The number of isolated vlan in private vlan

Answered Question
Feb 4th, 2009

Hi every body!

I was reading about isolated vlans in a Cisco book. This is what the Cisco book says:

"Only one isolated VLAN can be mapped to a primary VLAN, but multiple community VLANs can be mapped to a primary VLAN."

My question is: does it mean there can be at most one isolated private vlan in a vlan? If there can be more than one, then how will communication occur between two isolated private vlans in a vlan, as only one isolated vlan is mapped to the primary vlan?

thanks a lot and have a nice day!

Correct Answer
Giuseppe Larosa Thu, 02/05/2009 - 06:25

Hello Sarah,

only one switch port can be associated to a secondary vlan of type isolated but you can have multiple (different) isolated vlans mapped to the same primary vlan.

Hope to help

Giuseppe

sarahr202 Fri, 02/06/2009 - 15:27

Thanks a lot Giuseppe!

Based on your reply, the book, which says only one isolated (secondary) vlan can be mapped to a primary vlan, is wrong.

I just want to confirm that I understand you right.

We can map multiple isolated vlans to the same primary vlan. Am I correct, Giuseppe?

thanks a lot!

Correct Answer
Giuseppe Larosa Sat, 02/07/2009 - 00:22

Hello Sarah,

yes you can map multiple different secondary vlans of type isolated to the same primary vlan.

I remember the examples in BCMSN second edition about this.

I did some basic testing on private vlans and I don't remember this kind of limitation.

private vlans have been thought to limit connectivity within a single ip subnet:

instead of using multiple /30 subnets you can place servers in a single subnet but you can make them to talk only with the default gateway.

This can be useful for providers offering server hosting services: instead of wasting precious public ip addresses (one for base subnet and one for broadcast you use 4 addresses for a /30) it is more convenient to use pvlans.

Pvlans as a mean to avoid ARP attacks, man in the middle are now less used. For this DAI, IP source guard and DHCP snooping are preferred.

Hope to help

Giuseppe

sarahr202 Sun, 02/08/2009 - 14:10

Thanks a lot Giuseppe!

Just one more question, if you please don't mind.

I understand the role of the promiscuous port.

That is the kind of port on a layer 2 switch that connects to the gateway.

Let's take a different scenario: we have a multilayer switch with one vlan, vlan 2.

The SVI for vlan 2 is 2.2.2.1/24. Will this SVI be configured as a promiscuous port, or is only the layer 2 port connected to the gateway configured as a promiscuous port?

P.S. I am using a Cisco book which I no longer trust; the case in point is that the book says only one isolated secondary vlan can be mapped to a primary vlan. Numerous times I quoted from the book only to find the book was wrong. The end result is that whatever the book says, I have to verify it either on NetPro or by searching on Google. Do you recommend any good book? It would save me a lot of time and save you guys from my questions as well.

Correct Answer
Giuseppe Larosa Mon, 02/09/2009 - 00:25

Hello Sarah,

the SVI is a special case and hasn't got a physical interface

according to my old book the following is enough:

vlan 40
 private-vlan isolated
vlan 50
 private-vlan community
vlan 200
 private-vlan primary
 private-vlan association 40,50
interface vlan 200
 ip address 192.168.199.1 255.255.255.0

this is taken from BCMSN second edition

David Hucaby

Copyright © 2004 Cisco Systems, Inc.

ISBN: 1-58720-077-5

I used first and second edition of this book and I've found them accurate.

I think there is at least a third edition on Cisco Press;

the current edition is 4th:

* By Richard Froom, Balaji Sivasubramanian, Erum Frahim.

* Published by Cisco Press.

* Series: Self-Study Guide.


ISBN-10: 1-58705-273-3

but the authors have changed

Hope to help

Giuseppe

sarahr202 Mon, 02/09/2009 - 12:30

Thanks a lot Giuseppe! I am taking my switching exam on Tuesday 10 Feb.

I really appreciate your help in my preparation for the exam.

Correct Answer
Jon Marshall Mon, 02/09/2009 - 12:56

Sarah

Firstly good luck with your exam.

Secondly, all the docs I have read suggest that you can only have one isolated vlan per primary vlan domain. See this 6500 configuration doc as an example:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/pvlans.html#wp1144524

I've just moved house so haven't set lab back up yet so can't test.

Jon

Correct Answer
Giuseppe Larosa Mon, 02/09/2009 - 13:33

Hello Jon,

Thanks for your correction.

Let's give Sarah good information.

It is the opposite of what I had understood/remembered:

instead of having all isolated ports in many single isolated secondary vlans, you can have multiple ports all belonging to the same isolated secondary vlan.

This allows for an implementation without wasting vlan numbers.

Sarah: sorry for having given you wrong information; your questions are becoming difficult to answer :)

Thanks

Giuseppe
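As an added example that is not part of this thread, the following Python script models the private-VLAN rules discussed above. It parses the vlan and SVI lines Giuseppe quoted from BCMSN, checks the mapping constraints (including the one-isolated-vlan-per-primary rule from the Catalyst 6500 document Jon cites), and decides which switch ports can exchange frames: isolated hosts reach only the promiscuous port, community hosts also reach each other. The host and promiscuous switchport lines, the GigabitEthernet interface names and the second isolated vlan used in the usage note are constructed sample configuration, not taken from the thread.

```python
"""Private-VLAN (PVLAN) model: parse IOS-style config, check mapping rules, test port reachability."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: the vlan/SVI lines quoted in the thread, extended with
# hypothetical host and promiscuous ports so that reachability can be evaluated.
SAMPLE_CONFIG = """vlan 40
 private-vlan isolated
vlan 50
 private-vlan community
vlan 200
 private-vlan primary
 private-vlan association 40,50
interface vlan 200
 ip address 192.168.199.1 255.255.255.0
interface GigabitEthernet1/0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 200 40
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 200 40
interface GigabitEthernet1/0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 200 50
interface GigabitEthernet1/0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 200 50
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 40,50
"""

@dataclass
class Port:
    name: str
    mode: str = ""            # "host", "promiscuous", or "" for a non-PVLAN interface (the SVI)
    primary: int | None = None
    secondaries: set[int] = field(default_factory=set)  # one vlan for host, many for promiscuous

@dataclass
class PvlanConfig:
    vlan_types: dict[int, str] = field(default_factory=dict)         # vlan -> isolated|community|primary
    associations: dict[int, set[int]] = field(default_factory=dict)  # primary -> its secondary vlans
    ports: dict[str, Port] = field(default_factory=dict)

def _vlans(text: str) -> set[int]:
    return {int(v) for v in text.split(",")}     # "40,50" -> {40, 50}

def parse_config(text: str) -> PvlanConfig:
    cfg, vlan, port = PvlanConfig(), None, None   # vlan/port track the current config context
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan, port = int(m.group(1)), None
        elif line.startswith("interface "):
            name = line[len("interface "):]
            port, vlan = cfg.ports.setdefault(name, Port(name)), None
        elif vlan is not None:
            if m := re.fullmatch(r"private-vlan (isolated|community|primary)", line):
                cfg.vlan_types[vlan] = m.group(1)
            elif m := re.fullmatch(r"private-vlan association ([\d,]+)", line):
                cfg.associations.setdefault(vlan, set()).update(_vlans(m.group(1)))
        elif port is not None:
            if m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", line):
                port.mode = m.group(1)
            elif m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line):
                port.primary, port.secondaries = int(m.group(1)), {int(m.group(2))}
            elif m := re.fullmatch(r"switchport private-vlan mapping (\d+) ([\d,]+)", line):
                port.primary, port.secondaries = int(m.group(1)), _vlans(m.group(2))
    return cfg

def check(cfg: PvlanConfig) -> list[str]:
    """Return the mapping rules the config violates (empty list means consistent)."""
    problems = []
    for primary, secs in cfg.associations.items():
        if cfg.vlan_types.get(primary) != "primary":
            problems.append(f"vlan {primary} has an association but is not declared primary")
        isolated = [s for s in secs if cfg.vlan_types.get(s) == "isolated"]
        if len(isolated) > 1:   # the restriction in the Catalyst 6500 doc Jon cites
            problems.append(f"primary {primary} maps {len(isolated)} isolated vlans; only one is allowed")
    for p in cfg.ports.values():
        for s in p.secondaries - cfg.associations.get(p.primary, set()):
            problems.append(f"{p.name}: vlan {s} is not associated with primary {p.primary}")
    return problems

def can_talk(cfg: PvlanConfig, a_name: str, b_name: str) -> bool:
    """Layer-2 reachability between two PVLAN ports, following the host/promiscuous rules."""
    a, b = cfg.ports[a_name], cfg.ports[b_name]
    if not a.mode or not b.mode or a.primary != b.primary:
        return False
    if "promiscuous" in (a.mode, b.mode):
        host, prom = (a, b) if a.mode == "host" else (b, a)
        # promiscuous <-> promiscuous always; host <-> promiscuous only if its secondary is mapped
        return host.mode == "promiscuous" or host.secondaries <= prom.secondaries
    if a.secondaries != b.secondaries:    # hosts in different secondary vlans never talk directly
        return False
    (sec,) = a.secondaries
    return cfg.vlan_types.get(sec) == "community"   # isolated hosts reach only the promiscuous port
```

`check(parse_config(SAMPLE_CONFIG))` returns an empty list for the sample; appending a second isolated vlan (for instance a constructed `vlan 41`) to the association of vlan 200 makes it report the violation Jon's document describes. `can_talk` returns False for the two ports in isolated vlan 40 and True for the two ports in community vlan 50, while every host port reaches the promiscuous port, which is the behaviour Giuseppe describes: servers share one subnet but can only talk to the gateway.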
