This post is part of a series of revision notes I put together and used for studying CCNP Switch concepts. I am now writing them up on this website so that they might be useful to others.
They formed a part of my notes intended to explain concepts in simple terms. I hope they come in use, but as a reminder, please do not use these notes as any indication of what is sufficient for CCNP level understanding.
Let’s get started.
Existing Problem
- By the nature of their purpose, Service Providers have many different Clients. Sometimes hundreds, sometimes thousands and quite often even more
- For Service Providers, isolating their Customers into separate VLANs each is just not feasible, nor is it scalable
- The Switch’s maximum configurable VLAN limit would be hit (4094) and would effectively limit the number of customers an ISP could have
- Each VLAN would also require a separate IP
As we can see, these are all limitations that would interfere with the functioning of networks.
Let’s take a look at the solution.
Solution: Private VLANs
- Essentially a VLAN within a VLAN
- Splits VLANs into Primary and Secondary VLANs
- We are now able to isolate ports from other ports within the same VLAN
How it Works
Primary & Secondary VLANs
We mentioned that a VLAN is split into 2, the Primary and Secondary VLAN.
There is only 1 type of Primary VLAN and it is known as the…Primary VLAN.
As for the Secondary VLAN, we have 2 types:
- Community
- Isolated
So what’s the difference?
For that we have to take a look at what kind of ports go into these secondary VLANs. Let’s do this now.
Ports within Primary VLANs
There is only one type of port inside the Primary VLAN, it is called the Promiscuous Port.
- This port can communicate will all other ports in any of the secondary VLANs
- It is essentially the main ‘way out’ for all other ports
Ports within Secondary VLANs
For Secondary VLANs, there are 2 types of ports involved.
- Community Port
- Isolated Port
Community Port
- Hosts on community VLANs can communicate among themselves
- They can also communicate with the associated promiscuous port
- They cannot communicate with other Community Ports in other Community VLANs
Isolated Port
- A host on an isolated VLAN can only communicate with the associated promiscuous port in its primary VLAN
- It cannot even communicate with other Isolated Ports in the same Isolated VLAN
Configuration
If using VTP, make note of the following:
- VTP Version 3 supports Private VLANs
- However VTP must be turned off (in transparent mode) in order to configure Private VLANs
We can turn VTP to Transparent Mode by inputting the following command:
Switch(config)# vtp mode transparent
VLAN Configuration:
Configure the Primary VLAN:
Switch(config)# vlan [VLAN NUMBER] Switch(config-vlan)# private-vlan primary
Next, we make the Secondary VLAN(s), remember these can be either Community or Isolated VLANs:
Switch(config)# vlan [VLAN NUMBER] Switch(config-vlan)# private-vlan [COMMUNITY|ISOLATED]
Now associated our Secondary VLAN(s) to the Primary VLAN we made at the beginning:
Switch(config)# vlan [PREVIOUSLY CONFIGURED PRIMARY VLAN ID] Switch(config-vlan)# private-vlan association add [PREVIOUSLY CONFIGURED SECONDARY VLAN IDS]
Port Configuration:
To configure the port which acts as the Promiscuous Port:
Switch(config)# interface [INTERFACE YOU WISH TO BE THE PROMISCUOUS PORT] Switch(config-if)# switchport mode private-vlan promiscuous Switch(config-if)# switchport private-vlan mapping [PRIMARY VLAN ID] [SECONDARY VLAN IDS]
Next we configure the ports we want as Community Hosts:
Switch(config)# interface [INTERFACE YOU WANT TO CONFIGURE AS A HOST] Switch(config-if)# switchport mode private-vlan host Switch(config-if)# switchport private-vlan host-association [PRIMARY VLAN ID] [COMMUNITY VLAN ID]
Finally we configure the ports we want as Isolated Hosts:
Switch(config)# interface [INTERFACE YOU WANT TO CONFIGURE AS A HOST] Switch(config-if)# switchport mode private-vlan host Switch(config-if)# switchport private-vlan host-association [PRIMARY VLAN ID] [ISOLATED VLAN ID]
Verification
To see the Private VLANs configured on a Switch, use the following show command:
Switch# show vlan private-vlan
Revision Flashcard
Last but not least, I have put together a digital flashcard based on my notes.
Please be aware that neither this post nor this flashcard is to be taken as all the information you need to know for Private VLANs, it just contains the basics and is intended to be used as a supplement to your own notes and studies.
I hope it helps.