Chapter 27 - PVLANs

Question 1

Can PVLANs communicate with each other?

Answer 1

PVLANs are unable to communicate with each other on Layer 2; all traffic has to be routed through a Layer 3 device, where additional security techniques, such as ACLs, can be applied.

Question 2

What does a PVLAN domain contain?

Answer 2

A PVLAN domain encompasses the entire actual VLAN subnet and all its hosts.

Question 3

What does a PVLAN port in Promiscuous mode do?

Answer 3

A promiscuous port belongs to the primary VLAN and can communicate with all mapped ports in the primary VLAN, including community and isolated ports. A port that provides an uplink connection to a router is configured as a promiscuous port, because all hosts need to communicate with the router. There can be multiple promiscuous ports in a primary VLAN.

Question 4

What does a PVLAN port in Isolated mode do?

Answer 4

An isolated port is a host port that belongs to an isolated secondary VLAN. An isolated port has complete isolation from other ports, except with associated promiscuous ports. You can have more than one isolated port in a specified isolated VLAN. Each port is completely isolated from all other ports in the isolated VLAN.

Question 5

What does a PVLAN port in Community mode do?

Answer 5

A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with associated promiscuous ports. They are isolated from all ports in other community VLANs and all isolated ports.

Question 6

What considerations must be made regarding VLAN Trunking Protocol (VTP) before PVLANs can be configured?

Answer 6

VTP must be set to transparent mode or off, before the PVLAN configuration is possible.

Question 7

How do you configure PVLANs on a switch?

Answer 7

SW(config)# vlan 100
SW(config-vlan)# private-vlan primary (Configure the primary VLAN)
SW(config)# vlan 101
SW(config-vlan)# private-vlan isolated (Configure an isolated secondary VLAN)
SW(config)# vlan 102
SW(config-vlan)# private-vlan community (Configure a community secondary VLAN)
SW(config)# vlan 100
SW(config-vlan)# private-vlan association 101,102 (Associate secondary VLANs 101 and 102 with the primary VLAN 100)

Question 8

How do you configure a promiscuous port?

Answer 8

SW(config)# interface GigabitEthernet 0/1
SW(config-if)# switchport mode private-vlan promiscuous
SW(config-if)# switchport private-vlan mapping 100 add 101,102
promiscuous ports should be used when connecting to a layer 3 device that is a default gateway or doing inter-VLAN routing.

Question 9

How do you configure an interface to be an isolated PVLAN port?

Answer 9

SW(config)# interface range GigabitEthernet 0/2
SW(config-if-range)# switchport mode private-vlan host
SW(config-if-range)# switchport private-vlan host-association 100 101
Configure the port to become a part of primary VLAN 100 and secondary (isolated) VLAN 101.

Question 10

How do you configure an interface to be a community PVLAN port?

Answer 10

SW(config)# interface range GigabitEthernet 0/3
SW(config-if-range)# switchport mode private-vlan host
SW(config-if-range)# switchport private-vlan host-association 100 102
Configure the port to become a part of primary VLAN 100 and secondary (community) VLAN 102.

Question 11

What Cisco switches support Isolated and Promiscuous PVLAN trunk ports?

Answer 11

Isolated and promiscuous PVLAN trunk ports are supported only on modular switch platforms such as the Cisco Catalyst 4500 and 6500 Series Switches.

Question 12

How does a Promiscuous trunk port work?

Answer 12

Used where a PVLAN promiscuous host port would normally be used but where it is necessary to carry multiple normal VLANs or PVLAN domains.

Whenever a frame from a secondary VLAN is going to sent out such trunk, its 802.1Q tag will be rewritten with the appropriate primary VLAN ID. That is usable if you are, for example, doing a router-on-stick between several primary private VLANs. As the router does not understand that multiple secondary PVLANs actually map to a single particular primary PVLAN, the promiscuous trunk port will translate all secondary PVLAN IDs into the corresponding primary PVLAN ID.

Question 13

How does an isolated PVLAN trunk port work?

Answer 13

An isolated PVLAN trunk port is used when connecting a PVLAN-enabled switch with a switch that has no PVLAN support.

An isolated PVLAN trunk translates primary PVLAN ID tag into the isolated secondary PVLAN ID that is associated with the primary PVLAN. This is used if you want to extend the secondary isolated PVLAN onto a switch that does not support PVLANs. Thus, if a frame is coming from a promiscuous host port somewhere in the primary PVLAN and is about to be sent out the isolated PVLAN trunk port, its 802.1Q tag currently carrying the primary PVLAN ID will be rewritten to the isolated secondary PVLAN ID.

Question 14

Why would you use a protected / PVLAN edge port?

Answer 14

• Also known as PVLAN edge
• Alternative to PVLAN, when the PVLAN feature is not available
• Protected ports cannot communicate with protected ports on the same switch
• Protected ports can communicate with all nonprotected ports
• Usually only used to restrict hosts on a single switch as it is only locally significant.

Question 15

How do you configure a protected / PVLAN edge port?

Answer 15

SW(config)# interface GigabitEthernet 0/1

SW(config-if)# switchport protected