Prerequisite – Virtual LAN (VLAN)
A Virtual LAN (VLAN) is used to break a broadcast domain into smaller domains at layer 2. Only hosts belonging to the same VLAN can communicate with each other; to communicate with hosts in other VLANs, inter-VLAN routing is required. However, if some hosts in the same VLAN should not be able to communicate with other hosts in that VLAN at layer 2, a VLAN access list or a private VLAN is used.
Private VLAN –
Private VLANs are used to break the layer 2 broadcast domain into smaller subdomains. A subdomain consists of one primary VLAN and one or more secondary VLANs.
Types of VLANs –
There are two types of VLANs in a private VLAN:
- Primary VLAN –
All the ports in the private VLAN belong to a primary VLAN. A private VLAN can have only one primary VLAN. All the VLANs in a private VLAN domain share the same primary VLAN.
- Secondary VLAN –
A private VLAN can have one or more secondary VLANs. A secondary VLAN provides isolation between the ports belonging to the same private VLAN domain.
Secondary VLANs are of two types:
- Isolated VLANs –
Hosts belonging to an isolated VLAN can communicate only with the associated promiscuous port and cannot communicate directly at layer 2 with other hosts (belonging to other isolated or community VLANs). Usually a single port is assigned to an isolated VLAN, but more than one port can be associated with it.
- Community VLANs –
A private VLAN can have one or more community VLANs. Hosts belonging to the same community VLAN can communicate with each other and with the associated promiscuous port, but hosts belonging to different community VLANs cannot communicate with each other at layer 2.
Types of ports –
The types of ports in a private VLAN are:
- Promiscuous port –
It belongs to the primary VLAN. A promiscuous port can communicate with all interfaces that are part of the secondary VLANs associated with that promiscuous port and that primary VLAN. Generally, it is used to connect the switch to routers, firewalls, etc.
- Isolated port –
An isolated port belongs to a secondary isolated VLAN. These are host ports whose traffic is forwarded to the promiscuous port. A private VLAN allows only traffic coming from the associated promiscuous port to reach the isolated port.
- Community port –
This port belongs to a secondary community VLAN. These host ports can communicate with other ports in the same community VLAN and with the associated promiscuous port. They are completely isolated from ports in other community VLANs and from isolated ports.
VTP (VLAN Trunking Protocol) should be operating in transparent mode or be off in order to configure private VLANs.
Here is a topology in which Router1 (IP address 192.168.1.1/24), PC1 (IP address 192.168.1.10/24), PC2 (IP address 192.168.1.20/24), PC3 (IP address 192.168.1.30/24) and a switch are connected to each other as shown in the figure.
In this task, we will assign VLAN 10 to fa0/1 and fa0/2, VLAN 20 to fa0/3, and VLAN 100 to fa0/0. Then we will make VLAN 10 a community VLAN, VLAN 20 an isolated VLAN and VLAN 100 the primary VLAN.
Configuring Private VLAN on switch:
switch(config)#vlan 10
switch(config-vlan)#private-vlan community
switch(config-vlan)#exit
Here, we have created VLAN 10 and configured it as a community VLAN. Next, we configure the isolated VLAN.
switch(config)#vlan 20
switch(config-vlan)#private-vlan isolated
switch(config-vlan)#exit
Now we create VLAN 100, configure it as the primary VLAN, and associate the secondary VLANs 10 and 20 with it.
switch(config)#vlan 100
switch(config-vlan)#private-vlan primary
switch(config-vlan)#private-vlan association 10,20
switch(config-vlan)#exit
Now we configure the ports as private VLAN host ports and associate them with the primary and secondary VLANs. First, we configure fa0/1 and fa0/2 and associate VLAN 10 (secondary VLAN) with its primary VLAN (VLAN 100).
switch(config)#int range fa0/1-2
switch(config-if-range)#switchport mode private-vlan host
switch(config-if-range)#switchport private-vlan host-association 100 10
Next, we configure fa0/3 and associate VLAN 20 (secondary VLAN) with its primary VLAN (VLAN 100).
switch(config)#int fa0/3
switch(config-if)#switchport mode private-vlan host
switch(config-if)#switchport private-vlan host-association 100 20
Finally, we configure interface fa0/0 as a promiscuous port and map it to the primary VLAN (VLAN 100) and the secondary VLANs (VLAN 10 and 20).
switch(config)#int fa0/0
switch(config-if)#switchport mode private-vlan promiscuous
switch(config-if)#switchport private-vlan mapping 100 10,20
We can verify the ports associated with the secondary VLANs with the following command.
switch#show vlan private-vlan
To verify the primary VLAN and the type of each secondary VLAN (isolated or community), use the following command.
switch# show vlan private-vlan type
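The isolation this configuration is expected to produce can be worked out from the port rules above before testing on the switch. The following Python sketch is an added example, not part of the original article: it parses the configuration built here, retyped as running-config style lines (a constructed sample), and lists the port pairs that cannot talk directly at layer 2. The function names `parse`, `can_talk` and `blocked_pairs` are hypothetical.

```python
from itertools import combinations
# Constructed sample: this article's configuration, written as running-config lines.
CONFIG = """\
vlan 10
 private-vlan community
vlan 20
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 10,20
interface FastEthernet0/0
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 10,20
interface FastEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 10
interface FastEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 10
interface FastEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 20
"""

def parse(config):
    """Return ({vlan: pvlan type}, {port: (role, primary, {secondary vlans})})."""
    vlan_type, ports, ctx = {}, {}, ()
    for line in filter(str.strip, config.splitlines()):
        words = line.split()
        if not line.startswith(" "):                 # section header line
            ctx = tuple(words[:2])
        elif ctx[0] == "vlan" and words[0] == "private-vlan" and words[1] != "association":
            vlan_type[int(ctx[1])] = words[1]
        elif ctx[0] == "interface" and words[1:2] == ["private-vlan"]:
            role = "promiscuous" if words[2] == "mapping" else "host"
            ports[ctx[1]] = (role, int(words[3]), {int(v) for v in words[4].split(",")})
    return vlan_type, ports

def can_talk(a, b, vlan_type, ports):
    """Layer 2 reachability between two ports, per the port rules in this article."""
    (role_a, prim_a, sec_a), (role_b, prim_b, sec_b) = ports[a], ports[b]
    if prim_a != prim_b or not sec_a & sec_b:
        return False                                 # other domain, or secondary VLAN not shared/mapped
    # a promiscuous port reaches every mapped host; two hosts need a shared community VLAN
    return "promiscuous" in (role_a, role_b) or vlan_type.get(min(sec_a)) == "community"

def blocked_pairs(config):
    vlan_type, ports = parse(config)
    return [p for p in combinations(sorted(ports), 2) if not can_talk(*p, vlan_type, ports)]
```

For the configuration in this article, `blocked_pairs(CONFIG)` returns only the two pairs that involve fa0/3, the isolated port; every port still reaches fa0/0.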