PVLAN Question

I have a question for anyone who knows and understand pvlans.

In my company, I have been tasked with creating a pvlan in an existing network with multiple 802.1q VLANs. I have done a lot of reading, but nothing answers this one question:

I need to be able to create a pvlan community so that this one vlan is isolated from the rest of the VLANs. The main focus is that I need to ensure I do not disrupt communications on the rest of the network. So how would I go about creating this pvlan if I have a setup similar to the following without disrupting network communications:

Catalyst 4006 series Switche
CatOS (don't recall which version)

Existing VLANs:
16, 17, 18, 21 <-- All can communicate with each other

Trunk is on port 1/2

Need to add pvlan 24 <-- No communication with other VLANs, only the DG and other computers in the same vlan.

What I think I need to do is to create a primary VLAN, lets say 50. Create pvlan 24 as a community pvlan, Associate PVLAN 24 to vlan 50 and add port 1/2 to pvlan 50 as a promiscious port. Does this sound right, or am I missing something?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

mikearama

Your solution is exactly right...

A sub-vlan (24) that is private (community):
Switch(config)#vlan 24
Switch(config-vlan)#private-vlan community

A primary vlan (50). Associate the private vlan to it.
Switch(config)#vlan 50
Switch(config-vlan)#private-vlan association 24

Then assign a promiscuous port... the one leading to your router:
Switch(config)#int f0/12
Switch(config-if)#switchport mode private-vlan 24 promiscuous

All other ports belonging to the private vlan get the same command... just "host" at the end instead of promiscuous.

Hey, I learned something neat from the Bryant BCMSN kit... private vlans require Transparent mode. So if you're running VTP, you've got to switch it to Transparent to use private vlans.

Mike

tech-airman

cr33p wrote:

I have a question for anyone who knows and understand pvlans.

In my company, I have been tasked with creating a pvlan in an existing network with multiple 802.1q VLANs. I have done a lot of reading, but nothing answers this one question:

I need to be able to create a pvlan community so that this one vlan is isolated from the rest of the VLANs. The main focus is that I need to ensure I do not disrupt communications on the rest of the network. So how would I go about creating this pvlan if I have a setup similar to the following without disrupting network communications:

Catalyst 4006 series Switche
CatOS (don't recall which version)

Existing VLANs:
16, 17, 18, 21 <-- All can communicate with each other

Trunk is on port 1/2

Need to add pvlan 24 <-- No communication with other VLANs, only the DG and other computers in the same vlan.

What I think I need to do is to create a primary VLAN, lets say 50. Create pvlan 24 as a community pvlan, Associate PVLAN 24 to vlan 50 and add port 1/2 to pvlan 50 as a promiscious port. Does this sound right, or am I missing something?

cr33p,

Find out which CatOS version you have and post back.

dtlokee

I don't think this is an application of private VLANs which are used to prevent hosts on the same VLAN from communicating with other hosts on the same VLAN. You are trying to prevent one VLAN from communicating with another VLAN at a L3 device which is a case for access-lists or VLAN maps. If you create VLAN 24 as a private VLAN (community or otherwise) and the trunk as community,all the hosts can communicate with the router (or other L3 device) then the L3 device will route the packets.

mikearama

Interesting comment, dt... I may have misunderstood the definition/application of a community private vlan then.

I understood that they inherently (when community) allowed connectivity to hosts in the same vlan, but not to anyone outside of their vlan (except the promiscuous port).

You are correct that an acl on the router could do the same.

You mentioned that:
"I don't think this is an application of private VLANs which are used to prevent hosts on the same VLAN from communicating with other hosts on the same VLAN."

That is the definition, I believe, of an isolated private-vlan. A community private-vlan should do what cr33p needs, don't ya think?

dtlokee

The community PVLAN will still allow all the hosts to communicate with the promisciuos port (the router) which will then just route the packets onto the other VLANs defeating the intended goal.

cr33p

dtlokee wrote:

I don't think this is an application of private VLANs which are used to prevent hosts on the same VLAN from communicating with other hosts on the same VLAN. You are trying to prevent one VLAN from communicating with another VLAN at a L3 device which is a case for access-lists or VLAN maps. If you create VLAN 24 as a private VLAN (community or otherwise) and the trunk as community,all the hosts can communicate with the router (or other L3 device) then the L3 device will route the packets.

Very good point... I didn't think of this. I was under the assumption that being private would prevent it from communicating with the other vlans. I didn't take the L3 aspect of it into account. I wish I had hardware to do a test network, but alas, I am too poor to afford all that...

If this should have an ACL, then what should it block? Now I think it gets tricky because of the way our network is set up. Let me explain:

VLANs 16 and 17 both connect to the same Cisco router (router on a stick).
VLANs 18 and 21 connect to an L3 Procurve switch for routing (basically router on a stick again).
VLAN 24, the one I need isolated, routes via the L3 Procurve switch.

The router before the firewall that goes to the internet is x.x.16.1. How would I prevent communication from VLAN 24 to the rest of the x.x.16.x network, as well as the other VLANs, and still be able to get to the internet (x.x.16.1)? This is a logical overview:

         x.x.16.1          x.x.21.1     (access switchs)
        (x.x.17.1)        x.x.18.1     (VLAN's 16,17,18,21,24)
                          x.x.24.1        
FW <---- R ----------- L3SW ---------- SW--SW--SW

networker050184

I think a VLAN maps are your best bet in this situation. You can keep all other traffic off VLAN 24 and keep VLAN 24 traffic off your other VLANs also.