Private VLAN Configuration Question

Craddockc
Level 3

Hello Community,

In my CCNP studies I am learning about Private VLANs. Toward the end of the discussion there are directions on how to configure the Private VLANs, and although most of it seems pretty straightforward, I am very confused about one part of the configuration, most specifically the relationship between step 4 and step 6. The book I am using is called CCNP SWITCH Simplified by authors Browning and Tafa. It is a very good book so far with few errors. I will do my best to type out the configs the book is giving as an example, so please bear with me:

Step 1) Create the Primary Private Vlan

(config)# vlan 111

(config-vlan)# name "primary-private-vlan"          No problems here

(config-vlan)# private-vlan primary

(config-vlan)#exit

Step 2) Associate the secondary vlans (that are not yet created?) to the primary private vlan

(config)# vlan 111

(config-vlan)# private-vlan association 222,333          Can you associate secondary vlans that aren't yet created?

(config-vlan)# exit

Step 3) Configure the secondary Vlans

(config)# vlan 222

(config-vlan)#name 'Community'

(config-vlan)#private-vlan community          Wouldn't it be better to create these first and then associate? Swap step 2 and 3?

(config-vlan)# exit

(config)# vlan 333

(config-vlan)# name 'Isolated'

(config-vlan)#private-vlan isolated

(config-vlan)# exit

Step 4) Map the secondary vlans to the SVI of the primary private vlan  Here is where I run into trouble.

(config)# int vlan 111

(config-if)# ip address x.x.x.x  x.x.x.x

(config-if)# private-vlan mapping add 222,333     What is the point of this? How does it differ from step 6?

(config-if)# exit                                               

Step 5) Configure the L2 interfaces as isolated or community and associate them

(config)# int fa0/2

(config-if)# switchport mode private-vlan host

(config-if)# switchport private-vlan host-association 111 222

(config-if)#int fa0/3                                                                                No issues here

(config-if)# switchport mode private-vlan host

(config-if)# switchport private-vlan host-association 111 333

Step 6) Configure a L2 interface as Promiscuous and map the vlans to it  Here is where it gets sticky again.

(config)# int fa0/1

(config-if)# switchport mode private-vlan promiscuous         What is the relationship between this step and step 4?

(config-if)# switchport private-vlan mapping 111 222,333

I apologize for such a long winded question, but any clarification on these steps would be much appreciated. Thanks.

Chris.



InayathUlla Sharieff
Cisco Employee

Hi Crad,

Let me see if I can help you here:

Step 2) Associate the secondary vlans (that are not yet created?) to the primary private vlan

(config)# vlan 111

(config-vlan)# private-vlan association 222,333          Can you associate secondary vlans that arent yet created?

(config-vlan)# exit

For host ports in secondary VLANs to communicate outside the private VLAN, you associate secondary VLANs to the primary VLAN. If the association is not operational, the host ports (community and isolated ports) in the secondary VLAN are brought down.

Note You can associate a secondary VLAN with only one primary VLAN.

For an association to be operational, the following conditions must be met:

•The primary VLAN must exist and be configured as a primary VLAN.

•The secondary VLAN must exist and be configured as either an isolated or community VLAN.

EG:

Yes, you are correct: first you need to have those VLANs. But never mind; once you map the association and exit, the VLANs get created automatically, but not the feasible one.

Eg:

C6K1(config)#vlan 111

-C6K1(config-vlan)#pri

-C6K1(config-vlan)#private-vlan ass

-C6K1(config-vlan)#private-vlan association 222

-C6K1(config-vlan)#exit

% Applying VLAN changes may take few minutes.  Please wait.

Associating Primary and Secondary VLANs

Step 3 yes I agree with you.

Step 4) Map the secondary vlans to the SVI of the primary private vlan  Here is where I run into trouble.

(config)# int vlan 111

(config-if)# ip address x.x.x.x  x.x.x.x

(config-if)#Private vlan mapping add 222,333     What is the point of this? How does it differ from step 6?

(config-if)# exit           

Answer: You need to associate secondary vlans to the primary one to have a broad picture of what secondary vlans are there in the network.    

Primary and Secondary VLANs in Private VLANs

A private VLAN domain has only one primary VLAN. Each port in a private VLAN domain is a member of the primary VLAN; the primary VLAN is the entire private VLAN domain.

Secondary VLANs provide isolation between ports within the same private VLAN domain. The following two types are secondary VLANs within a primary VLAN:

•Isolated VLANs—Ports within an isolated VLAN cannot communicate directly with each other at the Layer 2 level.

•Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other community VLANs or in any isolated VLANs at the Layer 2 level.

Step 6: This is the promiscuous port configuration. As you know, the promiscuous port will talk to all the ports of the private VLAN (secondary isolated/community).

Not sure how much I have helped you here.

Please go through the following links below, which explain private VLANs, and let me know if you require any further help:

http://packetlife.net/blog/2010/aug/30/basic-private-vlan-configuration/

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swpvlan.html

HTH

Regards

Inayath

Inayath,

Thank you very much for your detailed reply. It was very informative. One more question if I may: What is the difference between "associating" the secondary VLANs to the primary private VLAN in step 2 and "mapping" the secondary VLANs to the primary private VLAN in steps 4 and 6? I am trying to understand exactly what's going on.

I'm assuming that when you "associate" a secondary VLAN to the primary it is basically encompassing that secondary VLAN as part of that primary VLAN's domain?

Thanks.

Chris.

Hi,

Let me try to explain it here:

I have two switches connected between each other and have the following connection as attached in the diagram.

SW1----Trunk----Sw2

1st step, as you know, is that we have to define the VLANs.

Sw1(config)# vtp mode transparent

Vlan10 is primary , vlan 30&40 are community , and vlan 40 isolated.

Sw1(config)#vlan 10

Sw1(config-vlan)#private-vlan primary

Sw1(config-vlan)#vlan 20

Sw1(config-vlan)#private-vlan community

Sw1(config-vlan)#vlan 30

Sw1(config-vlan)#private-vlan community

Sw1(config-vlan)#vlan 40

Sw1(config-vlan)#private-vlan isolated

2-

Now under vlan 10 we need to associate sub-vlans to it to make switch aware of private vlans.

Sw1(config-vlan)#vlan 10

Sw1(config-vlan)#private-vlan association 20,30,40

Vlan configuration is completed.

3-Now comes the configuration of Ports(Promiscous port, community port and Isolated.)

int f0/1

switchport mode private-vlan promiscuous

switchport private-vlan mapping 10 20,30,40  (This means that the primary VLAN is 10 and we are associating the other sub-VLANs to the port so that this port can talk to all the other VLANs.)

{

NOTE: You use the command association under the VLAN for associating the sub/secondary VLANs to the primary VLAN. And the command mapping is used under the promiscuous ports to make the promiscuous port aware of all the sub-VLANs of the private VLAN with which it can communicate, or vice versa.

}

int f0/2

switchport mode private-vlan host  ---This is the one end host

switchport private-vlan host-association 10 20  (Where 10 is the primary VLAN and 20 is the community VLAN)

int f0/3

switchport mode private-vlan host  ---This is the one end host

switchport private-vlan host-association 10 30  (Where 10 is the primary VLAN and 30 is the community VLAN)

int f0/4

switchport mode private-vlan host  ---This is the one end host

switchport private-vlan host-association 10 40  (Where 10 is the primary VLAN and 40 is the isolated VLAN)

Result:

=====

F0/1 connected device should be able to reach all the vlans.

Vlan 20 & Vlan 30 should be able to communicate between the promiscuous port and the same community VLAN at the other side.

Vlan 40 will only be able to communicate with the promiscuous port and not with any other VLANs.

HTH

Regards

Inayath

*Plz rate all useful posts.
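The forwarding rules stated in the two replies above (a promiscuous port talks to every secondary VLAN in its mapping, community hosts talk within their own community, isolated hosts talk only to the promiscuous port, and a host port whose association is not operational is brought down), as an added Python model. This is example code written for this page; it is not code from the thread, from the book, or from Cisco. Ports f0/5 and f0/6, the out-of-order build that uses VLANs 111/222/333 from the question, and the `routable_via_svi` check for the step-4 SVI mapping are constructions of this example; trunks, the second switch and VTP are deliberately left out.

```python
"""Toy model of Cisco Private VLAN (PVLAN) Layer-2 reachability (added example)."""
from dataclasses import dataclass, field

PRIMARY, COMMUNITY, ISOLATED = "primary", "community", "isolated"


@dataclass
class PvlanSwitch:
    vlans: dict = field(default_factory=dict)         # vlan id -> type
    associations: dict = field(default_factory=dict)  # secondary id -> primary id
    ports: dict = field(default_factory=dict)         # port -> (mode, primary, secondaries)
    svi_mappings: dict = field(default_factory=dict)  # primary -> secondaries mapped on its SVI

    def vlan(self, vid, kind):                 # vlan <id> / private-vlan {primary|community|isolated}
        self.vlans[vid] = kind

    def associate(self, primary, secondaries):  # private-vlan association <list> (under the primary)
        for s in secondaries:
            self.associations[s] = primary

    def svi_mapping(self, primary, secondaries):  # interface vlan <pri> / private-vlan mapping add <list>
        self.svi_mappings.setdefault(primary, set()).update(secondaries)

    def host_port(self, name, primary, secondary):  # switchport mode private-vlan host + host-association
        self.ports[name] = ("host", primary, {secondary})

    def promiscuous_port(self, name, primary, secondaries):  # mode promiscuous + switchport mapping
        self.ports[name] = ("promiscuous", primary, set(secondaries))

    def association_operational(self, secondary):
        """Both VLANs must exist with the right type, as the quoted Cisco text requires."""
        primary = self.associations.get(secondary)
        return (primary is not None
                and self.vlans.get(primary) == PRIMARY
                and self.vlans.get(secondary) in (COMMUNITY, ISOLATED))

    def port_up(self, name):
        mode, _primary, secs = self.ports[name]
        if mode == "host":
            return self.association_operational(next(iter(secs)))  # host ports are brought down
        return True  # model assumption: a promiscuous port is not brought down by a bad mapping

    def can_talk(self, a, b):
        """Layer-2 reachability between two ports of this switch."""
        if a == b:
            return True
        if not (self.port_up(a) and self.port_up(b)):
            return False
        mode_a, pri_a, secs_a = self.ports[a]
        mode_b, pri_b, secs_b = self.ports[b]
        if pri_a != pri_b:
            return False  # different private VLAN domains
        if mode_a == "promiscuous" and mode_b == "promiscuous":
            return True   # both are plain members of the primary VLAN
        if mode_a == "promiscuous":
            return secs_b <= secs_a   # the host's secondary must be in the promiscuous mapping
        if mode_b == "promiscuous":
            return secs_a <= secs_b
        sec_a, sec_b = next(iter(secs_a)), next(iter(secs_b))
        return sec_a == sec_b and self.vlans[sec_a] == COMMUNITY  # isolated never talks to isolated

    def routable_via_svi(self, name):
        """True if traffic from this port reaches the primary VLAN's SVI (the step-4 mapping)."""
        mode, primary, secs = self.ports[name]
        mapped = self.svi_mappings.get(primary)
        if mapped is None:
            return False          # no SVI mapping configured on this primary
        if mode == "promiscuous":
            return True           # already a member of the primary VLAN
        return self.port_up(name) and secs <= mapped


def build_from_reply():
    """Topology from the reply above: 10 primary, 20/30 community, 40 isolated."""
    sw = PvlanSwitch()
    for vid, kind in [(10, PRIMARY), (20, COMMUNITY), (30, COMMUNITY), (40, ISOLATED)]:
        sw.vlan(vid, kind)
    sw.associate(10, [20, 30, 40])
    sw.promiscuous_port("f0/1", 10, [20, 30, 40])
    sw.host_port("f0/2", 10, 20)
    sw.host_port("f0/3", 10, 30)
    sw.host_port("f0/4", 10, 40)
    sw.host_port("f0/5", 10, 20)   # constructed: second member of community 20
    sw.host_port("f0/6", 10, 40)   # constructed: second isolated host
    return sw


def build_out_of_order():
    """Steps 2 and 5 from the question applied before step 3 (secondary VLANs missing)."""
    sw = PvlanSwitch()
    sw.vlan(111, PRIMARY)
    sw.associate(111, [222, 333])
    sw.host_port("fa0/2", 111, 222)
    return sw


if __name__ == "__main__":
    sw = build_from_reply()
    for a, b in [("f0/1", "f0/2"), ("f0/2", "f0/5"), ("f0/2", "f0/3"), ("f0/4", "f0/6")]:
        print(f"{a} <-> {b}: {'ok' if sw.can_talk(a, b) else 'blocked'}")
    sw2 = build_out_of_order()
    print("fa0/2 up before vlan 222 exists:", sw2.port_up("fa0/2"))
    sw2.vlan(222, COMMUNITY)
    print("fa0/2 up after vlan 222 is created:", sw2.port_up("fa0/2"))
```

Running the block prints which port pairs can talk in the reply's topology and shows that the host port configured in step 5 stays down until the secondary VLAN from step 3 actually exists, which is the ordering concern raised in the question. The `routable_via_svi` check keeps the step-4 SVI mapping separate from the step-6 promiscuous-port mapping: the first decides which secondary VLANs the Layer-3 interface on the primary serves, the second decides which secondary VLANs a Layer-2 port can exchange frames with.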

Inayath,

WOW! Thank you so very much for your detailed explanation! I so very much appreciate you taking the time to really explain this to me. I totally comprehend this now. Thank you!

Chris.

Inayath,

I am sorry to revisit this so much later, but I was reviewing and did have a question regarding step 4 below:

Step 4) Map the secondary vlans to the SVI of the primary private vlan:

(config)# int vlan 111

(config-if)# ip address x.x.x.x  x.x.x.x

(config-if)# private-vlan mapping add 222,333

(config-if)# exit           

Does this series of commands allow the secondary VLANs 222 and 333 to share the same address space as the primary PVLAN while still residing on different secondary VLANs? Generally one would want a separate subnet for each VLAN, but this could be different. Since all sub-VLANs are part of a broader single private VLAN, I can only see one virtual routed interface for all of these VLANs.

Thanks.
