Private VLANs: Isolated VLAN Reuse/Multi-use, is it doable & advisable?

dmarekatc
Level 1

Two part question regarding Private Vlanning, of which I could probably find out much of this in the lab on my own but thought I'd seek input here first from those of you with greater familiarity on the topic.

If you have a single isolated private VLAN defined, can you elect to associate it with multiple primary VLANs? E.g. rather than having to create an isolated (secondary) VLAN per primary VLAN, thus doubling the number of VLANs defined overall, all of which are carrying out the exact same function (preventing L2 traffic between any other isolated port), can that single isolated VLAN be "reused" / associated to each primary?

The use case as an example would be a 6500 and X number of (primary) vlans, all of which have a SVI in the 6500 as well or may have a separate L3 device off of the 6500 handling the routing.  Obviously if X is very large, it'd be nice to have to only create one additional vlan for isolation purposes, used in all the (primary) vlan segments throughout the switch(es).

Now, pending the answer on the first part: if that can be done, is that the advisable route to go / is it in fact the intended design? Are there any caveats or benefits to be aware of? E.g. a single isolated VLAN for all primary VLANs (X+1), versus an isolated VLAN per primary VLAN (X*2). One area that comes to mind would be the interaction of L3 devices that are also doing dot1Q trunking and may or may not understand private VLANs. I suppose conversely, if you did do a one-for-one, isolated-to-primary, what is that impact (beyond the number of VLANs needed)?

Any applicable thoughts, comments, or insight is appreciated - Thank you.

(As I finish writing the above, I suppose the same could be asked of community VLANs: could those also be pinned to multiple primary VLANs, etc.?)

2 Replies

joan.pijpker
Level 1

Hi Dmarekatc,

As far as I know you can only connect one isolated vlan to one primary vlan and vice versa. So yes, you are in fact doubling the number of vlans you have.

Regards, Joan.
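As an added illustration of the layout Joan describes (this is example configuration, not from the original thread), here is the one-isolated-VLAN-per-primary (X*2) design on a Cisco IOS switch, with SVIs on the switch acting as the routed, promiscuous side. VLAN IDs, interface names and addresses are constructed placeholders.

```cisco
! Added example (not from the thread): one isolated VLAN per primary VLAN.
! VLAN IDs, interface names and IP addresses are constructed placeholders.
!
! VTP versions 1 and 2 do not propagate private VLANs, so run transparent mode.
vtp mode transparent
!
! Primary VLAN 100 paired with its own isolated VLAN 101
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
!
! Primary VLAN 200 paired with its own isolated VLAN 201.
! A secondary VLAN is associated with exactly one primary, so 101 is not reused here.
vlan 200
 private-vlan primary
 private-vlan association 201
vlan 201
 private-vlan isolated
!
! Host ports: members of an isolated VLAN cannot exchange L2 traffic with each
! other; they reach only the promiscuous ports / SVI of their primary VLAN.
interface GigabitEthernet1/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet1/2
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! SVIs route for each primary; map the secondary VLAN so isolated hosts can reach
! the gateway (the SVI behaves like a promiscuous port).
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 101
interface Vlan200
 ip address 198.51.100.1 255.255.255.0
 private-vlan mapping 201
!
! Checks: confirm the primary/secondary pairings and per-port membership.
! show vlan private-vlan
! show interfaces GigabitEthernet1/1 switchport
```

`show vlan private-vlan` lists each primary with its associated secondary VLANs and the ports in each, which is the quickest way to confirm that every primary has exactly one isolated VLAN and that no host port ended up in the wrong pairing.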

Thanks for the reply Joan!

I too am familiar with a primary VLAN being able to have only a single isolated VLAN assigned to it; I just didn't see anything specific that said that same isolated VLAN couldn't be applied to other primaries at the same time as well (the vice versa, if you will).

Do you have a document link where you found that information explicitly noted, or did you just already attempt to do this?

I'm hoping that's not really the case, since the doubling aspect would really impact the number of active VLANs that could be created. While the available numbers may go from 2-4096 (with a few numbers excluded) on most switches, typically the number of active VLANs possible in a given switch at any one time is much less, especially in access-layer class switches. (Unless somehow secondary VLANs don't count towards that limit? Which would seem doubtful.)

Regards,

-Marek
