Hi Ahmed,
This is not needed, the mapping is done with the private VLAN commands.
Rene
Hi Rene,
I am currently using a Cisco 3750 switch for private VLANs. I have configured VLAN 100 (primary), 101 (isolated) and 102 (community), and also VLAN 200 (primary), 201 (isolated) and 202 (community), and assigned these to the relevant ports. However, I am trying to use int fa1/0/24 as a promiscuous port, and when using the show vlan private-vlan command I get the below:
primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       isolated          Fa1/0/1, Fa1/0/2
100     102       community         Fa1/0/5
200     201       community         Fa1/0/3, Fa1/0/24
200     202       isolated          Fa1/0/6, Fa1/0/24
Why is the promiscuous port only mapped to the primary and secondary VLAN 200 and not the primary and secondary VLAN 100?
Thanks for your detailed and well-explained article above, as it has helped me; however, my only concern is the above question. Thanks.
Zahir,
I believe your issue is that you are trying to have a single physical port be part of more than one primary VLAN. Cisco says this is not allowed. When you configured 1/0/24 as part of the 200 primary vlan, it lost its ability to be associated with your secondary vlans associated with VLAN 100.
To test this theory, simply reverse the order in which you enter the config, so that you start with the 200 vlans, then do the 100s. The end result should be the opposite.
Here is a Cisco article that talks about this, and the most relevant parts are:
A promiscuous port can serve only one primary VLAN and multiple secondary VLANs (community and isolated VLANs).
You can associate a secondary VLAN to more than one promiscuous port, as long as the promiscuous port and secondary VLANs are within the same primary VLAN
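An added example, not part of the thread or of Cisco's documentation: a short Python audit of the `show vlan private-vlan` output quoted in the question, listing primary VLANs that have no port shared by all of their secondary VLANs and ports that appear under more than one primary. It assumes a promiscuous port is displayed next to every secondary VLAN it is mapped to, and that each primary has at least two secondaries (with only one, every host port would look shared); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Output quoted from the question above (show vlan private-vlan).
SAMPLE = """\
primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 101 isolated Fa1/0/1, Fa1/0/2
100 102 community Fa1/0/5
200 201 community Fa1/0/3, Fa1/0/24
200 202 isolated Fa1/0/6, Fa1/0/24
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(isolated|community)\s*(.*)$")

def parse(output):
    """Return {primary: {secondary: set(ports)}} from the command output."""
    table = defaultdict(dict)
    for line in output.splitlines():
        m = ROW.match(line)
        if m:  # header and separator rows do not match and are skipped
            primary, secondary, _type, ports = m.groups()
            names = {p.strip() for p in ports.split(",") if p.strip()}
            table[int(primary)][int(secondary)] = names
    return dict(table)

def shared_ports(table):
    """Ports listed under every secondary VLAN of each primary.

    Assumption: these are the promiscuous-port candidates for that primary.
    """
    return {pri: set.intersection(*secs.values()) for pri, secs in table.items()}

def audit(output):
    """Return (primaries with no shared port, ports seen under >1 primary)."""
    table = parse(output)
    uncovered = sorted(p for p, ports in shared_ports(table).items() if not ports)
    owners = defaultdict(set)
    for primary, secs in table.items():
        for ports in secs.values():
            for port in ports:
                owners[port].add(primary)
    conflicts = {port: sorted(v) for port, v in owners.items() if len(v) > 1}
    return uncovered, conflicts

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the quoted output this reports primary VLAN 100 as having no shared port, which matches what the question observed for Fa1/0/24.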
Hi Andrew,
Thanks for your prompt reply, that clears things up. I assumed we should be able to trunk more than 1 primary VLAN over the promiscuous port due to being able to use 802.1q. Looks like I mistook this for normal VLAN trunking.
Hello Rene,
Great, clear and concise! One question…
What is the objective of private VLANs, and in which network scenario will we use private VLANs? Many thanks
br//
zaman
Zaman,
An example of when private vlans might be used would be in a shared hosted environment, where multiple customers are using the same address space, but they should not be allowed to communicate directly with each other. In this case, the provider's gateway would be set as the primary/promiscuous port, and the customers would be set either as community or isolated depending on the customers' needs.
Wikipedia has a section that talks about use cases for private vlans here:
https://en.wikipedia.org/wiki/Private_VLAN#Use_cases
Hello Rene/ Andrew, how do you configure private VLANs in GNS3? Tried to forge a router, which allows VLAN creation but not private VLAN. Which specific IOS image?
Hi Rene/Andrew, I tried to emulate this in GNS3 with a router as a switch, but it does not let me create a private VLAN. Is there any specific IOS for the purpose, or am I missing something?
Parajuli,
Unfortunately, Private-VLANs is one of those topics that is not supported either on GNS3 or VIRL I believe. In this case, you will either need to get your hands on real gear, or do a rack rental via INE or IPExpert.
Hello Rene,
I did the lab exactly but I'm having some issues: the isolated VLANs are able to ping each other. I even did it 2 times and copied and pasted your commands, and had the same issue! I'm using GNS3 IOU for this as well. Any advice, please?
thanks
Eng,
Check out my reply above your comment -----^
Private vlans and GNS3 don't mix with my testing.
Hi,
As you told: "Configuring private VLANs requires us to change the VTP mode to Transparent."
Can you please tell the reason?
Changing VTP to transparent mode is really only required if VTP version 1 or 2 is being used. The reason is because those VTP modes don't support the higher VLAN ranges used for PVLANs.
Starting with VTP version 3, however, Private VLANs are not only supported, but the configuration is also propagated by VTP. If you are curious, there is a Network Lesson on VTP Version 3.
Hi,
In a multilayer switch, what does the configuration look like?
Thanks
Hello sims
The configuration of private VLANs in a multi-layer switch would be exactly the same.
Laz
Hello Rene,
Would you please let me know if I can configure multiple trunk ports in a switch as promiscuous ports for a single primary vlan? Also can a single trunk port be configured as a promiscuous port for multiple primary vlans? If so, please explain.
Thank you so much.
Azm
Hello Azm
Yes, it is possible to configure multiple trunk ports as promiscuous ports for a single primary VLAN. You would configure this if you want to span a primary VLAN over three switches for example.
Secondly, it is possible as well to configure a single trunk port as a promiscuous port for multiple primary VLANs. This again, would be the case if you have multiple primary VLANs that you want to span over more than one switch. Specifically, Cisco states:
Multiple private VLAN pairs can be specified using the switchport private-vlan mapping trunk command so that a promiscuous trunk port can carry multiple primary VLANs.
Also, Cisco states:
The maximum number of unique private VLAN pairs supported by the switchport private-vlan mapping trunk command is 500. For example, one thousand secondary VLANs could map to one primary VLAN, or one thousand secondary VLANs could map one to one to one thousand primary VLANs.
However, keep the following guidelines in mind:
I hope this has been helpful!
Laz
Hello Laz,
Very nice explanation as usual. Thank you so much.
Azm