Switchport Mode Private-Vlan

Hi guys i am back was stuck in some office work. As per the heading we are discussing Private-Vlans today,
First of all Why we use Private Vlans in our switches? ,
even before why we even use Vlans in our switches?

Vlan is a Virtual LAN(Local Area Network) as in the cisco environment the name
is the recipe,as we all know from our CCNA studies that switches have multiple
Collision domains but a single Broadcast domain,VLAN is a broadcast domain
created by switches,normally , it is router creating that broadcast domain.
So by creating Vlans we are splitting our single default broadcast domain into
multiple broadcast domain by different vlans that will further used by different
ports and by different group of peoples to communicate with each other.
Note:-We still need a layer 3 device to communicate between these vlans.

The private vlan further split this single broadcast domain used by a single
Vlan into multiple isolated broadcast subdomains , that is defined by primary
Vlan and its secondary Vlans.It simply means that even if you are in a single
vlan (broadcast domain) you may or may not talk to each other,example in a
shared ISP co-location ,offices, hotels , where two hotel rooms may be in a
same subnet and in a same Vlan but should not talk to each other directly.

The theory about the Private VLANS is not much complicated rather implementation
may be confusing because Cisco uses different terms in this section to describe
Vlans and Ports.
NOTE:-Switch must be in TRANSPARENT mode to configure PVLANS.

Initially the ports are defined used in PVLANS.
There are 3 types of ports.
1.Promiscuous Ports:-Can talk to any port in a VLAN.
2.Isolated Ports:-Can ONLY talk to Promiscuous ports.
3.Community Ports:-Can ONLY talk to promiscuous ports and ports within their
community,cannot even talk to other different community ports.

First we create our secondary PVLAN and defined as community or isolated.
Example:-
vlan 300
private-vlan [isolated/community]

Then the primary parent vlan is defined and the PVLANs are associated with the
primary vlan.
Example:-
vlan 18
private-vlan primary
private-vlan association 300

After that we configure the interfaces that either they talk to each other or not
talk to each other.If we want a port to talk to each other then we configure that
port as a Promiscuous port,else we configure is as Host port.Here Host option
defines that this port should be either Community Port or Isolated port.

Example:-Suppose we want to configure that SW1 Fa0/6 and SW2 Fa0/8 on vlan 18
cannot talk to each other while the Router1 connected to SW1 Fa0/4 can still talk
to each other and vice-versa.The sample topology will be found by clicking PVLAN,
the diagram is just for reference not made professionally, kindly tolerate πŸ™‚

PVLAN

Here the configuration look like this.
On Both SW1 and SW2
β€”β€”β€”β€”β€”β€”-
vlan 300
private-vlan isolated

vlan 18
private-vlan primary
private-vlan association 300

On SW1:-
β€”β€”
Interface FastEthernet0/4
switchport access vlan 18
switchport mode private-vlan promiscuous
switchport private-vlan mapping 3 300

Interface FastEthernet0/6
switchport access vlan 18
switchport mode private-vlan host
switchport private-vlan host-association 3 300

On SW2:-
β€”β€”-
Interface FastEthernet0/8
switchport access vlan 18
switchport mode private-vlan host
switchport private-vlan host-association 3 300

We can check the configuration of PVLAN by:-
Show interface FastEthernet0/4 switchport | include private

For further studies on PVLANΒ  you can go here

Leave a Reply

Your email address will not be published. Required fields are marked *