Re: quick private vlan question

From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Sat Jun 16 2007 - 07:08:36 ART


An isolated or community Private VLAN (secondary) can only have ONE primary VLAN associated with it.

Clearly, the PVLAN concept is quite simple, but Cisco's implementation and configuration is somewhat confusing, with all those mappings and associations :) Here is how I explain PVLANs to myself.

To begin with, let's start with the concept of a Private VLAN domain. This is the basic entity, and what it does is specify how an L2 bridging domain (an L2 broadcast ethernet *cable*) is split into *subdomains*. To understand the concept in depth, let's imagine that a VLAN is a *wire* or *cable* that interconnects many physical *ports*. Next we need to loosen the concept of a *cable* to have *subdomains within*, and we come up with the concept of a *Private VLAN*. Let's see now how Cisco did it:

 First they added different *port types*:

- Isolated (I): Can only communicate with a *funnel*, i.e. a Promiscuous port.
- Community (C): Can communicate with its *buddies* and the *funnel* (Promiscuous port).
- Promiscuous (P): Can communicate with anyone, and is a *funnel*.

<>
Let's stop for a second and recap that all the drama happens within a single L2 domain, a single *physical cable* like it was back in the 10Base5 days :). So we're still under the chains of MAC address learning and flooding, and all those subdomains have nothing to do with L3 yet.
<>

To provide the required forwarding behavior, special *unidirectional* wires are introduced. These are new VLAN *types* (private VLANs) that have *different* frame forwarding behavior than a regular VLAN does:

- Primary VLAN: forwards frames *downstream* (unidirectional!!) from P to I and C ports. This is a unidirectional broadcast medium to feed traffic from P to all other ports, and this is how the *funnel* feeds all other ports.

Secondary VLANs (upstream feeders):

- Isolated VLAN: forwards frames *upstream* (unidir!) from I ports to P ports. There is only ONE Isolated VLAN within a Private VLAN domain.

- Community VLAN: forwards frames upstream from C to C ports and from C to P ports. There could be many Community VLANs within a domain.

OK, so far so good. Now we see that Private VLANs are just unidirectional wires (not quite true for the Community VLAN, which is only unidirectional with respect to the C->P traffic flow). Clearly this is why we can only bind a Secondary to one Primary VLAN - it's just a wire, and we can't use it to send multiple traffic feeds.

Let's move straight to the configuration part, and see what every configuration step accomplishes:

Step 1: Create Primary and Secondary VLANs and bind them into a PVLAN domain:

!
! Creating VLANs
!
vlan 100
private-vlan primary

vlan 101
private-vlan isolated

vlan 102
private-vlan community

!
! Associating
!
vlan 100
private-vlan assoc 101,102

What this step is needed for is to group PVLANs into a domain and establish a formal association (for syntax checking and verification).

Step 2:

Create Host ports and bind them to the respective PVLANs. Here you set up *upstream* wires, to connect host ports to all possible Promiscuous ports (primary VLAN). Note that a host port belongs to different VLANs at the same time: *downstream* primary and *upstream* secondary.

interface Fast x/y
switchport mode private-vlan host
switchport private-vlan host-association 100 101
!
interface range Fast x/y - z
switchport mode private-vlan host
switchport private-vlan host-association 100 102

Step 3:

Create a promiscuous port, and bind the *downstream* mapping. Here you add the secondary VLANs whose traffic is received by this P port. The Primary VLAN is used to deliver traffic downstream to all C/I ports as per their associations.

interface Fast x/y
switchport mode private-vlan promisc
switchport private-vlan mapping 100 add 101,102

Here's a quick question: Could you have two P-ports sharing the same primary VLAN, but having different secondary VLAN mappings?

---

The last two questions left to be fully explained are mapping L2 PVLAN domain to a SVI interface on a switch, and interconnecting PVLAN domains on multiple switches. I would gladly go into details explaining those, if someone would need it. It's just that I already wrote too much :) Thanks for all your attention.

HTH

-- Petr Lapukhov, CCIE #16379 (R&S/Security/SP) petr@internetworkexpert.com

Internetwork Expert, Inc. http://www.InternetworkExpert.com

2007/6/15, Mike Kraus (mikraus) <mikraus@cisco.com>:
>
> 3560swt001(config)#vlan 850
> 3560swt001(config-vlan)# private-vlan primary
> 3560swt001(config-vlan)#vlan 851
> 3560swt001(config-vlan)# private-vlan isolated
> 3560swt001(config-vlan)#vlan 850
> 3560swt001(config-vlan)# private-vlan association 851
> 3560swt001(config-vlan)#vlan 860
> 3560swt001(config-vlan)# private-vlan primary
> 3560swt001(config-vlan)# private-vlan association 851
> %Command rejected: invalid private vlan association between vlan860 and
> vlan851. VLAN 851 is already associated with VLAN 850.
>
> So, as the docs state: "An isolated or community VLAN can have only one
> primary VLAN associated with it."
>
> ________________________________
>
> From: Anthony Bonilla [mailto:anthonybonilla.ccie@gmail.com]
> Sent: Friday, June 15, 2007 10:08 AM
> To: Mike Kraus (mikraus)
> Cc: roehsler; ccielab@groupstudy.com
> Subject: Re: quick private vlan question
>
> can you share the whole configs - what is vlan851 configured as?
>
> On 6/13/07, Mike Kraus (mikraus) <mikraus@cisco.com> wrote:
>
> Doesn't let you do it:
>
> Switch(config-vlan)#private-vlan association 851
> %Command rejected: invalid private vlan association between vlan860 and
> vlan851. VLAN 851 is already associated with VLAN 850.
>
> (3560 running 12.2(35)SE, advanced IP services)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of roehsler
> Sent: Thursday, May 03, 2007 9:39 AM
> To: Anthony Bonilla
> Cc: ccielab@groupstudy.com
> Subject: Re: quick private vlan question
>
> Hi,
>
> Are you sure? Sorry for the confusion but I just read:
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swpvlan.htm
>
> Which states:
>
> A primary VLAN can have one isolated VLAN and multiple community VLANs
> associated with it. An isolated or community VLAN can have only one
> primary VLAN associated with it.
>
> Thanks again.
>
> > On 5/3/07, Anthony Bonilla <anthonybonilla.ccie@gmail.com> wrote:
> > Yes, you can use the same number for isolated VLANs and they will
> > still not be able to talk to each other. Thanks.
> >
> > On 5/3/07, roehsler <roehsler@gmail.com> wrote:
> > > Hi,
> > >
> > > Let's say I have multiple primary vlans:
> > >
> > > vlan_2
> > > vlan_3
> > > vlan_4
> > >
> > > And I have one isolated vlan:
> > >
> > > vlan_10
> > >
> > > Can I use the same isolated vlan in each/all of my primary vlans? I
> > > think the answer is yes.
> > >
> > > Thanks
> > >
> > > David
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
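The "unidirectional wire" model from Petr's post, and the association rule the thread settles on, can be checked by hand with a small simulator. The block below is an added example, not code from the original post or from Cisco: it encodes the three configuration steps (VLAN types and associations, host-association, promiscuous mapping) as method calls and then asks which port can deliver a frame to which. The port names (Fa0/1 ... Fa0/24), the second promiscuous port Fa0/23 that maps only the isolated VLAN, and the whole API (PvlanDomain, can_forward, PvlanError) are assumptions made for illustration; the one-primary-per-secondary rejection it reproduces is the 3560 behaviour quoted from Mike Kraus above.

```python
"""Simulator for the private-VLAN "unidirectional wire" model.

Added example; not code from the original post or from Cisco. Port names,
VLAN numbers beyond those in the post, and the API are assumptions.
"""
from dataclasses import dataclass, field


class PvlanError(Exception):
    """Raised where the IOS CLI would print '%Command rejected'."""


@dataclass
class Port:
    mode: str               # "host" or "promiscuous"
    primary: int
    secondaries: frozenset  # host: its single secondary; promisc: its mapping


@dataclass
class PvlanDomain:
    kind: dict = field(default_factory=dict)   # vlan -> primary/isolated/community
    assoc: dict = field(default_factory=dict)  # primary -> set of secondaries
    ports: dict = field(default_factory=dict)  # port name -> Port

    # Step 1: "vlan N / private-vlan <type>" and "private-vlan association ..."
    def vlan(self, vid, kind):
        assert kind in ("primary", "isolated", "community")
        self.kind[vid] = kind
        if kind == "primary":
            self.assoc.setdefault(vid, set())

    def associate(self, primary, *secondaries):
        if self.kind.get(primary) != "primary":
            raise PvlanError(f"vlan{primary} is not a primary VLAN")
        for s in secondaries:
            if self.kind.get(s) not in ("isolated", "community"):
                raise PvlanError(f"vlan{s} is not a secondary VLAN")
            # A secondary VLAN is one upstream wire: it can feed only ONE primary.
            for p, secs in self.assoc.items():
                if s in secs and p != primary:
                    raise PvlanError(
                        f"invalid private vlan association between vlan{primary} "
                        f"and vlan{s}. VLAN {s} is already associated with VLAN {p}")
            # Only one isolated VLAN per primary; many community VLANs are fine.
            if self.kind[s] == "isolated" and any(
                    self.kind[x] == "isolated" and x != s for x in self.assoc[primary]):
                raise PvlanError(f"vlan{primary} already has an isolated VLAN")
            self.assoc[primary].add(s)

    # Step 2: "switchport private-vlan host-association <primary> <secondary>"
    def host_port(self, name, primary, secondary):
        if secondary not in self.assoc.get(primary, ()):
            raise PvlanError(f"vlan{secondary} is not associated with vlan{primary}")
        self.ports[name] = Port("host", primary, frozenset({secondary}))

    # Step 3: "switchport private-vlan mapping <primary> add <secondaries>"
    def promisc_port(self, name, primary, *secondaries):
        bad = set(secondaries) - self.assoc.get(primary, set())
        if bad:
            raise PvlanError(f"{sorted(bad)} not associated with vlan{primary}")
        self.ports[name] = Port("promiscuous", primary, frozenset(secondaries))

    def can_forward(self, src, dst):
        """True if a frame entering port src can be delivered out of port dst."""
        a, b = self.ports[src], self.ports[dst]
        if src == dst or a.primary != b.primary:
            return False  # different PVLAN domains never meet at L2
        if a.mode == "promiscuous":
            # Downstream on the primary wire: every host it maps, plus other P ports.
            return b.mode == "promiscuous" or bool(a.secondaries & b.secondaries)
        (sec,) = a.secondaries  # a host port sits on exactly one upstream wire
        if b.mode == "promiscuous":
            return sec in b.secondaries  # only P ports that map this wire hear it
        # host -> host works only between two C ports on the SAME community VLAN
        return self.kind[sec] == "community" and b.secondaries == a.secondaries


def build_post_config():
    """The post's three steps, plus an assumed second P port (Fa0/23) that
    maps only the isolated VLAN, to try the closing question."""
    d = PvlanDomain()
    d.vlan(100, "primary"); d.vlan(101, "isolated"); d.vlan(102, "community")
    d.associate(100, 101, 102)
    d.host_port("Fa0/1", 100, 101); d.host_port("Fa0/2", 100, 101)   # isolated
    d.host_port("Fa0/3", 100, 102); d.host_port("Fa0/4", 100, 102)   # community
    d.promisc_port("Fa0/24", 100, 101, 102)  # funnel for everyone
    d.promisc_port("Fa0/23", 100, 101)       # assumed: funnel for isolated hosts only
    return d


def reachability(d):
    """{src: [dst, ...]} -- who can talk to whom in the domain."""
    return {s: [t for t in d.ports if d.can_forward(s, t)] for s in d.ports}


def reproduce_rejection():
    """Mike Kraus's 3560 test: vlan 851 already belongs to primary 850."""
    d = PvlanDomain()
    d.vlan(850, "primary"); d.vlan(851, "isolated"); d.vlan(860, "primary")
    d.associate(850, 851)
    try:
        d.associate(860, 851)
    except PvlanError as e:
        return str(e)
    return None


if __name__ == "__main__":
    for src, dsts in reachability(build_post_config()).items():
        print(src, "->", dsts)
    print(reproduce_rejection())
```

Running it shows the asymmetry the post describes: Fa0/1 (isolated) reaches both promiscuous ports but not Fa0/2, Fa0/3 (community) reaches Fa0/4 and Fa0/24 but not Fa0/23, and Fa0/23, which maps only VLAN 101, feeds the isolated hosts but not the community ones while still sharing primary 100 with Fa0/24. The second association of vlan 851 fails with the same "already associated with VLAN 850" message the 3560 printed.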



This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:49 ART