
Tuesday, June 20, 2017

Partition Layer 2 Broadcast Domain of a VLAN by Configuring PVLANs

A PVLAN (Private VLAN) partitions the layer 2 broadcast domain of a VLAN into sub-domains. This is useful when devices need to be in the same VLAN (same IP range) but you need to control which of them can talk to each other.

There are 3 types of VLANs involved when we configure PVLANs:

1) Primary VLANs
2) Isolated VLANs
3) Community VLANs

The Primary VLAN is the normal VLAN we create. It is the parent broadcast domain, which we later partition using Isolated & Community VLANs; these are called Secondary (or Sub) VLANs.

There are 3 types of ports, named after the type of VLAN assigned to them:

1) Promiscuous ports - the Primary VLAN is assigned
2) Isolated ports - an Isolated VLAN is assigned
3) Community ports - a Community VLAN is assigned

The concept is simple:
A Promiscuous port can communicate with any other port (Isolated or Community).
An Isolated port can communicate only with Promiscuous ports. It cannot communicate with other Isolated ports, not even those in the same Isolated VLAN.
A Community port can communicate with Promiscuous ports and with the other Community ports in the same Community VLAN only.

Let's see the configuration..

Here I am going to create;
Primary VLAN (100)
Isolated VLAN (200)
Community VLANs
- Community-A (VLAN 300)
- Community-B (VLAN 400)

Note:- VTP versions 1 and 2 do not support private VLANs, so a switch running VTPv1 or VTPv2 must be set to VTP transparent mode before PVLANs can be configured. Only VTPv3 can carry PVLAN configuration.

Also note that not every Cisco switch supports PVLANs.

Configuration of the Community VLANs
SW(config)#vlan 400
SW(config-vlan)#private-vlan community
SW(config)#vlan 300
SW(config-vlan)#private-vlan community

Configuration of the Isolated VLANs
SW(config)#vlan 200
SW(config-vlan)#private-vlan isolated

Configuration of the Primary VLAN
SW(config)#vlan 100
SW(config-vlan)#private-vlan primary
SW(config-vlan)#private-vlan association 200,300,400

Configuration of the Promiscuous port
SW(config)#int e0/0
SW(config-if)#switchport mode private-vlan promiscuous
SW(config-if)#switchport private-vlan mapping 100 200,300,400

Configuration of the Isolated ports
SW(config)#int range e0/1-2
SW(config-if-range)#switchport mode private-vlan host
SW(config-if-range)#switchport private-vlan host-association 100 200

Configuration of the Community-A ports
SW(config)#int range e1/1-2
SW(config-if-range)#switchport mode private-vlan host
SW(config-if-range)#switchport private-vlan host-association 100 300

Configuration of the Community-B ports
SW(config)#int range e2/1-2
SW(config-if-range)#switchport mode private-vlan host
SW(config-if-range)#switchport private-vlan host-association 100 400

Show commands to verify the PVLAN configuration:
SW#show vlan private-vlan
SW#show int e0/0 switchport

Now you can test the connectivity after assigning the PCs IP addresses in the same range.

Note:-

The default gateway (a router) must always be connected to the Promiscuous port, since that is the only port every PC can reach. But a router on the Promiscuous port also opens a way around the PVLAN rules: a PC can address a packet to another PC in the same subnet while framing it to the router's MAC address (for example via a static ARP entry), and the router will route it straight back out the same interface to the destination. This hair-pinning bends the rules of PVLANs.
It means all the PCs can communicate with each other through the default gateway router, much like router-on-a-stick inter-VLAN routing.
You can stop this by applying an inbound ACL on the router interface that denies traffic sourced from the subnet and destined to the same subnet, while still permitting traffic addressed to the router itself (otherwise the PCs lose their gateway).
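To make the forwarding rules above and the hair-pinning bypass concrete, here is an added example (not from the original post) that models them in Python. It uses the port and VLAN plan from this post; the 192.168.100.0/24 addressing, the host IPs and the gateway at .1 are assumptions made for the illustration, and the ACL is an IOS-style first-match list of (action, source, destination).

```python
"""Model of private VLAN forwarding plus the router hair-pinning bypass.

Added example, not code from the original post.  The interface names and
VLAN numbers follow the post; the IP addressing is assumed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

PRIMARY_VLAN = 100


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                  # "promiscuous" | "isolated" | "community"
    secondary: Optional[int]   # secondary VLAN for host ports, None for promiscuous


# Topology from the post: e0/0 promiscuous, e0/1-2 isolated 200,
# e1/1-2 community 300, e2/1-2 community 400.
PORTS: Dict[str, Port] = {
    "e0/0": Port("e0/0", "promiscuous", None),
    "e0/1": Port("e0/1", "isolated", 200),
    "e0/2": Port("e0/2", "isolated", 200),
    "e1/1": Port("e1/1", "community", 300),
    "e1/2": Port("e1/2", "community", 300),
    "e2/1": Port("e2/1", "community", 400),
    "e2/2": Port("e2/2", "community", 400),
}

# Assumed addressing: router on e0/0 is the gateway, one PC per host port.
SUBNET = IPv4Network("192.168.100.0/24")
GATEWAY = IPv4Address("192.168.100.1")
HOST_IP: Dict[str, IPv4Address] = {
    "e0/1": IPv4Address("192.168.100.11"), "e0/2": IPv4Address("192.168.100.12"),
    "e1/1": IPv4Address("192.168.100.21"), "e1/2": IPv4Address("192.168.100.22"),
    "e2/1": IPv4Address("192.168.100.31"), "e2/2": IPv4Address("192.168.100.32"),
}


def l2_forwards(src: Port, dst: Port) -> bool:
    """Can a frame entering on src be forwarded out dst inside the PVLAN?"""
    if src is dst:
        return False
    # Promiscuous ports exchange frames with every port of the primary VLAN.
    if src.mode == "promiscuous" or dst.mode == "promiscuous":
        return True
    # Isolated ports never reach another host port, even in the same isolated VLAN.
    if src.mode == "isolated" or dst.mode == "isolated":
        return False
    # Community ports reach each other only within the same community VLAN.
    return src.secondary == dst.secondary


def reachability_matrix() -> Dict[Tuple[str, str], bool]:
    """Layer 2 reachability for every ordered pair of distinct ports."""
    return {(a, b): l2_forwards(PORTS[a], PORTS[b])
            for a in PORTS for b in PORTS if a != b}


# IOS-style ACL applied inbound on the router interface: first match wins,
# implicit deny at the end.  The permit to the gateway itself must come
# before the subnet-to-subnet deny, or the PCs lose their default gateway.
ANY = IPv4Network("0.0.0.0/0")
Acl = List[Tuple[str, IPv4Network, IPv4Network]]
NO_HAIRPIN_ACL: Acl = [
    ("permit", SUBNET, IPv4Network(str(GATEWAY) + "/32")),
    ("deny", SUBNET, SUBNET),
    ("permit", ANY, ANY),
]


def acl_permits(acl: Acl, src_ip: IPv4Address, dst_ip: IPv4Address) -> bool:
    for action, src_net, dst_net in acl:
        if src_ip in src_net and dst_ip in dst_net:
            return action == "permit"
    return False  # implicit deny


def hairpin_reachable(src_port: str, dst_port: str, acl: Optional[Acl] = None,
                      router_port: str = "e0/0") -> bool:
    """Packet from the PC on src_port, addressed to the PC on dst_port but framed
    to the router's MAC.  The switch delivers it to the promiscuous port and the
    router, unless an ACL stops it, routes it back out the same interface."""
    src, dst, router = PORTS[src_port], PORTS[dst_port], PORTS[router_port]
    if not l2_forwards(src, router):
        return False
    if acl is not None and not acl_permits(acl, HOST_IP[src_port], HOST_IP[dst_port]):
        return False
    return l2_forwards(router, dst)
```

Without the ACL, `hairpin_reachable("e0/1", "e0/2")` is true even though `l2_forwards` between the two isolated ports is false; with `NO_HAIRPIN_ACL` applied the bypass is closed while `acl_permits` still allows the PCs to reach the gateway and any address outside the subnet.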
