Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4230
Views
10
Helpful
26
Replies

Private VLAN config

Andy White
Level 3
Level 3

‎03-18-2013 02:06 PM - edited ‎03-07-2019 12:19 PM

Hello,

I have a 3560 switch with 1 VLAN (VLAN 10) where I need to make ports:

1-10 as isolated (can't contact each other)

11-20 as community (need to contact each other like a normal VLAN)

23 as promiscuous (server that ports 1-20 need to get to)

24 as promiscuous (WAN router where ports 1-20 need to get to and the remote servers)

Is this roughly right based on some reading:

  1. Set VTP to transparent
  2. Create the secondary VLANs first

vlan 101

  private-vlan community

vlan 102

  private-vlan isolated

   3.  Create the primary VLAN

vlan 100

  private-vlan primary

  private-vlan association 101-102

Now the ports:

int range FastEthernet0/1 -10

description isolated ports

switchport private-vlan host-association 100 102

switchport mode private-vlan host

int range FastEthernet0/11 -20

description community ports

switchport private-vlan host-association 100 101

switchport mode private-vlan host

int FastEthernet0/23

description primary host port for server

switchport private-vlan mapping 100 101-102

switchport mode private-vlan promiscuous

int FastEthernet0/24

description primary host port for WAN router

switchport private-vlan mapping 100 101-102

switchport mode private-vlan promiscuous

Does that look about right?

I have also just attach a config of what I think it may look like.

Thanks

Labels:
15356597-3560.txt.zip
0 Helpful
26 Replies 26

Andy White
Level 3
Level 3
In response to paul driver

‎03-19-2013 01:28 PM

Yeah the attachment is just a text file that gets zipped.  Here is a snippet, they way I see it is I have a single VLAN 10 subnet and the Primary PVLAN is 100 with the secondary PVLANs as community 101 and isolated as 102.

VLANs

vlan 10

PVLANs

vlan 100

  private-vlan primary

  private-vlan association 101-102

vlan 101

  private-vlan community

vlan 102

  private-vlan isolated

Hosts

interface FastEthernet0/10

description isolated ports

switchport access vlan 10

switchport private-vlan host-association 100 102

switchport mode private-vlan host

spanning-tree portfast

spanning-tree bpduguard enable

interface FastEthernet0/11

description community ports

switchport access vlan 10

switchport private-vlan host-association 100 101

switchport mode private-vlan host

spanning-tree portfast

spanning-tree bpduguard enable

Server

interface FastEthernet0/23

description primary host port for server

switchport access vlan 10

switchport private-vlan mapping 100 101-102

switchport mode private-vlan promiscuous

spanning-tree portfast

spanning-tree bpduguard enable

WAN Router

interface FastEthernet0/24

description primary host port for WAN router

switchport access vlan 10

switchport private-vlan mapping 100 101-102

switchport mode private-vlan promiscuous

SVI

interface Vlan10

ip address 10.100.80.2 255.255.255.0

Routing

router eigrp 100

network 10.100.80.0 0.0.0.255

Does this seem ok?

Kind regards

0 Helpful

paul driver
VIP
VIP
In response to Andy White

‎03-19-2013 02:06 PM

Hello andy

Vtp mode transparent

PVLANs

vlan 100
private-vlan primary
private-vlan association 101-102

vlan 101
private-vlan community

vlan 102
private-vlan isolated



Secondary ports,..

switchport private-vlan host-association 100 101 / 102@
switchport mode private-vlan hosts
spanning-tree portfast
spanning-tree bpduguard enable


promiscuous ports

switchport private-vlan mapping 100 101-102
switchport mode private-vlan promiscuous
spanning-tree portfast
spanning-tree bpduguard enable

Res
Paul



Sent from Cisco Technical Support iPad App


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Andy White
Level 3
Level 3
In response to paul driver

‎03-19-2013 02:26 PM

But what happens to VLAN 10?  This is the part I don't understand, I'd like to keep VLAN 10.

Thanks

0 Helpful

paul driver
VIP
VIP
In response to Andy White

‎03-19-2013 12:44 PM

Hello andy

For the promiscuous ports

Switchport private-vlan mapping 100 add 101,102
Switch port mode private- vlan promiscuous



Res
Paul

Sent from Cisco Technical Support iPad App


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Andy White
Level 3
Level 3
In response to paul driver

‎03-19-2013 03:03 PM

I think it is almost working!

One thing that no longer works though is DHCP on the switch, I had to statically assign IPs, any ideas why this would be?

What happens to VLAN 10 as other mention removing this?  This is the part I don't understand, I'd like to keep VLAN 10.

0 Helpful

paul driver
VIP
VIP
In response to Andy White

‎03-19-2013 04:55 PM

Hello,

Vlan 10 is a normal vlan any access ports in this are not in the plvan domain

Res
Paul

Sent from Cisco Technical Support iPad App


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Andy White
Level 3
Level 3
In response to paul driver

‎03-20-2013 01:45 AM

Hi,

Ok I understand.  Any reason the DHCP scope doen't work on the isolated and community ports now?  I'm haven't tested it but I'm sure if I made onw of the ports a normal access port in VLAN 10 it would get an IP.

Thanks

0 Helpful

Andy White
Level 3
Level 3
In response to paul driver

‎03-21-2013 07:12 AM

Hi,

Don't suppose you have any idea why the DHCP no longer works since ports have been put into the community and isolated ports, I thought the DHCP discover broadcast would get to the switch, but maybe I should move the DHCP scope to the router as this is a promiscuous.

0 Helpful

paul driver
VIP
VIP
In response to Andy White

‎03-21-2013 07:33 AM

Andy,

Your Vlan 10 is not in the PLVAN domain so it wont communicate with any device with that domain - hence the nature of Private vlans!


The secondary ports will only communicate within its own vlan and promiscuous ports, unless you provide some l3 communication for the secondarys and add the ip range for the subnets to the primary vlan svi as stated in the previous post.

res

Paul

   

Please don't forget to rate any posts that have been helpful.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Andy White
Level 3
Level 3
In response to paul driver

‎03-21-2013 07:50 AM

As it is a L3 switch I can just create the SVI's locally for each secondary VLAN and a 2 more DHCP scopes, I guess I will have 3 DHCP scopes for the same subnet though?

0 Helpful

paul driver
VIP
VIP
In response to Andy White

‎03-21-2013 08:38 AM

Andy

Please don't forget to rate any posts that have been helpful.

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Andy White
Level 3
Level 3
In response to paul driver

‎03-21-2013 08:41 AM

Once I have fixed this DHCP issue and you have answered my last post I will

0 Helpful
Customers Also Viewed These Support Documents