Private VLAN
|
Quick review: The main purpose of Private VLAN (PVLAN) is to provide the ability to isolate hosts at Layer 2 instead of Layer 3. As you know, a VLAN is a broadcast domain, by using PVLAN we are splitting that domain into some smaller broadcast domains. For example, without PVLAN, a service provider wants to increase security by isolating customers into separate domains so that they can’t access each other, they have to assign them into different VLANs and use different subnets. This can result in a waste of IP addresses and difficulty in VLAN management. Private VLANs (PVLANs) can solve this problem by allowing the isolation of devices at Layer 2 in the same subnet. PVLAN can be considered “VLANs inside VLAN”. There are three types of ports in PVLAN: * Isolated: only communicate with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only 1 isolated VLAN per PVLAN.
For example, in the topology above: + Host A cannot communicate with Host B, C, D, E and F. It can only communicate with Promiscuous port to the router. Notice that even two Isolated ports in the same VLAN cannot communicate with each other. + Host C can communicate with Host D because they are in the same community but Host C cannot communicate with E and F because they are in a different community. + All hosts can go outside through promiscuous port. Also I want to mention about the concept of “primary VLAN” and “secondary VLAN”. PVLAN can have only one primary VLAN; all VLANs in a PVLAN domain share the same primary VLAN. Secondary VLANs are isolated or community VLANs.
Configuration of PVLAN: 1. Set VTP mode to transparent Sample configuration used the topology above: //First set VTP to transparent mode //Create secondary VLANs //Create primary VLAN //Associate secondary (isolated, community) VLANs to the primary VLAN //Assign Promiscuous port to the port connected to the router, with the primary VLAN mapped to the secondary VLAN. //Ports connected to hosts A, B, C, D, E, F are configured in host mode and assign to appropriate VLANs (A and B to isolated VLAN 101; C and D to community VLAN 102; E and F to community VLAN 103): Switch(config-if)# interface range f0/3 -0/4 //connect to host C and D Switch(config-if)# interface f0/5 – 0/6 //connect to host E and F To check the configuration, use this command: Switch# show vlan private-vlan |
Question 1
Explanation
Before configuring private VLANs, we must set VTP mode to transparent because VTP version 1 and 2 do not support private VLAN (VTP version 3 does support PVLAN). Notice that a switch in VTP transparent mode still forwards other VTP updates to its neighbors.
Question 2
Explanation
There are three types of ports in PVLAN:
* Isolated: only communicate with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only 1 isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in PVLAN can go outside.
* Community: can communicate with other members of that community and promiscuous ports but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.
Question 3
Explanation
Isolated VLAN is a secondary VLAN and it can only communicate with the promiscuous port. Also, there can be only 1 isolated VLAN per PVLAN (although this isolated VLAN can be configured to many ports, but these ports cannot communicate with each other).
Question 4
Explanation
Promiscuous port: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in PVLAN can go outside.
Question 5
Explanation
The default gateway is usually connected to promiscuous port so that all devices in PVLAN can go outside.
Question 6
Question 7
Question 8
Question 9
@certprepare
The premium member link is not working for private-vlan.
Plz fix this issue……
You must configure Transparent mode in VTP 2. The question states that you are using vtp 2, and what must be done before you configure vtp 3.
Private VLANs can only be configured when VTP is in transparent/off modes in VTP version 1 or 2 and in server/transparent/off modes in VTP version 3 when pruning is turned off
Guaranteed Latest Stuff to pass exam.
HERE Instant DOWNLOAD (NO fake GROUP)
20 US$ only
D&D – PortFast / BPDU Guard / BPDU Filter (Official)
D&D – Port Cost / Switch Port Priority / Port Priority
D&D – STP Components (Official)
D&D – LLDP-MED TLVs
vtp simplet
AAA Dot1x numbered ACL
LACP-STP on physical interface
ITS INSTANT DOWNLOAD
https://docs.google.com/document/d/1afXgWBvIWTSr8R0Mt-kDRdMmFCI3ytfuSK-1vOyWov0/edit
Q2 isn’t that supposed to be answer A
An isolated port has complete Layer 2 separation from other ports within the same PVLAN. This separation includes broadcasts, and the only exception is the promiscuous port. A privacy grant at the Layer 2 level occurs with the block of outgoing traffic to all isolated ports. Traffic that comes from an isolated port forwards to all promiscuous ports only.
ref https://www.cisco.com/c/en/us/support/docs/lan-switching/private-vlans-pvlans-promiscuous-isolated-community/40781-194.html
just ignore the above, I was looking at wrong question
On which PVLAN type can host ports communicate with promiscuous ports?
A. primary
B. community
C. promiscuous
D. isolated
Answer: A
This question doesn’t make sense at all.
■ Promiscuous: The switch port connects to a router, firewall, or other common gateway
device. This port can communicate with anything else connected to the primary
or any secondary VLAN. In other words, the port is in promiscuous mode, in which
the rules of private VLANs are ignored.
■ Host : The switch port connects to a regular host that resides on an isolated or community
VLAN. The port communicates only with a promiscuous port or ports on
the same community VLAN.
So both community and isolated PVLANs can communicate with promiscuous ports.
An Nonymouse…
You have the following;
PVLANS PORT-Types can be either HOSTS or PROMISCUOUS.
– As set under the interface/port when configuring.
PVLANS Types can be Community (host port-type) Isolated (host port-type) or Primary (Promiscuous port-type)
– As set within the Vlan config.
The question asks “on which PVLAN Type can host ports (***which can be either isolated or community**) communicate with promiscuous ports”
The only PVLAN type that allows this is the Primary.
So yes, both community and isolated PVLANS types can communicate with promiscuous PORT-types like you said, but they are both HOST PORT-types and to communicate with the PROMISCUOUS PORT-type they must use the PRIMARY pvlan type to do so.
Cisco are known to word some questions in a way that really challenges your understanding of things.
Can anyone answer”how many isolated vlans can one pvlan have? ” This lousy has two different answers
Q1- Cisco has contradicting information :
here : https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swpvlan.html
it says : VTP version 3 does support private VLANs
and here : https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/37e/consolidated_guide/b_37e_consolidated_3850_cg/configuring_private_vlans.pdf
it says : Private vlans are supported in transparent mode for VTP 1, 2 and 3. Private VLANS are also supported on server mode with VTP 3.
Which two statements about isolated private VLAN ports are true? (Choose two )
A. They can communicate only with promiscuous ports
B. They can be configured on the EtherChannel ports
C. They can be configured on more than one port in the same VLAN
D. They can be configured on only port on a device.
does someone know the answer of this question?
@rachel
From Cisco PVLAN config guide:
‘An isolated port is a host port that belongs to an isolated secondary VLAN. This port has complete isolation from other ports within the same private VLAN domain, except that it can communicate with associated promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. You can have more than one isolated port in a specified isolated VLAN. Each port is completely isolated from all other ports in the isolated VLAN.’
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.pdf
Question 10 does not make much sense. Can some one help please ?
Q10 Correct answer is indeed A.
* Isolated: only communicate with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only 1 isolated VLAN per PVLAN.