PVLAN configuration

Private VLAN (PVLAN) configuration starts by defining the secondary VLANs that are needed for isolation. A secondary VLAN is either an isolated VLAN or a community VLAN. On switches running VTP version 1 or 2 the switch must be in VTP transparent mode before private VLANs can be configured.

Switch(config)# vlan 4
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 5
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 6
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit


Remember:

  • Isolated VLAN – no connectivity between isolated ports; an isolated port can only talk to the promiscuous ports
  • Community VLAN – connectivity between member ports of the same community, plus the promiscuous ports

Now we create the primary VLAN and associate the secondary VLANs with it:

Switch(config)# vlan 10
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 4,5,6
Switch(config-vlan)# exit

The primary VLAN has to be associated with its secondary VLANs, and the association command in the commands above does exactly that.

At this point we have only described the relationship between the VLANs; no port is a member of any of them yet. Next we tell the switch which ports belong to the respective private VLANs.

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 10 4
Switch(config-if)# exit
Switch(config)# interface fastethernet 0/2
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 10 5
Switch(config-if)# exit
Switch(config)# interface fastethernet 0/3
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 10 6
Switch(config-if)# exit

In the commands above we defined the function of each port, which can be host or promiscuous. A port that connects a router, firewall or other common gateway is configured as promiscuous; we do that below. Every other port, whether it belongs to an isolated or a community VLAN, is configured with the host keyword, as in the example above. Such non-promiscuous ports must then be associated with the appropriate primary and secondary VLAN pair, which is what the host-association command does: the first argument is the primary VLAN, the second is the secondary VLAN the port is a member of. In other words, we have placed the ports into secondary private VLANs and defined how they are tied to the primary VLAN.

Now the promiscuous port. We define port fa2/1 as promiscuous, which lets hosts on all isolated and community ports associated with the primary VLAN reach the router behind it. We then map primary VLAN 10 to all of its secondary VLANs 4, 5 and 6 so that the switch knows the interrelationship between the VLANs; a secondary VLAN left out of the mapping cannot reach the router. Keep in mind that the isolation is a layer-2 property only: a host on an isolated port can still send a frame to the router's MAC address carrying another isolated host's IP address as the destination, and the router will route it straight back into the same subnet. If that is not wanted, add an ACL on the router interface that drops traffic whose source and destination are both inside the PVLAN subnet.

Switch(config)# interface fastethernet 2/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 10 4,5,6

More about PVLANs in the article: PVLAN – Private VLANs

The whole config in one place:

Cisco configuration

Switch(config)# vlan 4
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 5
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 6
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# vlan 10
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 4,5,6
Switch(config-vlan)# exit
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 10 4
Switch(config-if)# exit
Switch(config)# interface fastethernet 0/2
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 10 5
Switch(config-if)# exit
Switch(config)# interface fastethernet 0/3
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 10 6
Switch(config-if)# exit
Switch(config)# interface fastethernet 2/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 10 4,5,6
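The mistakes that break a PVLAN deployment are usually relationship errors: a host port associated with a secondary VLAN that was never associated with the primary, or a promiscuous mapping that omits a secondary, which silently cuts that VLAN off from the gateway. As an added example (not code from the original article), here is a small Python linter that reads the configuration above in the form it appears in a running-config and checks those relationships. The sample text is constructed for the example; it contains the article's switch configuration plus one deliberately broken port, FastEthernet0/4, that references a VLAN 7 which was never declared or associated.

```python
"""Lint a Cisco IOS private-VLAN configuration (added example).

Checks that every secondary VLAN is declared and associated with a primary,
that every host port references a valid primary/secondary pair, and that a
promiscuous port maps every secondary associated with its primary.
"""
import re
from collections import defaultdict

# Constructed sample: the article's configuration in running-config form,
# plus FastEthernet0/4 referencing VLAN 7, which is never declared/associated.
SAMPLE_CONFIG = """\
vlan 4
 private-vlan community
vlan 5
 private-vlan community
vlan 6
 private-vlan isolated
vlan 10
 private-vlan primary
 private-vlan association 4,5,6
interface FastEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 10 4
interface FastEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 10 5
interface FastEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 10 6
interface FastEthernet0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 10 7
interface FastEthernet2/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 4,5,6
"""


def _expand_vlan_list(text):
    """Expand IOS list syntax such as '4,5,6' or '4-6,8' into a set of ints."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_pvlan_config(config):
    """Return (vlan_types, associations, ports) parsed from IOS config text."""
    vlan_types = {}                  # vlan id -> 'primary' | 'community' | 'isolated'
    associations = defaultdict(set)  # primary vlan -> set of secondary vlans
    ports = {}                       # interface -> {'mode', 'primary', 'secondaries'}
    context = None                   # ('vlan', id) or ('if', name) for indented lines
    for line in config.splitlines():
        line = line.rstrip()
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            context = ("vlan", int(m.group(1)))
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            context = ("if", m.group(1))
            ports[m.group(1)] = {"mode": None, "primary": None, "secondaries": set()}
            continue
        if not line.startswith(" ") or context is None:
            context = None           # any other top-level line ends the block
            continue
        cmd = line.strip()
        if context[0] == "vlan":
            vid = context[1]
            m = re.match(r"private-vlan (primary|community|isolated)$", cmd)
            if m:
                vlan_types[vid] = m.group(1)
            m = re.match(r"private-vlan association (?:add )?([\d,\-]+)$", cmd)
            if m:
                associations[vid] |= _expand_vlan_list(m.group(1))
        else:
            port = ports[context[1]]
            m = re.match(r"switchport mode private-vlan (host|promiscuous)$", cmd)
            if m:
                port["mode"] = m.group(1)
            m = re.match(r"switchport private-vlan host-association (\d+) (\d+)$", cmd)
            if m:
                port["primary"], port["secondaries"] = int(m.group(1)), {int(m.group(2))}
            m = re.match(r"switchport private-vlan mapping (\d+) (?:add )?([\d,\-]+)$", cmd)
            if m:
                port["primary"] = int(m.group(1))
                port["secondaries"] = _expand_vlan_list(m.group(2))
    return vlan_types, dict(associations), ports


def lint_pvlan_config(config):
    """Return a list of findings; an empty list means the PVLAN config is consistent."""
    vlan_types, associations, ports = parse_pvlan_config(config)
    findings = []
    for primary, secs in associations.items():
        if vlan_types.get(primary) != "primary":
            findings.append(f"vlan {primary} carries an association but is not a primary")
        for s in sorted(secs):
            if vlan_types.get(s) not in ("community", "isolated"):
                findings.append(f"vlan {s} is associated with {primary} but is not a secondary")
    for name, p in ports.items():
        if p["mode"] is None or p["primary"] is None:
            findings.append(f"{name}: private-vlan port is missing mode or association")
            continue
        valid = associations.get(p["primary"], set())
        for s in sorted(p["secondaries"] - valid):
            findings.append(f"{name}: secondary vlan {s} is not associated with primary {p['primary']}")
        if p["mode"] == "promiscuous":
            for s in sorted(valid - p["secondaries"]):
                findings.append(f"{name}: promiscuous mapping omits secondary vlan {s}")
    return findings


if __name__ == "__main__":
    for finding in lint_pvlan_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of show running-config (or the text you intend to paste into the switch). A port that carries a host-association but no switchport mode private-vlan host line is reported as well, since IOS will not treat such a port as a private-VLAN port.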
