Private VLANs Topic Notes

Private VLANs: Overview

  • Provides a method to partition a VLAN into an arbitrary number of non-overlapping secondary VLANs
  • Provides better LAN security
  • VTP version 1/2 doesn’t support PVLANs
    • VTP Version 3 does support PVLANs and Extended VLANs
  • PVLANs can be carried over 802.1Q trunk links
  • Isolated PVLAN trunk links can also be created

Private VLANs: VLANs

  • Three VLAN roles make up a private VLAN
    • Primary
      • Divided into secondary VLANs
      • Associated with promiscuous ports
      • Command:
        • (config)#vlan <vlan-id>
        • (config-vlan)#private-vlan primary
        • (config-vlan)#private-vlan association <vlan ids>
    • Secondary – Isolated
      • Devices in this VLAN can only talk to promiscuous ports, not to other devices in the same isolated VLAN
      • Can only be 1 Isolated VLAN per Primary VLAN
      • Command:
        • (config)#vlan <vlan-id>
        • (config-vlan)#private-vlan isolated
    • Secondary – Community
      • Devices in the same community can talk to each other and promiscuous ports
      • Can’t talk to members of other communities
      • Command:
        • (config)#vlan <vlan-id>
        • (config-vlan)#private-vlan community

Private VLANs: Port Types

  • Promiscuous Ports
    • Primary VLAN
    • Communicates with all other ports
    • Command:
      • (config-if)#switchport mode private-vlan promiscuous – not needed when the promiscuous role is an L3 SVI
      • (config-if)#switchport private-vlan mapping <primary vlan> [add | remove] <secondary vlan list>
      • If using a L3 SVI:
        • (config-if)#private-vlan mapping [add | remove] <secondary vlan list>
  • Host Ports
    • Isolated VLAN
      • Secondary VLAN
      • Communicates with promiscuous ports only
      • Command:
        • (config-if)#switchport mode private-vlan host
        • (config-if)#switchport private-vlan host-association <primary vlan-id> <secondary isolated vlan-id>
    • Community VLAN
      • Secondary VLAN
      • Communicates with promiscuous ports or other members of that community
      • Command:
        • (config-if)#switchport mode private-vlan host
        • (config-if)#switchport private-vlan host-association <primary vlan-id> <secondary community vlan-id>

Private VLANs: Order of Creation

  1. Set VTP to version 3 or mode Transparent
  2. Create Secondary VLANs
  3. Create Primary VLAN
  4. Associate Secondary with Primary
  5. Configure port as Host or Promiscuous
  6. Configure Private VLAN association on ports
  7. Configure secondary VLAN mapping on the primary VLAN's SVI (the internal IP interface)
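A complete Catalyst IOS configuration that walks through the seven steps above in order, added here as a worked example and not taken from the original notes. The VLAN numbers (100 primary, 101 isolated, 102 community), the interface names, the descriptions and the 10.0.100.0/24 addressing are assumed values; the ACL and proxy-ARP lines at the end go beyond the seven steps and are labelled as optional hardening.

```cisco
! --- Step 1: VTP v1/v2 cannot carry PVLANs; go transparent (or use VTP v3)
vtp mode transparent
!
! --- Step 2: secondary VLANs first (one isolated, one community) - assumed IDs
vlan 101
 name PVLAN-ISOLATED
 private-vlan isolated
!
vlan 102
 name PVLAN-COMMUNITY-WEB
 private-vlan community
!
! --- Steps 3 and 4: primary VLAN, then associate the secondaries with it
vlan 100
 name PVLAN-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! --- Steps 5 and 6: host ports (mode, then primary/secondary association)
! Two isolated hosts: each can reach the promiscuous port only, never each other
interface GigabitEthernet1/0/1
 description isolated host A (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/0/2
 description isolated host B (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Two community hosts: can reach each other and the promiscuous port
interface GigabitEthernet1/0/3
 description community web node 1 (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
interface GigabitEthernet1/0/4
 description community web node 2 (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port towards an external gateway/firewall: maps primary to all secondaries
interface GigabitEthernet1/0/24
 description uplink to firewall (assumed)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! --- Step 7: SVI on the primary VLAN acts as an internal promiscuous port;
! no "switchport mode" command is needed here, only the mapping
interface Vlan100
 ip address 10.0.100.1 255.255.255.0
 private-vlan mapping 101,102
!
! --- Optional hardening (not one of the seven steps): PVLANs isolate layer 2
! only, so keep the SVI from answering ARP on behalf of hosts and from
! routing traffic back into its own subnet; traffic to the gateway itself stays allowed
ip access-list extended PVLAN-NO-HAIRPIN
 permit ip 10.0.100.0 0.0.0.255 host 10.0.100.1
 deny   ip 10.0.100.0 0.0.0.255 10.0.100.0 0.0.0.255
 permit ip any any
!
interface Vlan100
 no ip proxy-arp
 ip access-group PVLAN-NO-HAIRPIN in
!
! --- Verification (matches the troubleshooting commands below)
show vlan private-vlan
show interfaces GigabitEthernet1/0/1 switchport
show interfaces private-vlan mapping
```

The order matters: `private-vlan association` is rejected unless VLANs 101 and 102 already exist as secondaries, and `switchport private-vlan host-association` fails on a port that is not yet in `private-vlan host` mode. After applying, confirm in `show vlan private-vlan` that 101 shows as isolated and 102 as community under primary 100, and that each host port appears in the Ports column of the secondary it was meant for; a host port listed under the wrong secondary is the usual cause of two "isolated" machines being able to reach each other.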

Troubleshooting Commands

  • show interface status – Displays interface VLAN allocation
  • show vlan private-vlan [type] – Displays PVLAN information
  • show interface <IF> switchport – Displays PVLAN configuration on interface
  • show interface private-vlan mapping – Displays PVLAN mapping information
