PVLAN on a 3550 & 3560

8 Aug 2007 16:14

Amazingly, the 3550 doesn't support PVLAN; the 3560 does. So what are the options?

Catalyst Platform | PVLAN Supported (Minimum Software Version) | Isolated VLAN | PVLAN Edge (Protected Port) | Community VLAN
Catalyst 3550     | Not supported                              | Not supported | Yes, 12.1(4)EA1 onwards     | Not supported
Catalyst 3560     | 12.2(20)SE – EMI                           | Yes           | Yes, 12.1(19)EA1 onwards    | Yes

PVLAN

Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private-VLAN ports are access ports that are one of these types:

  • Promiscuous – A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN.
  • Isolated – An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
  • Community – A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN.

Primary and secondary VLANs have these characteristics:

  • Primary VLAN – A private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.
  • Isolated VLAN – A private VLAN has only one isolated VLAN. An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the gateway.
  • Community VLAN – A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port gateways and to other host ports in the same community. You can configure multiple community VLANs in a private VLAN.

A promiscuous port can serve only one primary VLAN, one isolated VLAN and multiple community VLANs.

To configure PVLAN:

  1. vtp mode transparent – Set VTP mode to transparent (disable VTP).
  2. vlan vlan-id – Enter VLAN configuration mode and designate or create a VLAN that will be the primary VLAN.
  3. private-vlan primary – Designate the VLAN as the primary VLAN.
  4. vlan vlan-id – (Optional) Enter VLAN configuration mode and designate or create a VLAN that will be an isolated VLAN.
  5. private-vlan isolated – Designate the VLAN as an isolated VLAN.
  6. vlan vlan-id – (Optional) Enter VLAN configuration mode and designate or create a VLAN that will be a community VLAN.
  7. private-vlan community – Designate the VLAN as a community VLAN.
  8. vlan vlan-id – Enter VLAN configuration mode for the VLAN designated as primary in Steps 2 and 3.
  9. private-vlan association [add | remove] secondary_vlan_list – Associate the secondary VLANs with the primary VLAN.

To verify the configuration:

show vlan private-vlan [type]
or
show interfaces status

Isolated VLAN

See PVLAN above.

Isolated VLAN – A private VLAN has only one isolated VLAN. An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the gateway.

PVLAN edge (protected port)

Some applications require that no traffic be forwarded between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.

Protected ports have these features:

  • A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
  • Forwarding behaviour between a protected port and a nonprotected port proceeds as usual.
  • Protected ports are supported on 802.1Q trunks.

To configure a Protected port:

  1. interface interface-id – Specify the interface to configure, and enter interface configuration mode.
  2. switchport protected – Configure the interface to be a protected port.

To verify the configuration:

show interfaces interface-id switchport

Community VLAN

See PVLAN above.

Community – A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN.

Which one to use in the lab?

Brian Jensen gave me this excellent advice on Groupstudy:

When you need to have connectivity between switches, then the private VLAN is the way to go. Only use protected ports when all affected devices are on a single switch.
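The forwarding rules from the PVLAN port-type list above and from the protected-port list can be checked against each other with a small model. This is an added example, not code from the original post; the switch and interface names ("SW1", "Fa0/2" and so on) and the community VLAN labels are constructed for the illustration. It also encodes Brian's point: the protected flag only blocks traffic between protected ports on the same switch.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Port:
    switch: str                      # constructed switch name, e.g. "SW1"
    name: str                        # constructed interface name
    role: str                        # "promiscuous", "isolated", "community", "access"
    community: Optional[str] = None  # community VLAN label, community ports only
    protected: bool = False          # 'switchport protected' (PVLAN edge)

def pvlan_forwards(a: Port, b: Port) -> bool:
    """Layer-2 data forwarding from a to b, both ports in the same private VLAN."""
    # A promiscuous port exchanges traffic with every port in the private VLAN.
    if a.role == "promiscuous" or b.role == "promiscuous":
        return True
    # Isolated hosts reach only promiscuous ports, never another host port.
    if a.role == "isolated" or b.role == "isolated":
        return False
    # Two community ports talk only inside the same community VLAN.
    return a.community is not None and a.community == b.community

def protected_forwards(a: Port, b: Port) -> bool:
    """PVLAN edge rule: the protected flag is local to one switch, so two
    protected ports on different switches still see each other's traffic."""
    return not (a.protected and b.protected and a.switch == b.switch)

def reachability(ports, rule):
    """Return the set of (src, dst) port names the rule lets data traffic cross."""
    return {(a.name, b.name) for a in ports for b in ports
            if a is not b and rule(a, b)}

# Constructed topology: one private VLAN on SW1 with a promiscuous gateway port,
# two isolated tenants and two community VLANs ("cA", "cB").
PVLAN_PORTS = [
    Port("SW1", "Gi0/1", "promiscuous"),
    Port("SW1", "Fa0/2", "isolated"), Port("SW1", "Fa0/3", "isolated"),
    Port("SW1", "Fa0/4", "community", "cA"), Port("SW1", "Fa0/5", "community", "cA"),
    Port("SW1", "Fa0/6", "community", "cB"),
]
# Constructed topology for the edge feature: protected ports spread over two switches.
EDGE_PORTS = [
    Port("SW1", "Fa0/7", "access", protected=True),
    Port("SW1", "Fa0/8", "access", protected=True),
    Port("SW1", "Fa0/9", "access"),
    Port("SW2", "Fa0/1", "access", protected=True),
]

if __name__ == "__main__":
    for src, dst in sorted(reachability(PVLAN_PORTS, pvlan_forwards)):
        print(f"PVLAN  {src} -> {dst}")
    for src, dst in sorted(reachability(EDGE_PORTS, protected_forwards)):
        print(f"EDGE   {src} -> {dst}")
```

Running it shows the cross-switch pair Fa0/7 -> Fa0/1 in the EDGE output, which is exactly the gap the advice above warns about.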
