Thursday, December 22, 2011

Private VLAN

A private VLAN (PVLAN) divides a single VLAN into sub-VLANs, so that hosts sharing one IP subnet can be kept apart from each other at layer 2. It is commonly used in service-provider access networks such as ADSL aggregation and in hosting environments, where customers on the same segment must not be able to see or attack each other's traffic. It also simplifies IP address assignment, because all ports stay in the same subnet even though they are logically separated at the data link layer.

A private VLAN has two components:

  1. The primary VLAN, which is the real VLAN: the one the rest of the network sees and the one the default gateway sits in
  2. One or more secondary VLANs, which are the sub-VLANs carved out of it

A secondary VLAN is one of two types:

    • Isolated
      • Ports associated with this VLAN cannot communicate with each other
      • Ports associated with this VLAN cannot communicate with any other secondary VLAN
      • Ports associated with this VLAN can communicate only with the promiscuous ports of the primary VLAN
    • Community
      • Ports associated with this VLAN can communicate with each other
      • Ports associated with this VLAN cannot communicate with any other secondary VLAN
      • Apart from each other, ports associated with this VLAN can communicate only with the promiscuous ports of the primary VLAN

Now let's create these VLANs as in the figure (private vlan). Note that on IOS with VTP version 1 or 2 the switch must be in VTP transparent mode before private VLANs can be configured.

Creating Community VLANs

Sw1(config)# vlan 100

Sw1(config-vlan)#private-vlan community

Sw1(config)# vlan 200

Sw1(config-vlan)#private-vlan community

Creating the isolated VLAN

Sw1(config)# vlan 300

Sw1(config-vlan)#private-vlan isolated

Creating the primary VLAN and associating the secondary VLANs with it

Sw1(config)# vlan 500

Sw1(config-vlan)#private-vlan primary

Sw1(config-vlan)#private-vlan association 100,200,300

To proceed to the next step, we must understand the different types of ports.

There are mainly two types of port in a private VLAN: the promiscuous port and the host port. The host port is further divided into two types: the isolated port and the community port.

  • Promiscuous port: this port can communicate with anything connected to the primary VLAN or to the secondary VLANs mapped to it. Usually a router, firewall, etc. is connected to this port. Be aware that a router on the promiscuous port will happily forward traffic between two isolated hosts at layer 3 (a host sends a frame to the router's MAC address with the IP address of another isolated host as destination, and the router routes it straight back into the subnet), so the layer-2 isolation should be backed by an ACL on the router interface that denies traffic sourced from the subnet and destined to the same subnet
  • Isolated port: this port connects to hosts within the isolated VLAN. It can only communicate with the promiscuous port
  • Community port: this port connects to hosts within a community VLAN. It can communicate with the promiscuous port and with other ports in the same community VLAN

Now, let's assign these different types of port to the different VLANs we created. Remember, every port except the promiscuous port is a host port, so the secondary VLAN we associate a host port with determines whether it is an isolated port or a community port. Every host port needs both the mode command and the host-association command; without the mode command the association is not active and the port does not take part in the private VLAN.

SW1(config)#int range e0/1 - 2
SW1(config-if-range)#switchport
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 500 300

SW1(config)#int range e1/0 - 1
SW1(config-if-range)#switchport
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 500 100

SW1(config)#int range e1/2 - 3
SW1(config-if-range)#switchport
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 500 200

SW1(config)#int e0/0
SW1(config-if)#switchport
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 500 100,200,300
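The following Python script is an added example and not part of the original post. It models the forwarding rules described above (isolated, community and promiscuous) and applies them to the `switchport private-vlan` lines of a switch configuration in the form `show running-config` prints them, so you can check which pairs of ports can actually exchange frames and catch the common mistake of configuring a host-association without the `switchport mode private-vlan host` command. The interface names, VLAN numbers and the configuration text are constructed to match the figure; they are assumptions, not output from a real switch.

```python
"""Model Cisco private VLAN forwarding rules and audit a switch config.

Added example, not from the original post. Interface names, VLAN ids and
the configuration text below are constructed to match the post's figure.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Secondary VLAN types as declared with `private-vlan isolated|community`.
SECONDARY_TYPES = {100: "community", 200: "community", 300: "isolated"}

# Constructed sample: the interface configuration from the post, as
# `show running-config` would print it (e1/3 omitted for brevity).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 500 100,200,300
!
interface Ethernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 500 300
!
interface Ethernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 500 300
!
interface Ethernet1/0
 switchport mode private-vlan host
 switchport private-vlan host-association 500 100
!
interface Ethernet1/1
 switchport mode private-vlan host
 switchport private-vlan host-association 500 100
!
interface Ethernet1/2
 switchport mode private-vlan host
 switchport private-vlan host-association 500 200
"""

# Constructed: the same config, but Ethernet1/0 is missing the mode command,
# the omission the post's original listing had on the community ports.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    "interface Ethernet1/0\n switchport mode private-vlan host\n",
    "interface Ethernet1/0\n")


@dataclass
class PvlanPort:
    name: str
    mode: Optional[str] = None        # "host", "promiscuous" or None
    primary: Optional[int] = None
    secondaries: Set[int] = field(default_factory=set)  # one for host, many for promiscuous


def parse_config(text: str) -> Dict[str, PvlanPort]:
    """Collect the private-VLAN settings of every interface in the config."""
    ports: Dict[str, PvlanPort] = {}
    current: Optional[PvlanPort] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), PvlanPort(m.group(1)))
            continue
        if current is None:
            continue
        m = re.match(r"switchport mode private-vlan (host|promiscuous)", line)
        if m:
            current.mode = m.group(1)
            continue
        m = re.match(r"switchport private-vlan (?:host-association|mapping) (\d+) ([\d,]+)", line)
        if m:
            current.primary = int(m.group(1))
            current.secondaries = {int(v) for v in m.group(2).split(",")}
    return ports


def can_forward(a: PvlanPort, b: PvlanPort) -> bool:
    """True if the switch forwards frames between the two ports.

    Promiscuous reaches every secondary mapped to it, community ports reach
    each other, isolated ports reach only the promiscuous port.
    """
    if a.mode is None or b.mode is None or a.primary != b.primary:
        return False  # a port without a mode is not part of the private VLAN
    if a.mode == "promiscuous" and b.mode == "promiscuous":
        return True
    if a.mode == "promiscuous" or b.mode == "promiscuous":
        prom, host = (a, b) if a.mode == "promiscuous" else (b, a)
        return host.secondaries <= prom.secondaries
    if not a.secondaries or a.secondaries != b.secondaries:
        return False  # different secondary VLANs never talk directly
    (secondary,) = a.secondaries
    return SECONDARY_TYPES.get(secondary) == "community"


def audit(ports: Dict[str, PvlanPort]) -> List[str]:
    """Flag settings that silently break the intended isolation or connectivity."""
    findings: List[str] = []
    mapped: Set[int] = set()
    for p in ports.values():
        if p.mode == "promiscuous":
            mapped |= p.secondaries
    for p in sorted(ports.values(), key=lambda p: p.name):
        if p.secondaries and p.mode is None:
            findings.append(f"{p.name}: private-vlan association without 'switchport mode private-vlan host'")
        if p.mode == "host" and not p.secondaries:
            findings.append(f"{p.name}: host mode but no host-association")
        if p.mode == "host" and not p.secondaries <= mapped:
            findings.append(f"{p.name}: secondary VLAN not mapped on any promiscuous port")
    return findings


if __name__ == "__main__":
    ports = parse_config(SAMPLE_CONFIG)
    names = sorted(ports)
    for a in names:
        for b in names:
            if a < b:
                print(f"{a:12} <-> {b:12} {'forward' if can_forward(ports[a], ports[b]) else 'blocked'}")
    print("audit of broken config:", audit(parse_config(BROKEN_CONFIG)))
```

Feed it the output of `show running-config` from a real switch to get the full pair-wise reachability table; any pair reported as "forward" that you expected to be blocked is a hole in the isolation, and any finding from `audit` points at a port that is not really in the private VLAN.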
