
Private VLAN

September 14th, 2017 in SWITCH 300-115

Quick review:

The main purpose of a Private VLAN (PVLAN) is to isolate hosts at Layer 2 instead of Layer 3. A VLAN is a broadcast domain; a PVLAN splits that domain into several smaller broadcast domains. For example, without PVLAN, a service provider that wants to increase security by isolating customers into separate domains so that they cannot reach each other has to assign them to different VLANs and use different subnets. This wastes IP addresses and makes VLAN management harder. Private VLANs (PVLANs) solve this problem by isolating devices at Layer 2 within the same subnet. A PVLAN can be thought of as “VLANs inside a VLAN”.

There are three types of ports in PVLAN:

* Isolated: communicates only with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only one isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in the PVLAN can reach the outside.
* Community: can communicate with other members of the same community and with promiscuous ports, but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.

[Figure: PVLAN_Promiscuous_Community_Isolated.jpg]

For example, in the topology above:

+ Host A cannot communicate with Hosts B, C, D, E and F. It can only communicate with the promiscuous port that leads to the router. Notice that even two isolated ports in the same VLAN cannot communicate with each other.

+ Host C can communicate with Host D because they are in the same community, but Host C cannot communicate with E and F because they are in a different community.

+ All hosts can reach the outside through the promiscuous port.
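The forwarding rules in the three bullet points and the topology walk-through above, as an added Python example that is not part of the original page. The model encodes the rule for each port type and evaluates it over a constructed topology with the same hosts (A and B isolated, C and D in one community, E and F in another, the router on the promiscuous port). The VLAN numbers are those of the sample configuration later on the page; the name "Router" and the function names are assumptions of this example.

```python
# Added example (not from the original page): a model of private-VLAN
# Layer-2 forwarding rules, evaluated over a constructed topology that mirrors
# the figure.  Host letters, VLAN ids and the name "Router" are assumptions.
from typing import Dict, NamedTuple, Optional, Set

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"

class Port(NamedTuple):
    name: str
    kind: str                        # promiscuous | isolated | community
    secondary: Optional[int] = None  # secondary VLAN id; None for promiscuous

def can_reach(src: Port, dst: Port) -> bool:
    """May a frame entering on src be forwarded out of dst?"""
    if src.name == dst.name:
        return False                  # a port is not its own peer
    if src.kind == PROMISCUOUS or dst.kind == PROMISCUOUS:
        return True                   # promiscuous ports exchange frames with every port
    if src.kind == ISOLATED or dst.kind == ISOLATED:
        return False                  # isolated ports reach nothing except promiscuous ports
    return src.secondary == dst.secondary  # community ports: same community VLAN only

# Constructed topology: router on the promiscuous port, A/B isolated (VLAN 101),
# C/D in community VLAN 102, E/F in community VLAN 103.
PORTS: Dict[str, Port] = {p.name: p for p in [
    Port("Router", PROMISCUOUS),
    Port("A", ISOLATED, 101), Port("B", ISOLATED, 101),
    Port("C", COMMUNITY, 102), Port("D", COMMUNITY, 102),
    Port("E", COMMUNITY, 103), Port("F", COMMUNITY, 103),
]}

def reachable_from(name: str, ports: Dict[str, Port] = PORTS) -> Set[str]:
    """Names of every port that frames from `name` can reach."""
    src = ports[name]
    return {dst.name for dst in ports.values() if can_reach(src, dst)}

def matrix(ports: Dict[str, Port] = PORTS) -> Dict[str, Set[str]]:
    """Full reachability table, one row per port."""
    return {name: reachable_from(name, ports) for name in ports}

def is_symmetric(ports: Dict[str, Port] = PORTS) -> bool:
    """Sanity check: PVLAN reachability is bidirectional, so the table must be symmetric."""
    table = matrix(ports)
    return all(a in table[b] for a, row in table.items() for b in row)

if __name__ == "__main__":
    for name, peers in matrix().items():
        print(f"{name:>6} -> {', '.join(sorted(peers)) or '(nothing)'}")
```

The table this prints matches the three bullets: A and B reach only the router, C and D reach each other and the router, and the router reaches everyone. The model covers Layer 2 only: the router on the promiscuous port sees every host in one subnet and can still route between two isolated hosts if it is configured to do so, which is why PVLAN isolation is normally paired with filtering on the gateway.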

Also worth mentioning are the concepts of “primary VLAN” and “secondary VLAN”. A PVLAN can have only one primary VLAN; all VLANs in a PVLAN domain share the same primary VLAN. Secondary VLANs are the isolated and community VLANs.

[Figure: PVLAN_Primary_VLAN_Secondary_VLAN.jpg]

Configuration of PVLAN:

1. Set VTP mode to transparent
2. Create the secondary (isolated and community) VLANs and the primary VLAN
3. Associate the secondary VLANs with the primary VLAN
4. Configure interfaces as promiscuous interfaces
5. Configure interfaces as isolated or community interfaces

Sample configuration using the topology above:

//First set VTP to transparent mode
Switch(config)#vtp mode transparent

//Create secondary VLANs
Switch(config)#vlan 101
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#vlan 102
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#vlan 103
Switch(config-vlan)#private-vlan community

//Create primary VLAN
Switch(config-vlan)#vlan 100
Switch(config-vlan)#private-vlan primary

//Associate secondary (isolated, community) VLANs with the primary VLAN
Switch(config-vlan)#private-vlan association 101,102,103

//Configure the port connected to the router as a promiscuous port, with the primary VLAN mapped to all three secondary VLANs
Switch(config)#interface f0/1
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 100 101,102,103

//Ports connected to hosts A, B, C, D, E, F are configured in host mode and assigned to the appropriate VLANs (A and B to isolated VLAN 101; C and D to community VLAN 102; E and F to community VLAN 103). The ranges do not overlap: each host port belongs to exactly one secondary VLAN.
Switch(config)#interface range f0/2 - 3 //connected to hosts A and B
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 100 101

Switch(config-if-range)#interface range f0/4 - 5 //connected to hosts C and D
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 100 102

Switch(config-if-range)#interface range f0/6 - 7 //connected to hosts E and F
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 100 103

To check the configuration, use this command:

Switch# show vlan private-vlan
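An added example, not from the page or from Cisco: a Python audit of the private-VLAN statements in an IOS running-config, covering the configuration steps above and the consistency that show vlan private-vlan otherwise lets you check only by eye. The sample running-config embedded in it is constructed and carries two deliberate mistakes: the promiscuous port is not mapped to VLAN 103 (hosts there would lose their gateway), and a host port is bound to VLAN 104, which was never associated with the primary. The function names and the wording of the findings are mine; the command syntax is the one used in the sample configuration above, and only plain comma or hyphen VLAN lists are parsed.

```python
# Added example (not from the original page or from Cisco): audit the
# private-VLAN statements of an IOS running-config for mistakes that silently
# break the design.  Function names, finding texts and the sample config are mine.
import re
from collections import defaultdict
from typing import List, Set

def expand_vlan_list(text: str) -> Set[int]:
    """Expand a plain IOS VLAN list such as '101,103-105' into a set of ids."""
    ids: Set[int] = set()
    for part in text.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ids.update(range(lo, hi + 1))
        elif part:
            ids.add(int(part))
    return ids

def parse_config(cfg: str) -> dict:
    """Collect VTP mode, VLAN types, primary->secondary associations and port bindings."""
    state = {"vtp_transparent": False, "vlan_type": {},
             "association": defaultdict(set), "ports": {}}
    ctx = None                       # ("vlan", id) or ("interface", name)
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        vlan = re.match(r"vlan (\d+)$", line)
        if line == "vtp mode transparent":
            state["vtp_transparent"] = True
        elif vlan:
            ctx = ("vlan", int(vlan.group(1)))
        elif line.startswith("interface "):
            ctx = ("interface", line.split(None, 1)[1])
            state["ports"][ctx[1]] = {"mode": None, "primary": None, "secondaries": set()}
        elif ctx and ctx[0] == "vlan" and line.startswith("private-vlan association "):
            state["association"][ctx[1]] |= expand_vlan_list(line.split(None, 2)[2])
        elif ctx and ctx[0] == "vlan" and line.startswith("private-vlan "):
            state["vlan_type"][ctx[1]] = line.split()[1]   # primary|isolated|community
        elif ctx and ctx[0] == "interface":
            port = state["ports"][ctx[1]]
            mode = re.match(r"switchport mode private-vlan (host|promiscuous)$", line)
            bind = re.match(r"switchport private-vlan (?:mapping|host-association) (\d+) (\S+)$", line)
            if mode:
                port["mode"] = mode.group(1)
            elif bind:
                port["primary"] = int(bind.group(1))
                port["secondaries"] = expand_vlan_list(bind.group(2))
    return state

def audit(state: dict) -> List[str]:
    """Return human-readable findings; an empty list means the config is consistent."""
    findings: List[str] = []
    if not state["vtp_transparent"]:
        findings.append("VTP is not in transparent mode (required with VTP version 1 or 2)")
    for primary, secs in state["association"].items():
        if state["vlan_type"].get(primary) != "primary":
            findings.append(f"VLAN {primary} carries associations but is not 'private-vlan primary'")
        for s in sorted(secs):
            if state["vlan_type"].get(s) not in ("isolated", "community"):
                findings.append(f"VLAN {s} is associated with {primary} but has no isolated/community type")
    for name, port in state["ports"].items():
        if port["mode"] is None:
            continue                  # not a private-VLAN port (e.g. an SVI)
        if port["primary"] is None:
            findings.append(f"{name}: private-vlan mode set but no mapping/host-association")
            continue
        assoc = state["association"].get(port["primary"], set())
        if port["mode"] == "host":
            bad = port["secondaries"] - assoc
            if bad:
                findings.append(f"{name}: host-association to unassociated VLAN(s) {sorted(bad)}")
        else:                         # promiscuous: must be mapped to every secondary VLAN
            missing = assoc - port["secondaries"]
            if missing:
                findings.append(f"{name}: promiscuous mapping omits secondary VLAN(s) {sorted(missing)}")
    return findings

# Constructed sample running-config with two deliberate faults: Fa0/1 is not
# mapped to VLAN 103, and Fa0/6 is bound to VLAN 104, which is not associated.
SAMPLE_CONFIG = """\
vtp mode transparent
!
vlan 100
 private-vlan primary
 private-vlan association 101,103
vlan 101
 private-vlan isolated
vlan 103
 private-vlan community
!
interface FastEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
interface FastEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface FastEthernet0/6
 switchport mode private-vlan host
 switchport private-vlan host-association 100 104
"""
FIXED_CONFIG = (SAMPLE_CONFIG.replace("mapping 100 101", "mapping 100 101,103")
                .replace("host-association 100 104", "host-association 100 103"))

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
    print("fixed config findings:", audit(parse_config(FIXED_CONFIG)))
```

Run against the output of show running-config, the audit reports the two faults above and nothing for the corrected version. It complements rather than replaces the show vlan private-vlan check: the show command tells you what the switch accepted, the audit tells you whether what it accepted matches the design.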

Question 1

Explanation

Before configuring private VLANs, we must set VTP mode to transparent because VTP versions 1 and 2 do not support private VLANs (VTP version 3 does support PVLAN). Notice that a switch in VTP transparent mode still forwards VTP updates to its neighbors.

Question 2

Explanation

There are three types of ports in PVLAN:

* Isolated: communicates only with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only one isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in the PVLAN can reach the outside.
* Community: can communicate with other members of the same community and with promiscuous ports, but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.

Question 3

Explanation

An isolated VLAN is a secondary VLAN and can communicate only with the promiscuous port. Also, there can be only one isolated VLAN per PVLAN (this isolated VLAN can be assigned to many ports, but those ports cannot communicate with each other).

Question 4

Explanation

A promiscuous port can communicate with all other ports. The default gateway is usually connected to this port so that all devices in the PVLAN can reach the outside.

Question 5

Explanation

The default gateway is usually connected to the promiscuous port so that all devices in the PVLAN can reach the outside.

Question 6

Question 7

Question 8

Comments
  1. Hamzes
    April 23rd, 2015

    Thanks, State Farm guy, for sharing

  2. Student
    May 13th, 2015

    Is this a lab on the exam or just a diagram with the questions?

  3. Anonymous
    June 15th, 2015

    Thanks for sharing State Farm guy

  4. oofus
    July 18th, 2015

    Q1, Why is the answer not D, configure VTP version 3?

    Even the explanation says this: “VTP version 3 does support PVLAN”

  5. perplexed
    July 23rd, 2015

    Q5,
    why should I configure the gateway ON the router as a promiscuous port??
    I understand Q4, because that’s the port of the switch, but the gateway is Layer 3.

  6. GnB
    July 23rd, 2015

    @perplexed, it is the gateway so everyone can go through, therefore it should be promiscuous so as to allow members of the isolated and community VLANs to go out to the internet.

  7. perplexed
    July 23rd, 2015

    @GnB
    I understand the concept that you’re trying to explain, I’d like to see the actual config for that.
    I’ve touched many routers in production networks and I’ve never seen a Layer 3 interface configured like that.
    I found the router-on-a-stick versions, with subinterfaces for different VLANs, running a trunk, but still never saw the actual need to configure the router port, the actual Layer 3 gateway, as promiscuous.

    I can’t find the command on any routed interface.

    The port on the switch that connects to the router will be promiscuous, but the port of the router will simply be a layer 3 port with an IP address part of that subnet.

    I’d love to hear more opinions, or some actual config example.

  8. GZR
    July 27th, 2015

    Is there a premium member quiz for this section?

  9. GZR
    July 27th, 2015

    Ah yes, just found the link further down the page.

  10. aolia
    August 2nd, 2015

    VCE exam simulator v3.4.2 free download for limited time

    http://www.softwaresfiles.com/index.php/2015/07/30/cisco-vce-exam-simulatorplayer/

  11. Akarim
    November 30th, 2015

    Hello all,
    Can you help me with a dumps image and with the labs for CCNP SWITCH 300-115?
    Please send me at email akarimade@yahoo.com
    Thanks all

  12. SAM
    December 5th, 2015

    @oofus

    Q#1. I was thinking the same, but nobody discussed it.

    “Q1, Why is the answer not D, configure VTP version 3?
    Even the explanation says this: ‘VTP version 3 does support PVLAN’”

  13. CCNPtaker @SAM & oofus
    December 13th, 2015

    @SAM & oofus

    I do believe both answers are correct. It depends on how the question is asked, but the question asked is also not clear. Let’s just assume that the switch isn’t capable of using VTP version 3, so the only solution left is to set the VTP mode to transparent.

  14. Slothar
    December 16th, 2015

    Q1. The answer is C. The first step to configuring Private VLANs is to switch to VTP Transparent mode. That is right out of the Cisco Software Configuration Guide.

    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swpvlan.html

  15. Anonymous
    December 28th, 2015

    Hello all,

    Can you tell me if those dumps are not valid?
    Can you send me valid dumps on mail : {email not allowed}

    Thanks,

  16. wmohammad
    March 5th, 2016

    @perplexed
    I believe you are right. The router/L3 port doesn’t need to be configured as trunk, access, isolated, community, or even promiscuous.

    But the switch/L2 port connected to the gateway device must be promiscuous as long as we have PVLANs on that switch, I guess.

  17. Ash
    March 24th, 2016

    Is this an objective question?

    Or we need to do configuration like a sim?

  18. Papan Jaka
    March 25th, 2016

    @perplexed

    wmohammad’s comment is correct

  19. gb2
    April 15th, 2016

    @slothar, that documentation is old. VTP v3 also supports PVLANs in server mode.
    “In VTP versions 1 and 2, the switch must be in VTP transparent mode when you create private VLANs and when they are configured, you should not change the VTP mode from transparent to client or server mode. VTP version 3 also supports private VLANs in client and server modes.”

    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swvtp.html

  20. Gihan
    July 9th, 2016

    Hi,

    Recently, I personally passed the CCNP ROUTE 300-101, SWITCH 300-115 and TSHOOT 300-135 exams with full marks.
    I have purchased the latest Premium VCE dumps file, which is 100% valid, and I’m giving it away at a nominal sharing cost. wanninayakegcb@gmail_com

  21. Anonymous
    August 27th, 2016

    Dear all,
    Kindly could you provide me the latest updated dumps for the CCNP ROUTE 300-101, SWITCH 300-115 and TSHOOT 300-135 exams?

  22. Маја
    October 5th, 2016

    Is this simulation? Or only issues fail on exam?

  23. Lewis
    October 12th, 2016

    @slothar, not sure what part of your link you read, but here is a little section from your link that confirms that for switches running VTP version 3, PVLANs can be configured in all modes (it isn’t compulsory to change the mode to transparent).

    – If the switch is running VTP version 1 or 2, you must set VTP to transparent mode. After you configure a private VLAN, you should not change the VTP mode to client or server. For information about VTP, see Chapter14, “Configuring VTP” VTP version 3 supports private VLANs in all modes.
    – With VTP version 1 or 2, after you have configured private VLANs, use the copy running-config startup config privileged EXEC command to save the VTP transparent mode configuration and private-VLAN configuration in the switch startup configuration file. Otherwise, if the switch resets, it defaults to VTP server mode, which does not support private VLANs. VTP version 3 does support private VLANs.
    – VTP version 1 and 2 do not propagate private-VLAN configuration. You must configure private VLANs on each device where you want private-VLAN ports unless the devices are running VTP version 3.

  24. hanzo
    October 30th, 2016

    Q1: I think C is right. VTP 3 isn’t available on all switches, so it will be better to set transparent.

  25. Baba
    November 26th, 2016

    Q3

    Which private VLAN can have only one VLAN and be a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the gateway?

    Is A really the correct answer?

    According to Wikipedia this is not the case; apparently we can have more than one isolated VLAN per PVLAN.

    https://en.wikipedia.org/wiki/Private_VLAN
    “There can be multiple Isolated VLANs in one Private VLAN domain”

  26. AXX
    December 20th, 2016

    Q3 – Conflicting information –
    Understanding Primary, Isolated, and Community Private VLANs

    Primary VLANs and the two types of secondary VLANs (isolated and community) have these characteristics:

    Primary VLAN— The primary VLAN carries traffic from the promiscuous ports to the host ports, both isolated and community, and to other promiscuous ports.

    Isolated VLAN —An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports. *****You can configure multiple isolated VLANs in a private VLAN domain; all the traffic remains isolated within each one. Each isolated VLAN can have several isolated ports, and the traffic from each isolated port also remains completely separate.
    Community VLAN—A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port and to other host ports in the same community. You can configure multiple community VLANs in a private VLAN domain. The ports within one community can communicate, but these ports cannot communicate with ports in any other community or isolated VLAN in the private VLAN.

    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.html

  27. Lorry
    January 11th, 2017

    Passed my SWITCH exam! 191Q is valid. I’m pretty sure the information on this site is helpful, but I used study materials from this eBay seller I came across on my CCNA/CCNP ROUTE cert prep journey. He tends to have the latest updates for all the exams he provides. He seems not to have the TSHOOT cert prep, but will see if he has that lol. On to completing my CCNP certification!

    Information to the exam:

    37 Multiple Choice Questions
    OSPF TShoot Simlet
    LACP-STP Simulation
    AAAdot1x Simulation

    If you would like to use the study materials I used, here is the ebay link:

    http://www.ebay.com/itm/-/322387258834?

    Cheers and Good Luck!

  28. Anonymous
    April 29th, 2017

    @perplexed

    I believe you are right regarding configuring a router port as promiscuous. Maybe the question wasn’t formulated correctly. Anyone who understands Layer 2 and Layer 3 switching and routing will know that only a port that is attached to the switch that supports private VLANs will be configured as “promiscuous”; therefore, if a router, for instance, is attached on the other side of that link, it will behave as a normal routed port and will be configured with an IP address, so the devices within the VLANs can get out from the primary VLAN. Think about a “multilayer switch.” You might want to create a virtual interface. In this case you have to map the secondary VLANs on that interface.

  29. mikeSWE
    July 19th, 2017

    Are all the answers here confirmed to be correct?

  30. a
    September 12th, 2017

    @certprepare

    The premium member link is not working for private-vlan.

    Please fix this issue...

  31. CCNP Bound
    October 5th, 2017

    You must configure Transparent mode in VTP 2. The question states that you are using vtp 2, and what must be done before you configure vtp 3.
