Private VLANs

Question 1

What are private VLANs?

Answer 1

VLANs that have limited access to other VLANs on the network, or even limited access to other hosts on the same VLAN.

Question 2

What are the three type of private VLANs?

Answer 2

Community VLANs, isolated VLANs, and Primary VLANs.

Question 3

Describe a community VLAN.

Answer 3

Hosts on community VLANs can speak to each other but cannot talk to other VLANs on the network.

Question 4

Describe an isolated VLAN.

Answer 4

Hosts on an isolated VLAN cannot talk to other VLANs on the network or even other hosts in the same isolated VLAN.

Question 5

List two benefits of private VLANs.

Answer 5

Increased security, and the ability to use the same IP range across multiple VLANs without subnetting.

Question 6

Describe a primary VLAN.

Answer 6

Primary VLANs contain the gateway used by community and isolated VLANs to get out of the network. Primary VLANs can only be reached via a promiscuous port.

Question 7

Describe a promiscuous port.

Answer 7

A promiscuous port is the only type of port that community and isolated VLANs are allowed to use to access their gateway.

Question 8

What feature must be disabled for private VLANs to work?

Answer 8

VTP. It must be set to transparent or off.

Question 9

Briefly describe the steps in configuring private VLANs.

Answer 9

1.Configure a primary VLAN and associate it with your community and isolated VLANs. 2.Configure your community and isolated VLANs. 3.Configure your promiscuous interface and associate it with all private VLANs (primary, community and isolated). 4.Configure your community and isolated ports and associate them with their respective VLAN AND the primary VLAN.

Question 10

Refer to the exhibit. The web servers WS_1 and WS_2 need to be accessed by external and internal users. For security reasons, the servers should not communicate with each other, although they are located on the same subnet. The servers do need, however, to communicate with a database server located in the inside network. What configuration will isolate the servers from each other?

PVLAN_promiscuous_ports.jpg

A. The switch ports 3/1 and 3/2 will be defined as secondary VLAN community ports. The ports connecting to the two firewalls will be defined as primary VLAN promiscuous ports.
B. The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls will be defined as primary VLAN promiscuous ports.
C. The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls will be defined as primary VLAN community ports.
D. The switch ports 3/1 and 3/2 will be defined as secondary VLAN isolated ports. The ports connecting to the two firewalls will be defined as primary VLAN promiscuous ports.

Answer 10

Answer: D

Explanation

WS_1 and WS_2 cannot communicate with each other so we can put them into isolated ports. Isolated ports can only communicate with promiscuous ports so Fa3/34 and Fa3/35 should be promiscuous ports so that they can send and receive data with the Data Server.

Note: Answer A is not clear because it does not state the switch ports 3/1 and 3/2 are put into the same or different VLAN community ports. If they are put into different VLAN communities then answer A is correct.

Question 11

Refer to the exhibit. What can be concluded about VLANs 200 and 202?

show_vlan_private-vlan_type.jpg

A. VLAN 202 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 200 carries traffic between community ports and to promiscuous ports.
B. VLAN 202 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 200 carries traffic from isolated ports to a promiscuous port.
C. VLAN 200 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 202 carries traffic between community ports and to promiscuous ports.
D. VLAN 200 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 202 carries traffic from isolated ports to a promiscuous port.

Answer 11

Answer: B

Explanation

In fact the exhibit above is wrong, that output should be from the command “show vlan private-vlan”. The “show vlan private-vlan type” should give output like this:

Vlan
————– Type
————-
202
200 Primary
isolated
With this output we can see VLAN 202 is configured as the primary VLAN while VLAN 200 is configured as secondary (isolated) VLAN -> B is correct.

Question 14

Private VLANs can be configured as which three of these port types? (Choose three)

A. isolated
B. protected
C. private
D. associated
E. promiscuous
F. community

Answer 14

Answer: A E F

Explanation

There are three types of ports can be configured in a Private VLAN: isolated, promiscuous, community.

* Isolated: only communicate with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only 1 isolated VLAN per PVLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to this port so that all devices in PVLAN can go outside.
* Community: can communicate with other members of that community and promiscuous ports but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.

Question 15

Refer to the exhibit. From the configuration shown, what can you determine about the private VLAN configuration?

Switch# configure terminal
Switch (config)# vlan 20
Switch (config-vlan)# private-vlan primary
Switch (config-vlan)# exit
Switch (config)# vlan 501
Switch (config-vlan)# private-vlan isolated
Switch (config-vlan )#exit
Switch (config)# vlan 502
Switch (config-vlan)#private-vlan community
Switch (config-vlan)# exit
Switch (config)# vlan 503
Switch (config-vlan )# private-vlan community
Switch (config-vlan)# exit
Switch (config)# vlan 20
Switch (config-vlan)#private-vlan association 501-503
Switch (config-vlan)# end
A. Only VLAN 503 will be the community PVLAN because multiple community PVLANs are not allowed.
B. Users of VLANs 501 and 503 will be able to communicate.
C. VLAN 502 is a secondary VLAN.
D. VLAN 502 will be a standalone VLAN because it is not associated with any other VLANs.

Answer 15

Answer: C

Explanation

There are two types of secondary VLAN: isolated and community. In this case VLAN 502 is a community VLAN -> C is correct.

In a PVLAN, multiple community VLANs are allowed. But notice a PVLAN can have only one primary VLAN and one isolated VLAN -> A is not correct.

Only community in the same VLAN can communicate with each other. Users in different communities are not able to communicate -> B is not correct.

The command “private-vlan association 501-503″ associates VLANs 501, 502 and 503 to the Primary VLAN 20 -> D is not correct.

Question 16

When configuring private VLANs, which configuration task must you do first?

A. Configure the private VLAN port parameters.
B. Configure and map the secondary VLAN to the primary VLAN.
C. Disable IGMP snooping.
D. Set the VTP mode to transparent.

Answer 16

Answer: D

Explanation

Before configuring private VLANs, we must set VTP mode to transparent because VTP version 1 and 2 do not support private VLAN (VTP version 3 does support PVLAN). Notice that a switch in VTP transparent mode still forwards other VTP updates to its neighbors.

Question 17

A switch has been configured with Private VLANs. With that type of PVLAN port should the default gateway be configured?

A. Trunk
B. Isolated
C. Primary
D. Community
E. Promiscuous

Answer 17

Answer: E

Explanation

A default gateway should be configured Promiscuous type so that all devices in PVLAN can go outside.

Question 18

what is a PVLAN?

Answer 18

a private VLAN can be logically associated with a special secondary vlan

Question 19

what if a secondary VLAN?

Answer 19

hosts associated with a secondary VLAN can communicate with ports on the primary but not with another secondary VLAN

Question 20

what are the 2 types of secondary VLAN?

Answer 20

isolated and community

Question 21

what is an isolated secondary VLAN?

Answer 21

any ports associated with an isolated vlan can reach the primary, but not any other secondary. Hosts withn an isolated vlan can’t reach each other

Question 22

What is a community secondary VLAN?

Answer 22

hosts within a secondary can communicate with each other and with the primary, but not with another secondary vlan

Question 23

Of what significance are private VLANs

Answer 23

local only

Question 24

What are the two private vlan association modes?

Answer 24

promiscuous and host

Question 25

What is the PVLAN promiscuous mode?

Answer 25

connects to a router, firewall, or gateway. Can communicate with anything else connected to the primary or any secondary. Ignores pvlan config

Question 26

What is the PVLAN host mode?

Answer 26

connects to a host on an isolated or community vlan. Communicates only with promiscuous port or ports on same community vlan

Question 27

Which private VLAN access port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports?

Answer 27

promiscuous port

Question 28

Which private VLAN can have only one VLAN and be a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the gateway?

Answer 28

isolated VLAN

Question 29

When you configure private VLANs on a switch, which port type connects the switch to the gateway router?

Answer 29

promiscuous

Question 30

When you configure a private VLAN, which type of port must you configure the gateway router port as?

Answer 30

promiscuous port

Question 31

Define promiscuous port

Answer 31

With private VLANs, a port that can send and receive frames with all other ports in the private VLAN.

Question 32

Define community VLAN

Answer 32

With private VLANs, a secondary VLAN in which the ports can send and receive frames with each other, but not with ports in other secondary VLANS.

Question 33

Define isolated VLAN

Answer 33

With private VLANs, a secondary VLAN in which the ports can send and receive frames only with promiscuous ports in the primary VLAN.

Question 34

Define private VLAN

Answer 34

A Cisco switch feature that allows separation of ports as if they were in separate VLANs, while allowing the use of a single IP subnet for all ports.

Question 35

What is a *Private VLAN*?

Answer 35

A Private VLAN allows segregation of traffic within the same VLAN itself.

Question 36

What is the Primary VLAN in Private VLAN?

Answer 36

The Primary VLAN controls IP subnet reachability.

Question 37

What is the Secondary VLANs in Private VLAN?

Answer 37

The Secondary VLANs control the security policy.

Question 38

What is a Community Secondary VLAN in Private VLAN?

Answer 38

A Community Secondary VLAN allows members of the community to speak with each other, but no one else outside.

Question 39

What is an Isolated Secondary VLAN in Private VLAN?

Answer 39

An Isolated Secondary VLAN does not allow any communication within the Primary VLAN domain.

Question 40

What is the *Promiscuous Port* in Private VLAN?

Answer 40

Promiscuous Port allows PVLAN hosts to reach a default gateway for outside routing.

Question 41

What configuration commands sets up a *PVLAN*?

Answer 41

CONFIGURE SECONDARY PVLAN
Sw1(config)# vlan <vlan-id><br></br>Sw1(config-vlan)# private-vlan <community></community></vlan-id>

CONFIGURE PRIMARY PVLAN
Sw1(config)# vlan <vlan-id><br></br>Sw1(config-vlan)# private-vlan primary<br></br>Sw1(config-vlan)# private-association <vlan-ids><br></br>This ties secondary vlans with primary</vlan-ids></vlan-id>

CONFIGURE HOST
Sw1(config-if)# switchport mode private-vlan host
Sw1(config-if)# switchport private-vlan host associatio <prim-pvlan> <sec-pvlan></sec-pvlan></prim-pvlan>

CONFIGURE PROMISCUOUS
Sw1(config-if)# switchport mode private-vlan promiscuous (only on physical)
Sw1(config-if)# switchport private-vlan mapping <prim> <sec> (only on physical)<br></br>Sw1(config-if)# private-vlan mapping <sec> (SVI)</sec></sec></prim>