- Allows for layer 2 isolation between ports within the same VLAN.
- Expansion of the protected port feature.
- Allows isolation across multiple switches.
- Allows for additional granular control within the same VLAN.
- Requires a ‘sub-VLAN’ within a ‘main’ VLAN.
  - Main VLAN
    - Known as the primary VLAN
  - Sub-VLAN
    - Known as secondary VLANs
    - 2 types
      - Community
      - Isolated
- Ports
  - Promiscuous ports
    - Connect to the router.
  - Host ports
    - Connect to end hosts
    - Either isolated or community ports
- Primary VLAN
  - Carries traffic from promiscuous ports to host ports.
- Isolated VLAN
  - Carries traffic from host ports to promiscuous ports.
- Community VLAN
  - Carries traffic between community host ports and to the promiscuous port.
- VTP 1 and 2
  - Cannot advertise extended VLANs.
  - Private VLANs are extended VLANs.
  - Implies that private VLAN config must be manually synced.
- VTP 3
  - Private and extended VLANs can be advertised.

In the topology above we’re running a primary VLAN of 500, a community private VLAN of 501, and an isolated VLAN of 502. H1 and H2 are in 501 and H3 is in 502. R1 will be connected to our promiscuous port, acting as the gateway.
- R1 – 192.168.1.254/24
- H1 – 192.168.1.1/24
- H2 – 192.168.1.2/24
- H3 – 192.168.1.3/24
All configuration will occur on SW1.
Community VLAN Creation:

Isolated VLAN Creation:

Primary VLAN Creation:

Host port & VLAN Association:


Assign Promiscuous:

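The five configuration steps above, written out as one IOS configuration for SW1. This is an added example and not the original page’s configuration screenshots; the interface names (Gi0/1 through Gi0/4) and the `vtp mode transparent` line are assumptions, the latter reflecting the VTP 1/2 limitation noted earlier. VLAN numbers and addresses are the ones the topology describes.

```cisco
! Added example (not from the original page); interface names are assumptions.
! VTP v1/v2 cannot carry private VLAN information, so the switch is placed in
! transparent mode before the private VLANs are defined.
vtp mode transparent
!
! Community VLAN creation
vlan 501
 private-vlan community
!
! Isolated VLAN creation
vlan 502
 private-vlan isolated
!
! Primary VLAN creation, with both secondaries associated to it
vlan 500
 private-vlan primary
 private-vlan association 501,502
!
! Host port & VLAN association: H1 and H2 in community VLAN 501
interface GigabitEthernet0/1
 description H1 (assumed port)
 switchport mode private-vlan host
 switchport private-vlan host-association 500 501
!
interface GigabitEthernet0/2
 description H2 (assumed port)
 switchport mode private-vlan host
 switchport private-vlan host-association 500 501
!
! Host port & VLAN association: H3 in isolated VLAN 502
interface GigabitEthernet0/3
 description H3 (assumed port)
 switchport mode private-vlan host
 switchport private-vlan host-association 500 502
!
! Assign promiscuous: the port toward R1 maps the primary VLAN to both secondaries
interface GigabitEthernet0/4
 description R1 gateway 192.168.1.254 (assumed port)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 500 501,502
```

The `private-vlan association` under VLAN 500 and the `mapping` under the promiscuous port must list the same secondary VLANs; a secondary VLAN missing from the mapping leaves its hosts with no path to the gateway even though their host-association is correct, which is the first thing to check with `show vlan private-vlan` when a ping to 192.168.1.254 fails.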
After these configurations are in place, the two hosts in community VLAN 501 will be able to communicate with each other and with the gateway at 192.168.1.254. Pings will fail going from H1 or H2 to the isolated VLAN member H3. H3 will only be able to communicate with the gateway.
NOTE:
- If there were another member of the isolated VLAN, it would still not be able to communicate with H3.
- Troubleshooting commands:
  - ‘show interface gig0/0 switchport’
  - ‘show vlan private-vlan’
  - ‘show vlan private-vlan type’