Network Automation Engineer: Roger Perkin CCIE 50038

CCIE, Wireless, F5, Ansible, AWS, Cloud and data centre to Network Automation - my journey as a network engineer

Home > Cisco > switching > Private Vlans Explained

Private Vlans Explained

Introduction to Private Vlans

A normal Vlan is essentially a broadcast domain and all the devices if addressed on the same subnet can communicate with each other. In shared hosting environments, to save on IP address space and Vlans it would be great if you could isolate devices within the same vlan and prevent them from communicating with each other. If a server from company A was compromised you would not want it being able to talk to a server from company B within the same Vlan.

One solution to this problem is protected ports but this only works across a single switch, if you require device isolation within a vlan across multiple switches you are going to need to use a Private Vlan.

Private Vlans Explained

For the rest of this post I will be using the topology below.

private vlans explained

 

PRIVATE VLAN TERMS

There are three types of ports within private vlans, Promiscuous, Community and Isolated.

  • PROMISCUOUS – A promiscuous port is normally the way out of the network and all ports within the private vlan can talk to the promiscuous port on Layer 2.
  • COMMUNITY – A community port can talk to other community ports, the promiscuous port but not to an isolated port.
  • ISOLATED – An isolated port cannot talk to anything except the promiscuous port.

There are then two types of Vlan used to enable communication between the different private vlan types, a primary vlan and secondary vlan.

  • PRIMARY VLAN – This is the main vlan used to provide communication to the promiscuous port and to the isolated port
  • SECONDARY VLAN ISOLATED – This vlan carries the traffic from the Isolated ports to the promiscuous port – you only need one.
  • SECONDARY VLAN COMMUNITY – This vlan carries the traffic from the community Vlan to the promiscuous port, you can have multiple community vlans.

Private Vlan Configuration

Now you have an understanding of the basic terminology we are going to configure the private vlans defined in the diagram above.

We need to ensure there are two vlans configured on both switches.

We will make the promiscuous vlan 500, the community vlan 600 and the isolated vlan 999

First you need to ensure the switch is running in vtp transparent mode

SW1(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
SW1(config)

SW2(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
SW2(config)#

Next we need to define the vlan, as the switch is running in transparent mode we have to do this on both switches, we could have configured the vlans first while the switches were running vtp. You just need to ensure that the vlans you are using for private vlans exist on both switches and also any switches that may be in the transit path.

 

SW1(config)#vlan 500,600,999
SW1(config-vlan)#

SW2(config)#vlan 500,600,999
SW2(config-vlan)#

We now need to make vlan 500 the primary vlan – you can see from the ? the options available for configuring private vlans we will be exploring all of these.

SW1(config-vlan)#private-vlan ?
association  Configure association between private VLANs
community    Configure the VLAN as a community private VLAN
isolated     Configure the VLAN as an isolated private VLAN
primary      Configure the VLAN as a primary private VLAN

SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#

Next we will make vlan 600 a community vlan and vlan 999 and isolated vlan

SW1(config)#vlan 600
SW1(config-vlan)#pri
SW1(config-vlan)#private-vlan com
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#vlan 999
SW1(config-vlan)#pri
SW1(config-vlan)#private-vlan is
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#

We now need to associate the primary and secondary vlans together, this needs to be done on both switches.

SW1(config)#vlan 500
SW1(config-vlan)#pri
SW1(config-vlan)#private-vlan ass
SW1(config-vlan)#private-vlan association 600,999
SW1(config-vlan)#

SW2(config)#vlan 500
SW2(config-vlan)#pri
SW2(config-vlan)#private-vlan ass
SW2(config-vlan)#private-vlan association 600,999
SW2(config-vlan)#

Defining the host ports

Now the vlan configuration has been done we need to define the host ports with a switchport private vlan host association. Port Fa0/1 on SW1 connects to R1 and  Fa0/1 on SW2 connects to R2 these are going to be associated with the community vlan and the primary. The port will also be defined as a private-vlan host.

SW1(config)#int fa0/1
SW1(config-if)#description to R1
SW1(config-if)#switchport priv
SW1(config-if)#switchport private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 600
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#spanning-tree portfast

The same needs to be done on SW2

SW2(config)#int fa0/1
SW2(config-if)#description to R2
SW2(config-if)#switchport priv
SW2(config-if)#switchport private-vlan host
SW2(config-if)#switchport private-vlan host-association 500 600
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#spanning-tree portfa

Finally we need to do the same for R3 and R4 however for these routers they are going to associated with the Isolated Vlan which means they will not be able to talk to each other but only with the promiscuous port.

SW1(config)#int fa0/3
SW1(config-if)#description to R3
SW1(config-if)#switchport private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 999
SW1(config-if)#spanning-tree portfast

The same again on SW2 for R4

SW1(config)#int fa0/4
SW2(config-if)#description to R4
SW2(config-if)#switchport private-vlan host
SW2(config-if)#switchport private-vlan host-association 500 999
SW2(config-if)#spanning-tree portfast

Verify the Private Vlan Configuration

To verify your work you can run the show vlan private-vlan command and show vlan private-vlan type.

SW1#sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
500     600       community         Fa0/1
500     999       isolated          Fa0/3

SW1#sh vlan private-vlan type

Vlan Type
---- -----------------
500  primary
600  community
999  isolated

For the complete information on private vlan configuration the full Cisco Documentation for the 3560 switch which is what I was working on can be found here: www.cisco.com/…configuration/guide/swpvlan.html

Want to learn more about Network Automation?

Network Automation skills are becoming a must for network engineers of the future. Get started and learn the skills you need for the future with my course on Ansible for Network Engineers Today!

Show me more about the network automation course
hp instant ink

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *

Looking for Ansible Network Automation Training?


Learn how to install Ansible, write your first playbook and start automating your network today.


Check out my Ansible Network Automation Training

The Author

roger perkin ccie network automation engineer
Roger Perkin, (CCIE #50038) is a Senior Network & Security Consultant.
Currently working for Softcat plc.
Roger is an evangelist for Network Automation
and is continuing to develop skills in Ansible and the Devops culture.
Contact

Ansible

Where are Ansible Modules stored
Ansible IOS Command Example
Ansile Backup Cisco Config
How to Install Ansible Tower
Ansible Network Automation Training
Resources

Python

Best way to learn Python
Python for Network Automation

Home Office

Best Vertical Mouse
My Standing Desk
Folding Laptop Stand - Roost
How to clean computer screen and keyboard

Personal Development

How to Focus

Most Visited Pages

Software Upgrade Guides
Wireless Console Cable
Network Automation Tools 
Bose Connect Windows 10
Private VLANs explained
Cisco ISE Overview