Private VLANs: VLAN & Switchport Configuration to Layer-3 Connectivity

In this article we will take a look at what is required to configure private VLANs on Cisco equipment. But firstly we need to be clear about what VLAN and private VLAN are.

A Virtual Local Area Network, or VLAN, provides the ability to logically separate a LAN the same way that would be possible with multiple physical switches. For example, if an engineer had four different physical switches, each of the switches could be connected to separate departments within a company. Without an interconnection or a routing device, the devices within each department would not be able to send traffic to each other and would typically be put into different subnets. A VLAN takes this ability to separate devices, but does it logically instead of physically; a separate VLAN can be created for each department and the physical ports that connect these devices can be configured into the correct VLAN. It is important to keep in mind however that the same rules apply to VLANs as physical LANs; that is in order to communicate between them a routing device is required and separate subnets should be assigned to the devices in each VLAN.

The private VLAN feature provides the ability to extend the capabilities of a “standard” VLAN. It does this by introducing some additional concepts: Primary VLAN, Community VLAN and Isolated VLAN. The Primary VLAN should be considered the Master in the master/slave relationship with the other two sub-types. Switch ports assigned within the primary VLAN are able to see traffic from all devices within the primary VLAN and all sub-types (also referred to as secondary VLANs).

Both Community and Isolated VLANs should be considered slaves in the master/slave relationship with the primary VLAN. Switchports assigned to a Community VLAN can see traffic from all other devices in the same Community VLAN and can send traffic back and forth with devices in the primary VLAN. Switchports assigned to an Isolated VLAN can send traffic back and forth with devices in the primary VLAN, but CANNOT see traffic from other devices in the same Isolated VLAN.

It is important to understand that regardless of the VLAN assignment of the switchport, all of the devices will share the same IP subnet; the private VLAN feature just sets up rules as to which devices are able to speak to each other.

Configuration Basics

The first thing that needs to be reviewed is how the concepts of primary, community and isolated VLANs translate to a physical implementation of private VLANs. Switchports that are going to be used by the private VLAN feature are separated into three different categories: Promiscuous, Community, and Isolated. A promiscuous switchport is able to see the traffic from all other promiscuous switchports as well as all secondary switchport types (community and isolated). If the reader has just come from the private VLANs concepts article, the switchports assigned as promiscuous exist within the primary VLAN and map to the secondary VLANs.

VLAN Configuration

The first phase in private VLAN configuration is to set up the VLANs that will be used and assign them to a specific type. It is important to note that one caveat to using the private VLAN feature is it is not compatible with the Virtual Trunking Protocol (VTP); due to this the first thing that must be done is to configure the switch into VTP transparent mode.

Enter privileged mode.	router>enable
Enter global configuration mode	router#configure terminal
Configure VTP Transparent Mode.	router(config)#vtp mode transparent

The next step is to configure the VLANs as specific private VLAN types.

Enter VLAN configuration mode for the secondary VLAN.	router(config)#vlan vlan-id
Configure the VLAN as a private secondary VLAN.	router(config-vlan)#private-vlan [isolated |community]
Enter VLAN configuration mode for the primary VLAN.	router(config-vlan)#vlan vlan-id
Configure the VLAN as a primary VLAN.	router(config-vlan)#private-vlan primary

Once all of the VLANs have been configured, the primary and secondary VLANs must be associated together.

Associate the primary VLAN with secondary VLANs. The secondary-vlan-list parameter is typically a range (using ‘-‘) or a comma separated list. No spaces are allowed.

router(config-vlan)#private-vlan association [add |remove] secondary-vlan-list

Switchport Configuration

The second phase involves the configuration of the physical switchports, what type of privateVLAN they are and how they are associated with the VLANs. This article will show the configuration of the switchports assigned to the secondary private VLANs first.

The first thing to do is to configure the switchport as a host (this includes community and isolated switchports).

Enter interface configuration mode.	router(config-vlan)#interface interface-id
Configure the interface as a host interface.	router(config-if)#switchport mode private-vlan host

The next thing to do is associate the switchport with the primary and secondary VLANs that were configured in the previous section.

Associate the interface with a primary and secondary VLAN

router(config-if)#switchport private-vlan host-association primary-vlan secondary-vlan

The configuration of the switchports in the primary VLAN now has to be completed.

Enter interface configuration mode.	router(config-if)#interface interface-id
Configure the interface as a promiscuous interface	router(config-if)#switchport mode private-vlan promiscuous

This switchport then has to be mapped to all of the associated primary and secondary VLANs.

Associate the interface with a primary VLAN and all secondary VLANs The secondary-vlan-list parameter is typically a range (using ‘-‘) or a comma separated list. No spaces are allowed.

router(config-if)#switchport private-mode mappingprimary-vlan {add | remove} secondary-vlan-list

This completes the layer-2 configuration of private VLANs; if only layer-2 connectivity is required then the next section is not required.

Layer-3 Connectivity

As with a normal VLAN, private VLANs will only allow communications within the configured VLANs (according to the private VLAN rules), but to speak to devices outside this VLAN structure a layer-3 device is required. In many situations, this layer-3 functionality is also provided by the switch (assuming this is a layer-3 capable switch). This section shows the additional configuration that is required to have the switch provide layer-3 functionality to the switchports configured with theprivate VLAN feature.

This additional configuration is simple and just adds a single configuration command to the primary VLAN interface.

Enter VLAN (SVI) interface configuration mode.	router(config)#interface vlan primary-vlan-id
Associate the secondary VLANs with the SVI. The secondary-vlan-list parameter is typically a range (using ‘-‘) or a comma separated list. No spaces are allowed.	router(config-if)#private-vlan mapping {add | remove}secondary-vlan-list

Once an engineer has a firm understanding of private VLAN concepts it is rather simple to translate this understanding to the configuration portion of private VLANs. There are a number of different applications for the private VLAN feature that an engineer can take advantage of, and hopefully these two articles will make it easier to understand how they can be put to use.

More Network and Cisco Tips:

How Private VLANs Work?

Types of VLANs

VLAN Switch Port Modes

‘What Happens in the VLAN Stays in theVLAN?’

How to Configure Private VLANs on Cisco3560 Switches?