ccie.nyquist.eu
Private VLANs

Private VLANs partition a regular VLAN domain into subdomains. A subdomain is created when a primary VLAN is paired with a secondary VLAN. Only a switch in VTP Transparent mode supports Private VLANs.

Primary VLAN

To set a VLAN as Primary VLAN, use:

Sw(config)#vlan VLAN-ID
Sw(config-vlan)#private-vlan primary

After the secondary VLANs are configured, they are associated with the primary VLAN using the following command in the configuration of the primary VLAN:

Sw(config-vlan)#private-vlan association [add|remove] SECONDARY-VLAN-LIST

To verify, use:

Sw# show vlan private-vlan [type]

Secondary VLANs

Secondary VLANs can be configured as Isolated or as Community VLANs. Private VLANs work across different switches, as long as both the primary and the secondary VLANs are carried over the trunk links.

Isolated VLANs

Ports within the isolated VLAN cannot communicate with each other at Layer 2.

Sw(config-vlan)# private-vlan isolated

Community VLANs

Ports within the Community VLAN can communicate with ports in the same Community VLAN but not with ports in other Community VLANs or with ports in the Isolated VLAN.

Sw(config-vlan)# private-vlan community

Private VLAN Ports

To configure a port as part of a private VLAN, use one of the following port modes:

Promiscuous Ports

A promiscuous port belongs to the primary VLAN and can communicate with all interfaces in the primary VLAN, including ports in the isolated and community secondary VLANs. To set up a promiscuous port, use:

Sw(config-if)# switchport mode private-vlan promiscuous
Sw(config-if)# switchport private-vlan mapping PRI-VLAN-ID {add|remove} SEC-VLAN-LIST
!The promiscuous port must be mapped to one or more Secondary VLANs

You can also map the VLANs to a promiscuous port using:

Sw(config-if)# switchport private-vlan association mapping PRI-VLAN-ID {add|remove} SEC-VLAN-LIST

Isolated Ports

An isolated port belongs to the Isolated Secondary VLAN. It can only communicate with promiscuous ports. To set an isolated port, use:

Sw(config-if)# switchport mode private-vlan host
Sw(config-if)# switchport private-vlan host-association PRI-VLAN-ID SEC-VLAN-ID
!SEC-VLAN-ID must be an isolated VLAN

You can also map the VLANs to an isolated port using:

Sw(config-if)# switchport private-vlan association host PRI-VLAN-ID SEC-VLAN-ID

Community Ports

A community port is part of a Community Secondary VLAN and can only communicate with other ports in the same Community or with promiscuous ports. To set a community port, use:

Sw(config-if)# switchport mode private-vlan host
Sw(config-if)# switchport private-vlan host-association PRI-VLAN-ID SEC-VLAN-ID
!SEC-VLAN-ID must be a community VLAN

You can also map the VLANs to a community port using:

Sw(config-if)# switchport private-vlan association host PRI-VLAN-ID SEC-VLAN-ID
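The Layer 2 reachability rules described above for promiscuous, isolated and community ports can be checked offline before a change window. The script below is an added example, not from this page or from Cisco: it models the rules, computes which port pairs of one primary VLAN can exchange frames, and flags the two configuration mistakes the page warns about (a promiscuous port with no secondary VLAN mapping, and a host-association to a VLAN that is not a configured secondary). All interface names and VLAN IDs are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from itertools import combinations

# Constructed secondary VLAN table: VLAN ID -> type, matching what
# "private-vlan isolated" / "private-vlan community" would define.
SECONDARY = {101: "isolated", 102: "community", 103: "community"}

@dataclass(frozen=True)
class Port:
    name: str
    mode: str                         # "promiscuous" or "host"
    secondary: int | None = None      # host-association SEC-VLAN-ID (host ports)
    mapping: frozenset = frozenset()  # private-vlan mapping list (promiscuous ports)

def can_talk(a: Port, b: Port, kinds: dict) -> bool:
    """True if frames from port a reach port b inside the same primary VLAN."""
    if a.mode == "promiscuous" and b.mode == "promiscuous":
        return True                        # both are ordinary members of the primary VLAN
    if a.mode == "promiscuous":
        return b.secondary in a.mapping    # reaches only the secondaries mapped to it
    if b.mode == "promiscuous":
        return a.secondary in b.mapping
    if a.secondary != b.secondary:
        return False                       # isolated vs community, or two communities
    return kinds.get(a.secondary) == "community"  # two isolated ports stay blocked

def reachability(ports: list[Port], kinds: dict) -> dict:
    """Pairwise Layer 2 reachability matrix for every unordered port pair."""
    return {(a.name, b.name): can_talk(a, b, kinds) for a, b in combinations(ports, 2)}

def lint(ports: list[Port], kinds: dict) -> list[str]:
    """Report configuration mistakes that silently weaken or break the isolation."""
    problems = []
    for p in ports:
        if p.mode == "promiscuous" and not p.mapping:
            problems.append(f"{p.name}: promiscuous port has no secondary VLAN mapping")
        if p.mode == "host" and p.secondary not in kinds:
            problems.append(f"{p.name}: host-association to unknown secondary VLAN {p.secondary}")
    return problems

# Constructed topology: one gateway-facing promiscuous port, two isolated hosts,
# two hosts in community 102 and one host in community 103.
PORTS = [
    Port("Gi1/0/1", "promiscuous", mapping=frozenset({101, 102, 103})),
    Port("Gi1/0/2", "host", secondary=101),
    Port("Gi1/0/3", "host", secondary=101),
    Port("Gi1/0/4", "host", secondary=102),
    Port("Gi1/0/5", "host", secondary=102),
    Port("Gi1/0/6", "host", secondary=103),
]
```

Running `reachability(PORTS, SECONDARY)` shows that only the promiscuous port reaches every host and that the two isolated hosts cannot reach each other, which is the behaviour to confirm with `show vlan private-vlan` after applying the real configuration.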

Mapping Secondary VLANs to Primary Layer3 VLANs

To allow inter-VLAN routing, the secondary VLANs must be mapped to the Layer 3 SVI of the primary VLAN:

Sw(config)# interface vlan PRI-VLAN-ID
Sw(config-if)# private-vlan mapping [add|remove] SEC-VLAN-LIST

To monitor, use:

Sw# show interface private-vlan mapping

Last updated 3 years ago
