Private VLAN
Quick review:
The main purpose of a Private VLAN (PVLAN) is to isolate hosts at Layer 2 instead of Layer 3. A VLAN is a broadcast domain; a PVLAN splits that domain into several smaller broadcast domains. For example, without PVLANs, a service provider that wants to increase security by isolating customers into separate domains so that they cannot reach each other has to put them into different VLANs with different subnets. This wastes IP addresses and makes VLAN management harder. Private VLANs (PVLANs) solve this problem by isolating devices at Layer 2 within the same subnet. A PVLAN can be thought of as “VLANs inside a VLAN”.
There are three types of ports in PVLAN:
* Isolated: can communicate only with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only one isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in the PVLAN can reach the outside.
* Community: can communicate with other members of the same community and with promiscuous ports, but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.
For example, in the topology above:
+ Host A cannot communicate with Hosts B, C, D, E and F. It can only communicate with the promiscuous port connected to the router. Notice that even two isolated ports in the same VLAN cannot communicate with each other.
+ Host C can communicate with Host D because they are in the same community, but Host C cannot communicate with E and F because they are in a different community.
+ All hosts can reach the outside through the promiscuous port.
Also worth mentioning are the concepts of “primary VLAN” and “secondary VLAN”. A PVLAN can have only one primary VLAN; all VLANs in a PVLAN domain share the same primary VLAN. Secondary VLANs are the isolated or community VLANs.
Configuration of PVLAN:
1. Set VTP mode to transparent
2. Create secondary (isolated and community) VLANs and primary VLAN
3. Associate secondary VLANs to the primary VLAN
4. Configure interfaces as promiscuous interfaces
5. Configure interfaces to be isolated or community interfaces.
Sample configuration using the topology above:
//First set VTP to transparent mode
Switch(config)#vtp mode transparent
//Create secondary VLANs
Switch(config)#vlan 101
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#vlan 102
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#vlan 103
Switch(config-vlan)#private-vlan community
//Create primary VLAN
Switch(config-vlan)#vlan 100
Switch(config-vlan)#private-vlan primary
//Associate secondary (isolated, community) VLANs to the primary VLAN (entered under VLAN 100)
Switch(config-vlan)#private-vlan association 101,102,103
//Configure the port connected to the router as the promiscuous port, with the primary VLAN mapped to its secondary VLANs
Switch(config)# interface f0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101,102,103
//Ports connected to hosts A, B, C, D, E, F are configured in host mode and assigned to the appropriate secondary VLANs (A and B to isolated VLAN 101; C and D to community VLAN 102; E and F to community VLAN 103). Each host has its own port, so no port appears in two ranges:
Switch(config)# interface range f0/2 - 3 //connect to host A and B
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 101
Switch(config-if-range)# interface range f0/4 - 5 //connect to host C and D
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 102
Switch(config-if-range)# interface range f0/6 - 7 //connect to host E and F
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 103
To check the configuration, use this command:
Switch# show vlan private-vlan
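As an added example (not code from the original page), the following Python script encodes the port-type rules and the configuration steps above as a small model. It validates a constructed PVLAN domain that mirrors the sample configuration (primary VLAN 100, isolated VLAN 101, community VLANs 102 and 103, router on the promiscuous port) and then computes which ports can reach each other at Layer 2, reproducing the Host A / Host C / "all hosts reach the router" statements. The host-to-interface assignment (A to F on f0/2 to f0/7) and the stray VLAN 104 used to show a validation error are assumptions made for the example.

```python
# Added example: a model of PVLAN port-type rules and configuration checks.
# Not from the original page; the port numbering and VLAN 104 are assumed.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ISOLATED, COMMUNITY = "isolated", "community"
HOST, PROMISCUOUS = "host", "promiscuous"


@dataclass(frozen=True)
class Port:
    name: str                      # host label used in the topology (A..F, router)
    iface: str                     # switch interface the device is plugged into
    mode: str                      # HOST or PROMISCUOUS
    primary: int                   # primary VLAN of the PVLAN domain
    secondaries: Tuple[int, ...]   # host: its one secondary VLAN; promiscuous: mapped secondaries


@dataclass
class PVLANDomain:
    primary: int
    secondary_types: Dict[int, str]   # secondary VLAN id -> ISOLATED or COMMUNITY
    association: Set[int]             # secondaries associated with the primary


def validate(domain: PVLANDomain, ports: List[Port]) -> List[str]:
    """Return the configuration errors a review of the PVLAN setup would catch."""
    errors: List[str] = []
    isolated = [v for v, t in domain.secondary_types.items() if t == ISOLATED]
    if len(isolated) > 1:
        errors.append(f"only one isolated VLAN per PVLAN is allowed, found {sorted(isolated)}")
    for vlan in sorted(domain.association):
        if vlan not in domain.secondary_types:
            errors.append(f"VLAN {vlan} is associated but is not a secondary VLAN")
    for p in ports:
        if p.primary != domain.primary:
            errors.append(f"{p.name}: primary VLAN {p.primary} is not {domain.primary}")
        if p.mode == HOST and len(p.secondaries) != 1:
            errors.append(f"{p.name}: a host port needs exactly one secondary VLAN")
        for vlan in p.secondaries:
            if vlan not in domain.association:
                errors.append(f"{p.name}: secondary VLAN {vlan} is not associated with primary {domain.primary}")
    return errors


def can_talk(domain: PVLANDomain, a: Port, b: Port) -> bool:
    """Layer 2 reachability between two different ports of the same PVLAN domain."""
    if a.mode == PROMISCUOUS and b.mode == PROMISCUOUS:
        return True                                   # both carry the primary VLAN
    if a.mode == PROMISCUOUS or b.mode == PROMISCUOUS:
        prom, host = (a, b) if a.mode == PROMISCUOUS else (b, a)
        return host.secondaries[0] in prom.secondaries  # promiscuous reaches every mapped secondary
    sa, sb = a.secondaries[0], b.secondaries[0]
    if sa != sb:
        return False                                  # different secondary VLANs never talk directly
    return domain.secondary_types[sa] == COMMUNITY    # isolated ports cannot talk even to each other


def reachability(domain: PVLANDomain, ports: List[Port]) -> Dict[str, Set[str]]:
    """For each port, the set of other ports it can reach at Layer 2."""
    return {p.name: {q.name for q in ports if q is not p and can_talk(domain, p, q)} for p in ports}


# Constructed domain mirroring the sample configuration above.
DOMAIN = PVLANDomain(primary=100,
                     secondary_types={101: ISOLATED, 102: COMMUNITY, 103: COMMUNITY},
                     association={101, 102, 103})

PORTS: Dict[str, Port] = {
    "router": Port("router", "f0/1", PROMISCUOUS, 100, (101, 102, 103)),
    "A": Port("A", "f0/2", HOST, 100, (101,)),
    "B": Port("B", "f0/3", HOST, 100, (101,)),
    "C": Port("C", "f0/4", HOST, 100, (102,)),
    "D": Port("D", "f0/5", HOST, 100, (102,)),
    "E": Port("E", "f0/6", HOST, 100, (103,)),
    "F": Port("F", "f0/7", HOST, 100, (103,)),
}


def misconfigured_example() -> List[str]:
    """A host port placed in VLAN 104, which was never associated with primary 100 (assumed)."""
    stray = Port("G", "f0/8", HOST, 100, (104,))
    return validate(DOMAIN, [stray])


if __name__ == "__main__":
    print("errors:", validate(DOMAIN, list(PORTS.values())))
    for name, peers in reachability(DOMAIN, list(PORTS.values())).items():
        print(f"{name:6} -> {sorted(peers)}")
    print("stray port:", misconfigured_example())
```

Running the script prints an empty error list for the sample domain, a reachability table in which A and B reach only the router, C and D reach each other and the router, and the router reaches every host, and one error for the stray port in VLAN 104.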
Question 1
Explanation
Before configuring private VLANs, we must set VTP mode to transparent because VTP versions 1 and 2 do not support private VLANs (VTP version 3 does support PVLANs). Notice that a switch in VTP transparent mode still forwards VTP updates to its neighbors.
Question 2
Explanation
There are three types of ports in PVLAN:
* Isolated: can communicate only with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only one isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in the PVLAN can reach the outside.
* Community: can communicate with other members of the same community and with promiscuous ports, but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.
Question 3
Explanation
An isolated VLAN is a secondary VLAN and it can only communicate with the promiscuous port. Also, there can be only one isolated VLAN per PVLAN (this isolated VLAN can be assigned to many ports, but those ports cannot communicate with each other).
Question 4
Explanation
Promiscuous port: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in the PVLAN can reach the outside.
Question 5
Explanation
The default gateway is usually connected to the promiscuous port so that all devices in the PVLAN can reach the outside.
Question 6
Question 7
Question 8
Question 9
thanks state farm guy for your sharing
Is this a lab on the exam or just a diagram with the questions?
Thanks for sharing State Farm guy
Q1, Why is the answer not D, configure VTP version 3?
Even the explanation says this: “VTP version 3 does support PVLAN”
Q5,
why should I configure the gateway ON the Router as promiscuous port??
I understand Q4, because that’s the port of the switch, but the Gateway is Layer 3.
@perplexed, it is the gateway so everyone can go through, therefore it should be promiscuous so as to allow members of the isolated and community VLANs to go out to the internet.
@GnB
I understand the concept that you’re trying to explain, I’d like to see the actual config for that.
I’ve touched many routers in production networks and I’ve never seen a Layer 3 interface configured like that.
I found the router on the stick versions, with subinterfaces for different vlans, running trunk, but still never seen the actual need to configure the router port as promiscuous, the actual layer 3 gateway.
I can’t find the command on any routed interface.
The port on the switch that connects to the router will be promiscuous, but the port of the router will simply be a layer 3 port with an IP address part of that subnet.
I’d love to hear more opinions, or some actual config example.
Is there a premium member quiz for this section?
Ah yes, just found link further down the page.
@oofus
Q#1. I was thinking the same but nobody discussed it.
”Q1, Why is the answer not D, configure VTP version 3?
Even the explanation says this: “VTP version 3 does support PVLAN”
@SAM & oofus
I do believe both answers are correct. It depends on how the question is asked, but the question asked is also not clear. Let’s just assume that the switch isn’t capable of using VTP version 3, so the only solution left is to set the VTP mode to transparent.
Q1. The answer is C. The first step to configuring Private VLANs is to switch to VTP Transparent mode. That is right out of the Cisco Software Configuration Guide.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swpvlan.html
@perplexed
I believe you are right. The router/L3 port doesn’t need to be configured as trunk, access, isolated, community, or even promiscuous.
But the switch/L2 port connected to the gateway device must be promiscuous as long as we have PVLANs on that switch, I guess.
Is this an objective question?
Or we need to do configuration like a sim?
@perplexed
wmohammad’s comment is correct
@slothar, that documentation is old. VTP v3 also supports PVLANs in server mode.
“In VTP versions 1 and 2, the switch must be in VTP transparent mode when you create private VLANs and when they are configured, you should not change the VTP mode from transparent to client or server mode. VTP version 3 also supports private VLANs in client and server modes.”
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swvtp.html
Is this simulation? Or only issues fail on exam?
@slothar, not sure what part of your link you read, but here is a little section from your link that confirms that for switches running VTP version 3, PVLANs can be configured in all modes (it isn’t compulsory to change the mode to Transparent).
– If the switch is running VTP version 1 or 2, you must set VTP to transparent mode. After you configure a private VLAN, you should not change the VTP mode to client or server. For information about VTP, see Chapter14, “Configuring VTP” VTP version 3 supports private VLANs in all modes.
– With VTP version 1 or 2, after you have configured private VLANs, use the copy running-config startup config privileged EXEC command to save the VTP transparent mode configuration and private-VLAN configuration in the switch startup configuration file. Otherwise, if the switch resets, it defaults to VTP server mode, which does not support private VLANs. VTP version 3 does support private VLANs.
– VTP version 1 and 2 do not propagate private-VLAN configuration. You must configure private VLANs on each device where you want private-VLAN ports unless the devices are running VTP version 3.
Q1 I think C is right. VTP 3 isn’t available on all switches, so it will be better to set transparent.
Q3
Which private VLAN can have only one VLAN and be a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the gateway?
Is A really the correct answer?
According to Wikipedia this is not the case; apparently we can have more than one isolated VLAN per PVLAN.
https://en.wikipedia.org/wiki/Private_VLAN
“There can be multiple Isolated VLANs in one Private VLAN domain”
Q3 – Conflicting information –
Understanding Primary, Isolated, and Community Private VLANs
Primary VLANs and the two types of secondary VLANs (isolated and community) have these characteristics:
Primary VLAN— The primary VLAN carries traffic from the promiscuous ports to the host ports, both isolated and community, and to other promiscuous ports.
Isolated VLAN —An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports. *****You can configure multiple isolated VLANs in a private VLAN domain; all the traffic remains isolated within each one. Each isolated VLAN can have several isolated ports, and the traffic from each isolated port also remains completely separate.
Community VLAN—A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port and to other host ports in the same community. You can configure multiple community VLANs in a private VLAN domain. The ports within one community can communicate, but these ports cannot communicate with ports in any other community or isolated VLAN in the private VLAN.
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.html
Passed my Switch Exam! 191Q is valid. I’m pretty sure information on this site is helpful but I used study materials from this ebay seller I came across on my CCNA/CCNP Route cert prep journey. He tends to have the latest updates for all the exams he provides. He seems to not have the TShoot Cert Prep but will see if he has that lol. Onto completing my CCNP Certification!
Information to the exam:
37 Multiple Choice Questions
OSPF TShoot Simlet
LACP-STP Simulation
AAAdot1x Simulation
If you would like to use the study materials I used, here is the ebay link:
http://www.ebay.com/itm/-/322387258834?
Cheers and Good Luck!
@perplexed
I believe you are right regarding configuring a router port as promiscuous. Maybe the question wasn’t formulated correctly. Anyone who understands about layer 2 and layer 3 switching and routing will know that only a port that is attached to the switch that supports private-vlans will be configured as “promiscuous,” therefore, if a router, for instance, is attached on the other side of that link, will behave as a normal routing port, and will be configured with an Ip address, so the devices within the vlans can get out from the primary vlan. Think about “multilayer-switch.” You might want to create a virtual interface. In this case you have to map the secondary vlans on that interface.
Are all the answers here confirmed to be correct?
@certprepare
The premium member link is not working for private-vlan.
Plz fix this issue……
You must configure Transparent mode in VTP 2. The question states that you are using vtp 2, and what must be done before you configure vtp 3.
Private VLANs can only be configured when VTP is in transparent/off modes in VTP version 1 or 2 and in server/transparent/off modes in VTP version 3 when pruning is turned off
Q2, isn’t that supposed to be answer A?
An isolated port has complete Layer 2 separation from other ports within the same PVLAN. This separation includes broadcasts, and the only exception is the promiscuous port. A privacy grant at the Layer 2 level occurs with the block of outgoing traffic to all isolated ports. Traffic that comes from an isolated port forwards to all promiscuous ports only.
ref https://www.cisco.com/c/en/us/support/docs/lan-switching/private-vlans-pvlans-promiscuous-isolated-community/40781-194.html
just ignore the above, I was looking at wrong question
On which PVLAN type can host ports communicate with promiscuous ports?
A. primary
B. community
C. promiscuous
D. isolated
Answer: A
This question doesn’t make sense at all.
■ Promiscuous: The switch port connects to a router, firewall, or other common gateway device. This port can communicate with anything else connected to the primary or any secondary VLAN. In other words, the port is in promiscuous mode, in which the rules of private VLANs are ignored.
■ Host: The switch port connects to a regular host that resides on an isolated or community VLAN. The port communicates only with a promiscuous port or ports on the same community VLAN.
So both community and isolated PVLANs can communicate with promiscuous ports.