08-06-2012 07:11 AM - edited 03-07-2019 08:10 AM
Hi everybody.
I came up with this silly question over the weekend. I hope you can help me with that.
h2 is in access VLAN 2. Later we feel the need for a primary VLAN, so we use VLAN 2 as the primary VLAN as well. F1/3 is a promiscuous port and H1 is in community VLAN 3. Will h2 and host1 be able to communicate?
Below is the config:
h1-----f1/1 SW f1/3-----Router----internet
h2-----f1/2
SW:
int f1/2
 switchport access vlan 2
vlan 2
 private-vlan primary
 private-vlan association 3
vlan 3
 private-vlan community
int f1/1
 switchport mode private-vlan host
 switchport private-vlan host-association 2 3
int f1/3
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 2 3
Thanks and have a great week.
08-06-2012 07:22 AM
Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private-VLAN ports are access ports that are one of these types:
•Promiscuous—A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN.
•Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
•Community—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN.
More information:
08-06-2012 09:46 AM
Thanks Edison.
Long time no see!
What about ports which are neither community ports nor isolated ports but happen to be in the same primary VLAN? For example, we have VLAN 2 as the primary private VLAN while VLAN 3 is a community VLAN. If the ports on a switch, say f1/2, f1/3, are neither community nor isolated but happen to be in VLAN 2, will hosts connected to these ports be able to communicate? Will such hosts be able to communicate with hosts connected to ports in a community/isolated VLAN?
Have a great week.
08-06-2012 10:49 AM
As noted before, there are 3 types of ports: Promiscuous, Isolated and Community.
You mentioned the ports are neither community nor isolated, therefore by process of elimination, they are Promiscuous.
I highlighted what type of communication is expected from promiscuous ports.
08-06-2012 12:24 PM
Thanks Edison.
I understand the role of community and isolated VLANs and of a port in promiscuous mode.
But if the port is not promiscuous either, it is just in the primary VLAN, e.g.:
int f1/1
 switchport access vlan 2
vlan 2
 private-vlan primary
As shown above, f1/1 is simply an access port assigned to VLAN 2. This port is not configured as a promiscuous, community or isolated port.
Now my question is: will a host connected to f1/1 be able to communicate with hosts connected in a community or isolated VLAN?
08-06-2012 01:22 PM
Sarah,
Again, per the URL I posted:
Private-VLAN Port Configuration
Follow these guidelines when configuring private-VLAN ports:
•Use only the private-VLAN configuration commands to assign ports to primary, isolated, or community VLANs. Layer 2 access ports assigned to the VLANs that you configure as primary, isolated, or community VLANs are inactive while the VLAN is part of the private-VLAN configuration. Layer 2 trunk interfaces remain in the STP forwarding state.
_____
The example you illustrated is not a valid private-vlan configuration port.
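The guideline quoted above, worked through on the layout from the question, as an added example that is not part of the original thread: a small Python model that parses a minimal IOS-style config, lists access ports left in a private-VLAN VLAN, and applies the promiscuous/isolated/community rules to a pair of ports. The function names and the sample config are constructed for illustration, and the model assumes an inactive port forwards no traffic.

```python
import re

# Constructed sample: the thread's layout, with f1/2 left as a plain access port in VLAN 2.
SAMPLE = """
vlan 2
 private-vlan primary
 private-vlan association 3
vlan 3
 private-vlan community
interface f1/1
 switchport mode private-vlan host
 switchport private-vlan host-association 2 3
interface f1/2
 switchport access vlan 2
interface f1/3
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 2 3
"""

def parse(config):  # -> ({vlan: pvlan_type}, {port: {"role", "primary", "vlans"}})
    vlans, ports, vlan, port = {}, {}, None, None
    for s in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", s):
            vlan = int(m[1])
        elif m := re.fullmatch(r"interface (\S+)", s):
            port = ports.setdefault(m[1], {"role": "access", "primary": None, "vlans": set()})
        elif m := re.fullmatch(r"private-vlan (primary|community|isolated)", s):
            vlans[vlan] = m[1]
        elif m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", s):
            port["role"] = m[1]
        elif m := re.fullmatch(r"switchport private-vlan (?:host-association|mapping) (\d+) ([\d,]+)", s):
            port["primary"], port["vlans"] = int(m[1]), {int(v) for v in m[2].split(",")}
        elif m := re.fullmatch(r"switchport access vlan (\d+)", s):
            port["vlans"] = {int(m[1])}
    return vlans, ports

def inactive_ports(vlans, ports):
    """Access ports assigned to a VLAN that is part of a private-VLAN configuration."""
    return sorted(n for n, p in ports.items() if p["role"] == "access" and p["vlans"] & set(vlans))

def can_talk(a, b, vlans, ports):
    """Layer 2 reachability: promiscuous reaches mapped secondaries, hosts need a shared community."""
    pa, pb = ports[a], ports[b]
    roles, shared = {pa["role"], pb["role"]}, pa["vlans"] & pb["vlans"]
    if {a, b} & set(inactive_ports(vlans, ports)) or pa["primary"] != pb["primary"]:
        return False  # inactive port, or ports in different (private-)VLAN domains
    if "promiscuous" in roles:
        return roles == {"promiscuous"} or bool(shared)
    return bool(shared) and (roles == {"access"} or all(vlans.get(v) == "community" for v in shared))
```

Running `inactive_ports(*parse(SAMPLE))` on a real configuration excerpt is a quick way to spot ports that were left behind as plain access ports when a VLAN was converted to a private-VLAN primary.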
08-06-2012 03:57 PM
Thanks Edison.
I finally got it.
08-07-2012 06:45 AM
Thanks for the rating and glad to see you around once again. Take care.
12-11-2012 10:32 AM
Hi Sarahr202,
I also have the exact same question.
Can hosts attached to switch ports (on the same switch) that are NOT part of the Private Vlan configuration communicate with ............. WHO?
Also, if the uplink port is configured in promiscuous mode, will this same switchport forward and receive non-Private VLAN frames?
Thanks
Frank
sarahr202 wrote:
Thanks Edison.
I understand the role of community and isolated VLANs and of a port in promiscuous mode.
But if the port is not promiscuous either, it is just in the primary VLAN, e.g.:
int f1/1
 switchport access vlan 2
vlan 2
 private-vlan primary
As shown above, f1/1 is simply an access port assigned to VLAN 2. This port is not configured as a promiscuous, community or isolated port.
Now my question is: will a host connected to f1/1 be able to communicate with hosts connected in a community or isolated VLAN?