Private VLANs

marshallqqqq
Level 1

Hello,

I hope I am posting this in the right place, but I have some issues with understanding private VLANs.

In my network I have a 3560 connected to a 2950, and soon a 2960.

3560 Configuration:

!
vlan 10
  private-vlan primary
  private-vlan association 50
!
vlan 50
  private-vlan isolated
!
vlan 100
 name DMZ2
!
interface GigabitEthernet0/1
 switchport private-vlan host-association 10 50
 switchport mode private-vlan host
! GigabitEthernet0/2 through 0/13 are configured identically, up to and including:
interface GigabitEthernet0/14
 switchport private-vlan host-association 10 50
 switchport mode private-vlan host
!
interface GigabitEthernet0/15
 switchport private-vlan mapping 10 50
 switchport mode private-vlan promiscuous
 speed 1000
 duplex full
!
interface GigabitEthernet0/16
 switchport private-vlan mapping 10 50
 switchport mode private-vlan promiscuous
 speed 1000
 duplex full
!
interface GigabitEthernet0/21
 description VLAN100
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/22
 description VLAN100
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/23
 description VLAN100
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/24
 description VLAN100
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 speed 1000
 duplex full
!
!
interface Vlan1
 no ip address
!
interface Vlan100
 ip address 10.0.10.240 255.255.255.0
!
ip default-gateway 10.0.10.241
!

Now, with the upcoming addition of a 2960, I wonder the following: should I make a trunk for this, or can I just do something like this:

3560:
!
interface GigabitEthernet0/20
 switchport private-vlan host-association 10 50
 switchport mode private-vlan host
!

2960:

!
vlan 50
  private-vlan primary
  private-vlan association 61
!
vlan 61
  private-vlan isolated
!
! uplink port towards the 3560
interface GigabitEthernet0/16
 switchport private-vlan mapping 50 61
 switchport mode private-vlan promiscuous
!
! access ports (GigabitEthernet0/1 and the rest)
interface GigabitEthernet0/1
 switchport private-vlan host-association 50 61
 switchport mode private-vlan host
!

With the above configuration I would make the 3560 port towards the 2960 an isolated private VLAN port. Then, on the 2960 side, I would add a promiscuous port with VLAN 50 as the primary VLAN, which is the isolated VLAN of the 3560. Then, to make all the ports on the 2960 private, I would create a new isolated VLAN 61.

My idea is that traffic from the 2960 goes from isolated VLAN 61 (on the 2960) > primary 50 > isolated 50 (now on the 3560) > primary 10. Can someone tell me if it works like this?

I cannot access the already configured 2950, but the 3560 port configured for the link to it is an isolated port (Gi0/5). It also reports a native VLAN mismatch (which I think could be solved by changing the native VLAN on the 2950). So I cannot use the 2950 as an example because I cannot access it, though I believe it has just a default configuration (i.e. a password and not much else).

Hopefully it is a bit clear what I am asking.

Thanks in advance,

Ralph

1 Accepted Solution

Peter Paluch
Cisco Employee

Hello Ralph,

Neither the 2950 nor the 2960 series switches actually support Private VLANs. If they supported Private VLANs, then you would interconnect them with a completely usual, ordinary trunk port. As each switch would be configured with an identical VLAN database (primary and secondary VLANs and their types), each switch would correctly handle the frames. Unfortunately, things are not going to be that easy without PVLAN support on the 2950/2960.

Also, the manipulation of the VLAN IDs as you suggested (61->50->50->10) is not correct for Private VLANs. The secondary VLAN ID is maintained throughout the entire switched domain and always remains the same: it gets set when a frame first enters a private-vlan host port and stays that way. The primary VLAN ID is used only when a frame came in through the promiscuous port, so that all switches know that this particular frame is to be delivered to every port in each associated secondary VLAN.

The problem now is that you cannot maintain the isolation of the secondary VLANs on the 2950/2960 switches. Essentially, these VLANs can be extended to the 2950/2960 switches, but on them they will lose all their private VLAN capabilities and features and become ordinary VLANs.

If all you need is to extend an isolated VLAN then I suggest the following:

  1. On the 3560, make the port towards the 2950/2960 a private-vlan host port in an isolated VLAN.
  2. On the 2950/2960, make the port towards the 3560 an access port in the appropriate VLAN.
  3. On the 2950/2960, furthermore, configure all remaining ports as access ports and, in addition, use the command switchport protected on all of them to prevent one such port from communicating with another. Do not use this command on the uplink towards the 3560.

This way, you can extend an isolated VLAN to a switch that does not support isolated VLANs. Similarly, you can extend a single (not multiple) community VLAN onto the 2950/2960; the only difference would be in not using the switchport protected command on the 2950/2960. However, you cannot extend multiple community VLANs onto a 2950/2960 switch because it will not be capable of handling them properly (it has no concept of a primary VLAN, and if a frame came in marked with the primary VLAN ID, the switch would not replicate it on all ports in the secondary VLANs as it is supposed to do).

This might be a bit confusing. I have had my own share of misunderstanding the PVLAN feature. Feel free to ask further!

Best regards,

Peter

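Peter's three steps written out as configuration, as an added example that is not part of the original thread. It reuses Ralph's existing VLAN database on the 3560 (primary 10, isolated 50) and the port numbers Ralph proposed for the new link (3560 Gi0/20 towards the 2960, 2960 Gi0/16 as the uplink); the 2960 host-port range Gi0/1 - 15 and the VLAN name are assumptions for illustration. Note what is different from Ralph's draft: the 2960 has no private-vlan commands at all, VLAN 50 is an ordinary VLAN there, and the per-port isolation comes from `switchport protected`.

```cisco
! ===== 3560 (supports Private VLANs) =====
! Existing PVLAN database, unchanged: primary 10 associated with isolated 50.
vlan 10
  private-vlan primary
  private-vlan association 50
!
vlan 50
  private-vlan isolated
!
! Step 1: the link to the 2960 is an isolated HOST port, not a trunk.
! Frames from the 2960 therefore enter isolated VLAN 50 and can only be
! delivered to the promiscuous ports (Gi0/15, Gi0/16), never to the other
! isolated host ports Gi0/1 - 14.
interface GigabitEthernet0/20
 description Link to 2960 (extended isolated VLAN 50)
 switchport private-vlan host-association 10 50
 switchport mode private-vlan host
!
! ===== 2960 (no Private VLAN support) =====
! Step 2: VLAN 50 exists here only as an ordinary VLAN (assumed name).
vlan 50
 name ISOLATED-EXT
!
! Uplink to the 3560: a plain access port in VLAN 50. It must NOT be
! protected, otherwise the protected host ports could not reach it.
interface GigabitEthernet0/16
 description Uplink to 3560 Gi0/20
 switchport access vlan 50
 switchport mode access
 switchport nonegotiate
!
! Step 3: every remaining port is an access port in VLAN 50 with
! "switchport protected", so no two of these ports can exchange frames
! on this switch; the only exit for their traffic is the uplink.
! (Port range is an assumption; adjust to the actual 2960 model.)
interface range GigabitEthernet0/1 - 15
 description Extended isolated host port
 switchport access vlan 50
 switchport mode access
 switchport nonegotiate
 switchport protected
!
! ===== Verification =====
! 3560: Gi0/20 should be listed with the other host ports of 10/50.
show vlan private-vlan
show interfaces GigabitEthernet0/20 switchport
! 2960: host ports should show "Protected: true", the uplink "Protected: false".
show interfaces GigabitEthernet0/1 switchport
show interfaces GigabitEthernet0/16 switchport
```

Two caveats a practitioner should keep in mind. First, `switchport protected` only blocks traffic between protected ports on the same switch; if a further switch were hung off one of the 2960 host ports, its hosts would not be isolated from each other or from the other 2960 hosts, because that second switch sees ordinary VLAN 50 traffic. Second, since VLAN 50 on the 2960 carries no private-VLAN semantics, the isolation there depends entirely on every host port carrying `switchport protected`; a single host port without it can talk to all the others, so the verification step above is worth repeating after any port change.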

3 Replies

Thanks a lot Peter, you basically told me everything I wanted to know. Glad I posted my question here.

Ralph,

Thank you very much. You will always be heartily welcome here on NetPro.

Best regards,

Peter
