Private Vlans- sw access vlan

tsmarcyes
Level 1

When configuring a host port with private VLANs, you specify it as a private VLAN host port and then you do the association. However, my question is: are there any changes in the actions of the ports if you configure the access VLAN (switch access vlan x)? When doing a "show int x/x switchport", it shows the access VLAN as either isolated or community; however, the association seems to be the real determining factor in how communication is achieved.

For instance, let's say VLAN 10 is my primary, 11 my community, 12 my isolated. If I do sw mode private-vlan host, sw private-vlan assoc 10 11 on both of my ports, YET configure "sw access vlan 12" on the port, I get the below. My two devices communicate, which I'm assuming is because of the private VLAN association. All is working well. However, does configuring the access VLAN, and does the line below, "Access Mode VLAN: 12 (isolated)", mean anything?

Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 12 (isolated)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 10 (VLAN00010) 11 (VLAN00011)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none


Peter Paluch
Cisco Employee

Hello,

It has often been confusing that the switchports on Catalyst switches may at the same time be configured with a bunch of commands related to trunking, to access mode, even to private VLANs.

The key point to remember here is that while there can be commands for different operation modes present in the configuration of a single interface, only those commands are in effect that apply to the current operating mode. Take, for example, the following configuration:

interface FastEthernet 0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 50
 switchport trunk allowed vlan 1-100
 switchport access vlan 40
 switchport private-vlan host-association 70 80
 switchport private-vlan mapping 70 90

The question now is: what commands apply and which don't?

The answer is really very simple: it all depends on the switchport mode command:

  • If the switchport mode trunk is added, then only the switchport trunk ... commands are in effect. All others are ignored.
  • If the switchport mode access is added, then only the switchport access ... commands are in effect. All others are ignored.
  • If the switchport mode private-vlan host is added, then only the switchport private-vlan host-association ... commands are in effect. All others are ignored.
  • If the switchport mode private-vlan promiscuous is added, then only the switchport private-vlan mapping ... commands are in effect. All others are ignored.

To sum it up - if there is a command of the form switchport mode XXX present on the switchport then only the commands switchport XXX ... are in effect (XXX being "access", "trunk", "private-vlan").

Thus, the configurations do not add up or mix. They are simply present, waiting to "jump" into action depending on the current operation mode of the interface.

Best regards,

Peter
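
The rule in the reply above, applied as a configuration audit so that leftover lines are not mistaken for the isolation actually in force. This is an added example, not part of the original posts; the interface names and sample configuration are constructed, and it assumes running-config text with unabbreviated commands.

```python
# Added example: classify per-interface switchport lines as active or dormant.
FAMILY_FOR_MODE = {  # the mode-to-command-family rule stated in the reply above
    "trunk": "switchport trunk ",
    "access": "switchport access ",
    "private-vlan host": "switchport private-vlan host-association ",
    "private-vlan promiscuous": "switchport private-vlan mapping ",
}
FAMILIES = tuple(FAMILY_FOR_MODE.values())

# Constructed sample input (interface names are made up); Gi0/1 mirrors the question.
SAMPLE = """\
interface GigabitEthernet0/1
 switchport access vlan 12
 switchport private-vlan host-association 10 11
 switchport mode private-vlan host
!
interface GigabitEthernet0/2
 switchport access vlan 40
 switchport trunk native vlan 50
 switchport private-vlan mapping 70 90
 switchport mode access
"""

def audit(config_text):
    """Map interface -> {'mode', 'active', 'dormant'} for the four command families."""
    report, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"mode": None, "active": [], "dormant": [], "_lines": []}
            report[line.split(None, 1)[1]] = current
        elif current is None:
            continue
        elif line.startswith("switchport mode "):
            current["mode"] = line[len("switchport mode "):]
        elif line.startswith(FAMILIES):
            current["_lines"].append(line)
    for entry in report.values():
        live = FAMILY_FOR_MODE.get(entry["mode"])
        for line in entry.pop("_lines"):
            # Without a recognised mode line the rule cannot be applied: classify nothing.
            if live is not None:
                entry["active" if line.startswith(live) else "dormant"].append(line)
    return report

if __name__ == "__main__":
    for name, entry in audit(SAMPLE).items():
        print(name, "mode:", entry["mode"])
        for line in entry["dormant"]:
            print("  dormant:", line)
```

Interfaces with no explicit `switchport mode` line are left unclassified, because the reply's rule only covers the four explicit modes.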
