PVLAN Configuration
Design-wise, we sometimes need to divide a single VLAN (one broadcast domain) into several sub-VLANs whose members are kept apart at Layer 2. That is what Private VLAN (PVLAN) technology provides. The Cisco Catalyst 3550 does not support this feature, but the Catalyst 3560 does; Cisco's detailed documentation covers the platform specifics. This article focuses on generic PVLAN configuration.
The requirement looks like this. VLAN 100 carries six hosts. Host 1 and Host 2 can talk to each other. Host 3 and Host 4 can talk to each other. None of those four hosts can talk directly to Host 5 at Layer 2. All five hosts can talk to Host 0, which is connected to interface fa0/1.
First of all, the VTP mode has to be transparent; private VLANs cannot be created while the switch is a VTP server or client.
!
vtp mode transparent
!
First, assign a PVLAN type to each VLAN and sub-VLAN. There are three types: primary, community and isolated. The primary VLAN also needs an association to its secondary (community and isolated) VLANs; the secondary VLAN list is comma-separated, with no spaces.
vlan 100
private-vlan primary
private-vlan association 1000,1100,1200
!
vlan 1000
private-vlan community
!
vlan 1100
private-vlan community
!
vlan 1200
private-vlan isolated
Second, we need to bind the VLANs to ports (physical interfaces). The port facing the shared resource (here Host 0, typically a router or firewall) runs in promiscuous mode on the primary VLAN and maps the primary VLAN to the secondary VLANs it is allowed to reach. Every other port runs in host mode with a host-association of the primary VLAN and exactly one secondary VLAN.
!
!Connect to Host 0
!
interface fa0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 1000,1100,1200
!
!Connect to Host 1
!
interface fa0/2
switchport private-vlan host-association 100 1000
switchport mode private-vlan host
!
!Connect to Host 2
!
interface fa0/3
switchport private-vlan host-association 100 1000
switchport mode private-vlan host
!
!Connect to Host 3
!
interface fa0/4
switchport private-vlan host-association 100 1100
switchport mode private-vlan host
!
!Connect to Host 4
!
interface fa0/5
switchport private-vlan host-association 100 1100
switchport mode private-vlan host
!
!Connect to Host 5
!
interface fa0/6
switchport private-vlan host-association 100 1200
switchport mode private-vlan host
!
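Before pushing this to a switch it is worth checking the configuration against the requirement offline. The following is an added example, not code from the original page: a small Python model that parses the PVLAN commands used above (only that subset of IOS syntax) and answers whether two ports can reach each other directly at Layer 2 under the PVLAN rules (promiscuous ports reach every mapped secondary VLAN, community members reach each other and promiscuous ports, isolated ports reach promiscuous ports only). The configuration text inside it is constructed to mirror the six-port layout on this page, and the validation checks (VTP transparent, types, associations) are this example's own.

```python
"""Offline model of private-VLAN (PVLAN) Layer-2 reachability.

Added example: parses the subset of IOS PVLAN commands used on this page
and answers "can port A reach port B directly at Layer 2?".
"""
import re

# Constructed sample: the six-port layout described on this page.
SAMPLE_CONFIG = """
vtp mode transparent
vlan 100
 private-vlan primary
 private-vlan association 1000,1100,1200
vlan 1000
 private-vlan community
vlan 1100
 private-vlan community
vlan 1200
 private-vlan isolated
interface fa0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 1000,1100,1200
interface fa0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 1000
interface fa0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 1000
interface fa0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 1100
interface fa0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 1100
interface fa0/6
 switchport mode private-vlan host
 switchport private-vlan host-association 100 1200
"""


def _ids(csv):
    """Parse a comma-separated VLAN list (no ranges, as on this page)."""
    return {int(v) for v in csv.split(",")}


def build_model(text):
    """Parse the config into vlans/ports dicts and validate PVLAN consistency."""
    vlans, ports, vtp_transparent, ctx = {}, {}, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "vtp mode transparent":
            vtp_transparent = True
        elif (m := re.fullmatch(r"vlan (\d+)", line)):
            ctx = vlans.setdefault(int(m[1]), {"type": None, "assoc": set()})
        elif (m := re.fullmatch(r"interface (\S+)", line)):
            ctx = ports.setdefault(m[1], {"mode": None, "primary": None, "secondary": set()})
        elif (m := re.fullmatch(r"private-vlan (primary|community|isolated)", line)):
            ctx["type"] = m[1]
        elif (m := re.fullmatch(r"private-vlan association ([\d,]+)", line)):
            ctx["assoc"] |= _ids(m[1])
        elif (m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", line)):
            ctx["mode"] = m[1]
        elif (m := re.fullmatch(r"switchport private-vlan (?:host-association|mapping) (\d+) ([\d,]+)", line)):
            ctx["primary"], ctx["secondary"] = int(m[1]), _ids(m[2])
        else:
            raise ValueError(f"unsupported line: {line}")
    # Consistency checks a switch would reject (or leave the port inactive on).
    if not vtp_transparent:
        raise ValueError("PVLAN requires 'vtp mode transparent'")
    for name, p in ports.items():
        if p["mode"] is None or p["primary"] is None:
            raise ValueError(f"{name}: mode or VLAN binding missing")
        if vlans.get(p["primary"], {}).get("type") != "primary":
            raise ValueError(f"{name}: VLAN {p['primary']} is not a primary PVLAN")
        for s in p["secondary"]:
            if vlans.get(s, {}).get("type") not in ("community", "isolated"):
                raise ValueError(f"{name}: VLAN {s} is not a secondary PVLAN")
            if s not in vlans[p["primary"]]["assoc"]:
                raise ValueError(f"{name}: VLAN {s} not associated with primary {p['primary']}")
        if p["mode"] == "host" and len(p["secondary"]) != 1:
            raise ValueError(f"{name}: host port needs exactly one secondary VLAN")
    return {"vlans": vlans, "ports": ports}


def l2_reachable(model, a, b):
    """True if a frame from port a can be switched directly to port b."""
    pa, pb = model["ports"][a], model["ports"][b]
    if pa["primary"] != pb["primary"]:
        return False  # different primary VLAN: different broadcast domain
    if a == b or (pa["mode"] == "promiscuous" and pb["mode"] == "promiscuous"):
        return True
    if pa["mode"] == "promiscuous":
        return pb["secondary"] <= pa["secondary"]  # host's secondary must be mapped
    if pb["mode"] == "promiscuous":
        return pa["secondary"] <= pb["secondary"]
    # Both are host ports: only members of the same community can talk.
    (sa,), (sb,) = pa["secondary"], pb["secondary"]
    return sa == sb and model["vlans"][sa]["type"] == "community"


def reachable_from(model, port):
    """Sorted list of other ports that `port` reaches directly at Layer 2."""
    return sorted(p for p in model["ports"] if p != port and l2_reachable(model, port, p))


if __name__ == "__main__":
    model = build_model(SAMPLE_CONFIG)
    for port in sorted(model["ports"]):
        print(f"{port} -> {reachable_from(model, port)}")
```

Running it prints one line per port; fa0/1 should reach every host port, fa0/2 and fa0/3 should reach only each other and fa0/1, and fa0/6 (isolated) should reach fa0/1 alone. Removing a secondary VLAN from the `private-vlan association` line makes `build_model` raise, which is the same mistake that leaves a host port inactive on a real switch.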
Some caveats should also be noted:
- VLAN database configuration mode (the old "vlan database" prompt) is not supported for private VLANs; configure them in global configuration mode as above.
- Private VLANs are not propagated via VTP, so every switch carrying the primary VLAN must be configured with the same PVLAN definitions.
- Isolated and community VLANs do not run their own instance of spanning tree; any spanning-tree tuning has to be applied to the primary VLAN.
- Private VLANs restrict traffic only at Layer 2. If the primary VLAN is routed, hosts in different secondary VLANs can still reach each other through the router on the promiscuous port: a host sends the packet to the gateway's MAC address with the neighbour's IP address, and the router forwards it back into the same subnet. When Layer 3 isolation is also required, apply an ACL on the routed interface (or a VLAN ACL) that denies traffic sourced from and destined to the same subnet.