Private-vlan and protected ports
Private vlan introduction
If you want to limit the communication among devices under the same subnet you can configure private vlan to achieve this objective.
One private vlan primary can service only one isolated vlan and many community vlans.
There are two types of secondary vlans:
Community vlan can communicate with one another under the same community vlan and can communicate the device via promiscuous port, community vlan however cannot communicate with another isolated vlan and a different community vlan.
Isolated vlan cannot communicate with any device either in the same isolated vlan or other community vlan, it can only communicate with device connected to the promiscuous port.
If you have a router, devices from remote network can enter the isolated vlan via promiscuous port, to prevent remote network from accessing isolated vlans or community vlan you can configure a router acl (standard) either in SVI or router interface as inbound.
To use private-vlan VTP mode must be in transparent.
Private vlan is only supported by 3560, 3750, 4500 and 6500 series.For access class switches such as 2960 protected port is supported.
Protected port is similar to private vlan, but it is a lite version of pvlan.
Configuring private vlan
Scenario: NTP server connected to fa0/1, 4 pcs connected from fa0/2to fa0/4. Pcs can only sync their time with the NTP server but the 4PCs should never communicate with one another. The devices are connected to a Cat3560E multilayer 8-port switch. All these devicesare in the same broadcast domain.
Change VTP to transparent
vtp mode transparent
Create a primary private vlan:
Create secondary private vlan (isolated):
Map isolated vlan with primary vlan
private-vlan association 200
Assign fa0/1 to promiscuous port:
switchport private-vlan mapping 10 200
switchport mode private-vlan promiscuous
Assign fa0/2 to fa0/4 as isolated vlans, and associate isolated vlan to primary vlan.
interface range fa0/2 – 4
switchport mode private-vlan host
switchport private-vlan host-association 10 200
Configuring protected ports
Using the previous objective here’s the steps:
Configure fa0/2 – 4 as protected port
interface range fa0/2 – 4
switchport mode protected
Layer2 frames from protected port to protected port will be discarded; unicast, multcast and broadcast will all be dropped, CDP/LLDP all will be dropped as well.
Protected to unprotected and unprotected to unprotected ports can communicate.
Protected port can only work in a flat network environment, if there’s a router or layer3 device, traffic from protected to protected is possible.