RE: Private VLAN's......

From: Victor Cappuccio (victor@ccbootcamp.com)
Date: Sat Jun 02 2007 - 07:33:09 ART


Hi Jeffrey,

Primary VLAN: acts like the normal VLAN that we are used to.

Secondary VLAN: defines basic rules for the ports that are associated with
it. The mapping between the 'primary VLAN' and the 'secondary VLAN' is what a
'PVLAN' is.

Types of ports:

Promiscuous: forwards primary and secondary VLAN traffic.

Isolated: can only communicate with promiscuous ports that are mapped to the
secondary VLAN.

Community: can communicate with any other ports in the same secondary VLAN.
They can also communicate with promiscuous ports mapped to the secondary VLAN.

More information at:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225sed/scg/swpvlan.htm#wp1038472

Sorry for this long email, but the Delete button also works well :D

So having this configuration as the base line

 R1 --- sw1 --- R3
          ------R4

R1, R3 and R4 are just hosts in the network.

Show cdp neigh from Sw1 to give a clear picture of the topology, just in case
it comes out messed up:

NLISw1#show cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID   Local Intrfce   Holdtme   Capability   Platform   Port ID
R4          Fas 0/4         152       R S I        2811       Fas 0/0
R3          Fas 0/3         145       R S I        2811       Fas 0/0
R1          Fas 0/1         74        R S I        2811       Fas 0/0
NLISw1#

So we have basic reachability here in this network, every host in the same
VLAN:

R3(config)#exit
R3#ping 10.10.255.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.1, timeout is 2 seconds:

*Jun 2 10:01:46.031: %SYS-5-CONFIG_I: Configured from console by
console.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R3#
R3#
R3#
R3#ping 10.10.255.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R3#

Now what happens if you are hosting those "R3 & R4" for a customer in that
particular addressing (a public one) and you need to provide isolation between
these 2 devices..
Remember the addressing recommendation per VLAN, well you will need then to
use new addressing, so at the end Private VLANs can also be included in CIDR
and NAT considerations, lol :D
Something that I have been digging into about the relationship between Protected
Ports and Private VLANs is that trunk ports carry traffic from regular VLANs
and also from primary, isolated, and community VLANs, which I consider is the
difference from protected ports "NLISw1(config-if)#switchport protected". More
about this at
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225sed/scg/swpvlan.htm#wp1038479

The cookbook list from the link above:

1:
Set VTP mode to transparent
Switch(config)# vtp mode transparent

Scalability: The switch supports up to 1005 active VLANs. If a service
provider assigns one VLAN per customer, this limits the numbers of customers
the service provider can support.

NLISw1(config)#vlan 3000
NLISw1(config-vlan)#exit
% Failed to create VLANs 3000
Extended VLAN(s) not allowed in current VTP mode.
%Failed to commit extended VLAN(s) changes.

NLISw1(config)#
00:05:49: %SW_VLAN-4-VLAN_CREATE_FAIL: Failed to create VLANs 3000: extended
VLAN(s) not allowed in current VTP mode

More about this at the links below; that is what I think is the main reason, but
anyway I could be completely wrong :D
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/vlans.html#wp1033025
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/12ew/configuration/guide/spantree.html#wp1044385
Anyway, the switch is decent enough to tell you that..

NLISw1(config-vlan)#private-vlan isolated
%Private VLANs can only be configured when VTP is in transparent mode.

Basic command
NLISw1(config)#vlan 20
NLISw1(config-vlan)#private-vlan ?
  association Configure association between private VLANs
  community Configure the VLAN as a community private VLAN
  isolated Configure the VLAN as an isolated private VLAN
  primary Configure the VLAN as a primary private VLAN

step 2:

Taking part of the email that Anthony has sent you:

!!!Create the secondary VLANs
!!!Switch(config)# vlan 10
!!!Switch(config-vlan)# private-vlan community
!!!Switch(config-vlan)# vlan 20
!!!Switch(config-vlan)# private-vlan isolated

step 3:
!!!Create the primary VLAN and associate the secondary VLANs
!!!Switch(config)# vlan 100
!!!Switch(config-vlan)# private-vlan primary
!!!Switch(config-vlan)# private-vlan association 10,20

so the configuration in the switch

NLISw1(config-if)#vlan 100
NLISw1(config-vlan)#priva pri
NLISw1(config-vlan)#pri as 10,20
NLISw1(config-vlan)#exit

to associate the ports this configuration commands:

NLISw1(config-if)#switchport private-vlan host-association ?
  <1006-4094> Primary extended range VLAN ID of the private VLAN host port
               association
  <2-1001> Primary normal range VLAN ID of the private VLAN port
               association

NLISw1(config-if)#switchport private-vlan host-association 100 ?
  <1006-4094> Secondary extended range VLAN ID of the private VLAN host port
               association
  <2-1001> Secondary normal range VLAN ID of the private VLAN host port
               association

so the Commands are:

NLISw1(config-if)#int f0/3
NLISw1(config-if)#switchport private-vlan host-association 100 20
NLISw1(config-if)#int f0/4
NLISw1(config-if)#switchport private-vlan host-association 100 10

!!!Configure the promiscuous port
!!!Switch(config)# interface fastethernet 2/1
!!!Switch(config-if)# switchport mode private-vlan promiscuous
!!!Switch(config-if)# switchport private-vlan mapping 100 10,20

NLISw1(config-if)#switchport private-vlan mapping ?
  <1006-4094> Primary extended range VLAN ID of the private VLAN promiscuous
               port mapping
  <2-1001> Primary normal range VLAN ID of the private VLAN promiscuous
               port mapping

NLISw1(config-if)#interface F0/1
NLISw1(config-if)#switchport private-vlan mapping 100 add 10,20

NLISw1(config-if)#do show vlan private

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     10        community         Fa0/1
100     20        isolated          Fa0/1, Fa0/3

NLISw1(config-if)#int range f0/3 - 4
NLISw1(config-if-range)#switchport private-vlan host-association 100 10
NLISw1(config-if-range)#
rack10>4
[Resuming connection 4 to R4 ... ]

R4#ping 10.10.255.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R4#
R4#ping 10.10.255.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R4#

interface FastEthernet0/3
 switchport private-vlan host-association 100 10
 switchport mode private-vlan host
end

NLISw1(config-if-range)#do show run int f0/4
Building configuration...

Current configuration : 117 bytes
!
interface FastEthernet0/4
 switchport private-vlan host-association 100 10
 switchport mode private-vlan host
end

NLISw1(config-if-range)#do show vlan priva

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     10        community         Fa0/1, Fa0/3, Fa0/4
100     20        isolated          Fa0/1

NLISw1(config-if-range)#

Now,

NLISw1(config-if)#interface FastEthernet0/3
NLISw1(config-if)# switchport private-vlan host-association 100 20
NLISw1(config-if)#do show run int f0/3
Building configuration...

Current configuration : 117 bytes
!
interface FastEthernet0/3
 switchport private-vlan host-association 100 20
 switchport mode private-vlan host
end

NLISw1(config-if)#do show vlan priva

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     10        community         Fa0/1, Fa0/4
100     20        isolated          Fa0/1, Fa0/3

so from R3 now

R3#ping 10.10.255.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3#ping 10.10.255.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R3#ping 10.10.255.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#

So up to here VLAN 10 is a community VLAN, VLAN 20 is an isolated VLAN,
and we have them assigned to port f0/3 as isolated and f0/4 as community,
and port f0/1 is configured to be a promiscuous port. If you want to make a
comparison like in a data center, you can think that R3 is a host from
Customer A and R4 is for Customer B; R1 would then be the gateway from that
POP.

just my 2 cents here
HTH

thanks,
Victor Cappuccio.-
- CCSI# 31452

Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
Cisco Learning credits!
victor@ccbootcamp.com
http://www.ccbootcamp.com (Cisco Training and Rental Racks)
http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
Voice: 702-968-5100
FAX: 702-446-8012


-----Original Message-----
From: nobody@groupstudy.com on behalf of anthony.sequeira@thomson.com
Sent: Fri 6/1/2007 11:02
To: j.biggs@myactv.net; ccielab@groupstudy.com
Subject: RE: Private VLAN's......

I am slammed with work at this moment - so I do not have time for a narrative
on your excellent point/question - but I did want to forward along an EXAMPLE
CONFIG, which most of the docs lack....

Set VTP mode to transparent
Switch(config)# vtp mode transparent

Create the secondary VLANs
Switch(config)# vlan 10
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# vlan 20
Switch(config-vlan)# private-vlan isolated

Create the primary VLAN and associate the secondary VLANs
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 10,20

Configure interfaces for isolated or community ports
Switch(config)# interface fastethernet 1/1
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 10

Configure the promiscuous port
Switch(config)# interface fastethernet 2/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 10,20

Anthony J. Sequeira
#15626
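The three port-type rules Victor lists (promiscuous, isolated, community) and the example config Anthony forwarded can be checked without a rack: the small model below is an added example, not code from this thread or from Cisco, and it re-creates Victor's NLISw1 lab (primary 100, community 10, isolated 20, Fa0/1 promiscuous, Fa0/3 and Fa0/4 host ports) so you can ask "can port A reach port B" and compare the answer with the pings in his message. Port and VLAN names are the thread's; the class and function names are this example's own, and it models only Layer-2 reachability within one switch.

```python
"""Model of Cisco private VLAN (PVLAN) forwarding rules.

Added example, not code from the thread or from Cisco. It re-creates the
lab in Victor's message and answers "can port A reach port B" from the
three port-type rules the thread lists. Names such as PrivateVlan,
host_association and thread_lab are this example's own.
"""
from dataclasses import dataclass, field

ISOLATED, COMMUNITY, PROMISCUOUS = "isolated", "community", "promiscuous"


@dataclass
class PrivateVlan:
    primary: int
    # secondary VLAN id -> ISOLATED or COMMUNITY ("private-vlan association")
    secondaries: dict
    # port -> (port type, secondary id for host ports / frozenset of
    #          mapped secondaries for promiscuous ports)
    ports: dict = field(default_factory=dict)

    def host_association(self, port: str, primary: int, secondary: int) -> None:
        """switchport private-vlan host-association <primary> <secondary>"""
        if primary != self.primary:
            raise ValueError(f"VLAN {primary} is not the primary VLAN")
        if secondary not in self.secondaries:
            raise ValueError(f"VLAN {secondary} is not associated with primary {primary}")
        self.ports[port] = (self.secondaries[secondary], secondary)

    def promiscuous_mapping(self, port: str, primary: int, mapping) -> None:
        """switchport private-vlan mapping <primary> <secondary list>"""
        unknown = set(mapping) - set(self.secondaries)
        if primary != self.primary or unknown:
            raise ValueError(f"bad mapping {primary} {sorted(mapping)}")
        self.ports[port] = (PROMISCUOUS, frozenset(mapping))

    def can_reach(self, src: str, dst: str) -> bool:
        """Layer-2 reachability between two ports under the PVLAN rules."""
        s_type, s_vlan = self.ports[src]
        d_type, d_vlan = self.ports[dst]
        if s_type == PROMISCUOUS and d_type == PROMISCUOUS:
            return True                   # both sit in the primary VLAN
        if s_type == PROMISCUOUS:
            return d_vlan in s_vlan       # host must be in a mapped secondary
        if d_type == PROMISCUOUS:
            return s_vlan in d_vlan
        # two host ports: only community members of the same secondary talk;
        # an isolated port never reaches another host port
        return s_type == COMMUNITY and d_type == COMMUNITY and s_vlan == d_vlan

    def matrix(self) -> dict:
        """{(src, dst): bool} for every ordered pair of distinct ports."""
        names = sorted(self.ports)
        return {(a, b): self.can_reach(a, b) for a in names for b in names if a != b}


def thread_lab(r3_secondary: int = 20) -> PrivateVlan:
    """The NLISw1 lab from the thread.

    r3_secondary=10 is the first state Victor tested (both hosts in the
    community VLAN); the default 20 is the final state (R3 isolated).
    """
    pvlan = PrivateVlan(primary=100, secondaries={10: COMMUNITY, 20: ISOLATED})
    pvlan.promiscuous_mapping("Fa0/1", 100, {10, 20})   # R1, the gateway
    pvlan.host_association("Fa0/3", 100, r3_secondary)  # R3
    pvlan.host_association("Fa0/4", 100, 10)            # R4
    return pvlan


if __name__ == "__main__":
    # Print the matrix in ping style: "!!!!!" reachable, "....." not
    for (a, b), ok in thread_lab().matrix().items():
        print(f"{a} -> {b}: {'!!!!!' if ok else '.....'}")
```

With the default (final) state, Fa0/3 reaches Fa0/1 but not Fa0/4, and Fa0/4 reaches Fa0/1, which is exactly the set of pings R3 and R4 got in Victor's output; with `thread_lab(r3_secondary=10)` both hosts are community members of VLAN 10 and R4's earlier successful ping to R3 is reproduced. The model also refuses a host-association to a secondary that was never associated with the primary, which is the mistake the real switch would accept at the CLI but that leaves the port without the isolation you intended.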

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jeffrey Biggs
Sent: Friday, June 01, 2007 1:47 PM
To: ccielab@groupstudy.com
Subject: Private VLAN's......

Looking for an easy to understand/follow configuration guide for private
vlans. The Cisco website is a bit hard to follow and doesn't seem to
explain it clearly. Maybe I am just on the slow side on this subject, but
I want to truly understand this technology.

Thanks,

JB



This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:46 ART