When using private VLANs, you have a primary VLAN, and then a secondary VLAN. The secondary VLAN can be a community VLAN or an isolated VLAN. Each secondary VLAN creates a subdomain within the primary VLAN.
Now each VLAN subdomain is identified using a combination of the primary VLAN ID and the secondary VLAN ID. For example, in the lesson, we have subdomain 501 within the primary VLAN 500. This combination identifies that particular Layer 2 subdomain. Now you can use the same secondary VLAN ID within another primary VLAN.
For example, using the lesson’s topology, you can create a new primary VLAN with an ID of 600 and create secondary VLANs with IDs of 501 and 502. These subdomains will be different than those created within VLAN 500.
Since each subdomain is identified using a pair of VLAN IDs (primary and secondary), then you can create many more subdomains within each of those. This is useful for service providers that must create Layer 2 domains for thousands of customers.
Thank you for the excellent writeup. I have already labbed it out in CML and have a few questions.
In my case i created the private vlans as follows.
Vlan600 = Primary
Vlan 601 = Community
Vlan 602 = Isolated.
I was curious if you could have normal devices in the primary vlan without any additional configuration. It seems that any device in the primary vlan neeeds to be configured as a promiscous port and mapped to the other private vlans?
Is that the case? I had the below config on the ports. I was unable to ping from host on gi0/1 to host on Gi0/2 on the pimrary vlan untill adding in the extra lines about promiscous and mapping.
Is it possible to have hosts on these vlans that just act like normal and can only talk to each other and not the secondarey vlans?
switchport access vlan 660
switchport private-vlan mapping 660 661-662
switchport mode private-vlan promiscuous
CORE01#sh run int gi0/2
Current configuration : 169 bytes
switchport access vlan 660
switchport private-vlan mapping 660 661-662
switchport mode private-vlan promiscuous
I also have another question.
The reason i am looking at private vlans is for an IOT vlan to be setup at work. These will host random IOT type devices and may use wired OR wireless connectivity.
What type of synergy do private vlans have with Cisco WLC and AP’s? if any?
I understand i can setup a wlan to block peer to peer communication. But this would only affect wifi clients on that LAN.
Is it possible to broadcast a SSID for a secondary vlan and have it able to communcaite with others if the secondary vlan is a community OR not communicate if its an isolated vlan?
I have tested it out too and have confirmed your findings. The only way to add another “normal” host to the 500 VLAN is to configure it as a promiscuous port as well. Even if you configure two other ports simply as access ports on VLAN 500, they will not communicate with each other. From the moment VLAN 500 is configured with the private-vlan commands, it can only function with the appropriate private VLAN commands.
After doing some research, I was unable to find any indication that the WLC is capable of using private VLANs. Typically, each SSID is configured on a per VLAN basis, and any routing needed between VLANs will be performed by a router on the network.
I understand the logic behind using private VLANs for particular SSIDs, however, the capability of isolating one wireless host from another is accomplished much more elegantly using the built-in peer to peer blocking option which disallows users from having direct access to other wireless clients even if they are on the same SSID, VLAN, and subnet. You enable this feature with a simple click in the GUI.
For wired IoT devices, you will need to use private VLANs if you want to achieve the same kind of isolation.
Would i push out the existing isolated private vlan = eg 602? to the WLC (is this even possible) or would it be an entirely seperate VLAN\network and just enable the peer to peer blocking and control wireless to wired acces via ACL, assuming they didn’t need L2 adjacency (would this be best accomplished directly on the WLC or durhter up on the core where our current ACL’s reside? )
If tey needed to talk to other members of the community vlan , is it possible to publish the SSID for the community vlan (withthe possibility for future community vlans at a later time). Or in this case if communication is needed between wired\wireless in the same vlan , it’d probably just be best to stand up a normal vlan and do away with the private community vlan.
I appreciate the time you took to make your question clearer with the diagrams and explanation, I believe I understand better what you want to do.
One solution is to separate the wired network from the wireless network and make them two different subnets. That way, you can apply PVLANs to block L2 traffic on the wired portion, PTP setting on the WLC to block L2 traffic on the wireless portion, and ACLs to block traffic between the two subnets. This is probably the simplest and most straightforward solution.
Alternatively, it would be possible to connect the WLC to an interface on the switch that is configured to be in promiscuous mode on the primary VLAN of the PVLAN config. That way, both wired and wireless IoT devices would remain on the same L2 segment, however, this would enable communication from a wireless IoT device on the primary VLAN to a wired IoT device on a community or isolated PVLAN.
What would solve this (and I’m thinking out loud here) is to connect the WLC directly to an isolated or a community private VLAN so that its wirelessly connected devices are subject to the same communication limitations as wired devices on the PVLANs. Without actually having implemented this, it sounds like a viable solution, assuming the connection between the WLC and the switch is an access connection and not a trunk. Although “router on a stick” or in this case “WLC on a stick” can be configured with the primary VLAN of a PVLAN configuration, I don’t believe it is possible to send a secondary VLAN over such a link in that way. This of course would limit your implementation to only a single subnet on that particular WLC.
Until some of these are actually attempted in real life, it is difficult to be sure what the behavior would be. Hopefully, some of this will have inspired you to do some experimentation and troubleshooting. If you do, let us know how you get along…
A private VLAN, as compared to a regular VLAN, is simply a VLAN that has some additional restrictions concerning which ports it can communicate with at Layer 2.
A regular VLAN can communicate at Layer 2 with hosts on any port assigned to the same VLAN.
Private VLANs have further restrictions based on several types of VLANs and ports that can be configured: community VLANs, isolated VLANs and promiscuous ports. As stated in the lesson:
Community VLAN: All ports within the community VLAN are able to communicate with each other and the promiscuous port.
Isolated VLAN: All ports within the isolated VLAN are unable to communicate with each other but they can communicate with the promiscuous port.
Both private VLANs and regular VLANs can communicate with any other VLANs via routing, using a default gateway.
Yes it is true that you can achieve similar results using access lists, however using private VLANs would be easier to manage. You can define restrictions based on VLAN IDs, and place the appropriate VLAN IDs on the ports you want. If you were to apply access lists, you would have to ensure that the IP addresses in those lists are updated correctly. What if a host gets an IP address from a DHCP server? That address may change at any time, and you would have to update the access list appropriately, which is not manageable. However, having a particular host on a particular VLAN can be achieved easily, regardless of the IP address of the host.
So there are situations in which private VLANs are more appropriate and manageable than using access lists.
Hello Laz ,
Thank you for your Constant Support . do we need a different IP Subnet for each secondary Vlan inside a Primary Vlan ? or we have only one Subnet for a Primary Vlan and all Secondary Vlans use this Layer 3 Subnet ip ?
the Question is about your previous Text on a Router on Stick connected to a promiscuous port:
“so that all hosts within all community and isolated VLANs will be able to reach the subinterface of the router and use it as the default gateway.”
Typically, all the hosts within a primary VLAN will be in the same subnet. Thus, all hosts within all secondary VLANs should have the same subnet. Remember, private VLANs provide a method of preventing communication between hosts that are on the same subnet.
My previous statement was simply stating that no matter what kind of secondary VLAN the hosts exist in, the default gateway should always be connected to a promiscuous port in order for the hosts to communicate outside of their own subnet, or outside of the primary VLAN, and not with each other. Does that make sense?
When the non-operational type appears, this means that there is a problem with the configuration. Make sure that you have configured your primary and your secondary VLANs correctly.
The only other issue is if the platform you are using supports private VLANs. The IOS may, but if the hardware is a 3550 for example, it won’t work. Check out Cisco’s Feature Navigator to see if your IOS and platform support the feature.
If I change this to a “switchport trunk private-vlan promiscous” then I loose connectivity to my 401-405. Without the statement, I don’t have 410(411/412) working. Is there any way to allow both over this cable or am I stuck with trying to make two cables to the device (one that deals with my private VLANs and the other than deals with normal vlans)?
If you want to carry both private and regular VLANs across a trunk, the best thing to do is to simply configure the trunk as you usually would, allowing all of the VLANs, including regular, primary, community, and isolated VLANs. Don’t use any private VLAN configuration on the trunk itself. As stated in this Cisco documentation:
Note: Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.
Also, as stated in this documentation when you configure private VLANs across multiple switches, they are sent just like any other VLANs, but they must be manually configured on both switches, or you must use VTP3 which supports private VLANs.
Finally, if you use a promiscuous trunk, you must keep in mind what such a trunk does to the VLAN IDs when they are sent through it. The following Cisco community post describes very clearly what happens in such cases:
I’m not completely sure what you want to achieve here with DHCPv6 and your isolated VLANs. In general, keep in mind that in order to get all hosts in all VLANs (primary, community, and isolated) to receive their IPv6 addresses via DHCPv6, the DHCP server must exist on the primary VLAN, and DHCP messages should enter the PVLANs on a promiscuous port. Otherwise, your hosts within an isolated VLAN will not be able to receive any DHCP messages.
In the event that you have multiple switches with trunks, you must first make sure that all the switches involved are PVLAN-aware. You must also ensure that you are configuring both switches correctly. Take a look at this NetworkLessons note on trunking Private VLANs for more info.
Can you give us some more information about your particular topology and the ultimate goal you want to achieve? That way we will be able to help you further.
After a short search, I have seen that some people have been successful in creating a GNS3 topology with private VLANs. I believe that the GNS3 forum is an excellent source for solutions to these types of problems. For example, take a look at this post that shows a topology with private VLANs on GNS3. https://www.gns3.com/marketplace/labs/private-vlan
In the past private VLANs were not configurable on GNS3 but recent updates have allowed it. I suggest you do a little bit of research to further examine where the problem is in your topology.