Security: Private vlan example

Vlan 100 is a community vlan, hosts within vlan 100 can communicate with one another. Vlan 200 is an isolated vlan, hosts within vlan 200 are not allowed to communicate with one another.

Private vlan

1. Before you start make sure the vtp mode is set to transparent.

2. The difference between private vlan and protected port is protected port is localized within the switch itself, but private vlan can propagate among switches.

3. Private vlan consists of primary vlan and secondary vlan.

4. There are two types of secondary vlans namely isolated and community.

5. Hosts within the same community vlan can communicate with one another. Host within the community vlan cannot communicate with hosts from a different community and hosts from isolated vlan.

6. Hosts within isolated vlan cannot communicate among themselves.

7. Promiscuous port is the port that can access to community and isolated ports.

8. Community and isolated vlans do not have an instance for spanning-tree.

Step by Step

Step 1:Change vtp mode to transparent.

3560-2(config)#vtp mode transparent

Step1.1:Define your vlans.

3560-2(config)#vlan 99

3560-2(config-vlan)#name pri-vlan

3560-2(config)#vlan 100
3560-2(config-vlan)#name comm-vlan
3560-2(config-vlan)#vlan 200
3560-2(config-vlan)#name isolated-vlan

Step 2:Define your secondary vlans.

3560-2(config-vlan)#vlan 100
3560-2(config-vlan)#private-vlan community

3560-2(config-vlan)#vlan 200
3560-2(config-vlan)#private-vlan isolated

Step 3:Define your primary vlan and associate secondary vlans into this.

3560-2(config-vlan)#vlan 99
3560-2(config-vlan)#private-vlan primary
3560-2(config-vlan)#private-vlan association 100,200

Step 4:Define your port roles based on the above diagram.

3560-2(config)#int fa0/1
3560-2(config-if)#switchport mode private-vlan promiscuous
3560-2(config-if)#switchport private-vlan mapping 99 100,200

3560-2(config)#int range fa0/10 – 11
3560-2(config-if-range)#switchport mode private-vlan host
3560-2(config-if-range)#switchport private-vlan host-association 99 100

3560-2(config)#int range fa0/20 – 21
3560-2(config-if-range)#switchport mode private-vlan host
3560-2(config-if-range)#switchport private-vlan host-association 99 200

Check the vlan roles.

3560-2#sh vlan private-vlan

Primary Secondary Type              Ports
——- ——— —————– ——————————————
99      100       community         Fa0/1, Fa0/10, Fa0/11
99      200       isolated          Fa0/1, Fa0/20, Fa0/21

Advertisements
This entry was posted in Security, Switch, Vlan and tagged , , . Bookmark the permalink.

3 Responses to Security: Private vlan example

  1. Ahmed Abdallah says:

    i can’t make this configuration in packet tracer – switch 3560

    • cyruslab says:

      Packet tracer has limited commands, not all commands are present in this software, you need a real switch to help you practise. Or you can find rack rental from IPExpert or other vendors.

  2. same problem i got when accesing switch 2960 in Packet tracer

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s