Private Vlan

Sometimes it is necessary to have policy and separate your Vlan like below diagram. In this diagram, WWW and FTP server have communication together, so we put in community. On the other hand, SQL server shouldn't be seen by FTP or WWW server, so, we put on isolated. In fact, there are three types of sub Vlan in Private Vlan:

Promiscuous: can be reached by sub Vlan
Isolated : can not be seen by other Vlans
Community: only can see community member

Imagine we want to make primary vlan for these sub Vlan. We make a Vlan "100" as a primary:

SW# conf t
SW(config)#vtp mode transparent
SW(config)#vlan 100
SW(config-vlan)# private-vlan primary

Then, make sub Vlan for www and FTP as 101 and SQL as 102

SW(config)#vlan 101
SW(config-vlan)# private-vlan community

SW(config)#vlan 102
SW(config-vlan)# private-vlan isolated

After that, we put www, FTP and SQL in primary Vlan:

SW(config)#vlan 100
SW(config-vlan)#private-vlan association 101,102

Next, we assign interface to each Vlan

SW(config)#int fa0/1
SW(config-if)# switchport mode private-vlan host
SW(config-if)# switchport private-vlan host-association 100 101

SW(config)#int fa0/2
SW(config-if)# switchport mode private-vlan host
SW(config-if)# switchport private-vlan host-association 100 101

SW(config)#int fa0/3
SW(config-if)# switchport mode private-vlan host
SW(config-if)# switchport private-vlan host-association 100 102

SW(config)#int fa0/10
SW(config-if)# switchport mode private-vlan promiscuous
SW(config-if)# switchport private-vlan mapping 100 101,102

To use show command:

SW# show vlan private-vlan

You can also use switchport protected as an alternate

PreviousSTP-PVST-RSTP-MSTP NextVOIP Base

Last updated 3 years ago