Private VLAN (PVLAN) on Cisco Catalyst Switch

(Rene Molenaar) #1

This topic is to discuss the following lesson:

0 Likes

(Edwin P) #2

Hi Rene,
I trying to lab this up but how exactly to did you configure the trunk port between the 2 switches as a promiscuous port?
switchport mode is then promiscuous…not trunk…or am i missing something?
I am talking about the private-vlans across 2 switches (the last diagram here)

Thanks

Edwin

0 Likes

(Rene Molenaar) #3

Hi Edwin,

I think I left the “prom” icon on SwitchB there by accident, you don’t have to do anything special with the trunk. Just a regular 802.1q trunk between SwitchA + SwitchB is what you need to get this working.

Let me know if that works ok? I’ll fix the picture and if required I can create a configuration example for this.

Rene

0 Likes

(Rene Molenaar) #4

Just updated the picture.

0 Likes

(Edwin P) #5

Hi Rene,

It worksyes , i have found out that a switch that does not support private vlans natively (like the 3550) can actually also serve as “passthrough” as long as the community,isolated and primary vlan are created on it, the passthrough switch is then off course not intended to have any workstations configured in those vlans as they would not be able to communicate with the promisscuous port anyhow…interresting.

thanks for your great article!

0 Likes

(Edwin P) #6

PS: What program do you use to draw these layouts?

0 Likes

(Rene Molenaar) #7

It’s all done in Visio and the VisioCafe stencils:

http://www.visiocafe.com/vsdfx.htm

0 Likes

(Srinivasan C) #8

Hi Rene,
I doest not want to give access to some of my servers for some hosts in isolated community.
Can I configure some servers and some hosts in isolated community as protected ports
while allowing other hosts in isolated community to access servers ?
Does it work with private-vlan?

Thanks ,
Srini

0 Likes

(Rene Molenaar) #9

Hi Srini,

I think you are better off with creating some access-lists for this. If you use an isolated VLAN then all devices within the isolated VLAN will be unable to talk with each other. It’s used for separation within the VLAN.

For your hosts, it’s probably easier to create two regular VLANs for your hosts and one (or more) VLAN(s) for your servers. Use access-lists to permit/deny traffic between these different VLANs.

Rene

0 Likes

(Siva S) #10

Hi Rene,

Regarding this statement : “Secondary VLANs are unable to communicate with other secondary VLANs.”

Based on your first example on top, let’s say if :

Computer A and B are inside Secondary Community Vlan 501

And Computer C and D are inside Secondary Community Van 502.

Am i right to say, Computer A and B won’t be able to ping C and D?

 

Had to confirm this as I’m unable to test this on my emulator.

Thanks & Regards,

Siva

 

0 Likes

(Rene Molenaar) #11

Hi Siva,

That’s right, there is no communication between these two secondary VLANs.

Rene

0 Likes

(Frades) #12

Great lessons rene! easy to understand!

my question is, how can i simulate this one? especially the computers and servers?

my plan is to purchase the normal lab which are:

2 x 2950

1 x 3560

i only have a laptop. no other computers around. is there any other way i can simulate the computers? thanks!

0 Likes

(Frades) #13

Followup question on Siva.

So secondary vlans cant talk with other secondary vlans. in short, community vlans cant talk with other community vlans that have a different VLAN? right?

Community 501 and Community 502 = users on 501 cant talk with 502 and vice versa right?

but what if you spanned the private vlans on trunk

 

Community 501 – Switch -(TRUNK)- Switch – Community 501

can the left side community 501 users can talk with the right side community 501 users?

 

0 Likes

(Rene Molenaar) #14

Hi John,

If you have no computers then you can also use switches, routers or USB NICs.

For example you could use the VLAN 1 interface on your 2950 switches to have something to ping with. Connect them to your 3560 with an interface in access mode VLAN 1 on the 2950 side.

Multiple cheap USB nics is also an option, you can use these to connect them to virtual machines on your computer.

You are correct about the secondary VLANs. One secondary VLAN can’t talk with another secondary VLAN. Users in community VLAN 501 can only communicate with 501, not with 502.

Spanning a community VLAN over a trunk is no problem.

Rene

0 Likes

(Jeppe A) #15

If I understand this correct, then the hosts on Switch A VLAN 501 are able to communicate with the hosts on Switch B VLAN 501?

0 Likes

(Rene Molenaar) #16

That’s right, as long as VLAN 501 is a community VLAN.

0 Likes

(Ali K) #17

Hi Rene,

Interesting article.

I have a question about switchB in the 2nd diagram, The trunk Port on the switchB should be configured as promiscuous port as well to map Secondary vlans with primary ?

0 Likes

(Rene Molenaar) #18

Hi Ali,

You will have to configure the same mapping on the second switch yes. If both switches understand Private VLANs then you only need a “regular” trunk.

If one side doesn’t understand private VLANs (maybe a router) then you could configure a “promiscuous PVLAN” trunk.

The promiscuous PVLAN trunk rewrites the 802.1q tag from the secondary VLAN to use the primary VLAN tag before it forwards it out of the trunk. You could use this for a router-on-a-stick scenario, it’s only supported on the 4500 switches or higher though.

Rene

0 Likes

(Mario C) #19

Hello Rene,

This is my first time on this site and I am enjoying it. For the CCIE exam, do you recommend memorizing how to configure Private Vlans as an example? Or what about learning the concept and using the DOC CD for the configurations?

Mario

0 Likes

(Rene Molenaar) #20

Hi Mario,

Glad to hear you like it!

When I was studying for the lab I would always forget some of the syntax for private VLANs. If you encounter this, I would use the docCD to find the configs, copy/paste them to notepad, edit them and paste in on your switches :slight_smile:

Rene

0 Likes