How to Configure Cisco Private VLANs in 4 Easy Steps

by wing

Concept of private VLAN

A VLAN allows unrestricted traffic flow among the hosts within the VLAN. When a packet is sent from a host to a destination machine within the VLAN, the switch forwards that packet only to the destination host, not to every other host in the VLAN. But when broadcast traffic is sent by a host, all other hosts in the VLAN receive the broadcast packets.

Why do we need a private VLAN?

Sometimes you may want to segment traffic in your switch without creating multiple VLANs and having to use a router. For instance, if you have a number of servers in your network that you do not want to communicate with each other, but that should still reach other networks/subnets or the Internet via a common gateway, you can create a private VLAN for each server and then assign it to the primary VLAN. The servers in the private VLANs remain isolated from each other, but they can all use the common gateway to reach other subnets.

To create a private virtual LAN, you first need to create a primary (normal) VLAN; a private VLAN only works together with a normal VLAN. Each private VLAN must be associated with a normal/primary VLAN. Remember that private VLANs are also known as secondary VLANs. When you associate a server with a private VLAN, the server can communicate with ports that are associated with the primary VLAN, but not with other private VLANs that are part of the same primary VLAN.

Now that you have a basic understanding of private VLANs, you can move on to creating them, but before that you need to remember that private VLANs can be configured in three different modes:

  1. Isolated
  2. Community
  3. Promiscuous

When you create private VLANs in isolated mode, the hosts in them can reach only the promiscuous ports of the primary VLAN, not the other secondary VLANs and not each other. On the other hand, the hosts associated with a community VLAN can communicate with each other and with the primary VLAN. They will not be able to communicate with other private VLANs, though.

The switchport that connects to the router, firewall or other gateway device must be configured in promiscuous mode. A port configured in promiscuous mode can communicate with all other ports, regardless of whether those ports are associated with the primary or a secondary VLAN.

Points to remember

  1. All private VLANs must be associated with a primary/normal VLAN.
  2. VTP (VLAN Trunking Protocol) does not propagate private VLAN information, so set VTP to transparent mode on the switch.
  3. Isolated and community VLANs can only access the promiscuous ports.

(Figure: Cisco private VLANs and primary VLANs)

The four steps to create a private VLAN

  1. Create a primary VLAN

Switch1(config)# vtp mode transparent
Switch1(config)# vlan 200
Switch1(config-vlan)# private-vlan primary
Switch1(config-vlan)# exit

  2. Create private VLANs

Switch1(config)# vlan 205
Switch1(config-vlan)# private-vlan community
Switch1(config-vlan)# exit
Switch1(config)# vlan 210
Switch1(config-vlan)# private-vlan isolated
Switch1(config-vlan)# exit

Next, associate the private VLANs with the primary VLAN using the following command:

Switch1(config)# vlan 200
Switch1(config-vlan)# private-vlan association 205,210
Switch1(config-vlan)# exit

  3. Add interfaces to the VLANs

Switch1(config)# interface fa0/1
Switch1(config-if)# switchport mode private-vlan host
Switch1(config-if)# switchport private-vlan host-association 200 205
Switch1(config-if)# exit
Switch1(config)# interface fa0/2
Switch1(config-if)# switchport mode private-vlan host
Switch1(config-if)# switchport private-vlan host-association 200 210
Switch1(config-if)# exit

  4. Configure promiscuous mode and mapping

Switch1(config)# interface fa0/3
Switch1(config-if)# switchport mode private-vlan promiscuous

To map the promiscuous port to the private VLANs, use the following command:

Switch1(config-if)# switchport private-vlan mapping 200 205,210
Switch1(config-if)# exit

Verify the result with:

Switch1# show vlan private-vlan
Switch1# show vlan private-vlan type
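The isolation rules from the three modes and the four configuration steps above can be checked before anything is typed into a switch. The following Python script is an added example, not code from the article or from Cisco: it models a private-VLAN design (the primary 200, community 205, isolated 210 and ports fa0/1 to fa0/3 used above, plus two extra host ports fa0/4 and fa0/5 that are constructed here so the matrix shows how peers inside one secondary VLAN behave), validates it against the "points to remember", computes which port pairs can exchange Layer 2 traffic, and renders the equivalent IOS lines. The class, method and port names are the example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PortType(Enum):
    HOST = "host"                 # switchport mode private-vlan host
    PROMISCUOUS = "promiscuous"   # switchport mode private-vlan promiscuous


class SecondaryType(Enum):
    ISOLATED = "isolated"
    COMMUNITY = "community"


@dataclass
class Port:
    name: str
    kind: PortType
    secondary: Optional[int] = None   # secondary VLAN id; host ports only


@dataclass
class PrivateVlanDesign:
    primary: int
    secondaries: dict   # secondary VLAN id -> SecondaryType
    ports: list         # list of Port

    def validate(self) -> list:
        """Return the rule violations a reviewer should flag (empty list = OK)."""
        problems = []
        for p in self.ports:
            if p.kind is PortType.HOST:
                if p.secondary is None:
                    problems.append(f"{p.name}: host port has no secondary VLAN")
                elif p.secondary not in self.secondaries:
                    problems.append(f"{p.name}: VLAN {p.secondary} is not associated "
                                    f"with primary VLAN {self.primary}")
        if not any(p.kind is PortType.PROMISCUOUS for p in self.ports):
            problems.append("no promiscuous port: hosts have no path to the gateway")
        return problems

    def _port(self, name: str) -> Port:
        return next(p for p in self.ports if p.name == name)

    def can_talk(self, a: str, b: str) -> bool:
        """Layer 2 reachability between two ports under private-VLAN rules."""
        pa, pb = self._port(a), self._port(b)
        if pa is pb:
            return True
        if PortType.PROMISCUOUS in (pa.kind, pb.kind):
            return True                      # promiscuous ports reach every port
        if pa.secondary != pb.secondary:
            return False                     # different secondaries never talk directly
        # same secondary VLAN: allowed only for community, never for isolated
        return self.secondaries[pa.secondary] is SecondaryType.COMMUNITY

    def reachability(self) -> dict:
        """(src, dst) -> allowed, for every ordered pair of distinct ports."""
        names = [p.name for p in self.ports]
        return {(a, b): self.can_talk(a, b) for a in names for b in names if a != b}

    def render_ios(self) -> list:
        """IOS configuration lines in the same order as the article's four steps."""
        sec_list = ",".join(str(v) for v in sorted(self.secondaries))
        lines = ["vtp mode transparent",
                 f"vlan {self.primary}", " private-vlan primary", "exit"]
        for vid, kind in sorted(self.secondaries.items()):
            lines += [f"vlan {vid}", f" private-vlan {kind.value}", "exit"]
        lines += [f"vlan {self.primary}", f" private-vlan association {sec_list}", "exit"]
        for p in self.ports:
            lines.append(f"interface {p.name}")
            if p.kind is PortType.HOST:
                lines += [" switchport mode private-vlan host",
                          f" switchport private-vlan host-association {self.primary} {p.secondary}"]
            else:
                lines += [" switchport mode private-vlan promiscuous",
                          f" switchport private-vlan mapping {self.primary} {sec_list}"]
            lines.append("exit")
        return lines


# Constructed sample design (assumption): the article's VLANs and ports,
# plus fa0/4 (community 205) and fa0/5 (isolated 210) added for the matrix.
DESIGN = PrivateVlanDesign(
    primary=200,
    secondaries={205: SecondaryType.COMMUNITY, 210: SecondaryType.ISOLATED},
    ports=[Port("fa0/1", PortType.HOST, 205),
           Port("fa0/2", PortType.HOST, 210),
           Port("fa0/3", PortType.PROMISCUOUS),
           Port("fa0/4", PortType.HOST, 205),
           Port("fa0/5", PortType.HOST, 210)],
)

if __name__ == "__main__":
    print("\n".join(DESIGN.render_ios()))
    for (a, b), ok in sorted(DESIGN.reachability().items()):
        print(f"{a} -> {b}: {'allowed' if ok else 'blocked'}")
```

Running it prints the configuration followed by the reachability matrix: the two community ports (fa0/1, fa0/4) reach each other, the two isolated ports (fa0/2, fa0/5) do not, no host port reaches a host in the other secondary VLAN, and every port reaches the promiscuous gateway port fa0/3. Changing a host port's secondary VLAN to one that was never associated with the primary makes validate() report it, which is the mistake the association step in the article exists to prevent.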

Filed Under: Network Security Tips Tagged With: cisco, private vlan
