
Private VLANs

CCNP Security Dec 20, 2025

VLAN within a VLAN

The primary VLAN carries the IP subnet; the secondary VLANs inside it are used to isolate devices from one another while they share that subnet.

Secondary VLAN Types:

  • Isolated - a primary VLAN can have only one isolated VLAN. All devices in it are isolated from each other.
  • Community - devices can reach other devices in the same community, but are isolated from devices in other communities and in the isolated VLAN.

Port types:

  • Isolated - host ports in the isolated VLAN can’t reach each other; they can only reach promiscuous ports.
  • Community - host ports in the same community VLAN can reach each other and the promiscuous ports.
  • Promiscuous - reachable from all isolated and community ports; this is where the gateway (router/firewall) for the devices connects.

Private VLANs are not supported while the switch is in VTP client or server mode; the switch must be in VTP transparent mode.

vtp mode transparent

Create the private community VLANs

vlan 201
  private-vlan community
vlan 202
  private-vlan community

Create the isolated VLAN

vlan 299
  private-vlan isolated

Create the primary VLAN and associate the private VLANs

vlan 200
  private-vlan primary
  private-vlan association 201,202,299

Configure the gateway interface

int Gi1/0/1
  description UPLINK_TO_ROUTER
  switchport mode private-vlan promiscuous
  switchport private-vlan mapping 200 201,202,299

Configure the client interfaces

int range fa1/0/1-10
  description COMMUNITY_1
  switchport mode private-vlan host
  switchport private-vlan host-association 200 201

int range fa1/0/11-20
  description COMMUNITY_2
  switchport mode private-vlan host
  switchport private-vlan host-association 200 202

int range fa1/0/21-30
  description ISOLATED
  switchport mode private-vlan host
  switchport private-vlan host-association 200 299

Verify the private VLAN associations and port mappings

show vlan private-vlan
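To check that the configuration above gives the intended isolation, here is an added example (not part of the original notes) that models layer-2 reachability between ports of this private VLAN. The port names and memberships are assumed to mirror the CLI on this page; the model covers only what the switch forwards, not what the router on the promiscuous port may route back between hosts.

```python
# Added example: layer-2 reachability model for the private VLAN built above.
# Port membership is assumed to follow the CLI configuration on this page.

ISOLATED, COMMUNITY, PROMISCUOUS = "isolated", "community", "promiscuous"

# Secondary VLAN types, as declared with "private-vlan community|isolated".
SECONDARY_TYPES = {201: COMMUNITY, 202: COMMUNITY, 299: ISOLATED}

# Host ports: port -> (primary VLAN, secondary VLAN) from "host-association".
HOST_PORTS = {
    "Fa1/0/1": (200, 201), "Fa1/0/2": (200, 201),    # COMMUNITY_1
    "Fa1/0/11": (200, 202),                          # COMMUNITY_2
    "Fa1/0/21": (200, 299), "Fa1/0/22": (200, 299),  # ISOLATED
}

# Promiscuous ports: port -> (primary VLAN, set of mapped secondary VLANs).
PROMISCUOUS_PORTS = {"Gi1/0/1": (200, {201, 202, 299})}


def port_info(port):
    """Return (mode, primary, secondary-or-mapping) for a configured port."""
    if port in PROMISCUOUS_PORTS:
        primary, mapping = PROMISCUOUS_PORTS[port]
        return PROMISCUOUS, primary, mapping
    primary, secondary = HOST_PORTS[port]
    return SECONDARY_TYPES[secondary], primary, secondary


def can_reach(src, dst):
    """True if a frame entering on src may be switched out of dst at layer 2."""
    if src == dst:
        return True
    s_mode, s_pri, s_sec = port_info(src)
    d_mode, d_pri, d_sec = port_info(dst)
    if s_pri != d_pri:                 # different primary VLANs: separate domains
        return False
    if s_mode == PROMISCUOUS and d_mode == PROMISCUOUS:
        return True
    if s_mode == PROMISCUOUS:          # promiscuous -> host: secondary must be mapped
        return d_sec in s_sec
    if d_mode == PROMISCUOUS:          # host -> promiscuous: same rule
        return s_sec in d_sec
    # Two host ports only talk when both sit in the same community VLAN;
    # isolated ports never reach each other even though they share a secondary.
    return s_sec == d_sec and s_mode == COMMUNITY


def reachable_from(src):
    """Sorted list of ports src can reach; useful for auditing intended isolation."""
    ports = list(HOST_PORTS) + list(PROMISCUOUS_PORTS)
    return sorted(p for p in ports if can_reach(src, p))
```

Isolation only holds on the switch: the gateway on Gi1/0/1 will still route between two isolated hosts in the same subnet unless it carries an ACL that denies it.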
