Private VLANs Revisited

Posted by Petr Lapukhov, 4xCCIE/CCDE on Jul 14, 2008, in Advanced Security, Security, Switching. 65 Comments.

Due to the continuing interest in the post about Private VLANs, I decided to write another one, more detailed, including a diagram and verification techniques.

Introduction

To begin with, recall that a VLAN is essentially a broadcast domain. Private VLANs (PVLANs) allow splitting that domain into multiple isolated broadcast "subdomains", introducing sub-VLANs inside a VLAN. As we know, Ethernet VLANs cannot communicate directly with each other; they require an L3 device to forward packets between separate broadcast domains. The same restriction applies to PVLANs: since the subdomains are isolated at Layer 2, they need an upper-layer (L3, packet-forwarding) device, such as a router, to communicate.

In reality, different VLANs normally map to different IP subnets. When we split a VLAN using PVLANs, hosts in different PVLANs still belong to the same IP subnet, yet now they need a router (L3 device) to talk to each other (for example, by using Local Proxy ARP). In turn, the router may either permit or forbid communication between sub-VLANs using access-lists. Commonly, these configurations arise in "shared" environments, say ISP co-location, where it is beneficial to put multiple customers into the same IP subnet yet provide a good level of isolation between them.

Private VLANs Terminology

The following is the reference diagram that we are going to use to illustrate Private VLAN concepts and functionality.

[Diagram: Private VLAN reference topology]

For our sample configuration, we take VLAN 1000 and divide it into three PVLANs: sub-VLAN 1012 (R1 and R2), sub-VLAN 1034 (R3 and R4) and sub-VLAN 1055 (router R5 only). Router R6 will be used as the Layer 3 device, to resolve the Layer 3 communication issue. We name VLAN 1000 the "Primary" VLAN and
classify the ports assigned to this VLAN based on their types:

Promiscuous ("P") port: Usually connects to a router. This port type is allowed to send and receive L2 frames from any other port on the VLAN.

Isolated ("I") port: This type of port is only allowed to communicate with "P" ports, i.e., they are "stub" ports. You commonly see these ports connecting to hosts.

Community ("C") port: Community ports are allowed to talk to their buddies sharing the same community (group), and to "P" ports.

In order to implement sub-VLAN behavior, we need to define how packets are forwarded between the different types of ports. We group the VLANs into "Primary" and "Secondary":

Primary VLAN (VLAN 1000 in our example): This VLAN is used to forward frames downstream from "P" ports to all other port types ("I" and "C" ports) in the system. Essentially, the Primary VLAN embraces all ports in the domain, but only transports frames from the router to the hosts (from "P" to "I" and "C").

Secondary Isolated VLAN: forwards frames from "I" ports to "P" ports. Since Isolated ports do not exchange frames with each other, we can use just ONE isolated VLAN to connect all I-ports to the P-ports.

Secondary Community VLANs: transport frames between community ports (C-ports) within the same group (community) and forward frames upstream to the P-ports of the primary VLAN.
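The port types and VLAN roles just defined can be written down as a small forwarding model. The following Python block is an added illustration, not code from the post or from Cisco: it encodes the three rules above (primary carries P-to-host traffic, isolated carries host-to-P traffic, community carries both host-to-host within the group and host-to-P) and reports which ports a broadcast reaches and which VLAN ID carries it on a trunk. The device names and VLAN numbers follow the post's diagram; the two SVIs are modelled as promiscuous ports with a mapping list (an assumption consistent with how the post configures them later), and SW2's SVI is deliberately mapped to 1012 and 1034 only.

```python
from dataclasses import dataclass

PRIMARY, ISOLATED = 1000, 1055          # VLAN numbers from the post's diagram

@dataclass(frozen=True)
class Port:
    name: str                           # the device behind the port, as in the post
    kind: str                           # "promiscuous", "community" or "isolated"
    secondary: int = 0                  # secondary VLAN of a host port (0 for P-ports)
    mapping: frozenset = frozenset()    # secondaries a P-port (or SVI) is mapped to

ALL_SECONDARIES = frozenset({1012, 1034, ISOLATED})

# Constructed from the post's topology: SVIs are treated as promiscuous ports (assumption).
PORTS = [
    Port("R1", "community", 1012), Port("R2", "community", 1012),
    Port("R3", "community", 1034), Port("R4", "community", 1034),
    Port("R5", "isolated", ISOLATED),
    Port("R6", "promiscuous", mapping=ALL_SECONDARIES),
    Port("SW1-SVI", "promiscuous", mapping=ALL_SECONDARIES),
    Port("SW2-SVI", "promiscuous", mapping=frozenset({1012, 1034})),  # no 1055 on purpose
]

def ingress_vlan(port):
    """VLAN that carries a frame received on `port`; the same ID tags it on the trunk."""
    return PRIMARY if port.kind == "promiscuous" else port.secondary

def delivers(src, dst):
    """Is a frame entering at src forwarded to dst?  The post's three rules."""
    if src.kind == "promiscuous":
        # Primary VLAN, downstream: other P-ports, plus every host port whose
        # secondary VLAN this P-port is mapped to.
        return dst.kind == "promiscuous" or dst.secondary in src.mapping
    if dst.kind == "promiscuous":
        # Isolated or community VLAN, upstream: only P-ports mapped to that secondary.
        return src.secondary in dst.mapping
    # Host to host: only community peers in the same community VLAN; isolated never.
    return src.kind == "community" and src.secondary == dst.secondary

def flood(src_name, ports=PORTS):
    """(carrying VLAN, sorted names of ports receiving a broadcast entering at src_name)."""
    src = next(p for p in ports if p.name == src_name)
    return ingress_vlan(src), sorted(p.name for p in ports if p is not src and delivers(src, p))

def reachability(ports=PORTS):
    """Full L2 matrix.  PVLAN forwarding is symmetric; the assertion checks that the
    model never lets an echo request out without a path for the reply back."""
    matrix = {a.name: {b.name: delivers(a, b) for b in ports if b is not a} for a in ports}
    for a in matrix:
        for b in matrix[a]:
            assert matrix[a][b] == matrix[b][a], (a, b)
    return matrix

if __name__ == "__main__":
    for host in ("R1", "R3", "R5", "R6", "SW2-SVI"):
        vlan, receivers = flood(host)
        print(f"broadcast from {host:7} carried in VLAN {vlan}: {', '.join(receivers)}")
```

Running it reproduces the reply sets of the broadcast pings shown later in the post: R1's broadcast travels in VLAN 1012 and reaches R2, R6 and both SVIs; R5's travels in VLAN 1055 and reaches only R6 and SW1's SVI, because SW2's SVI is not mapped to 1055.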
Here are the key aspects of Private VLAN functioning:

- The Primary VLAN delivers frames downstream from the router (promiscuous port) to all mapped hosts.
- The Isolated VLAN transports frames from the stub hosts upstream to the router.
- The Community VLANs allow bi-directional frame exchange within a single group, in addition to forwarding frames upstream towards "P" ports.
- Ethernet MAC address learning and forwarding procedures remain the same, as does the broadcast/multicast flooding procedure, within the boundaries of the primary/secondary VLANs.
- Private VLANs can be trunked. The secondary VLAN numbers are used to tag frames, just as with regular VLANs, and the primary VLAN traffic is trunked as well. However, you need to configure the Private VLAN specific settings (bindings, mappings) on every participating switch, as it is not possible to use VTPv2 to disseminate that information. This is because VTPv2 has no TLVs to carry private VLAN information; VTPv3 was designed to overcome this limitation, among others.

Configuring Private VLANs

We have primary VLAN 1000, Isolated VLAN 1055 (R5), Community VLAN 1012 (R1, R2) and Community VLAN 1034 (R3, R4).

Step 1: First, disable VTP, i.e. enable VTP transparent mode. After disabling VTP, create the Primary and Secondary VLANs and bind them into a PVLAN domain:

SW1:
    vtp mode transparent
    !
    ! Creating the primary VLAN, which is shared among the secondaries
    !
    vlan 1000
     private-vlan primary
    !
    ! Community VLAN for R1 and R2: allows a "sub-VLAN" within the Primary VLAN
    !
    vlan 1012
     private-vlan community
    !
    ! Community VLAN for R3 and R4
    !
    vlan 1034
     private-vlan community
    !
    ! Isolated VLAN: connects all stub hosts to the router.
    ! Remember - only one isolated VLAN per primary VLAN.
    ! In our case, isolates R5 only.
    !
    vlan 1055
     private-vlan isolated
    !
    ! Associating the primary with the secondaries
    !
    vlan 1000
     private-vlan association 1012,1034,1055

This step is needed to group the PVLANs into a shared domain and establish a formal association (for syntax checking and VLAN type verification). Repeat the same operations on SW2, since VTP has been disabled.

Step 2: Configure the host ports and bind them to their respective secondary PVLANs (community or isolated). Note that a host port belongs to two VLANs at the same time: the downstream primary and the upstream secondary. Also, enable trunking between the switches, to allow private VLAN traffic to pass between them.

SW1:
    !
    ! Community port (links R1 to R2 and to "P" ports)
    !
    interface FastEthernet0/1
     description == R1
     switchport private-vlan host-association 1000 1012
     switchport mode private-vlan host
     spanning-tree portfast
    !
    ! Community port (links R3 to R4 and to "P" ports)
    !
    interface FastEthernet0/3
     description == R3
     switchport private-vlan host-association 1000 1034
     switchport mode private-vlan host
     spanning-tree portfast
    !
    ! Isolated port (uses the isolated VLAN to talk to "P" ports)
    !
    interface FastEthernet0/5
     description == R5
     switchport private-vlan host-association 1000 1055
     switchport mode private-vlan host
     spanning-tree portfast
    !
    ! Trunk port
    !
    interface FastEthernet 0/13
     switchport trunk encapsulation dot1q
     switchport mode trunk

SW2:
    interface FastEthernet0/2
     description == R2
     switchport private-vlan host-association 1000 1012
     switchport mode private-vlan host
     spanning-tree portfast
    !
    interface FastEthernet0/4
     description == R4
     switchport private-vlan host-association 1000 1034
     switchport mode private-vlan host
     spanning-tree portfast
    !
    ! Trunk port
    !
    interface FastEthernet 0/13
     switchport trunk encapsulation dot1q
     switchport mode trunk

Next, verify the configuration on SW1:

    Rack1SW1#show vlan id 1012

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1012 VLAN1012                         active    Fa0/13

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1012 enet  101012     1500  -      -      -        -    -        0      0

    Remote SPAN VLAN
    ----------------
    Disabled

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------
    1000    1012      community         Fa0/1

    Rack1SW1#show vlan id 1034

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1034 VLAN1034                         active    Fa0/13

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1034 enet  101034     1500  -      -      -        -    -        0      0

    Remote SPAN VLAN
    ----------------
    Disabled

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------
    1000    1034      community         Fa0/3

    Rack1SW1#show vlan id 1055

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1055 VLAN1055                         active    Fa0/13

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1055 enet  101055     1500  -      -      -        -    -        0      0

    Remote SPAN VLAN
    ----------------
    Disabled

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------
    1000    1055      isolated          Fa0/5

    Rack1SW1#show interfaces fastEthernet 0/13 trunk

    Port        Mode             Encapsulation  Status        Native vlan
    Fa0/13      desirable        802.1q         trunking      1

    Port        Vlans allowed on trunk
    Fa0/13      1-4094

    Port        Vlans allowed and active in management domain
    Fa0/13      1,1000,1012,1034,1055

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/13      1,1000,1012,1034,1055

Verify on SW2:

    Rack1SW2#show vlan id 1000

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1000 VLAN1000                         active    Fa0/13

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1000 enet  101000     1500  -      -      -        -    -        0      0

    Remote SPAN VLAN
    ----------------
    Disabled

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------
    1000    1012      community         Fa0/2, Fa0/6
    1000    1034      community         Fa0/4, Fa0/6
    1000    1055      isolated          Fa0/6

    Rack1SW2#show vlan id 1012

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1012 VLAN1012                         active    Fa0/13

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1012 enet  101012     1500  -      -      -        -    -        0      0

    Remote SPAN VLAN
    ----------------
    Disabled

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------
    1000    1012      community         Fa0/2, Fa0/6

    Rack1SW2#show vlan id 1034

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1034 VLAN1034                         active    Fa0/13

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1034 enet  101034     1500  -      -      -        -    -        0      0

    Remote SPAN VLAN
    ----------------
    Disabled

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------
    1000    1034      community         Fa0/4, Fa0/6

    Rack1SW2#show vlan id 1055

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1055 VLAN1055                         active    Fa0/13

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1055 enet  101055     1500  -      -      -        -    -        0      0

    Remote SPAN VLAN
    ----------------
    Disabled

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------
    1000    1055      isolated          Fa0/6

    Rack1SW2#show interface fastEthernet 0/13 trunk

    Port        Mode             Encapsulation  Status        Native vlan
    Fa0/13      desirable        802.1q         trunking      1

    Port        Vlans allowed on trunk
    Fa0/13      1-4094

    Port        Vlans allowed and active in management domain
    Fa0/13      1,1000,1012,1034,1055

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/13      1,1000,1012,1034,1055

Step 3: Create a promiscuous port and configure the downstream mappings. Here we add the secondary VLANs whose traffic is received by this particular "P" port. The Primary VLAN is used to send traffic downstream to all "C" and "I" ports, per their associations.

SW2:
    !
    ! Promiscuous port, mapped to all secondary VLANs
    !
    interface FastEthernet0/6
     description == R6
     switchport private-vlan mapping 1000 1012,1034,1055
     switchport mode private-vlan promiscuous
     spanning-tree portfast

Verify the promiscuous port configuration:

    Rack1SW2#show int fa 0/6 switch | beg private
    Administrative Mode: private-vlan promiscuous
    Operational Mode: private-vlan promiscuous
    Administrative Trunking Encapsulation: negotiate
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: Off
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: none
    Administrative private-vlan host-association: none
    Administrative private-vlan mapping: 1000 (VLAN1000) 1012 (VLAN1012) 1034 (VLAN1034) 1055 (VLAN1055)
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk Native VLAN tagging: enabled
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk private VLANs: none
    Operational private-vlan:
      1000 (VLAN1000) 1012 (VLAN1012) 1034 (VLAN1034) 1055 (VLAN1055)

If you need to configure an SVI on a switch to communicate with private VLAN members, you should add an interface corresponding to the Primary VLAN only. Obviously, that is because all secondary VLANs are "subordinates" of the primary. After the SVI has been created, you have to map the required secondary VLANs to the SVI (just as with a promiscuous port) in order to make communication possible. You may exclude some mappings from the SVI and limit it to communicating only with certain secondary VLANs. Keep in mind that the mapping only lets the SVI exchange frames with those secondary VLANs; for hosts in different secondary VLANs to reach each other through the SVI, the switch must also answer ARP on their behalf (Local Proxy ARP, as mentioned in the introduction).

SW1:
    !
    ! SW1 SVI is mapped to all secondary VLANs
    !
    interface Vlan 1000
     ip address 10.0.0.7 255.255.255.0
     private-vlan mapping 1012,1034,1055

SW2:
    !
    ! SW2 SVI is mapped to 1012/1034 only, so it cannot communicate with R5
    !
    interface Vlan1000
     ip address 10.0.0.8 255.255.255.0
     private-vlan mapping 1012,1034

Now, to verify the configuration, configure the R1-R6 interfaces in subnet 10.0.0.0/24 and ping the broadcast address:

    Rack1R1#ping 10.0.0.255 repeat 1

    Type escape sequence to abort.
    Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

    Reply to request 0 from 10.0.0.7
    Reply to request 0 from 10.0.0.2
    Reply to request 0 from 10.0.0.6
    Reply to request 0 from 10.0.0.8

    Rack1R3#ping 10.0.0.255 repeat 1

    Type escape sequence to abort.
    Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

    Reply to request 0 from 10.0.0.7
    Reply to request 0 from 10.0.0.4
    Reply to request 0 from 10.0.0.6
    Reply to request 0 from 10.0.0.8

    Rack1R5#ping 10.0.0.255 repeat 1

    Type escape sequence to abort.
    Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

    Reply to request 0 from 10.0.0.7
    Reply to request 0 from 10.0.0.6

    Rack1R6#ping 10.0.0.255 repeat 1

    Type escape sequence to abort.
    Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

    Reply to request 0 from 10.0.0.1
    Reply to request 0 from 10.0.0.7
    Reply to request 0 from 10.0.0.2
    Reply to request 0 from 10.0.0.5
    Reply to request 0 from 10.0.0.3
    Reply to request 0 from 10.0.0.4
    Reply to request 0 from 10.0.0.8

R1 and R3 hear only their community peer, the router and the two SVIs; R5, on the isolated port, hears only the router and SW1's SVI (SW2's SVI is not mapped to 1055); the promiscuous R6 hears everyone.

Lastly, there is another feature, called protected port or "Private VLAN edge". The feature is pretty basic and is available even on low-end Cisco switches. It allows isolating ports in the same VLAN. Specifically, all ports in a VLAN marked as protected are prohibited from sending frames to each other (but are still allowed to send frames to other, non-protected, ports within the same VLAN). Unlike private VLANs, this isolation is local to one switch: two protected ports on different switches joined by a trunk can still exchange frames. Usually, ports configured as protected are also configured not to receive unknown unicast (frames with a destination MAC address not in the switch's MAC table) and multicast frame flooding, for added security. Example:

    interface range FastEthernet 0/1 -
     switchport mode access
     switchport protected
     switchport block unicast
     switchport block multicast

Tags: 3560, arp, ccie, community, isolated, level2, private-vlan, promiscuous, vlan

About Petr Lapukhov, 4xCCIE/CCDE: Petr Lapukhov's career in IT began in 1988 with a focus on computer programming, and progressed into networking with his first exposure to Novell NetWare in 1991. Initially involved with Kazan State University's campus network support and UNIX system administration, he went through the path of becoming a networking consultant, taking part in many network deployment projects. Petr currently has over 12 years of experience working in the Cisco networking field, and is the only person in the world to have obtained four CCIEs in under two years, passing each on his first attempt. Petr is an exceptional case in that he has been working with all of the technologies covered in his four CCIE tracks (R&S, Security, SP, and Voice) on a daily basis for many years. When not actively teaching classes, developing self-paced products, studying for the CCDE Practical & the CCIE Storage Lab Exam, and completing his PhD in Applied Mathematics

65 Responses to "Private VLANs Revisited"

TimS, July 14, 2008 at 11:19 am:
Very useful info. Thanks.

Amit Chopra, July 14, 2008 at 11:35 am:
Excellent work. The amazing part is that it is FREE for all people without asking anything… I think soon this blog will have everything. Where is my printer?
I need to print this blog. Damn…
Amit Chopra

CCIETalk.com, July 14, 2008 at 3:00 pm:
Great writeup Petr. I was thinking about doing a writeup while studying Private VLANs also, because there is not much information on them. But I guess now I can chill and just read your post over and over again.

Pingback: Private VLANs explained » CCIETalk.com, July 15, 2008 at 4:10 am:
[…] Private VLANs […]

Pingback: Private VLANs Revisited By Petr Lapukhov over on IE Blog | CCIE Journey, July 15, 2008 at 5:47 am:
[…] Read more Leave a Reply […]

Pingback: 15 July - CCIE Quickies « CCIE Pursuit Blog, July 15, 2008 at 2:05 pm:
[…] Internetwork Expert Blog - Petr revisits a very popular post about private VLANs: […]

Alan, July 16, 2008 at 2:54 pm:
When enabling an SVI on a switch to communicate with private VLAN members, is the "ip routing" command necessary or not?

Pingback: Understanding Private VLANs - CCIE Blog, July 29, 2008 at 10:31 am:
[…] Private VLANs Revisited […]

Pingback: » How-to: Configure Private VLANs, July 30, 2008 at 5:24 am:
[…] Private VLANs revisited […]

Danny Sze, July 30, 2008 at 8:44 pm:
My Lab Exam is coming soon. I need that material. Very good and clear. Thanks much.

Alexander, August 1, 2008 at 11:47 am:
People should not be alarmed when they see multicast and broadcast traffic on their isolated or community PVLAN ports from other PVLANs based on the same primary. VTPv3 does carry the PVLAN associations (and VLAN database information for VLAN IDs > 1024 and MST vlan/instance mappings), but of course that's kind of pointless since no one should be deploying new CatOS switches these days.

Petr Lapukhov, CCIE #16379, August 1, 2008 at 8:10 pm:
To Alexander: Thanks for the excellent point about VTPv3!
Even though VTPv3 adds truly "opaque" information distribution, I didn't mention the new version in the post since it's not widely deployed/used and probably would not be. Even if ported to IOS, the VTP concept in general is incompatible with the modern enterprise network design trend, which avoids large L2 domains. However, I'm looking forward to seeing the emerging Ethernet OAM and further development of EVCs and Metro Ethernet technologies in general. This is where a "truly opaque" information distribution protocol may become useful.

Pingback: Private VLAN « Stupid Packet, August 10, 2008 at 9:13 am:
[…] is looking for some real information on private vlans, please check out the Cisco Documentation or Internetworkexpert's blog on private vlans. No Comments so far. Leave a comment. RSS feed for comments on this post. TrackBack URI […]

Pingback: Private VLAN –, August 20, 2008 at 8:58 am:
[…] Anywho, if anyone is looking for some real information on private vlans, please check out the Cisco Documentation or Internetworkexpert's blog on private vlans […]

Pingback: Update for this weekend « Navfett's Weblog, September 16, 2008 at 1:33 pm:
[…] Thus I revisited both concepts once more. I also found off of IE.com a nice tutorial by Petr about private vlans. Well put and nicely done, and I did print it out for future reference, along with labbing it […]

Pingback: Private Vlans revisited « Navfett's Weblog, September 19, 2008 at 8:31 pm:
[…] Vlans theory last night, not only did I read over the doc cd, I also took the liberty of reading Petr's Private Vlans blog post. Great stuff, he breaks it down in a very simple manner identifying the differences between, […]

Pierre-Louis, October 1, 2008 at 6:03 am:
Hello Petr, I would like you to help me resolve a big deal with Private VLANs… I have a Cat3560 with an Access Point on Fast0/1. I would like to serve different VLANs on the Access Point, but I would like to suppress traffic between clients on the same VLANs, even if one is connected by a wire or without. Of course I thought immediately to use Private VLANs, but the "switchport mode private-vlan trunk" is not available on this platform… How could I do that??? With which other feature eventually? Thanks for your help – Pierre-Louis Gingembre

Pingback: Private VLANs « Cisco Notepad, October 2, 2008 at 4:54 pm:
[…] October 3, 2008 at 11:54 am | In Switching | The Scenario is from the IE blog http://blog.internetworkexpert.com/2008/07/14/private-vlans-revisited/ Private VLAN Diagram (from IE […]

steve nowell, November 1, 2008 at 5:52 am:
That explanation is hands down the best one I have found. Covers all relevant topics while remaining easily understandable. Many thanks!

Jim, November 3, 2008 at 5:52 am:
Good stuff! To help validate my understanding, will you also include the 'show run interface fa0/6' on SW2? I know this may seem trivial, but it will complete the config. Thx

ram, November 19, 2008 at 10:49 pm:
Would like to see a diagram with packet flow documenting the VLAN getting translated when the packet is coming from the promiscuous port to isolated or community ports, and similarly packets coming from community ports to the promiscuous port.

Amr elframawy, November 24, 2008 at 7:08 pm:
Thank you veryyyyyyyyyyy much, really very useful and great information. Amr frmawy, CCSP, Egypt

lancellot, December 4, 2008 at 4:53 am:
Thank you very much. Need to read it a couple of more times though. Keep up the good work. lance, CCNA

Daniel Kutchin, December 28, 2008 at 5:32 am:
One more thing about protected ports vs private-vlan ports: the protected ports must be on the _SAME_ switch or a switch stack, as well as share the same vlan. Therefore, while private vlans function across switches, protected ports must be on the same switch or switch stack for them to be isolated.

Vivek Umasuthan, April 6, 2009 at 7:16 am:
I think a protected port does not isolate ports on the same VLAN on a different switch. It is intended to isolate ports on the same VLAN on the same switch. If there are two protected ports on two different switches connected to each other, then they will be able to communicate. But a frame received on a protected port will not be forwarded through another protected port on the same switch.

Ogarcia, April 10, 2009 at 2:22 pm:
What about if the connection from SW2 to R6 is a Trunk for several Vlans; how do you manage to set this up using Private Vlans and Sub-interfaces? How is the traffic coming from the Secondary Vlans to R6 handled?

Pingback: Understanding Private VLANs | CCNA 640-802 certification!, July 7, 2009 at 11:00 pm:
[…] http://blog.internetworkexpert.com/2008/07/14/private-vlans-revisited/ […]

jerrysimila, September 16, 2009 at 7:44 am:
Hi, is it possible to have ACLs that restrict inter-community communication within the same primary vlan? Thanks in advance.

Petr Lapukhov, CCIE #16379, September 16, 2009 at 11:45 am:
You may use VLAN ACLs with Private VLANs, OR you may use L3 ACLs on the SVI that uses "local proxy-arp" to route the traffic between the members of private VLANs.

Diane, October 4, 2009 at 5:48 am:
Is there a way to use Private VLAN to prevent duplicate IP addresses in a primary VLAN? In other words, can a user in one community mistakenly configure an ip assigned for another community and take down services because of the duplicate ip address? What's the best way to prevent this type of outage? Thank you for helping.

Brian McGahan, CCIE #8593, October 4, 2009 at 7:49 am:
@Diane Yes, it's still possible, and this can result in the router's ARP cache being corrupted. You can use something like IP Source Guard to prevent this.

Mrnal, November 9, 2009 at 6:12 pm:
Well done Petr, very good explanation.

Pingback: Day #4 – CLND + Research « TacAck – My security journey!, November 13, 2009 at 9:04 pm:
[…] some reading on PVLAN's and finally configured them and got them working. Here's the material I was reading. This is […]

Jason, December 9, 2009 at 9:28 am:
May be worth mentioning that if you are using an SVI and need IP (L3) communications between two different Communities (under the same Primary VLAN), you not only need proxy-arp enabled on the SVI, but also be sure to enable ip local-proxy-arp under the SVI. I couldn't even ping between communities at first. Thought I had a deeper issue with it, then realized ip local-proxy-arp needed to be enabled. Until then, the router will receive ARPs but ignore them. Once ip local-proxy-arp is enabled, the router will answer up for ARP requests to other devices in the same Community VLAN.

Anthony Sequeira, #15626, December 9, 2009 at 10:52 am:
Awesome stuff Jason. Thanks so much for contributing to our blog!

Pingback: Day #19 – Possibilities « TacAck – My security journey!, December 9, 2009 at 10:31 pm:
[…] which I went through earlier, but I'd forgotten some of the details so I revised it again. HERE's the […]

Ashvin Paija, December 15, 2009 at 4:41 pm:
Excellent explanation of Private Vlan!! I was always confused in PVLAN. After reading this blog I'm very much clear about Private VLAN. Thanks Petr Lapukhov for the brief information about PVLAN.

mostafa, December 16, 2009 at 11:51 pm:
I need to implement a private vlan solution for the following scenario: Web server vlan, e-mail vlan, user vlan, guest vlan. The communication will be as follows: user and guest can access the web server vlan; user can access the e-mail vlan; user and guest never access each other. What solution could be done for this schema above?

Rizwan Khan, January 16, 2010 at 12:59 pm:
Hi, we have private vlans configured on access switches, PRIMARY + ISOLATED only. The Primary has to be a routed vlan. The SVI will be on the aggregation. I need to know: do we need to trunk the isolated vlan between the access switch and aggregation switch? Aggregation will have the SVI for the primary and mapped to the isolated, or will only trunking the primary between access and agg work?

Mohan Reddy, January 20, 2010 at 2:51 pm:
You only trunk Primary VLANs and NEVER secondary VLANs. Therefore, the answer is yes! Make sure your trunk between ACCESS and AGGregation carries the primary VLAN. Petr -> very effective writing – thank you!

Shiva, January 28, 2010 at 1:31 am:
This explanation is very useful. Does the PVLAN work only in VTP-Trans mode?

Anthony Sequeira, #15626, January 28, 2010 at 6:28 am:
Hi Shiva! If you use VTP Version 3 – I believe you can use Servers. The Trans mode is a requirement for VTP versions 1 and 2 for sure.

josue amaya, February 6, 2010 at 11:18 am:
Thanks for this useful example Petr.

Vincent, February 12, 2010 at 12:47 am:
In this sample, can the community vlan 1012 & community vlan 1034 ping each other (through the promiscuous port or not) on the same IP subnet??

Prashaant Sadeeza, March 8, 2010 at 3:02 am:
Good stuff, easily understandable.

krishna, March 25, 2010 at 7:19 am:
Good document to refer to.

Rubel, April 1, 2010 at 1:20 am:
I don't understand how to configure VLAN.

shiva, April 28, 2010 at 6:26 pm:
Very effective way of explanation.

prajith thekkoott, May 24, 2010 at 11:34 pm:
Very useful article. The way to explain the things was fantastic, and anyone can find and download its pdf versions…

Mohan Reddy, August 26, 2010 at 8:22 am:
Correction to my own comment on January 20th 2010: I would expect that the secondary vlans will also need to be trunked between switches.

Pingback: Isolated Communities off to the Prom « Craig Checks Inside of Eyelids CCIE for short, September 2, 2010 at 1:19 am:
[…] Very good link by INE on how to do this here […]

Wassim, September 9, 2010 at 7:03 am:
Great article! Thanks.

Victor, September 29, 2010 at 2:33 am:
Excellent and thank you!

pawan khosla, October 4, 2010 at 11:19 am:
This is what I'm looking for. Excellent detailed explanation; although I read the same thing from the Cisco Press 642-813 book, I didn't understand the concept. Now I'm confident. Thanx!!!!!!!!!!!!

Fadi Ashour, October 28, 2010 at 9:12 pm:
Great article. I am having an issue understanding why hosts in different community/isolated vlans cannot reach each other even though there is a mapping for all of them on the promiscuous port. Am I missing something?? I thought they could reach each other if they go through the L3 device.

Ian Finlayson, December 1, 2010 at 9:37 am:
Great article as always Petr!!! Is it possible to define a promisc port that is only visible to certain communities and Isolated VLANs, i.e. only add in the relevant mapping on the promisc port for certain secondary VLANs??? On another note, before I forget about it, I am in about week of your 48 week program – any more updates coming for this at all, as it's great?? Cheers, Ian

Pingback: Recurso de INE en "CCIE en castellano", December 8, 2010 at 3:37 pm:
[…] Understanding Private VLANs […]

Sean, December 9, 2010 at 12:45 pm:
So when you make a sub-vlan of 1034, are you no longer allowed to use vlan 1034, since the way you configure it is the same… I was thinking for a second that I could use this technology to merge two vlans (like bridge groups). I want vlan 700 and vlan 10 in my situation to be the same vlan on a switch (I am doing some vmware stuff and don't have 100% control of this association).

CiscoCertified, December 10, 2010 at 11:22 pm:
Great, man, you are the one. I was having issues with PVLAN & VACL; now I have issues only with VACL. These topics are badly documented on Cisco.com. Is there any plan for similar articles about VACL?? Thanks again.

david aladetan, January 8, 2011 at 1:25 am:
This guy (Petr Lapukhov, 4xCCIE/CCDE) is just too much. Very impressed with your depth of knowledge and excellent explanations of a difficult subject.

Jamshed Khan Afridi, January 24, 2011 at 10:03 pm:
Really great article for understanding Private VLANS.

Gabriel Bryson, January 27, 2011 at 3:08 am:
Hi Petr. In the example you gave, why was it necessary to create an SVI on both switches? Would creating an SVI on only one of the switches be enough as a subnet gateway, as all the secondary vlans span both switches within the trunk? Thanks, Gabriel Bryson

Zaheer, September 20, 2011 at 10:28 am:
Peter, thanks very much for the explanation by example and mentioning its link in Vol2. Zaheer

Devin, September 28, 2011 at 7:08 pm:
I'm curious if anyone can tell me whether or not Private Vlans can be used with Dynamic Arp Inspection. I have a hosting environment where I would like to use Private Vlans to accomplish what was in this post, but I also would like to be able to not have one host take down another host by duplicating its IP address. It seems like DAI with arp access-lists will allow me to provide protection. Can anyone comment on this?

Ali, October 18, 2011 at 12:05 pm:
Awesome article, thank you so much.

© 2011 INE, Inc., All Rights Reserved
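Because, as the post notes in Step 1, VTPv2 cannot distribute private VLAN bindings, every switch carries its own hand-typed copy of the VLAN definitions, associations, host-associations and promiscuous/SVI mappings, and the broadcast-ping test above only catches disagreements after the fact. The following Python checker is an added example, not code from the post or from Cisco: it parses IOS-style configuration text for each switch and reports the inconsistencies that silently drop PVLAN traffic, including the cross-switch association mismatch and the SVI mapping subset discussed above. The two configuration strings are constructed for this example: SW1 follows the post's SW1 config; SW2 follows the post's SW2 config except that the association of isolated VLAN 1055 has been left out on purpose, so the checker has something to find. The `ip local-proxy-arp` warning reflects the post's point that hosts in different secondary VLANs need the L3 device (Local Proxy ARP) to reach each other.

```python
import re

def parse_pvlan_config(text):
    """Collect the PVLAN statements of one switch: vlan types, associations,
    host ports, promiscuous ports, SVI mappings and which SVIs have local proxy ARP."""
    cfg = {"types": {}, "assoc": {}, "hosts": {}, "promisc": {}, "svi": {}, "proxy": set()}
    cur = None                                   # ("vlan", id) or ("if", name)
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"vlan (\d+)$", line)):
            cur = ("vlan", int(m.group(1)))
        elif (m := re.match(r"interface (.+)$", line)):
            cur = ("if", m.group(1).replace(" ", ""))        # "Vlan 1000" -> "Vlan1000"
        elif cur and cur[0] == "vlan":
            if (m := re.match(r"private-vlan (primary|community|isolated)$", line)):
                cfg["types"][cur[1]] = m.group(1)
            elif (m := re.match(r"private-vlan association (?:add )?([\d,]+)$", line)):
                cfg["assoc"][cur[1]] = {int(v) for v in m.group(1).split(",")}
        elif cur and cur[0] == "if":
            if (m := re.match(r"switchport private-vlan host-association (\d+) (\d+)$", line)):
                cfg["hosts"][cur[1]] = (int(m.group(1)), int(m.group(2)))
            elif (m := re.match(r"switchport private-vlan mapping (\d+) ([\d,]+)$", line)):
                cfg["promisc"][cur[1]] = (int(m.group(1)), {int(v) for v in m.group(2).split(",")})
            elif (m := re.match(r"private-vlan mapping ([\d,]+)$", line)):
                cfg["svi"][cur[1]] = {int(v) for v in m.group(1).split(",")}
            elif line == "ip local-proxy-arp":
                cfg["proxy"].add(cur[1])
    return cfg

def check_switch(sw, cfg):
    """Findings for one switch, in the order of the post's steps 1-3."""
    out, assoc = [], cfg["assoc"]
    for p, secs in assoc.items():
        if cfg["types"].get(p) != "primary":
            out.append(f"{sw}: vlan {p} has an association but is not 'private-vlan primary'")
        for s in sorted(secs):
            if cfg["types"].get(s) not in ("community", "isolated"):
                out.append(f"{sw}: vlan {s} is associated with {p} but not defined as community/isolated")
    for port, (p, s) in cfg["hosts"].items():
        if s not in assoc.get(p, set()):
            out.append(f"{sw}: {port} host-association {p} {s}, but {s} is not associated with {p}")
    for port, (p, secs) in cfg["promisc"].items():
        for s in sorted(secs - assoc.get(p, set())):
            out.append(f"{sw}: {port} maps {s}, which is not associated with primary {p}")
    for svi, secs in cfg["svi"].items():
        p = int(re.sub(r"\D", "", svi))          # Vlan1000 -> 1000: the SVI sits on the primary
        for s in sorted(secs - assoc.get(p, set())):
            out.append(f"{sw}: SVI {svi} maps {s}, which is not associated with primary {p}")
        if len(secs) > 1 and svi not in cfg["proxy"]:
            out.append(f"{sw}: SVI {svi} maps several secondaries but has no 'ip local-proxy-arp', "
                       "so it will not relay traffic between hosts of different secondary vlans")
    return out

def audit(configs):
    """Per-switch checks, then the cross-switch check VTPv2 cannot do for you:
    every switch must carry the same primary/secondary association."""
    parsed = {sw: parse_pvlan_config(text) for sw, text in configs.items()}
    out = [f for sw, cfg in parsed.items() for f in check_switch(sw, cfg)]
    for p in sorted({p for cfg in parsed.values() for p in cfg["assoc"]}):
        views = {sw: cfg["assoc"].get(p) for sw, cfg in parsed.items()}
        if len({frozenset(v) if v else None for v in views.values()}) > 1:
            out.append(f"primary {p}: association differs across switches: " + ", ".join(
                f"{sw}={sorted(v) if v else 'missing'}" for sw, v in views.items()))
    return out

# Constructed for this example; VLAN_DEFS is the part the post says to repeat on every switch.
VLAN_DEFS = """vlan 1000
 private-vlan primary
vlan 1012
 private-vlan community
vlan 1034
 private-vlan community
vlan 1055
 private-vlan isolated
"""
SW1 = VLAN_DEFS + """vlan 1000
 private-vlan association 1012,1034,1055
interface FastEthernet0/1
 switchport private-vlan host-association 1000 1012
 switchport mode private-vlan host
interface FastEthernet0/5
 switchport private-vlan host-association 1000 1055
 switchport mode private-vlan host
interface Vlan 1000
 ip address 10.0.0.7 255.255.255.0
 private-vlan mapping 1012,1034,1055
"""
SW2 = VLAN_DEFS + """vlan 1000
 private-vlan association 1012,1034
interface FastEthernet0/2
 switchport private-vlan host-association 1000 1012
 switchport mode private-vlan host
interface FastEthernet0/6
 switchport private-vlan mapping 1000 1012,1034,1055
 switchport mode private-vlan promiscuous
interface Vlan1000
 ip address 10.0.0.8 255.255.255.0
 private-vlan mapping 1012,1034
"""
```

Calling `audit({"SW1": SW1, "SW2": SW2})` yields four findings: both SVIs lack `ip local-proxy-arp`, SW2's promiscuous port maps 1055 although SW2 never associated it, and the association of primary 1000 differs between the two switches. Restoring `1055` to SW2's association removes the last two, which is exactly the "repeat the same operations on SW2" step the post insists on.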

Uploaded: 27/10/2019, 23:05
