Private VLANs span multiple switches

From the Cisco Learning network SWITCH practice questions

10.
How can private VLANs span multiple switches?

Because switches must be in VTP transparent mode, private VLANs cannot span several switches.

The command switchport trunk allow private-vlan must be entered on both ends of the interswitch trunk.

A private VLAN trunk can be created on interswitch links.

A primary VLAN can be created across several switches, but isolated and community VLANs are local.

I cannot find answers or reasoning why C would be correct. What would interswitch links mean, trunking with ISL encapsulation? Anybody got an idea about this?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Fitzi

I think what they are saying here is that you can tag a private vlan on the trunk port to span it between switches (much the same as a regular vlan), for me an interswitch link is an uplink between two switches.

There is a good vlecture on youtube by Marco Milivojevic from when he was at ipexpert that explains private vlans and also goes into some detail about how they work when spanned between switches:
https://www.youtube.com/watch?v=mGblyTKAGIk

lrb

If you are trunking between two switches which support PVLAN, the trunk is just a plain old configured trunk between two switches (i.e. switchport mode trunk)

If you are trunking between two switches where only one switch supports PVLAN you can use a private VLAN trunk using the switchport mode private-vlan trunk command to kind of "hack around" by making one the switch that doesn't support PVLAN simply thinks it is sending tagged traffic on a regular old trunk but the switch that does support PVLAN knows how to associate the traffic correctly.

tomtom1

So.. If we assume that interswitch link means a connection between 2 switches, C would be the logicial choice assuming that both switches are PVLAN understanding. We can just use a normal 802.1q trunk. I think the interswitch link part got me a bit too, seeing as it also is an encapsulating trunk protocol.

Thanks for your replies gents! And @lrb: I hope to one day join you in achieving CCIE!

TWX

I know I'm digging up an older topic here. So far I've tried on both a 3750ME and on a 3560G the "switchport mode private-vlan trunk" and neither switch has this capability.

Is one required to use an L3 switch in ip routing to route traffic from the primary VLAN out to a different L2 broadcast domain? I was hoping that some kind of private vlan boundary could be set on the switch to allow me to have both the primary private VLAN and regular VLANs cross the trunk to the other side, but when I've tested with just conventional switchport mode trunk then the nonpromiscuous interfaces can't get their traffic out. The promiscuous port can though.

I suppose I could set up a layer 3 link to my router, but then I'm effectively offloading campus routing to a different device while WAN or Internet routing remains on the original router.