7 replies to this topic

[eXPlosionas]

I do not clearly understand how routing between two community vlans works as vlans belong to the same subnet, computer will not send arp broadcast looking for gateway's (router's) mac. It will be looking for computer's mac in another community vlan. How does router knows when to reply?

Here is from some blog:
"When we split VLAN using PVLANs, hosts in different PVLANs still belong to the same IP subnet, but they need to use router (another L3 device) to talk to each other (for example, by means of local Proxy ARP)."
Proxy ARP is when router knows how to get to another network and then responds to computer with it's mac. In PVLANS case it's local subnet. So i don't understand

[MarkinManchester]

Hi

Try to read this and absorb the information in section "Working"

http://en.wikipedia....ki/Private_VLAN

Mark

[eXPlosionas]

Ok, here is from wikipedia:
" Any switch ports associated with a common community VLAN can communicate with each other and with the primary VLAN but not with any other secondary VLAN."
Do they mean local traffic? What about routing between two community VLANs.
Also the last sentence confused me:
"Traffic from an Uplink port to an Isolated port will be denied if it is in the Isolated VLAN. Traffic from an Uplink port to an isolated port will be permitted if it is in the primary VLAN."
How can isolated port be in primary VLAN? I thought isolated port is in isolated VLAN. Also confuses me isolated and comunity ports and VLANs. Isn't it the same?

[afrmonteiro]

Hi,

Two secondary VLANs that belong to VLAN X's community will forward traffic between them and with the primary VLAN X. These secondary VLANs are configured in community ports and traffic in these VLANs can be forwarded between ports within the same community or to promiscuous port (normally an uplink). However, if traffic is coming from an isolated port that belongs to VLAN X, the only possible path is through the promiscuous port. Traffic coming from outside the network may reach the isolated PVLANs or the community PVLANs. Every time a host communicates upwards, he uses the secondary VLAN configured; but if he receives traffic, the packets use the primary VLAN to reach him.

Check this document as well. Maybe it is more clear for you. http://www.cisco.com...08013565f.shtml

I hope my comments are helpful to you.

Cheers

[eXPlosionas]

"Traffic from an Uplink port to an isolated port will be permitted if it is in the primary VLAN"
How can isolated port be in primary VLAN? I don't clearly understand difference between let's say isolated VLAN and isolated port.

[martinlo]

I would search for vidoes on this; it is confusing; the best ones are on INE but there are some free ones on youtube.

[afrmonteiro]

Well every time you have an isolated VLAN configured on an interface, that interface is a secondary port, while the uplink port is the promiscuous port. The promiscuous port/interface is where you do the mapping between the primary VLAN and the secondary VLANs. The association between an isolated/community VLAN is done at the primary vlan configuration mode.

I hope it helps you!

[linda86]

"Traffic from an Uplink port to an isolated port will be permitted if it is in the primary VLAN"
How can isolated port be in primary VLAN? I don't clearly understand difference between let's say isolated VLAN and isolated port.

That's really kind of difficult...if you want to know it very clearly, i think you'd better make clear what are routers, what are switches, what is VPN and how do they work and connect with each other... Haha, good luck!