holy guacamole... I've never seen this level of perfection, the clearest sound, concise and concrete video and the best illustration!
The only 1 man on youtube, who actually explained how this mechanism of pvlans works! Ty a lot!!
Thank you for the kind words!
i enjoyed how much you loved talking about private-vlans you almost couldn't contain your joy at the end there ! 10/10
Thanks a lot for these MicroNuggets. Makes my learning and labbing so much better and easier. Just watch micronugget and lab it out!! Don't have to read 300 pages or watch 30 min video about a topic!! I really encourage you guys to do more of such videos, these are golden. Thanks again.
No words to thank. I am completely new to the topic and at age 55+ I can understand. You made it easy through your nice presentation. Be blessed.
Bryan McGann thinks that this Private VLAN video is excellent. This is great training for the Cisco SWITCH exam.
As always, you're the best Keith!!
The nicest explanation I got about private vlans!
Great video. I can say now that I know how private VLANs work. With a simple analogy you explain a hard concept very well. Thanks.
You just demystified PVLAN. thanks a bunch
I saw some videos in a CCNP Security training but really this explanation is still kicking! Thanks a LOT!!!
This is wonderfully described. Just perfect. Thank you very much Keith. :)
Great explanation, hats off Mr Keith
Thanks Keith.
Very brilliant explanation
Great video. I have some queries:
1) What about communicating between two different primary VLANs that have secondary VLANs?
2) Will inter-VLAN routing work as it did before, or will it be affected by PVLAN security?
3) What if we have access between two devices in terms of inter-VLAN routing but no access in terms of PVLAN security? What would the effective access be?
Keith, that was amazing. This was more than a good review before I start reading about Private VLANs at CCIE level. Thanks a lot :)
Hello Ahmed, God willing you have prepared for and obtained the CCIE certification, my friend.
Just a question: when typing the description, [! explanation], is that a way to do hostnames or is it meant just as a description for the video? Maybe a note like in programming, [//explanation]. Was curious.
Thanks Keith, perfectly explained and makes sense. +1 subscription from me
excellent explanation
Thank you!
Wow, great analogy, explanation and full config in under 10 minutes! Are you going to cover VACL's?
Hi Peter-
We cover VACL's in the CCNP Security SENSS course at www.CBTNuggets.com
If you aren't yet a member, there is a 7 day free trial and during that time you could check out the videos on VACLs, as well as the more in depth videos about Private VLANs.
Thanks for the feedback.
Keith
Are the VLANs 200, 300, 400, 500 visible outside the switch, i.e. past the uplink port, or will the Ethernet frames show up as tagged with ID 100?
Amazing Thank you
I have done and ensured all of this, but my VLAN type is not changing; it is showing type as normal. I have set it to community and isolated but it is not working.
Thanks for the great video!! Can the same port be part of isolated and community VLANs with different VLAN IDs?
E.g. Gi 0/11 as a part of VLAN200 and VLAN300, where VLAN200 is an isolated VLAN and VLAN300 is a community VLAN.
But even the creation of VLAN access ports does the same job, right?
commendable job.
If I sign up for CBT Nuggets again it would be because of Keith.
He's amazing :)
wow where did you get that stuff? it must be pretty strong.
Great
Does the primary VLAN have to be the only one for all ports, or can I have two primaries, one per half of the switch?
Hi Bernd, thank you for your question! The primary VLAN will be the native VLAN, this is for the untagged traffic. There isn’t really a purpose to have two native VLANs. You’d have your VLAN 10, 20 for example on let’s say each half of the switch and that would isolate the traffic for the respective ports. There will still be a VLAN 1, which by default is the native VLAN. We hope this is helpful, let us know if you have any other questions. Thank you for learning with us!
OMG, it's a lot of work for only a couple of VLANs... in case it's used for security, then why not implement the VACL or Protected Edge Ports concept?
👍
Hello Keith... this is new for me... can you add some uses of these Private VLANs... realistic scenarios... why use them instead of normal access VLANs? Regards from Chile!
Imagine if you hosted a server farm for clients (like Rackspace or Microsoft Azure, VMWare, etc.). Instead of creating a subnet for each host, you can put them in an isolated VLAN and not worry about who can talk to whom. That's the first one that comes to my mind.
DavisTasar
Thanks David... I have been reading more about this feature, but now I realize this is not supported across the whole Cisco switch suite...
Cristobal Vallejos
Yep, you need a layer 3 switch, I believe: 3560 or later series. If you're running a 3550 you'd need to go with a "router-on-a-stick" topology for inter-VLAN routing. The trunk port would become the "dock".
Thanks Davis on an excellent example!
Cheers,
Keith
Started going way too fast on the console commands around the 8 minute mark forward. Slow it down
sbentjies Thanks for the comment. We have passed along your feedback to Keith for him to take into consideration when creating future MicroNuggets.
I thought the speed is fine...
The single one thing that was left off and still leaving me with questions is the "WHY" why do you need isolated ports? the fact that was left off is agitating... No use learning a feature and not knowing why you would use it. What is the significance of isolated ports?...
Isolated ports are nice because you can configure different departments within those VLANs. This means that a switch is only going to forward a broadcast to those in the group. Once you get beyond a few hundred devices in your broadcast domain, your broadcast traffic gets to the point where it's making a serious negative impact on your network.
don't get me started on intervlan routing on trunk ports of a dist switch, what a pain! access switch1 has vlan xxx , access switch2 has vlan yyy connected to dist switch's trunk designated ports. router on a stick set up correctly, and guess what, vlan xxx and yyy won't come online... kill me
Facts, this is a pain that no one shows, I believe.
show vlan private-vlan command shows non-operational.
What's the need of using Private VLANs ?
VAN Added security. Isolated ports can only talk to promiscuous ports. So you have a way of isolating hosts which are in the same subnet from each other.
Another use would be to save address space. If you need to have lots of vlans with just a few hosts in them, you could use the private vlan concept. Normally one vlan would be mapped to one subnet, here you can have the subnet mapped to the primary vlan and you can have the community/isolated vlans in the same subnet.
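Added example (my own code, not the video's or CBT Nuggets'): a small Python model of the private VLAN forwarding rules described in this reply (isolated hosts reach only promiscuous ports, community hosts also reach their own community, everything shares the primary VLAN's subnet). It uses the VLAN numbers mentioned in the thread (primary 100, secondaries 200-500); the port names and role assignments are constructed, and it assumes each host port is associated with exactly one secondary VLAN.

```python
# Model of private VLAN layer-2 reachability (added example, not from the video).
# VLAN numbers come from the thread; port names/roles are constructed samples.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PRIMARY = 100
# Secondary VLAN -> type. A host port is associated with exactly one of these.
SECONDARIES = {200: "isolated", 300: "community", 400: "community", 500: "isolated"}


@dataclass(frozen=True)
class Port:
    name: str
    primary: int              # every PVLAN port belongs to one primary VLAN
    secondary: Optional[int]  # host ports: one secondary VLAN; promiscuous: None

    @property
    def role(self) -> str:
        return "promiscuous" if self.secondary is None else SECONDARIES[self.secondary]


def can_forward(src: Port, dst: Port) -> bool:
    """Whether a frame from src may be delivered to dst inside the PVLAN
    (pure layer-2 rules: no VACLs, no inter-VLAN routing considered)."""
    if src == dst or src.primary != dst.primary:
        return False                       # another primary = another PVLAN domain
    if "promiscuous" in (src.role, dst.role):
        return True                        # promiscuous port reaches every host
    if "isolated" in (src.role, dst.role):
        return False                       # isolated hosts reach promiscuous only
    return src.secondary == dst.secondary  # community: same community VLAN only


def reachability(ports: List[Port]) -> Dict[Tuple[str, str], bool]:
    """Full source->destination matrix, useful for reviewing a PVLAN design."""
    return {(a.name, b.name): can_forward(a, b)
            for a in ports for b in ports if a is not b}


PORTS = [  # constructed sample design on one switch
    Port("Gi0/24", PRIMARY, None),  # uplink / default gateway: promiscuous
    Port("Gi0/11", PRIMARY, 200),   # isolated host
    Port("Gi0/12", PRIMARY, 200),   # another isolated host
    Port("Gi0/13", PRIMARY, 300),   # community A
    Port("Gi0/14", PRIMARY, 300),   # community A
    Port("Gi0/15", PRIMARY, 400),   # community B
]

if __name__ == "__main__":
    for (a, b), ok in sorted(reachability(PORTS).items()):
        print(f"{a} -> {b}: {'allowed' if ok else 'blocked'}")
```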