Hello Dominique
Yes, that is indeed the case. Private VLANs can become more involved and may go beyond what is required for certification.
I believe a better description of promiscuous trunks can be found in this documentation. It explains standard trunks and compares and contrasts them with private VLAN trunks, including the promiscuous trunk and how they are used and configured.
I hope this has been helpful!
Laz
hi Rene and staff,
i am yet studying private-vlan as it seems not obvious for me
I lab my own topology with real 3750 and real PCs like below
PC1 can not ping PC2, because PC1 belong to secondary community 152 and PC2 belong to secondary community 153 as the port are in mode private-vlan host
From this topology my question is (just for investigating and understanding the concept of private-vlan): is it possible to add a configuration in which PC1 can ping PC2 with a L3 routing.
The GW of the PCs are inoperant because the PCs are in the same subnet
PC1âs GW is SVI 150 on SW-UP with IP 10.99.100.12
PC2âs GW is SVI 150 on SW-DOWN with IP 10.99.100.11
So âprivate-vlan mappingâ in sub command interface vlan 150 is inoperant
The case could be: all PCs plugged in SW-UP belong to 150/152 to prevent to communicate with PCs plugged in SW-DOWN as they are in community 150/153 (as a basic use of community) But we have to make one execption between PC1 et PC2
I hope you will understand my question
Regards
Hello Dominique
This is an excellent question as it helps to clarify the role and functionality of private VLANs. So if you have two community VLANs within the same primary VLAN, and all devices are in the same subnet, there is no way to create an exception for communication between PCs in one community VLAN to PCs in another. That is the purpose of creating these types of VLANs in the first place. If you would like to have such a configuration, you would use another mechanism such as ACLs and you wouldnât use private VLANs.
The only way to make something like this work is to have a device connected to the promiscuous port that does hairpin routing, that is, routing from one IP to another in the same subnet. In general, this is not good practice to implement, so to answer your question conclusively, no this is not something that can/should be done.
I hope this has been helpful!
Laz
Hi Rene, staff and students,
well, âŚfor me, private-vlan is not a concept as obvious as it seems
may i add some memo about private-vlan and could you agree or not ?
The main point to well understand is promiscuous ports
In my opinion, i noticed two cases for promiscuous ports:
First case
S1(config)#int f0/1
S1(config-if)#switchport mode private-vlan promiscuous
S1(config-if)#switchport private-vlan mapping 100 101-102
You can set only a single primary vlan in the mapping (this is like access/edge port). In this case, secondary vlans are isolated at L2 and they cant communicate (never)
Second case
In this case the promiscuous port works âlike trunk portâ
The configuration is
S1(config)#int f0/1
S1(config-if)#switchport mode private-vlan trunk promiscuous
S1(config-if)#switchport private-vlan mapping trunk 100 101-102
S1(config-if)#switchport private-vlan mapping trunk 150 151-152
In contrary with case 1, you can set many primary vlan in the mapping (this is like trunk). In this case, secondary vlans are isolated at L2, but they can communicate via L3 routing
Infortunatly, you cant lab case 2 with 3750 but only with a few SW like 4500 (?)
I hope you will agree this memo, but if not, thank you for your answer that will help me (and perhaps others) to understand private-vlan concepts
Best regards
Hello Dominique
Yes, you are absolutely correct. You have explained it very clearly, and I believe that this is a wonderful addition to the forum and to the lesson material.
As for the promiscuous trunk ports, yes, only 4500, 6500, 6800 series (and higher) support them.
Once again, wonderful explanation!
Laz
Hello,
whats the difference between the two commands?
SW1(config-if)#switchport private-vlan association host 500 501
SW1(config-if)#switchport private-vlan host-association 500 501
What does this mapping command? Does it mean that the traffic for the private VLANs will be redirected to the primary vlan?
interface FastEthernet0/24
switchport private-vlan mapping 500 501-502
switchport mode private-vlan promiscuous
Does that mean that the SVI is also receving the private VLAN tagged packets from the hosts? Will the SVI use the primary or secondary VLAN in the dot1q header to answer to the host?
interface Vlan500
ip address 169.254.100.1 255.255.255.0
private-vlan mapping 501,502
Thanks a lot.
Regards,
Lukas
Hello Lukas
Youâll find that both commands do exactly the same thing. If you implement one and then the other and examine the results, youâll find that the result is the same. Take a look at this context sensitive help:
SW(config-if-range)#sw private-vlan association host ?
<1006-4094> Primary extended range VLAN ID of the private VLAN host port
association
<2-1001> Primary normal range VLAN ID of the private VLAN port
association
SW(config-if)#switchport private-vlan host-association ?
<1006-4094> Primary extended range VLAN ID of the private VLAN host port
association
<2-1001> Primary normal range VLAN ID of the private VLAN port
association
I donât know why Cisco has done this, but it could be that on some platforms only one of the two commands is available.
The mapping command tells the promiscuous port which VLANs are accessible via the promiscuous port. The first VLAN ID must be that of the primary VLAN, which is indeed 500, and the rest are the secondary VLANs, which can either be community or isolated VLANs. This means that FastEthernet 0/24 will be able to communicate with hosts in the community VLAN 501. Traffic will not be redirected, but will simply be accessible.
The configuration of the SVI is used if you want to have the SVI of the private VLAN function as a gateway. If this is the case, then you have to map the community and the isolated VLANs of the private VLAN to the interface so they can have access to the SVI interface, and in turn, the outside world. The configuration here simply indicates that both community and isolated VLANs have access to the specific SVI. Because hosts in VLANs 500, 501 and 502 are all in the same subnet, and thus in the same primary VLAN, no tagging takes place here. Tagging will only take place on a trunk port where the primary VLAN shares the trunk with other VLANs.
I hope this has been helpful!
Laz
Hello Laz,
your answer is awesome and really easy to understand. Thanks a lot.
Regards,
Lukas
I was wondering about the promiscuous port. Does it need to be connected to the same switch as a secondary vlan port? The impression that I got was an isolated port can only communicate with a promiscuous port. If the promiscuous port is on another switch how can it even travel through a trunk port?
Hello Justin
Private VLANs are able to span multiple switches. As a result, it is possible to have a promiscuous port of a private VLAN on one switch that corresponds to several ports (assigned to community and isolated VLANs) that exist on another switch. In order to achieve this, you will have to create a trunk between the two switches in question that will carry the primary VLAN, the secondary isolated VLAN and the secondary community VLAN. Although this is not found in the lesson, you can find out more about how this can be achieved at this Cisco documentation.
I hope this has been helpful!
Laz
If one PC from one community vlan400 cannot communicate to another community vlan 500,then it can communicate through promiscuous port of routerâŚHow to stop that?How to configure proxy acl on router?
Hello Sarang
If you have a setup similar to that which you describe above, and if you donât want a particular PC to communicate with some specific subnet, or even a specific device, then the solution to such a problem is to create an ACL on the router that is routing the traffic. You can specify source and/or destination IP in order to specify the particular traffic you want to filter. This application doesnât have to do with PVLANs, but with the traffic that is (or is not) allowed to cross the router.
I hope this has been helpful!
Laz
My book says: All secondary VLANs must be associated with one primary VLAN to set up the unidirectional relationship. Could you please explain this unidirectional relationship? Why unidirectional?
Should I assign the ports which are the member of secondary VLANs (host port) or primary VLAN (promiscuous port) to an access VLAN like in the example below or access VLANs are not relevant to PVLANs, so switchport mode access and switchport access vlan 10 commands do not have any effect?
vlan 10 private-vlan isolated vlan 20 private-vlan primary private-vlan association 10 interface fa0/1 switchport mode access switchport access vlan 10 switchport mode private-vlan host switchport private-vlan host-association 20 10
Thanks
Selim
Hello Fatih
When the term âunidirectional relationshipâ is used, it is referring to the way in which hosts within secondary private VLANs are capable of communicating with other hosts in the same secondary VLAN (in the case of a community private VLAN), as well as with host in the primary VLAN, but not with hosts in other secondary VLANs. The unidirectional nature just refers to the way in which traffic can freely flow from the primary towards all secondary VLANs (one direction) but not from a secondary VLAN to other secondary VLAN (the other direction). I believe it is a misleading use of the term. Wherever you see âunidirectional VLANsâ simply think âsecondary VLANsâ.
If you apply the configuration you have posted, then the âswitchport access vlan 10â command is ignored. From the moment that the switchport mode private-vlan host has been applied, only the switchport private-vlan host-association 20 10 command will be applied.
I hope this has been helpful!
Laz
Hi Sir,
Big fan of your teaching style ⌠It made my life much easier - big time 
I think, Private VLAN part should be taught first and then VTPV3 , I am a teacher myself and I took private and protected ports first following VTPV3 âŚthey grasped it in very better manner.
although , I donât have any issues, U rock âŚ
my gratitudeâ
Akshay Shinde âŚ
Hello Akshay,
Thank you for your kind words! This is what keeps me going to create more and more content
Iâll take a look at the order for the new CCNA and CCNP courses. Thanks for your input!
Rene
Iâve a question regarding Switch Fa0/24 Server access port.
Why did you use the âmappingâ keyword instead the âassociationâ keyboard youâve used on the host ports ?
SW1(config)#interface fa0/24
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 500 501
Why does âmappingâ mean?
SW1(config)#interface range fa0/1 - 2
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 500 501
Youâve used the host-association keyword instead of the mapping keyboard configured on the server port
Hello Juan
The reason why these two commands are different is because each one is employed for a different purpose.
When you configure a port using the switchport mode private-vlan host command, you are configuring the port to participate in the community VLAN. As a community VLAN, you must associate the port with a private VLAN. This is done using the host-association keyword and the primary and secondary VLAN IDs as shown. Here you can only indicate one primary, and one secondary VLAN ID.
When you configure a port using the switchport mode private-vlan promiscuous command, you are making this port promiscuous for all configured PVLANs. Using the switchport private-vlan mapping 500 501 command you are able to map this port to the primary VLAN, but also to one or more secondary VLANs. Remember, promiscuous ports can have access to some or all of the private VLANs associated with the primary VLAN. If you had additional secondary VLANs, the command could be switchport private-vlan mapping 500 501 502 503 where 500 is the primary VLAN and the rest are secondary VLANs.
I hope this has been helpful!
Laz
If a router would be added in the topology used in the lesson, would ports in the private VLAN be able to communicate with each other? Or would that defeat the purpose of private VLANs?
Hello Marit
Even if you have a router in the topology, there would be no change in the behaviour of the networks. Keep in mind that private VLANs control the exchange of traffic between hosts on the same subnet. This means that even if a router existed as a default gateway, the hosts would never use it when communicating with each other.
For example, if Host1 and Host2 are on the same isolated VLAN and had IP addresses of 10.10.10.11/24 and 10.10.10.12/24 respectively, and there was a router with an IP address of 10.10.10.1/24 which was the default gateway of both hosts, then any attempt at communication of the hosts with each other would never be sent to the default gateway. The IP addresses are in the same subnet, so a direct communication would be attempted. But at Layer 2, the isolated VLAN prohibits such communication, so it would fail.
To summarize, no the addition of a router would not make a difference to the behaviour of the private VLANs simply because such communication would never be directed to the router/default gateway.
I hope this has been helpful! Stay healthy and safe!
Laz