous private VLAN trunk port
Cisco catalyst 4500
Trunk port private VLAN 3 standard trunk port, isolated private VLAN
trunk port promiscuous private VLAN trunk port
Standard trunk port private VLAN
private VLAN trunk port
trunk port private VLAN trunk
port private VLAN trunk port VLAN
tag VLAN primary VLAN, isolated
VLAN community VLAN private VLAN
isolated VLAN isolated VLAN
community VLAN
community VLAN
private VLAN
private VLAN VLAN (
trunk port private VLAN)
private VLAN
private VLAN host port
[Figure: Switch A and Switch B, each carrying VLAN100, VLAN201 and VLAN202, connected by trunk ports that permit VLAN 100, 201 and 202. VLAN100 = Primary VLAN, VLAN201 = Secondary isolated VLAN, VLAN202 = Secondary community VLAN.]
private VLAN VTP VLAN
private VLAN primary VLAN
secondary VLAN Layer 2 database
private VLAN private VLAN
VLAN
Isolated private VLAN trunk port isolated host port
isolated host port access port isolated private VLAN trunk
port trunk port -
VLAN secondary VLAN ( isolated VLAN) private
VLAN domain VLAN trunk port isolated private VLAN
trunk port private VLAN (
catalyst 2950)
catalyst 4500 private
VLAN (catalyst 2950)
[Figure: Host 1, Host 2 and Host 3 attached to a non-private VLAN switch (Catalyst 2950) and a private VLAN switch (Catalyst 4500). Labels: isolated port / isolated VLAN 11, isolated private VLAN trunk port, trunk port, promiscuous port / primary VLAN 10, access port VLAN 11. Primary VLAN = VLAN 10, Isolated VLAN = VLAN 11.]
1 catalyst 4500
primary VLAN (VLAN10) promiscuous port
catalyst 2950 isolated private VLAN trunk port
tag primary VLAN (VLAN10) catalyst 4500 tag isolated
VLAN (VLAN11) catalyst 2950 isolated private
VLAN trunk port catalyst 2950
access vlan 11
1 catalyst 2950
VLAN11 catalyst 4500 tag VLAN11
trunk port catalyst 4500 VLAN11
isolated private VLAN promiscuous port
isolated host port
isolated trunk catalyst 4500
isolated trunk port ( 1) isolated host port ( 3)
catalyst 4500
private VLAN ( 1 2)
private VLAN
protected port
Promiscuous private VLAN trunk port private VLAN
promiscuous host port promiscuous host port access port
promiscuous private VLAN trunk port trunk port
- VLAN VLAN
private VLAN domain trunk port promiscuous private VLAN trunk
port Layer 3 gateway
private VLAN
[Figure: private VLAN switch (Catalyst 4500) with Host1 and Host2 attached. Labels: community port / VLAN 12, isolated port / VLAN 11, promiscuous private VLAN trunk port / primary VLAN 10. Primary VLAN = VLAN 10, Isolated VLAN = VLAN 11, Community VLAN = VLAN 12.]
catalyst 4500 private VLAN domain
private VLAN 1 catalyst 4500
community VLAN (VLAN12)
promiscuous port tag community VLAN (VLAN12)
catalyst 4500 tag primary VLAN (VLAN10)
VLAN subnet
private VLAN domain catalyst
4500 primary VLAN (VLAN10) promiscuous private VLAN trunk
port private VLAN host port
promiscuous host port
private VLAN
[Table: communication matrix between P port, I port, C1 port, C2 port and trunk port.]
P = Promiscuous
I = isolated
C = community
* trunk port isolated port
isolated VLAN primary VLAN
2 PRIVATE VLAN
2.1 PRIVATE VLAN
1. private VLAN VTP VTP transparent mode
2. VLAN 1 VLAN 1002 1005 private VLAN domain
3. private VLAN domain primary VLAN VLAN
4. primary VLAN community VLAN isolated VLAN VLAN
5. Isolated VLAN community VLAN primary VLAN VLAN
6. VLAN private VLAN VLAN
access port VLAN
VLAN private VLAN
7. private VLAN EtherChannel
8. VLAN private VLAN VLAN
inactive
9. Layer 3 VLAN (SVI) primary VLAN
VLAN isolated community VLAN inactive
10. ACL private VLAN trunk port (ingress)
secondary VLAN (egress) primary VLAN
11. promiscuous port ACL primary VLAN
12. isolated promiscuous private VLAN trunk port encapsulation IEEE
802.1q
13. Community VLAN private VLAN trunk port (private VLAN
trunk port primary, isolated private VLAN VLAN )
14. ARP Layer 3 private VLAN sticky
MAC address IP address
error message ARP
ARP no arp
* private VLAN configuration guide
2.2 PRIVATE VLAN
1. VTP mode transparent
2. secondary VLAN
3. primary VLAN
4. secondary VLAN primary VLAN
5. promiscuous port
6. promiscuous port private VLAN
7. isolated community host trunk port
8. isolated community host port trunk port private VLAN
9. () inter-VLAN routing primary SVI
secondary VLAN primary VLAN
10. private VLAN
2.2.1 VTP mode transparent
VTP private VLAN VLAN database
VTP transparent mode
private VLAN
Switch(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
2.2.2 secondary VLAN
secondary VLAN private-vlan VLAN configuration mode
Switch# configure terminal
Switch(config)# vlan 303
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 440
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# end
Switch# show vlan private-vlan
Primary Secondary Type              Interfaces
------- --------- ----------------- ----------------------------------
        303       community
        440       isolated
2.2.3 primary VLAN
primary VLAN private-vlan primary VLAN configuration mode
Switch# configure terminal
Switch(config)# vlan 202
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# end
Switch# show vlan private-vlan
Primary Secondary Type              Interfaces
------- --------- ----------------- ----------------------------------
202               primary
        303       community
        440       isolated
2.2.4 secondary VLAN primary VLAN
secondary VLAN primary VLAN private-vlan
association < secondary_vlan_list> VLAN configuration mode primary VLAN
secondary VLAN private-
vlan association add secondary VLAN
private-vlan association remove secondary
VLAN
Switch# configure terminal
Switch(config)# vlan 202    // VLAN 202 is the primary VLAN
Switch(config-vlan)# private-vlan association 303-307,309,440
Switch(config-vlan)# end
Switch# show vlan private-vlan
Primary Secondary Type              Interfaces
------- --------- ----------------- ----------------------------------
202     303       community
202     304       community
202     305       community
202     306       community
202     307       community
202     309       community
202     440       isolated
        308       community
2.2.5 promiscuous port
Promiscuous port Layer 3 gateway ( )
private VLAN domain switchport mode private-vlan
promiscuous private VLAN switchport private-vlan
mapping primary_vlan_id secondary_vlan_list interface configuration mode
Switch# configure terminal
Switch(config)# interface fastethernet 5/2
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 202 303 440
Switch(config-if)# end
Switch# show interfaces fastethernet 5/2 switchport
Name:Fa5/2
Switchport:Enabled
Administrative Mode:private-vlan promiscuous
Operational Mode:private-vlan promiscuous
Administrative Trunking Encapsulation:negotiate
Operational Trunking Encapsulation:native
Negotiation of Trunking:Off
Access Mode VLAN:1 (default)
Trunking Native Mode VLAN:1 (default)
Voice VLAN:none
Administrative Private VLAN Host Association:none
Administrative Private VLAN Promiscuous Mapping: 202 (VLAN0202) 303 (VLAN0303)
440 (VLAN0440)
Private VLAN Trunk Native VLAN:none
Administrative Private VLAN Trunk Encapsulation:dot1q
Administrative Private VLAN Trunk Normal VLANs:none
Administrative Private VLAN Trunk Private VLANs:none
Operational Private VLANs:
202 (VLAN0202) 303 (VLAN0303) 440 (VLAN0440)
Trunking VLANs Enabled:ALL
Pruning VLANs Enabled:2-1001
Capture Mode Disabled
Capture VLANs Allowed:ALL
2.2.6 isolated community host trunk port
3
1. private VLAN host port
isolated community port
2. trunk port
isolated private VLAN trunk port
3. Layer 3 gateway trunk port promiscuous private VLAN trunk port
private VLAN host port
switchport mode private-vlan host VLAN switchport private-vlan host-association primary_vlan_id secondary_vlan_id
Switch# configure terminal
Switch(config)# interface fastethernet 5/1
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 202 440
Switch(config-if)# end
Switch# show interfaces fastethernet 5/1 switchport
Name: Fa5/1
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Appliance trust: none
Administrative Private Vlan
Host Association: 202 (VLAN0202) 440 (VLAN0440)
Promiscuous Mapping: none
Trunk encapsulation : dot1q
Trunk vlans:
Operational private-vlan(s):
202 (VLAN0202) 440 (VLAN0440)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
trunk port isolated private
VLAN trunk port switchport mode private-vlan trunk secondary
VLAN private VLAN domain
switchport private-vlan association trunk primary_vlan_id secondary_vlan_id
VLAN trunk port native vlan trunk
port VLAN
Switch# configure terminal
Switch(config)# interface fastethernet 5/2
Switch(config-if)# switchport mode private-vlan trunk secondary
Switch(config-if)# switchport private-vlan trunk native vlan 10
Switch(config-if)# switchport private-vlan trunk allowed vlan 10, 202, 4
Switch(config-if)# switchport private-vlan association trunk 202 440
Switch(config-if)# end
Switch# show interfaces fastethernet 5/2 switchport
Name: Fa5/2
Switchport: Enabled
Administrative Mode: private-vlan trunk secondary
Operational Mode: private-vlan trunk secondary
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: 10
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: 4, 10, 202
Administrative private-vlan trunk associations:
202 (VLAN0202) 440 (VLAN0440)
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Operational Normal VLANs: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Layer 3 gateway trunk port
promiscuous private VLAN trunk port
switchport mode private-vlan trunk promiscuous VLAN
private VLAN domain switchport private-vlan mapping trunk
primary_vlan_id secondary_vlan_id VLAN trunk
port native vlan trunk port VLAN
Switch# configure terminal
Switch(config)# interface fastethernet 5/2
Switch(config-if)# switchport mode private-vlan trunk promiscuous
Switch(config-if)# switchport private-vlan trunk native vlan 10
Switch(config-if)# switchport private-vlan trunk allowed vlan 4, 10, 202
Switch(config-if)# switchport private-vlan mapping trunk 202, 303, 440
Switch(config-if)# end
Switch# show interfaces fastethernet 5/2 switchport
Name: Fa5/2
Switchport: Enabled
Administrative Mode: private-vlan trunk promiscuous
Operational Mode: private-vlan trunk promiscuous
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: 10
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: 4,10, 202
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings:
202 (VLAN0202) 303 (VLAN0303) 440 (VLAN0440)
Operational private-vlan:
202 (VLAN0202) 303 (VLAN0303) 440 (VLAN0440)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
2.2.7 primary SVI secondary VLAN primary VLAN
inter-vlan routing Layer 3
(SVI) primary VLAN secondary VLAN private VLAN
domain private-vlan mapping primary_vlan_id
secondary_vlan_list interface configuration mode primary VLAN
Switch# configure terminal
Switch(config)# interface vlan 202
Switch(config-if)# ip address 10.0.202.254 255.255.255.0
Switch(config-if)# private-vlan mapping add 303-307,309,440
Switch(config-if)# end
Switch# show interfaces private-vlan mapping
Interface Secondary VLAN Type
--------- -------------- -----------------
vlan202 303 community
vlan202 304 community
vlan202 305 community
vlan202 306 community
vlan202 307 community
vlan202 309 community
vlan202 440 isolated
2.2.8 private VLAN
show interface status
show vlan private-vlan
show interface switchport
show interface private-vlan mapping
debug pm pvlan
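As an added example that is not part of the original document, the Python script below audits the output of the show commands above: it parses the show vlan private-vlan table from section 2.2.4 and the Host Association line of show interfaces switchport from section 2.2.6 (both constructed here from that output) and reports secondary VLANs that have no primary association, a primary with more than one isolated VLAN, and host ports bound to a pair that is not associated. Port Fa5/3 and its binding to VLAN 308 are assumptions added for the check.

```python
"""Audit a Cisco private-VLAN setup from show-command output (added example,
not from the original document). A secondary VLAN with no primary association
stays inactive, so a host port bound to it passes no traffic."""
import re

# Constructed sample: the 'show vlan private-vlan' table of section 2.2.4,
# shortened to a few rows. VLAN 308 is community but never associated.
SHOW_VLAN_PRIVATE_VLAN = """\
Primary Secondary Type              Interfaces
------- --------- ----------------- ----------------------------------
202     303       community
202     309       community
202     440       isolated
        308       community
"""

# Constructed sample: 'Host Association' lines from 'show interfaces ... switchport'.
# Fa5/1 matches section 2.2.6; Fa5/3 is an assumed port bound to the orphan VLAN 308.
HOST_ASSOCIATIONS = {
    "Fa5/1": "Host Association: 202 (VLAN0202) 440 (VLAN0440)",
    "Fa5/3": "Host Association: 202 (VLAN0202) 308 (VLAN0308)",
}

ROW = re.compile(r"^(\d+)?\s+(\d+)?\s+(primary|isolated|community)\b")

def parse_pvlan_table(text):
    """Return (primary, secondary, type) tuples; an empty column becomes None."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            p, s, t = m.groups()
            rows.append((int(p) if p else None, int(s) if s else None, t))
    return rows

def audit(rows, host_assoc):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings, isolated = [], {}
    pairs = {(p, s) for p, s, t in rows if p and s}      # associated primary/secondary pairs
    for p, s, t in rows:
        if t != "primary" and p is None:
            findings.append(f"secondary VLAN {s} ({t}) has no primary: inactive")
        elif t == "isolated":
            isolated.setdefault(p, []).append(s)
    for p, lst in isolated.items():                       # one isolated VLAN per primary
        if len(lst) > 1:
            findings.append(f"primary VLAN {p} has more than one isolated VLAN {lst}")
    for port, line in host_assoc.items():                 # host ports must use an associated pair
        ids = tuple(int(x) for x in re.findall(r"\b(\d+) \(VLAN", line))
        if len(ids) == 2 and ids not in pairs:
            findings.append(f"{port}: host association {ids} is not an associated pair")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_pvlan_table(SHOW_VLAN_PRIVATE_VLAN), HOST_ASSOCIATIONS):
        print(finding)
```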