private vlan

 

If you have really private traffic and want to isolate it at Layer-2 level , all right, you are welcome to Private VLAN. You can think a private VLAN like “VLAN in a VLAN”.There are many ways to set up security , but PVLANs do it at Layer-2. You can use access-lists , IPS , IDS and etc. too surely but one more time i am saying it this is a Layer-2 mechanism. You can create more VLANs at layer-2 to do this security surely but it is not gonna be so much effective. You need to design new VLANs so that means you need to design new IP blocks too. So easier way is making private VLANs.

There are three port types while we are using private VLANs :

Promiscuous: A promiscuous port can communicate with all the other port types including promiscous, community and isolated.

Community: Community port can communicate with themselves and with their promiscous ports.They also can’t communicate directly with another community which has different community id in the same primary VLAN.

Isolated: Isolated ports can not communicate with other isolated ports too even if they are in same VLAN. They can just communicate with promiscuous ports. So question is “how we can configure private VLAN” right ? Here is the answer from networkel.com :

PRIVATE VLAN CONFIGURATION

pvlan example

*** Assuming primary VLAN is 200…

SWITCH_A(conf)#vtp mode transparent
SWITCH_A(conf)#vlan 200
SWITCH_A(config-vlan)#private-vlan primary
SWITCH_A(conf)#vlan 205
SWITCH_A(config-vlan)#private-vlan community
SWITCH_A(conf)#vlan 210
SWITCH_A(config-vlan)#private-vlan isolated

 

 

SWITCH_A(conf)#vlan 200
SWITCH_A(config-vlan)#private-vlan association 205,210
SWITCH_A(conf)#interface Fa 4/24
SWITCH_A(conf)#switchport private-vlan host association 200 205
SWITCH_A(conf)#interface Fa 4/25
SWITCH_A(conf)#switchport private-vlan host association 200 205
SWITCH_A(conf)#interface Fa 4/26
SWITCH_A(conf)#switchport private-vlan host association 200 210
SWITCH_A(conf)#interface Fa 4/27
SWITCH_A(conf)#switchport private-vlan promiscuous
SWITCH_A(conf)#interface Fa 4/24
SWITCH_A(conf)#switchport private-vlan mapping 200 205,210

 

 

We can verify private vlans with the command below :

SWITCH_A#show vlan private-vlan