Private vlan configuration

 Allow us to permit and deny the access from ports and we using one subnet for all
vlans
 In private vlan we just create a primary vlan
 And primary vlan we add different sub vlan
 These vlan is isolated with each other
 One subnet for all vlans

3 different kind of sub vlan

 Promiscuous
 Isolated
 Community
 Isolated:- vlan that cannot communicate with any vlans else they only reach
promiscuous(router) port to access the internet
 Promiscuous:- it can be reach with in private vlan and internet
 Community:-community port can reach other thing with their community. They are
communicate with each other in a same Community and able to reach promiscuous
port to get out the internet

All Rights Reserved. ©Best Cisco CCNA CCNP and Linux Notes
www.ccnaccnplinux.com®
 Private-vlan configuration
 Switch(config)#vtp mode transparent
 Private vlan only be configured on transparent mode

Firstly we will configure primary VLAN configuration

 Switch(config)#vlan 100
 Switch(config-vlan)#private-vlan primary (our primay Vlans for association)
 Switch(config-vlan)#exit

 Switch(config)#vlan 110
 Switch(config-vlan)#private-vlan community {communicating in same vlan 110 and
internet}
 Switch(config-vlan)#exit

 Switch(config)#vlan 120
 Switch(config-vlan)#private-vlan isolated {communicate with gateway as
well as internet}
 Switch(config-vlan)#exit

 Switch(config)#vlan 130
 Switch(config-vlan)#private-vlan community (communicating with same vlan
130 and internet)
 Switch(config-vlan)#exit

Now associate sub vlan to a primary vlan

 Switch(config)#vlan 100
 Switch(config-vlan)#private-vlan association 110,120,130
 Switch(config-vlan)#exit

Now Associate the Port to VLAN

 Switch(config)#interface range fastethernet 1/0 -1
 Switch(config-if-range)#description CONNECTED WITH PC1 AND PC2
 Switch(config-if-range)#switchport mode private-vlan host (connected with PC)
 Switch(config-if-range)#switchport private-vlan host-association 100 110 {First
primary vlan then followed by secondary vlans 110}
 Switch(config-if-range)#exit

 Switch(config)#interface fastethernet 1/3

 Switch(config-if)#description CONNECTED WITH PC4
 Switch(config-if)#switchport mode private-vlan host

All Rights Reserved. ©Best Cisco CCNA CCNP and Linux Notes
www.ccnaccnplinux.com®
  Switch(config-if)#switchport private-vlan host-association 100 120 {First
primary vlan then followed by secondary vlans 120}
 Switch(config-if)#exit

 Switch(config)#interface fastethernet 1/2

 Switch(config-if)#description CONNECTED WITH PC3
 Switch(config-if)#switchport mode private-vlan host
 Switch(config-if)#switchport private-vlan host-association 100 130 {First
primary vlan then followed by secondary vlans 130}
 Switch(config-if)#exit

Now we will configure the Promiscuous Port

Implementing The Private-Vlans Switch Port

 Switch(config)#interface ethernet 0/0
 Switch(config-if)#description CONNECTED WITH ROUTER
 Switch(config-if)#switchport mode private-vlan promiscuous reach everywhere
 Switch(config-if)#switchport private-vlan mapping 100 110,120,130 {First primary
vlan then followed by secondary vlans}
 Switch(config-if)#exit

 R1(config)#interface fastEthernet 0/0

 R1(config-if)#description CONNECTED WITH SWITCH
 R1(config-if)#ip address 192.168.2.1 255.255.255.0
 R1(config-if)#no shut
 R1(config-if)#exit

Now test using PC1 PC2 PC3 and PC4

Ping PC1 toPC2 :- successfully

Ping PC2 to PC1 :- successfully

Ping PC1 to PC3 :- denied

Ping PC2 to PC4 :- denied

Then ping default gateway from all pc : - successfully ping

All Rights Reserved. ©Best Cisco CCNA CCNP and Linux Notes
www.ccnaccnplinux.com®