Private VLAN (PVLAN) on Cisco Catalyst Switch

Hello Edi

The interfaces connecting SW1 and SW2 are configured as trunks that carry VLANs 500, 501 and 502. Although Rene’s diagram doesn’t tell us which interface this connection is on, let’s assume that it’s Fa0/5. The configuration for these interfaces can be seen below:

**Switch 1**

interface fastethernet 0/5
 switchport mode trunk
 switchport trunk allowed vlan 500,501,502

**Switch 2**

interface fastethernet 0/5
 switchport mode trunk
 switchport trunk allowed vlan 500,501,502

I hope this has been helpful!

Laz

Hello Rene,

My question is, is there any way you can use static route if you still want to have connectivity between community vlan and isolated vlan ? if so, can you please provide an illustration example ?

Hello Manuel!

Sorry for the late reply. Your question is a good one! First of all, let’s clarify that the functionality of PVLANs is at layer two, that is, it functions using switch ports as criteria to allow and disallow communication. Layer three IP addressing and routing does not come into play. All hosts within the primary VLAN, the secondary Community VLAN and the secondary Isolated VLAN are in the SAME subnet. That means that, if no private VLANs were configured, they would all be on the same VLAN and they would communicate with each other WITHOUT routing.

Adding the private VLAN functionality essentially segregates the VLAN into parts using only layer two functionality. That is, specific ports can speak with each other and others cannot. Routing does not come into play at all.

Having said all that, the answer to your question is no, static routing cannot be used to allow connectivity between a community and isolated VLAN. Actually, there is no way to create an exception to allow an isolated VLAN to communicate with a community VLAN. If you want a host on an isolated VLAN to communicate with the community VLAN, then just change the VLAN of its port to the community VLAN.

I hope this has been helpful!

Laz
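To tie Laz’s two answers together (the trunk between SW1 and SW2, and the fact that community and isolated hosts share one subnet and are separated purely at layer 2), here is a complete two-switch PVLAN configuration. It is an added example, not configuration from the lesson or from Laz’s posts. The VLAN numbers follow the thread (500 primary, 501 community, 502 isolated) and Fa0/5 is the trunk as assumed above; every other interface number and the placement of the promiscuous port are assumptions.

```ios
! Added example, not the lesson's configuration. VLAN numbers follow the
! thread; interface numbers other than Fa0/5 are assumed.
!
! ---- Identical on SW1 and SW2 ----
! Before VTPv3 the PVLAN definitions are local, so each switch needs them.
vtp mode transparent
!
vlan 501
 private-vlan community
vlan 502
 private-vlan isolated
vlan 500
 private-vlan primary
 private-vlan association 501,502
!
! Ordinary 802.1Q trunk between the switches. PVLAN frames cross it with
! their normal VLAN tag; the isolated/community rules are enforced by the
! host ports, not by the trunk.
interface fastethernet 0/5
 ! "switchport trunk encapsulation dot1q" is needed first on platforms
 ! that also offer ISL (e.g. 3560); the 2960 does not accept it.
 switchport mode trunk
 switchport trunk allowed vlan 500,501,502
!
! ---- SW1 only ----
! Host ports: one community member and one isolated host.
interface fastethernet 0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 500 501
interface fastethernet 0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 500 502
!
! Promiscuous port toward the server or router: reaches every secondary VLAN.
interface fastethernet 0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 500 501,502
!
! ---- SW2 only ----
! More members of the same community and isolated VLANs. No second
! promiscuous port is required; the trunk carries their traffic to Fa0/24 on SW1.
interface fastethernet 0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 500 501
interface fastethernet 0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 500 502
!
! Resulting reachability, all hosts in one IP subnet, no routing involved:
!   SW1 Fa0/1 <-> SW2 Fa0/1 : yes (same community 501, across the trunk)
!   SW1 Fa0/2 <-> SW2 Fa0/2 : no  (isolated 502 hosts never reach each other)
!   SW1 Fa0/2 <-> SW1 Fa0/1 : no  (isolated <-> community is never allowed)
!   any host  <-> SW1 Fa0/24: yes (promiscuous)
!
! Verification on either switch:
!   show vlan private-vlan
!   show interfaces fastethernet 0/1 switchport
```

The reachability table in the comments is the whole answer to Manuel’s question: there is no configuration knob that lets an isolated host reach a community host, so the only way to change the outcome is to move the host’s port to the community VLAN.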

hi Rene/Laz

I have a question. I am trying to figure out how SVIs and VLANs work. Is it possible to have 2 instances of the same VLAN number on Cisco switches?
For instance, can I create int vlan 10 2.2.2.2 /24 and int vlan 10 3.3.3.3 /24 on the same box?

Regards

Hello Kuda

Before I answer your question, if you were to attempt to configure what you describe above, you would have to implement the following commands:

SW1#configure terminal
SW1(config)#interface VLAN 10
SW1(config-if)#ip address 2.2.2.2 255.255.255.0
SW1(config-if)#exit
SW1(config)#interface VLAN 10
SW1(config-if)#ip address 3.3.3.3 255.255.255.0
SW1(config-if)#exit
SW1(config)#

If you were to enter those commands, you would essentially define the IP address of VLAN 10 as 2.2.2.2 and then you would redefine it as 3.3.3.3.

So, the answer to your question is no. Each SVI must have a unique VLAN number, as must every VLAN configured in a switch.

You can however have an SVI on VLAN 10 on switch 1 and have a second SVI on VLAN 10 of a neighbouring switch, and configure each of those with a separate IP address.

For example, if SW1 and SW2 are connected via an access port on VLAN 10, you can configure interface VLAN 10 on SW1 with an IP address of 2.2.2.2/24 and interface VLAN 10 on SW2 with an IP address of 2.2.2.3/24. Notice that these are both in the same subnet of 2.2.2.0/24. If they were not, then in most cases this would be considered a misconfiguration as they would not be able to communicate with each other. Also, because SVIs are usually used as default gateways for the hosts on the VLAN, the hosts on the subnet would not be able to communicate correctly with their default gateway.

I hope this has been helpful!

Laz

hi Laz
understood , thank you very much for clarifying :slight_smile:

Regards

Kuda

Hi Rene, I know this is a Private VLAN on a Catalyst switch, but have you configured Private VLAN on a Cisco Small Business SG300 switch? I am looking to configure most of the ports as isolated ports and then a trunk to other switches with isolated ports, and also an uplink to another switch towards the core router. I am having problems configuring the trunk links and need help.

Hi @unitynetworks,

I never configured it on an SG300 but it seems to be supported. Not sure if you can span it between two switches. Does it work with a single switch?

Hi Rene

I have been able to get a private VLAN working across 2 SG300 switches. The only issue I have is setting up a promiscuous trunk port on the SG300, as there does not seem to be an option to set this up on the SG switch.

Hello Simon.

The SG300 switches can have their ports configured as EITHER promiscuous access ports OR trunk ports. (See Step 4 on pages 236 and 237 of the Cisco 300 Series Managed Switches Administration Guide.)

The Promiscuous trunk port is only supported on the Catalyst 4500 and 6500 series and their successors. However, that being said, it is probably not necessary for you to do this. As Cisco says,

“PVLAN promiscuous trunks are used in situations where a PVLAN promiscuous host port is normally used, but where it is necessary to carry multiple VLANs, either normal VLANs or multiple PVLAN domains. You can connect to an upstream router that does not support PVLANs, such as a Cisco 7200 router.”

Secondly, Cisco also suggests that:

You should use standard trunk ports if both switches that use trunking support PVLANs.

So if you’re using two SG300s, you don’t need to configure a promiscuous trunk port since both devices support PVLANs. Just use a standard trunk connection between them and configure the access ports on the other switch to be community, promiscuous or isolated as you would do if you had only one switch.

I hope this has been helpful!

Laz

Hi, I have a question regarding the syncing of private VLANs across VTP v3. It’s stated that you must configure the switch to use transparent mode while using private VLANs, but on the VTP v3 page it states that you can sync up private VLANs. I’m just wondering how this is possible when using transparent mode on the switches?

Thanks

Hello Michael

Until VTPv2, the common practice was to create private VLANs only on transparent switches because VTP didn’t support the transmission of private VLAN information between VTP switches. This was best practice so that other switches wouldn’t be flooded with unnecessary private VLAN traffic. Thus, older documentation states that private VLANs should be implemented manually on a transparent switch only.

With the advent of VTPv3, private VLANs are now transmitted via VTP, so you no longer have to adhere to this best practice. So, you can create private VLANs on VTP servers without hesitation if you are using VTPv3 and all your switches support this version.

I hope this has been helpful!

Laz
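What Laz’s advice looks like in configuration, as an added example (not from the lesson or from Laz’s post): every switch in the domain must run VTP version 3 itself, because the version is not propagated, and only the VTPv3 primary server may create or change VLANs, private VLANs included. The domain name, password and VLAN numbers are assumptions.

```ios
! Added example, not the lesson's configuration. Domain name and password
! are placeholders; VLAN numbers follow the thread.
!
! ---- On every switch in the domain ----
vtp domain LAB
vtp version 3
vtp mode server
vtp password CHANGE_ME
!
! ---- Privileged EXEC, once, on the switch that will own the VLAN database ----
! (this is an EXEC command, not part of the running configuration)
!   SW1# vtp primary vlan
!
! ---- Then define the private VLANs on that primary server only ----
! VTPv3 advertises them to the other servers and clients in the domain.
vlan 501
 private-vlan community
vlan 502
 private-vlan isolated
vlan 500
 private-vlan primary
 private-vlan association 501,502
!
! Checks on any switch:
!   show vtp status          (look for "VTP version running: 3")
!   show vlan private-vlan   (the PVLANs should appear without local configuration)
```

If one switch in the domain still runs VTPv1 or v2, it will not receive the private VLAN definitions and has to be handled the old way, in transparent mode with the PVLANs configured by hand.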

If the Primary VLAN is also an SVI (on a layer 3 switch for example) then would you not also need this config on the SVI:

interface vlan 500
 private-vlan mapping 501,502

In the lesson example no routing is configured, but in the real world the hosts would need to talk to their default gateway :smile:

I am not sure if routing on a stick is possible with private VLANs
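The SVI configuration the post asks about, plus the check a defender would want next to it, as an added example that is not from the lesson or from this post. The mapping makes the SVI the promiscuous member for both secondary VLANs, so one gateway address serves community and isolated hosts. Because the isolation is a layer 2 property, the gateway should also refuse to route packets back into its own subnet; otherwise a host that addresses a packet to the gateway’s MAC with the IP of another host in the subnet asks the switch to forward it, and the promiscuous SVI can deliver it. The subnet 192.168.50.0/24 and the ACL name are assumptions.

```ios
! Added example, not the lesson's configuration. VLAN numbers follow the
! thread; the subnet and the ACL name are assumed.
!
! The SVI on the primary VLAN is mapped to both secondary VLANs, which makes
! it the promiscuous member of the PVLAN domain: hosts in 501 and 502 all use
! 192.168.50.1 as their default gateway.
interface vlan 500
 ip address 192.168.50.1 255.255.255.0
 private-vlan mapping 501,502
!
! Defensive check: traffic between two hosts of this subnet must stay at
! layer 2, where the PVLAN rules apply. A packet that arrives at the SVI with
! both source and destination inside 192.168.50.0/24 is a hairpin through the
! gateway and is dropped. Normally switched community traffic never reaches
! this ACL, so it is unaffected.
ip access-list extended PVLAN_GW_IN
 deny ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip any any
!
interface vlan 500
 ip access-group PVLAN_GW_IN in
 ! Leave local proxy ARP off (it is off by default); "ip local-proxy-arp"
 ! would make the SVI answer ARP for every host in the subnet and defeat
 ! the isolation.
!
! Verification:
!   show interfaces private-vlan mapping
!   show access-lists PVLAN_GW_IN   (hit counter on the deny line)
```

Router-on-a-stick works the same way in principle: the router’s subinterface is attached to a promiscuous port on the switch (or a promiscuous trunk on platforms that support it), and the same subnet-to-subnet deny belongs on that subinterface.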

Hi Rene,

I have users connected to layer 2 switches, and these layer 2 switches connect to CORE layer 3 switches with 20 SVIs. I would like to protect the Human Resources SVI from other SVIs being able to reach or try to connect to it, but I need the IT Department to be able to reach Human Resources. Do you use PVLAN or Access-List? Please provide a configuration example.

Thanks

Hello Alfredo,

If you want to restrict traffic like this, I would add access-lists on the SVI interfaces. PVLANs are useful when you have devices in the same VLAN but you want to restrict them. An example could be a hosting provider that uses one VLAN for servers and you want to prevent traffic between two servers from different customers.

ACLs on switches can be tricky though. They are not stateful so if you want to permit traffic from IT > HR but deny traffic from HR > IT, that will be difficult. Normally you can use reflexive access-lists for that but usually, only routers support this.

An alternative to the reflexive access-list is using the “established” option in access-lists. This checks for the ACK flag in TCP segments. It works for TCP, but that’s it.

If you just want to deny traffic from different VLANs to HR and traffic between HR/IT is no problem, then it’s easy.

You could try something like this. Imagine we have three VLANs:

  • Human Resources department: VLAN 10 - 192.168.10.0/24
  • Engineering: VLAN 20 - 192.168.20.0/24
  • IT Department: VLAN 30 - 192.168.30.0/24

Here’s an access-list:

SW1(config)#ip access-list extended INBOUND_HR
SW1(config-ext-nacl)#permit ip 192.168.30.0 0.0.0.255 any
SW1(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 any
SW1(config-ext-nacl)#permit ip any any

SW1(config)#interface vlan 10
SW1(config-if)#ip access-group INBOUND_HR out

This ACL permits traffic from the IT department, denies traffic from any other VLAN and then permits anything else (Internet traffic).

Rene
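The harder case Rene describes, where IT may open connections to HR but HR may not open connections to IT, using the “established” option, as an added example that is not part of Rene’s answer. It reuses the three VLANs and subnets from his list; the ACL name is an assumption. On an SVI, an ACL applied with “in” evaluates the packets that the VLAN’s own hosts send toward the switch, so this list is applied inbound on the HR SVI and only ever sees HR-originated traffic.

```ios
! Added example, not the lesson's configuration. VLANs and subnets follow
! Rene's list; the ACL name is assumed.
!
! Applied inbound on the HR SVI, so every packet evaluated here was sent
! BY an HR host.
ip access-list extended HR_ORIGINATED
 remark Replies to TCP sessions that IT opened toward HR (ACK or RST set)
 permit tcp 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 established
 remark HR may not open new sessions toward IT: a SYN without ACK lands here
 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
 remark HR needs nothing on the other internal VLANs in this example
 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark Everything else (Internet) is allowed
 permit ip any any
!
interface vlan 10
 ip access-group HR_ORIGINATED in
!
! Limits of "established": it only looks at TCP flags. UDP replies from HR
! (a DNS answer, for example) and ICMP are not covered and would need their
! own permit lines, and any packet with ACK set is accepted whether or not a
! real session exists. True session tracking needs a stateful firewall.
!
! Verification:
!   show access-lists HR_ORIGINATED   (per-line hit counters)
```

This list and a list that filters traffic toward HR are complementary: one decides what may enter the HR VLAN, the other decides what HR hosts may start themselves.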

Hi Rene and staff,
thanks for your work
In this lesson, I am quite lost because I cannot lab these things with GNS3.
Can I summarize things in this way:

  • on a single SW you can have many promiscuous ports for one single primary vlan

  • on a single SW you cannot have one single promiscuous port for 2 different primary vlans

but i find ambiguity with


Please could you clarify ?

Also

  • when the same primary VLAN is set on 2 SWs linked by a trunk
  1. in what case is a normal trunk (switchport mode trunk) sufficient? In this case, could you confirm that there is only one single promiscuous port on the uplink SW?
  2. are there any other cases (when SWs are linked) in which you could have 2 promiscuous ports, one on each SW?

To summarize, please could you clarify setting and operational modes on ? ports

Regards

Hi Rene and staff,

reading the forum one more time, i read

[Image14: forum screenshot not preserved]

That is what I try to understand because (learning private-vlan from scratch) I can’t see in the lesson that there are two types of promiscuous ports: access and trunk.
In the first example (one single SW), when you show fa0/24 switchport, you cannot see if the operational mode is access or trunk.
[Image16: show command output not preserved]

It is easy to suppose it is access because there is a server S1 behind fa0/24.
But how can you troubleshoot if the show command does not output whether it is access or trunk?

Regards

Hi Rene and staff
I noticed a typo

Hello Dominique

As for your questions about the differences between the statements in the forum, yes, you’ve got it, it has to do with access or trunk ports. It wasn’t made clear originally, but thanks for pointing that out.

Yes it is interesting that it doesn’t show up in the output, however, you can determine if a port is a trunk or access port by other means, so it just means that you’ll have to do a little more investigating for troubleshooting purposes.

Also, thanks for pointing out the error in my previous post, I have since corrected it.

I hope this has been helpful!

Laz

Thank you Laz, yes it is helpful (as usual).
I read carefully the content of the link you provided in the forum.

It seems that the lesson gives only basic private-vlan configuration: am I right?
I suppose this is all we have to know for CCNP certification, but CCIE? (and real life?)
I understand the promiscuous (access) port: OK

But I do not understand very well the promiscuous VLAN trunk port (I found it in the link above) and that frustrates me!
Could you clarify it with a use case? (perhaps in the future in a new lesson?)
I bought 2 x SW 3570 (used) for my certification but I cannot lab it (the command switchport private-vlan trunk promiscuous is not available).

Regards