private vlan Qs.

Answered Question
Feb 6th, 2007

I would like to split out my vlan so that there are 2 groups of hosts that can communicate within the group and with hosts outside the vlan, but not with each other. I think that I need to keep the existing vlan as the primary and create 2 new vlans as secondary community. I need to create the appropriate vlan associations and vlan interface mappings, and then assign each switchport to the desired secondary vlan (with host-association command etc). I don't need to re-address any hosts, as they can all stay in the same subnet.

There are 4 switches, running vtp (one server, 3 clients), and one switch connects to a pix firewall.

-Do I require a promiscuous port? Would it be necessary on the pix interface?

-As PVLANS aren't carried in VTP, how can I configure them on VTP clients? Do I have to switch them to transparent?

-Is it correct that hosts from one secondary VLAN could not communicate with hosts from the other secondary VLAN at all? Or will the presence of a layer 3 device mean that traffic is routed? Would I need a VACL to control traffic?

Is there anything else that I need to consider?

Many thanks, J

Jon Marshall Tue, 02/06/2007 - 08:08

Hi

1) You require a promiscuous port if you want your hosts to be able to communicate with other hosts outside the private vlan. You can only have one promiscuous port. If the routing for your private vlan is being done by the pix then yes, the pix interface needs to be the promiscuous port.

2) Yes, you have to manually configure the private vlans on each switch and these switches will need to be in transparent mode.

3) Yes, it is true, hosts within one community vlan cannot communicate with hosts in another community vlan within the same private vlan. Traffic will not be routed because the hosts within the community vlans (within the same private vlan) are on the same subnet.

4) Make sure that on any intermediate switches that don't have members of your private vlan on them you still configure the private and community vlans, which will avoid unnecessary flooding of private vlan traffic.

HTH

Jon
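The configuration the original question sketches, with the promiscuous port and transparent-mode points from the reply above, written out as an added example (this is not configuration posted in the thread). It assumes Cisco IOS private VLAN syntax on a Catalyst that supports PVLANs, VLAN 100 as the existing primary, 101 and 102 as the two new community VLANs, Fa0/1-12 and Fa0/13-24 as the two host groups, Gi0/1 facing the PIX and Gi0/2 as the inter-switch trunk; all of those numbers and port names are placeholders.

```cisco
! Added example, not from the thread. Assumed values: VLAN 100 (primary),
! 101/102 (community), Fa0/1-12 and Fa0/13-24 (host groups), Gi0/1 (PIX),
! Gi0/2 (trunk). Repeat the VLAN definitions on every switch in the path,
! including switches with no PVLAN hosts, since VTP does not carry them.
!
vtp mode transparent
!
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
vlan 101
 private-vlan community
!
vlan 102
 private-vlan community
!
! Group A: hosts can talk to each other and to the promiscuous port only
interface range FastEthernet0/1 - 12
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Group B: same, but isolated from group A at layer 2
interface range FastEthernet0/13 - 24
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port toward the PIX; the PIX keeps its existing address
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Inter-switch trunk must carry the primary and both secondary VLANs
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100-102
!
! Alternative if a multilayer switch routes instead of the PIX: the SVI of
! the primary VLAN becomes the promiscuous port (address is a placeholder).
! interface Vlan100
!  ip address 192.0.2.1 255.255.255.0
!  private-vlan mapping 101,102
!
! Verification
show vlan private-vlan
show interfaces GigabitEthernet0/1 switchport
```

After applying this on each switch, `show vlan private-vlan` should list 100 as primary with 101 and 102 as community secondaries and the expected ports under each; a host port that still shows as a plain access port on any switch in the path, or a trunk that does not allow all three VLANs, is the usual reason community-to-promiscuous traffic fails while the two groups stay correctly separated.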

jigsaw2026 Tue, 02/06/2007 - 08:38

Thank you Jon for your reply - very helpful. Just a couple of things I don't understand:

1) If you didn't have a router or pix but had a multilayer switch and routed using interface vlans, would you still need a promiscuous port?

3) Is there any way that you can get the hosts to talk to each other, in a controlled manner, as you would with separate vlans?

Thank you again, J

Correct Answer
Jon Marshall Tue, 02/06/2007 - 10:37

J

1) You would still need a promiscuous port if you needed hosts within your private vlan to communicate with hosts outside of your private vlan.

If you only had one vlan and just wanted to segregate hosts within that vlan then you could just create your community vlans without a promiscuous port.

If you are using a multilayer switch instead of a pix firewall for the intervlan communication you would generally make the routed SVI the promiscuous port.

2) Not sure I understand what you need here. If you are trying to control how hosts talk to each other within the same vlan then that is what you are doing by using private vlans.

Could you elaborate?

Jon

jigsaw2026 Wed, 02/07/2007 - 02:00

Thank you once again Jon, much appreciated. Yes, I think I was confusing myself on point 2 by over complicating things, please ignore.

ahmedchohan Wed, 02/07/2007 - 04:05

Just to clarify on the prom port. It's a port on the switch. It's a port which allows access to other community vlans. The router, or in your case the pix, would need communication from and to the router and thus the pix gets connected to the prom port.
