Private VLAN
PVLANs provide layer 2 isolation between ports within the same broadcast domain. VLANs limit broadcasts to specified users.
Private VLANs (PVLANs) split the broadcast domain into multiple isolated broadcast subdomains, essentially putting secondary VLANs inside a primary VLAN.
PVLANs restrict traffic flows through their member switch ports (called “private ports”) so that these ports communicate only with a specified uplink trunk port or with specified ports within the same VLAN.
These concepts can seem a little confusing, especially when they are explained in technical terms, so please check the graphics and try to understand them.
There are three types of PVLAN ports:
Here you can see the ports communicate only with a specified uplink trunk port or with specified ports within the same VLAN.
The private VLAN always has one primary VLAN (the uplink Trunk port).
Within the primary VLAN you will find the promiscuous port. In my picture above you can see that there’s a router connected to a promiscuous port. All other ports are able to communicate with the promiscuous port (the switch).
Within the primary VLAN you will encounter one or more secondary VLANs. There are two types:
- Community VLAN: All ports within the community VLAN are able to communicate with each other and the promiscuous port.
- Isolated VLAN: All ports within the isolated VLAN are unable to communicate with each other but they can communicate with the promiscuous port as you can see in the graphic.
- VLAN 100 is a secondary private VLAN (community). Ports are fa0/1-5
- VLAN 200 is a secondary private VLAN (isolated). Ports are fa0/6-10
- VLAN 250 is a secondary private VLAN (isolated). Ports are fa0/11-15
- VLAN 300 is a primary private VLAN. Router is off. Port fa0/20
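The community and isolated rules above, applied to this lab's port layout, as an added example that is not part of the original lab. It assumes fa0/20 (the router port) is the promiscuous port, and the function names and the sample flows are constructed for illustration. It lists which observed layer 2 flows the design forbids.

```python
# Added example: models the PVLAN forwarding rules on the lab's port layout.
# Assumption: fa0/20 (router) is the promiscuous port in primary VLAN 300.
SECONDARY_VLANS = {
    100: ("community", range(1, 6)),   # fa0/1-5
    200: ("isolated", range(6, 11)),   # fa0/6-10
    250: ("isolated", range(11, 16)),  # fa0/11-15
}
PROMISCUOUS_PORTS = ("fa0/20",)


def build_port_table():
    """Map each port name to (role, secondary VLAN id or None)."""
    table = {port: ("promiscuous", None) for port in PROMISCUOUS_PORTS}
    for vlan, (role, numbers) in SECONDARY_VLANS.items():
        for n in numbers:
            table[f"fa0/{n}"] = (role, vlan)
    return table


def can_talk(table, a, b):
    """True if the PVLAN rules let ports a and b exchange layer 2 frames."""
    (role_a, vlan_a), (role_b, vlan_b) = table[a], table[b]
    if "promiscuous" in (role_a, role_b):
        return True  # every private port reaches the promiscuous port
    # Only community ports in the same secondary VLAN reach each other.
    return role_a == role_b == "community" and vlan_a == vlan_b


def allowed_peers(table, port):
    """List every other port that `port` may reach directly."""
    return [p for p in table if p != port and can_talk(table, port, p)]


def audit_flows(table, flows):
    """Return observed (src, dst) pairs that the PVLAN design forbids."""
    return [(s, d) for s, d in flows if not can_talk(table, s, d)]


# Constructed sample of observed layer 2 flows (not real capture data).
SAMPLE_FLOWS = [
    ("fa0/1", "fa0/3"),    # community to community, same VLAN
    ("fa0/6", "fa0/20"),   # isolated to promiscuous
    ("fa0/6", "fa0/7"),    # isolated to isolated, same VLAN
    ("fa0/2", "fa0/12"),   # community to isolated
]

if __name__ == "__main__":
    table = build_port_table()
    for src, dst in audit_flows(table, SAMPLE_FLOWS):
        print(f"unexpected flow {src} -> {dst}: PVLAN isolation not enforced")
```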
Before we start, they need to be in transparent mode. We will configure VLANs 100, 200, 250 and 300 and set what type of VLAN each one is.
Now we will assign:
- the ports
- the private-vlan mode
- the host association
Now we will do the verification with two commands:
- show vlan private-vlan
- show int <interface> switchport
We see a difference between a host association and the private-vlan mapping in the results. That's because one of them is promiscuous (VLAN 300) and the other one is a community VLAN (VLAN 100).
This lab can initially seem a little confusing to a lot of people when it is explained in technical terms, so please check the graphic to make sure you understand the concepts, and everything will be fine.
This lab is done! I hope that you like it. Please like and share.
Reviewed by ohhhvictor on 6:15:00 PM