Private VLAN (PVLAN) on Cisco Catalyst Switch

senan.alkaaby · January 7, 2016, 1:05am

Hello Rene,

Just a question please, this lab is the same as PVLAN in Switching CCNP, but the course should be for CCIE, so i am a little confused , what did you add to this course as an CCIE ? or it is only a review for the PVLAN . can you please clarified ?

ReneMolenaar · January 7, 2016, 1:25pm

Hi Sinan,

That’s right, it’s the same lesson. There’s nothing more on CCIE-level that you need to know about private VLANs so I added it here as a review.

Rene

satishaluvalayahoo-c · February 1, 2016, 5:16pm

Why private VLAN’s are used?

ReneMolenaar · February 3, 2016, 12:46pm

Within a VLAN it’s hard to implement security, the private VLANs allows you to isolate traffic within a VLAN even more.

Openlearner · February 15, 2016, 10:19pm

Hi Rene,
Thanks for the explanation is very clear. My question is:
Who is going to use private vlans? If you can configure access-lists to block or allow traffic
I haven’t ever had to configure private-vlans but I had configure access-lists.
Please advise

andrew · February 16, 2016, 12:30am

Alfredo,
Private VLANs are often implemented in shared environments where multiple, independent entities need the same IP space, but should be isolated from each other (ISP co-location, for example). Access-lists won’t really work if you are trying to keep two machines isolated from each other within the same IP subnet, and MAC based ACLs can get messy.

–Andrew

artfabre88 · March 7, 2016, 3:13pm

Great tutorial, clear and concise.

jmwalker24 · March 27, 2016, 7:42pm

In your example to configure the promiscuous port…. You wrote:

SwitchA(config)#interface fa0/24
SwitchA(config-if)#switchport mode private-vlan promiscuous
SwitchA(config-if)#switchport private-vlan mapping 500 501

Can you have more than one promiscuous port? If yes - What if you wanted to include additional servers (additional ports). Let say you had 5 servers (fa0/20, fa0/21, fa0/22, fa0/23, fa0/24). Would you have to config each interface separately or could you just do something like this?

SwitchA(config)#int fa0/20 - 24
SwitchA(config-if)#switchport mode private-vlan promiscuous
SwitchA(config-if)#switchport private-vlan mapping 500 501

ReneMolenaar · March 28, 2016, 12:00pm

Hi Jason,

Multiple promiscuous ports is no problem. You can configure an entire range of interfaces like that but make sure you use the interface range command:

Switch(config)#interface range fa0/20 - 24
Switch(config-if-range)#switchport mode private-vlan promiscuous 
Switch(config-if-range)#switchport private-vlan mapping 500 501

Rene

jmwalker24 · March 29, 2016, 5:41pm

You have primary VLAN 500, community VLAN 501, Isolation VLAN 502… If all this (primary VLAN 500) had a layer 3 switch connection (promiscuous port)… would they be able to communicate through the Layer 3 switch?

ReneMolenaar · March 30, 2016, 7:39pm

Hi Jason,

That’s right. All that you need is an IP address that you can reach on the promiscuous port.

Rene

Fabian_Martinez1 · April 5, 2016, 1:28am

Hello,

I have a question can a secondary vlan communicate with another regular vlan? in other words a vlan that isnt configured as a primary?

Thanks

jmwalker24 · April 5, 2016, 8:45pm

Could you provide a description of the trunking configuration for that second diagram (SwitchA and SwitchB)?

ReneMolenaar · April 5, 2016, 9:14pm

@Fabian,

The secondary VLANs will only be able to communicate with the promiscious port, not with other VLANs. They are “trapped” in their primary VLAN.

@Jason,

I’ll add an example for this in a couple of days. I’ll post it here.

Fabian_Martinez1 · April 6, 2016, 3:14am

Hi Rene,

Let’s say we have a request to add a private vlan on an access switch. Access switch connects to core, core is connected to a firewall. In some cases, the SVI between the core and firewall are already configured as a normal vlan. If we add a primary vlan config under this interface (SVI) will it change it to a primary and a regular vlan? Is this possible? Or will it become a “primary” vlan for the secondary private vlan and loose its prior connfig? Whats the best method to implement a private vlan to an already existing access switch, that is connected in the same fashion I mentioned earlier without breaking anything? Assuming the SVI connected to the fireall is default gateway for hosts to the internet? I hope I correctly explained myself.

Thanks

ReneMolenaar · April 6, 2016, 8:10pm

Hi Fabian,

When you configure a VLAN as the primary VLAN then it will be primary. It can’t be the primary and “regular” VLAN at the same time. When you want to migrate to a private VLAN…do it when nobody is around, it’s easy to break stuff

Do you want to use private VLANs to prevent server-to-server traffic? If so, I would configure a new VLAN as the primary VLAN with some new secondary VLANs. Assign some unused switchports to it, see if it works. Configure the interface that connects to the firewall as the promiscuous port. When it works, you can assign the switchports from the servers in the “regular” VLAN to your new secondary VLAN.

Rene

Fabian_Martinez1 · April 16, 2016, 9:29pm

Great thanks Rene, ended up using a VACL instead as it wouldn’t break anything and wouldn’t require a change control. I’m sure this will come up eventually though

Thanks

ReneMolenaar · April 17, 2016, 12:28pm

Hi Fabian,

That’s good to hear.

Protected ports, VACLs and PACLs are great alternatives since they don’t require as much changes as private VLANs.

Rene

shantel · December 26, 2016, 10:48pm

19 posts were merged into an existing topic: Private VLAN (PVLAN) on Cisco Catalyst Switch

networkat · April 17, 2016, 5:47pm

do we have to run (switchport access vlan ##) on community or isolated ports?