Private VLANs

REQUIRES VTP MODE to be set to TRANSPARENT!!!

This belongs to L2 SECURITY rather than L2 SWITCHING

1. Promiscuous - belongs to the PRIMARY VLAN, can communicate with EVERYONE
(config)#vlan 10
(config-vlan)#private-vlan primary
(config-vlan)#private-vlan association add 20,30,40

(config-if)#switchport mode private-vlan promiscuous
(config-if)#switchport private-vlan mapping 10 add 20,30,40 <— map primary VLAN 10 on this promiscuous port to the Community and Isolated VLANs (only mapped secondaries can reach this port)

2. Isolated - can only communicate with Promiscuous ports (never with another isolated host, even in the same isolated VLAN)
(config)#vlan 40
(config-vlan)#private-vlan isolated

(config-if)#switchport mode private-vlan host
(config-if)#switchport private-vlan host-association 10 40

3. Community - Can communicate within the SAME community or with Promiscuous ports
(config)#vlan 20
(config-vlan)#private-vlan community

(config-if)#switchport mode private-vlan host
(config-if)#switchport private-vlan host-association 10 20 <— Associate Community VLAN 20 with Primary VLAN 10 on this host port

DON'T FORGET TO ASSOCIATE the Secondary VLANs with the Primary, so that they can all communicate with the Promiscuous port:
(config-vlan)#private-vlan association add 20,30,40

#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      20        community         Et0/2
10      30        community         Et0/0
10      40        isolated          Et0/0

Primary VLAN can have MANY COMMUNITIES but ONLY ONE ISOLATED VLAN!!!
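The reachability rules above, as an added Python model that is not part of the original notes: it mirrors the three port roles, the primary/secondary association, the promiscuous-port mapping list and the one-isolated-VLAN-per-primary limit, and answers "can port A reach port B?" for a constructed topology (port names and VLAN members are made up for the example).

```python
"""Constructed reachability model of Cisco-style private VLANs (not vendor code)."""
from dataclasses import dataclass, field

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


@dataclass
class PrivateVlan:
    primary: int
    # secondary VLAN id -> "isolated" | "community"  (the "private-vlan association" list)
    secondaries: dict = field(default_factory=dict)
    # port -> (role, secondary id for host ports, frozenset of mapped secondaries for promiscuous ports)
    ports: dict = field(default_factory=dict)

    def associate(self, vid: int, kind: str) -> None:
        """vlan <vid> / private-vlan isolated|community + association under the primary."""
        if kind == ISOLATED and ISOLATED in self.secondaries.values():
            raise ValueError(f"primary {self.primary} already has an isolated VLAN")
        self.secondaries[vid] = kind

    def host_port(self, name: str, secondary: int) -> None:
        """switchport mode private-vlan host + host-association <primary> <secondary>."""
        if secondary not in self.secondaries:
            raise ValueError(f"VLAN {secondary} is not associated with primary {self.primary}")
        self.ports[name] = (self.secondaries[secondary], secondary, frozenset())

    def promiscuous_port(self, name: str, mapped) -> None:
        """switchport mode private-vlan promiscuous + private-vlan mapping <primary> add <list>."""
        # only secondaries that are actually associated with the primary take effect
        self.ports[name] = (PROMISCUOUS, None, frozenset(v for v in mapped if v in self.secondaries))

    def can_talk(self, a: str, b: str) -> bool:
        role_a, sec_a, map_a = self.ports[a]
        role_b, sec_b, map_b = self.ports[b]
        if role_a == PROMISCUOUS and role_b == PROMISCUOUS:
            return True
        if role_a == PROMISCUOUS:          # hosts reach a promiscuous port only if mapped there
            return sec_b in map_a
        if role_b == PROMISCUOUS:
            return sec_a in map_b
        # two host ports: only members of the same community; isolated hosts never talk to each other
        return role_a == COMMUNITY and role_b == COMMUNITY and sec_a == sec_b


def build_example() -> PrivateVlan:
    """Constructed topology: primary 10, communities 20/30, isolated 40, gateway on Et0/1."""
    pv = PrivateVlan(primary=10)
    for vid, kind in ((20, COMMUNITY), (30, COMMUNITY), (40, ISOLATED)):
        pv.associate(vid, kind)
    pv.promiscuous_port("Et0/1", {20, 30, 40})
    for port, sec in (("Et0/2", 20), ("Et0/3", 30), ("Et0/4", 40), ("Et0/5", 40)):
        pv.host_port(port, sec)
    return pv
```

Calling `build_example().can_talk("Et0/4", "Et0/5")` returns False, showing that two hosts in the same isolated VLAN cannot reach each other while both still reach the promiscuous port.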