Private VLANs promiscuous port tagging

riad1990new
Level 1

Hello Cisco community,

I'm trying to understand how tagging works with a promiscuous port in a private VLAN. What I'm trying to understand is how traffic for a (regular) promiscuous port is treated/tagged, not "promiscuous trunk ports".

To my understanding, regular promiscuous ports are typically connected to a layer three device, such as a router, which I think means that these frames should not be tagged with any primary or secondary VLAN tags. Is that correct? If that's the case, then how does the switch map incoming/downstream frames from the router to the correct secondary VLAN (isolated or community) ports?


7 Replies

M02@rt37
VIP

Hello @riad1990new 

In a PVLAN setup, a regular promiscuous port is usually connected to a L3 device. Frames leaving this port are typically untagged because the L3 device doesn't use VLAN tags. The switch relies on the primary VLAN associated with the promiscuous port.

When the switch receives frames from the router on the promiscuous port, it uses the primary VLAN tag to determine the destination VLAN within the PVLAN. The switch then forwards the frame to the appropriate secondary VLAN based on the mapping configured for the primary VLAN.

This mapping determines which secondary VLANs are allowed to communicate with each other through the promiscuous port.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Thank you, but I'm not sure I understand. You said "L3 devices don't use VLAN tags", and you said "When the switch receives frames from the router on the promiscuous port, it uses the primary VLAN tag to determine the destination VLAN within the PVLAN."

How does it use the primary VLAN tag to determine to which community or isolated port to forward frames if traffic is untagged over that link to the layer 3 device?

Thanks,

Riad.

@riad1990new 

In the context of a PVLAN setup with a promiscuous port connected to a L3 device, the frames leaving the L3 device through the promiscuous port are typically untagged. The switch uses the primary VLAN associated with the promiscuous port to determine the destination VLAN within the PVLAN.

The switch maintains a mapping between the primary VLAN and the corresponding secondary VLANs (community and isolated VLANs). Even though the frames from the router are untagged, the switch uses the knowledge of the primary VLAN to forward the frames to the correct secondary VLANs based on the configured mapping.

In essence, the switch leverages the association between the primary VLAN and secondary VLANs to determine where to forward the untagged frames received from the promiscuous port.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Thanks for confirming. So, I guess the switch will simply use the destination MAC address to determine which isolated/community ports to forward the incoming frames from a router.

Hello
PVLANs provide a way of segregating devices within a subnet.
Ports that are designated as promiscuous are mapped to all VLANs (primary/community/isolated) in a PVLAN, with all other ports being associated to a community or isolated VLAN and the primary VLAN.

This allows promiscuous port(s) to speak to all other hosts (community/isolated) plus any other promiscuous hosts and non-PVLAN hosts.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
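As an added example (not code from the thread or from Cisco), here is a small model of the forwarding behaviour described in the accepted answer above (destination MAC lookup) and in Paul's reply (promiscuous ports mapped to all VLANs, host ports to one secondary VLAN). The MAC table is keyed on the primary VLAN, which is why an untagged frame from the router still reaches the right isolated or community port; port names, VLAN IDs and MAC addresses are constructed.

```python
# Added example, not from the thread: model of how a switch forwards an untagged
# frame arriving on a private-VLAN promiscuous port. The MAC table is keyed on
# the primary VLAN, so the router's untagged frames are looked up there and sent
# to the right host port; PVLAN rules only restrict host-to-host traffic.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"

@dataclass
class Port:
    name: str
    kind: str                        # promiscuous, isolated or community
    secondary: Optional[int] = None  # secondary VLAN of a host port

@dataclass
class PrivateVlan:
    primary: int
    ports: Dict[str, Port] = field(default_factory=dict)
    mac_table: Dict[str, str] = field(default_factory=dict)  # MAC -> port, one table for the primary VLAN

    def allowed(self, src: Port, dst: Port) -> bool:
        """Isolation rules: promiscuous talks to all; isolated only to promiscuous;
        community to promiscuous and to its own community."""
        if PROMISCUOUS in (src.kind, dst.kind):
            return True
        return src.kind == dst.kind == COMMUNITY and src.secondary == dst.secondary

    def forward(self, in_port: str, src_mac: str, dst_mac: str) -> List[str]:
        """Return the egress ports for an untagged frame received on in_port."""
        src = self.ports[in_port]
        self.mac_table[src_mac] = in_port        # learning happens in the primary VLAN
        out = self.mac_table.get(dst_mac)
        if out is not None and out != in_port:   # known unicast: one egress port
            targets = [self.ports[out]]
        else:                                    # unknown unicast / broadcast: flood
            targets = [p for n, p in self.ports.items() if n != in_port]
        return [p.name for p in targets if self.allowed(src, p)]

def build_example() -> PrivateVlan:
    """Constructed topology: router on promiscuous Gi0/1, isolated hosts on
    Gi0/2-3 (VLAN 101), community hosts on Gi0/4-5 (VLAN 102), primary VLAN 100."""
    pv = PrivateVlan(primary=100)
    for p in (Port("Gi0/1", PROMISCUOUS), Port("Gi0/2", ISOLATED, 101),
              Port("Gi0/3", ISOLATED, 101), Port("Gi0/4", COMMUNITY, 102),
              Port("Gi0/5", COMMUNITY, 102)):
        pv.ports[p.name] = p
    return pv
```

Once an isolated host has sent a frame towards the router, `build_example().forward("Gi0/1", router_mac, host_mac)` returns only that host's port, while a frame between two isolated hosts returns an empty list.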

riad1990new
Level 1

Thanks Paul, I'm familiar with these statements, but my question is how?

If the promiscuous port is connected to a router, then traffic is most likely untagged, but then how would the switch differentiate between the incoming traffic of different secondary VLANs (community and isolated)?

If the promiscuous port is connected to a router over a trunk link, where 802.1Q tags are utilized, then the switch shouldn't have a problem distinguishing between each secondary VLAN's traffic.

That's what I'm trying to find out, and I don't have access to a lab where I can test this.

Thanks,
Riad.

Hello
TBH the router doesn't care what switchport it's connected to (tagged/untagged) - it's the switch at a layer 2 level that decides how the frame is switched based on the L2 header (tagged/untagged), and with PVLAN the promiscuous port is tagged with the primary VLAN, whatever that may be.



Kind Regards
Paul