private vlan scenario

sarahr202
Level 5

Hi everybody.

I came up with this silly question over the weekend. I hope you can help me with that.

h2 is in access VLAN 2. Later we feel the need for a primary VLAN, so we use VLAN 2 as the primary VLAN as well. F1/3 is a promiscuous port and h1 is in community VLAN 3. Will h2 and h1 be able to communicate?

Below is the config:

h1-----f1/1 SW f1/3-----Router----internet

h2-----f1/2

SW:

int f1/2
 switchport access vlan 2
!
vlan 2
 private-vlan primary
 private-vlan association 3
!
vlan 3
 private-vlan community
!
int f1/1
 switchport mode private-vlan host
 switchport private-vlan host-association 2 3
!
int f1/3
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 2 3

thanks and have a great week.


Edison Ortiz
Hall of Fame

Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private-VLAN ports are access ports that are one of these types:

• Promiscuous—A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN.

• Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.

• Community—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN.

More information:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/swpvlan.html

Thanks Edison.

Long time no see!

What about ports which are neither community ports nor isolated ports but happen to be in the same primary VLAN? E.g. we have VLAN 2 as the primary private VLAN while VLAN 3 is a community VLAN. If ports on the switch, say f1/2 and f1/3, are neither community nor isolated but happen to be in VLAN 2, will hosts connected to these ports be able to communicate? Will such hosts be able to communicate with hosts connected to ports in the community/isolated VLAN?

Have a great week.

As noted before, there are 3 types of ports: Promiscuous, Isolated and Community.

You mentioned the ports are neither community nor isolated, therefore by process of elimination, they are Promiscuous.

I highlighted what type of communication is expected from promiscuous ports.

Thanks Edison.

I understand the role of community, isolated vlan and port in promiscuous mode.

But if the port is not promiscuous either, it is just in the primary VLAN, e.g.:

int f1/1
 switchport access vlan 2
!
vlan 2
 private-vlan primary

As shown above, f1/1 is simply an access port assigned to VLAN 2. This port is not configured as a promiscuous, community or isolated port.

Now my question is: will a host connected to f1/1 be able to communicate with hosts connected to ports in the community or isolated VLAN?

Sarah,

Again, per the URL I posted:

Private-VLAN Port Configuration

Follow these guidelines when configuring private-VLAN ports:

Use only the private-VLAN configuration commands to assign ports to primary, isolated, or community VLANs. Layer 2 access ports assigned to the VLANs that you configure as primary, isolated, or community VLANs are inactive while the VLAN is part of the private-VLAN configuration. Layer 2 trunk interfaces remain in the STP forwarding state.

_____

The example you illustrated is not a valid private-vlan configuration port
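The two answers above (the three port types, and the guideline that a plain access port in a PVLAN's VLAN is inactive) can be checked against the thread's topology with a small model. This is an added example, not code from the thread or from Cisco; it models the quoted forwarding rules in Python and applies them to f1/1, f1/2 and f1/3 from the original post. VLAN 4 is a constructed isolated VLAN, not in the thread, added so the isolated rule is exercised too.

```python
from dataclasses import dataclass
from typing import Optional

PRIMARY = 2
# secondary VLAN id -> type. VLAN 3 is the thread's community VLAN; VLAN 4 is a
# constructed isolated VLAN, not in the thread, added to exercise the isolated rule.
SECONDARIES = {3: "community", 4: "isolated"}

@dataclass
class Port:
    name: str
    mode: str                          # "promiscuous", "host" or "access"
    primary: Optional[int] = None      # PVLAN primary for promiscuous/host ports
    secondary: Optional[int] = None    # host-association secondary for host ports
    access_vlan: Optional[int] = None  # plain 'switchport access vlan' value

def port_role(p: Port) -> str:
    """Effective PVLAN role: promiscuous, community, isolated, inactive or normal."""
    if p.mode == "promiscuous" and p.primary == PRIMARY:
        return "promiscuous"
    if p.mode == "host" and p.primary == PRIMARY and p.secondary in SECONDARIES:
        return SECONDARIES[p.secondary]
    if p.mode == "access" and (p.access_vlan == PRIMARY or p.access_vlan in SECONDARIES):
        # Guideline quoted in the thread: a plain access port placed in a VLAN
        # that is part of the private-VLAN configuration is inactive.
        return "inactive"
    return "normal"  # ordinary access port in a VLAN outside the private VLAN

def can_talk(a: Port, b: Port) -> bool:
    """Layer 2 reachability between two ports under the PVLAN rules."""
    ra, rb = port_role(a), port_role(b)
    if "inactive" in (ra, rb):
        return False                   # an inactive port forwards nothing
    if "normal" in (ra, rb):
        return ra == rb and a.access_vlan == b.access_vlan
    if "promiscuous" in (ra, rb):
        return True                    # promiscuous talks to every PVLAN port
    if ra == rb == "community":
        return a.secondary == b.secondary
    return False  # isolated<->non-promiscuous, community<->other community

# Ports constructed from the thread's original post
F1_1 = Port("f1/1", "host", primary=2, secondary=3)  # h1 in community VLAN 3
F1_2 = Port("f1/2", "access", access_vlan=2)         # h2, plain access port in primary VLAN 2
F1_3 = Port("f1/3", "promiscuous", primary=2)        # uplink to the router

if __name__ == "__main__":
    for a, b in [(F1_1, F1_3), (F1_2, F1_1), (F1_2, F1_3)]:
        print(f"{a.name} ({port_role(a)}) <-> {b.name} ({port_role(b)}): {can_talk(a, b)}")
```

Running it shows h1 reaching the router through the promiscuous port, while h2 on the plain access port in VLAN 2 reaches nothing, which is the inactive-port outcome the quoted guideline describes.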

Thanks Edison.

I finally got it.

Thanks for the rating and glad to see you around once again. Take care

Hi Sarahr202,

I also have the exact same question.

Can hosts attached to switch ports (on the same switch) that are NOT part of the Private Vlan configuration communicate with ............. WHO?

Also If the uplink port is configured in promiscuous mode, will this same switchport forward and receive non Private Vlan frames?

Thanks

Frank

sarahr202 wrote:

Thanks Edison.

I understand the role of community, isolated vlan and port in promiscuous mode.

But if the port is not promiscuous either, it is just in the primary VLAN, e.g.:

int f1/1
 switchport access vlan 2
!
vlan 2
 private-vlan primary

As shown above, f1/1 is simply an access port assigned to VLAN 2. This port is not configured as a promiscuous, community or isolated port.

Now my question is: will a host connected to f1/1 be able to communicate with hosts connected to ports in the community or isolated VLAN?
