
securitywing

How to Configure Cisco Private VLANs in 4 Easy Steps

by wing

Concept of private VLAN

A VLAN allows unrestricted traffic flow among the hosts within the VLAN. When a packet is sent from a host to a destination machine within a VLAN, the switch forwards that packet only to the destination host, not to every other host in the VLAN. But when broadcast traffic is sent by a host, all other hosts in the VLAN receive the broadcast packets.

Why do we need a private VLAN?

Sometimes, you may want to segment traffic in your switch without creating multiple VLANs and having to use a router. For instance, if you have a number of servers in your network that you do not want to communicate with each other, but that must still reach other networks/subnets or the Internet via a common gateway, you can create a private VLAN for each server and then assign them to the primary VLAN. The servers in the private VLANs remain isolated from each other, but they can all use the common gateway to reach other subnets.

To create a private virtual LAN, you first need to create a primary (normal) VLAN, which means a private VLAN only works together with a normal VLAN. Each private VLAN must be associated with a normal/primary VLAN. Remember that private VLANs are also known as secondary VLANs. When you associate a server with a private VLAN, the server can communicate with ports that are associated with the primary VLAN, but not with other private VLANs that are part of the same primary VLAN.

Now that you have a basic understanding of private VLANs, you can move on to creating them, but before that you need to remember that private VLANs can be configured in three different modes:

  1. Isolated
  2. Community
  3. Promiscuous

When you create private VLANs in isolated mode, their hosts can reach only the primary VLAN, not the other secondary VLANs and not each other. On the other hand, the hosts associated with a community VLAN can communicate with each other and with the primary VLAN. They will not be able to communicate with other private VLANs, though.

The switchport that connects to the router, firewall or similar gateway device must be configured in promiscuous mode. A port configured in promiscuous mode can communicate with all other ports, regardless of whether those ports are associated with the primary or a secondary VLAN.

Points to remember

  1. All private VLANs must be associated with a primary/normal VLAN.
  2. VTP (VLAN Trunking Protocol) does not propagate private VLAN information.
  3. Isolated and community VLANs can only reach the promiscuous ports (plus, for a community VLAN, the other members of the same community).

The four steps to create a private VLAN

  1. Create a primary VLAN

Because VTP does not carry private VLAN information, the switch is first placed in VTP transparent mode; the primary VLAN is then declared from VLAN configuration mode:

Switch1(config)# vtp mode transparent
Switch1(config)# vlan 200
Switch1(config-vlan)# private-vlan primary
Switch1(config-vlan)# exit

  2. Create the private (secondary) VLANs

Switch1(config)# vlan 205
Switch1(config-vlan)# private-vlan community
Switch1(config-vlan)# exit
Switch1(config)# vlan 210
Switch1(config-vlan)# private-vlan isolated
Switch1(config-vlan)# exit

Next, associate the secondary VLANs with the primary VLAN using the following command (the list is comma-separated, without spaces):

Switch1(config)# vlan 200
Switch1(config-vlan)# private-vlan association 205,210
Switch1(config-vlan)# exit

  3. Add interfaces to the VLANs

Each host port is set to private-vlan host mode and then bound to one primary/secondary pair. Here fa0/1 joins community VLAN 205 and fa0/2 joins isolated VLAN 210:

Switch1(config)# interface fa0/1
Switch1(config-if)# switchport mode private-vlan host
Switch1(config-if)# switchport private-vlan host-association 200 205
Switch1(config-if)# exit
Switch1(config)# interface fa0/2
Switch1(config-if)# switchport mode private-vlan host
Switch1(config-if)# switchport private-vlan host-association 200 210
Switch1(config-if)# exit

  4. Configure promiscuous mode and mapping

Switch1(config)# interface fa0/3
Switch1(config-if)# switchport mode private-vlan promiscuous

To map the promiscuous port to the secondary VLANs it must serve, use the following command:

Switch1(config-if)# switchport private-vlan mapping 200 205,210
Switch1(config-if)# exit

Verify the result with:

Switch1# show vlan private-vlan
Switch1# show vlan private-vlan type
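As an added example (not part of the original post and not a Cisco tool), the Python script below models the rules the four steps rely on: it parses a constructed IOS-style config fragment that mirrors the commands above (with two extra constructed hosts, fa0/4 in community VLAN 205 and fa0/5 in isolated VLAN 210, so both secondary types are exercised), flags a forgotten association, and computes which ports can exchange frames. The names parse_config, check_config, can_talk and reachability are the example's own.

```python
"""Added example (not from the original post): parse an IOS-style private VLAN
config, check the association rules, and compute which ports can talk."""
import re

# Constructed running-config mirroring the four steps above, plus two extra hosts
# (fa0/4 in community 205, fa0/5 in isolated 210) to show both secondary types.
SAMPLE_CONFIG = """vlan 200
 private-vlan primary
 private-vlan association 205,210
vlan 205
 private-vlan community
vlan 210
 private-vlan isolated
interface fa0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 200 205
interface fa0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 200 210
interface fa0/3
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 205,210
interface fa0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 200 205
interface fa0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 200 210
"""

# The same config with the association step forgotten (constructed error case).
BROKEN_CONFIG = SAMPLE_CONFIG.replace(" private-vlan association 205,210\n", "")


def parse_config(text):
    """Return (vlans, ports): vlan id -> {type, assoc}; port -> {mode, primary, secondaries}."""
    vlans, ports, ctx = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            ctx = ("vlan", int(m[1]))
            vlans.setdefault(ctx[1], {"type": "normal", "assoc": set()})
        elif m := re.fullmatch(r"interface (\S+)", line):
            ctx = ("if", m[1])
            ports[ctx[1]] = {"mode": None, "primary": None, "secondaries": set()}
        elif ctx and ctx[0] == "vlan":
            if m := re.fullmatch(r"private-vlan (primary|isolated|community)", line):
                vlans[ctx[1]]["type"] = m[1]
            elif m := re.fullmatch(r"private-vlan association ([\d,]+)", line):
                vlans[ctx[1]]["assoc"] = {int(x) for x in m[1].split(",")}
        elif ctx and ctx[0] == "if":
            p = ports[ctx[1]]
            if m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", line):
                p["mode"] = m[1]
            elif m := re.fullmatch(r"switchport private-vlan (?:host-association|mapping) (\d+) ([\d,]+)", line):
                p["primary"], p["secondaries"] = int(m[1]), {int(x) for x in m[2].split(",")}
    return vlans, ports


def check_config(vlans, ports):
    """List the private VLAN rule violations; an empty list means the config is consistent."""
    problems = []
    for name, p in ports.items():
        if p["mode"] is None or p["primary"] is None:
            problems.append(f"{name}: missing private-vlan mode or association")
            continue
        prim = vlans.get(p["primary"])
        if prim is None or prim["type"] != "primary":
            problems.append(f"{name}: VLAN {p['primary']} is not a primary VLAN")
            continue
        for sec in sorted(p["secondaries"]):
            if vlans.get(sec, {}).get("type") not in ("isolated", "community"):
                problems.append(f"{name}: VLAN {sec} is not a secondary VLAN")
            elif sec not in prim["assoc"]:  # point 1 of "Points to remember"
                problems.append(f"{name}: VLAN {sec} not associated with primary {p['primary']}")
    return problems


def can_talk(vlans, ports, a, b):
    """True if frames can pass between ports a and b under private VLAN rules."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False  # different primary VLANs are separate broadcast domains
    if pa["mode"] == "promiscuous" and pb["mode"] == "promiscuous":
        return True
    if "promiscuous" in (pa["mode"], pb["mode"]):
        # A promiscuous port reaches exactly the secondary VLANs it maps.
        host, prom = (pa, pb) if pb["mode"] == "promiscuous" else (pb, pa)
        return bool(host["secondaries"] & prom["secondaries"])
    # Two host ports: only members of the same community VLAN can talk;
    # isolated hosts cannot reach each other even inside the same isolated VLAN.
    shared = pa["secondaries"] & pb["secondaries"]
    return any(vlans.get(s, {}).get("type") == "community" for s in shared)


def reachability(text):
    """Map every ordered pair of distinct ports to whether the first can reach the second."""
    vlans, ports = parse_config(text)
    return {(a, b): can_talk(vlans, ports, a, b) for a in ports for b in ports if a != b}
```

Calling reachability(SAMPLE_CONFIG) shows the behaviour described in the concept section: fa0/1 and fa0/4 (same community) reach each other, fa0/2 and fa0/5 (same isolated VLAN) do not, and every host reaches the promiscuous port fa0/3. Running check_config on BROKEN_CONFIG returns one finding per host port and secondary VLAN, because the association in step 2 was skipped; that is the rule in point 1 of "Points to remember", and it is the first thing to check when hosts on a private VLAN unexpectedly lose connectivity.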

Copyright © 2010-2025 ·All Rights Reserved · SecurityWing.com