Cisco Switch : Private VLAN’s

Private VLAN’s are a very interesting and mostly used for Network segmentation and fun concept but it can take a little to get your head around, so here goes.

Private VLAN’s split a VLAN into Sub-VLANs, called Primary and Secondary.  Secondary VLAN’s have 2 different types :  Isolated and Community.

In this example the Primary VLAN is 100 and the Secondary VLAN’s are Isolated VLAN 200, Community VLAN 300 and Community VLAN 400.

An important port to know about before beginning is called the Promiscuous Port. It acts like a Gateway that routes Primary and Secondary-VLAN traffic, and all Secondary-VLAN traffic must pass through the Promiscuous Port.

Isolated ports can only talk to the Primary VLAN through a Promiscuous Port (Uplink/Gateway Port)

Community ports can talk to each other, if they are in the same Community Secondary-VLAN.

VTP must be set to transparent mode for Private VLAN’s to work.

Here is how to configure Private VLAN’s

First we need to configure the Primary VLAN

TPW-SW1(config)#vlan 100
TPW-SW1(config-vlan)#private-vlan primary 

Configure the Isolated VLAN

TPW-SW1(config)#vlan 200
TPW-SW1(config-vlan)#private-vlan isolated 

Configure the Community VLAN’s

TPW-SW1(config)#vlan 300
TPW-SW1(config-vlan)#private-vlan community 

TPW-SW1(config)#vlan 400
TPW-SW1(config-vlan)#private-vlan community 

Now we have to associate the Primary VLAN to the Isolated and Community VLAN’s

TPW-SW1(config)#vlan 100 
TPW-SW1(config-vlan)#private-vlan association 200 
TPW-SW1(config-vlan)#private-vlan association 300
TPW-SW1(config-vlan)#private-vlan association 400

This is where we configure for fa0/1 as the Promiscuous Port

TPW-SW1(config-if)# int fa0/1 
TPW-SW1(config-if)#switchport mode private-vlan promiscuous

We have to tell the Promiscuous Port that it is associated with the  (Isolated and Community VLAN’s) that it can also see and talk to them appropriately.

TPW-SW1(config-if)#switchport private-vlan host-association 100 200,300,400

Configure fa0/2 and fa0/7 as the Isolated port, but also about its Primary VLAN 100

TPW-SW1(config-if)# int fa0/2 
TPW-SW1(config-if)#switchport mode private-vlan host
TPW-SW1(config-if)#switchport private-vlan host-association 100 200

TPW-SW1(config-if)# int fa0/7 
TPW-SW1(config-if)#switchport mode private-vlan host 
TPW-SW1(config-if)#switchport private-vlan host-association 100 200 

Configure fa0/3 and 4 as community ports, but also about its Primary VLAN 100

TPW-SW1(config)#int range fa0/3 - 4 
TPW-SW1(config-if-range)# switchport mode private-vlan host
TPW-SW1(config-if-range)# switchport private-vlan host-association 100 300
TPW-SW1(config-if-range)# exit

Configure fa0/5 and 6 as community ports, but also about its Primary VLAN 100

TPW-SW1(config)#int range fa0/5 - 6 
TPW-SW1(config-if-range)# switchport mode private-vlan host
TPW-SW1(config-if-range)# switchport private-vlan host-association 100 400
TPW-SW1(config-if-range)# exit

You can confirm the Private VLAN’s are setup correctly with the following show command

TPW-SW1#show vlan private-vlan

Primary      Secondary    Type                Ports
-------      ---------    -----------------   ----------------------------------
100          200          isolated            fa0/2, fa0/7
100          300          community           fa0/3, fa0/4
100          400          community           fa0/5, fa0/6

Here is the topology of what was just built.

Here is a table of what can talk to each other


Computer PC1 – Isolated – VLAN 200 PC2 – Isolated – VLAN 200 PC3 – Community VLAN 300 PC4 – Community VLAN 300 PC5 – Community VLAN 400 PC6 – Community VLAN 400
PC1 – Isolated – VLAN 200 YES NO NO NO NO NO
PC2 – Isolated – VLAN 200 NO YES NO NO NO NO
PC3 – Community VLAN 300 NO NO YES YES NO NO
PC4 – Community VLAN 300 NO NO YES YES NO NO
PC5 – Community VLAN 400 NO NO NO NO YES YES
PC6 – Community VLAN 300 NO NO NO NO YES YES


Cisco : SPAN and Remote SPAN

As part of the CCNP Switch you get introduced to a topic called SPAN and Remote SPAN. This feature allows Network Engineers to capture packets flowing to and from a Interface or VLAN and mirror or forward those packets to a Packet Capture Analyzer software such as Wireshark.

Things to be aware of when setting SPAN and RSPAN up:

  • Make sure you destination port is of equivalent speed to the Source port otherwise you could drop packets.
  • A source port cannot be the same as a destination port
  • A destination port can only  be a part of one SPAN session
  • Source ports can be part of a EtherChannel but destinations ports cannot
  • Trunk ports can be setup as source and destination and the default behavior will monitor all active VLAN’s on that port
  • Destination Ports will not participate in STP, CDP, VTP, DTP or LACP
  • The number of SPAN sessions can vary on different switch models

The source can be set to entire VLAN’s (VSPAN) or individual ports. The Source is the port or VLAN you want to monitor.

Here is what the basic SPAN topology would look like:


Here is how to setup the Source SPAN interface.


tpw-sw1(config)#monitor session 1 source interface GigabitEthernet 1/1

The Destination is the port you have the network analyzer connected to.

tpw-sw1(config)#monitor session 1 destination interface GigabitEthernet 1/2

Verify your SPAN port setup.

tpw-sw1#show monitor

Session 1


Type                   : Local Session

Source Ports           :

    Both               : Gi1/1

Destination Ports      : Gi1/2

The behavior is expected on a SPAN port:

tpw-sw1#sh int Gi1/1
FastEthernet1/1 is down, line protocol is down (monitoring)


However SPAN isn’t always going to be local, so luckily for us there is Remote SPAN (RSPAN). This feature allows the mirrored packets to traverse the trunk port to another switch via a separate VLAN. The configuration is fairly straightforward however there are a couple of caveats:

  1. All switches have to be RSPAN capable.
  2. VTP does treat the RSPAN VLAN like a regular VLAN and will propagate that through the VTP domain, but if its not you will have to add them manually to each switch
  3. VTP will prune the VLANS like a regular VLAN
  4. MAC address learning is disabled on the RSPAN VLAN
  5. Source and Destinations will be slightly different on each switch so don’t just copy the commands on each switch.

The topology would look something like this:

Here is the configuration for RSPAN tpw-sw1 – be  aware the destination RSPAN VLAN

tpw-sw1(config)#vlan 4000


tpw-sw1(config)#monitor session 1 source interface GigabitEthernet 1/1

tpw-sw1(config)#monitor session 1 destination remote vlan 4000

Verify your work.

tpw-sw1#show monitor

Session 1


Type                   : Local Session

Source Ports           :

    Both               : Gi1/1

Dest RSPAN VLAN     : 4000

Here is the configuration for RSPAN tpw-sw2 – be aware the source is the RSPAN VLAN

tpw-sw2(config)#vlan 4000


tpw-sw2(config)#monitor session 1 source remote vlan 4000

tpw-sw2(config)#monitor session 1 destination interface GigabitEthernet 1/2

Verify your work.

tpw-sw2#show monitor

Session 1


Type                   : Local Session

Source RSPAN VLAN        : 4000

Destination Ports     : Gi1/2

If you have a setup similar to below you have to name Remote SPAN VLAN 4000 on all intermediate switches.



Cisco : Port Security

Is this frame from a trusted Source? That is the question!

As I continue my CCNP studies, I near the end of the CCNP Switch Course, this is a topic that was covered in the CCNA, and I haven’t really touched it since, so here is a refresher.

A port enabled with port security will expect to see frames sourced from a particular MAC address or group of MAC addresses, if the switch receives a frame from a MAC address it does not have listed the port takes action according to the violation mode that is set. The violation mode by default is to shutdown the port.

Enable Port Security

*You can only enable port security on a edge port, so that means that port can never become a trunk port*

tpw-sw1(conf)# int gi0/1
tpw-sw1(config-int)#switchport mode access
tpw-sw1(config-int)#switchport access vlan 10
tpw-sw1(config-int)#switchport port-security

Confirm it is working and information gathering

tpw-sw1# show port-security
tpw-sw1# show port-security address
tpw-sw1# show port-security interface gi0/1

More Port Security options

tpw-sw1(conf)# int gi0/1
tpw-sw1(config-int) switchport port-security ?
          aging - Port-security aging commands
          mac-address  - Secure mac address
          maximum - Max secure addresses
          violation - Security violation mode
tpw-sw1(config-int) switchport port-security maximum <1-6144>
tpw-sw1(config-int) switchport port-security violation ?
          protect - Security violation protect mode (drops the offending frames )
          restrict - Security violation restrict mode (drops, creates log messages, but port remains active )
          shutdown - Security violation shutdown mode (default will put the port into err-disabled (fix problem first and shut, no shut))
tpw-sw1(config-int) switchport port-security mac-address ?
         H.H.H - 48 bit mac address
         sticky - Configure dynamic secure addresses as sticky (dynamic addresses but kept on switch reload )
tpw-sw1(config-int) switchport port-security aging ?
         time Port-security aging time
         type Port-security aging type

This is just the very basics of Port Security, there is similar implementations on all switches I have worked with.

The Packet Wizard : Spanning Tree Explained

Spanning Tree Protocol also known as STP

There are many different types of STP but here are a couple of the main ones

STP/802.1D – Original STP
PVST+ – Cisco Improved STP adding per VLAN feature
RSTP/802.1w – Improved STP with a much faster convergence time (Rapid Spanning Tree)
Rapid PVST+ – Cisco improved RSTP adding per VLAN feature

If you have a large network with lots of switches and VLAN’s you can use Per VLAN STP to plan for a more efficient network

Even although there are many versions of STP they all use a very similar set of rules.

What is STP?

STP is a feature used to prevent loops when you are using redundant switches and without STP a loop could form and cause a number of problems on the network.

During a unicast broadcast message (which happen all the time) the switch will forward the frame out of every port except the one it came in on. Therefore if SW1 sends a frame out and SW2 and SW3 receive it then SW2 and SW3 will forward out all ports except the one it came in on.  SW2 sends to SW3 and SW1. SW3 send to SW2 and SW1 and you can see how the loop is now beginning to form. This is known as a broadcast storm, this can kill a switches CPU and Memory usage very quickly.

The second problem is the MAC address being changed all the time as it receives frames. For example SW1 sends a broadcast message, SW2 and SW3 receive it, then forward it out all other ports like in the scenario above. However each switch learns the MAC address of the next switch and assigns that in the MAC address table, but if you consider SW1 sending to SW2 and SW3 and then SW2 and SW3 forwarding those frames and they eventually get back to SW1 but on different ports, then the MAC Address table will change constantly from I know about SW2 on this port,  I now know about SW2 via SW3 on this port, and that can cause unstable MAC address tables.

Another issues is explained below

HOST1  sends data to HOST2, however since SW2 doesn’t know how to get to SW2 it sends frames out all ports, thus sending to SW1 and SW3 so HOST2 receives frames from HOST1 via SW3 and then again via SW1>SW3. This is known as Duplicate Frames.

So how do we fix the issues mentioned above? Thats right Spanning Tree Protocol by blocking one of the redundant paths.

The question now becomes how do the switches decide on that Port to block? STP follow’s strict rules, when deciding what ports to block. 

1) Elect a Root Bridge (ROOT)
2) Place root interfaces into forwarding (FWD)
3) Select Root Port on non-Root Bridge Switches (RP) – this is the best root to the Root Bridge.
4) Non Root Switches decide on a Designated Port (DP)
5) All other ports put into Blocking State (BLK)

On per VLAN STP You could have this on VLAN 10

and this on VLAN 20

I will now cover the port roles and the port states so you know what each is:

Root Ports : The best port to get to the Root Bridge

Designated Ports : The Lowest cost alternate best root to the Root Bridge.
Non Designated Ports : All other ports that are in blocking mode.

Disabled : A Port is shutdown
Blocking : A Port that is blocking traffic
Listening : A Port that is not forwarding and not learning MAC addresses
Learning: A Port that is learning MAC addresses but is not forwarding traffic
Forwarding : A Port that is sending and receiving traffic as normal

When ports change from one Role to another it will go through the Port States. Note also that the Listening and Learning states are transitional and it wont stay on either.

Root Bridge Election

Each switch has and sends messages to each other called Bridge Protocol Data Units (BPDU’s) These BPDU’s contain specific information pertaining to each switch, such as Root Cost, Bridge ID (BID) for Itself and for the Root.  A BID is made up of STP Priority and MAC address, the default value of The BID on SW1 would be 327691111:1111:1111 since 32769 is the default STP priority and the MAC address. The switch with the lowest BID will become the Root Bridge. This is what is looks like before the Root Bridge Election and the exchange of the BPDU’s

This is what it looks like after, when the lowest BID wins.

The ports on each switch now transition into their respective states following the STP Rules as mentioned above.

The ports can change based on the Cost of each link. The port costs are listed below, however in this example we will just be using Gig Ports, but for clarity a FastEthernet Port will be slower than a GigEthernetPort, the faster the port the lower the cost. The Root Port (RP) is the lowest port cost.

Data rate STP cost RSTP cost
(Link Bandwidth) (802.1D-1998) (802.1W-2004, default value)
4 Mbit/s 250 5,000,000
10 Mbit/s 100 2,000,000
16 Mbit/s 62 1,250,000
100 Mbit/s 19 200,000
1 Gbit/s 4 20,000
2 Gbit/s 3 10,000
10 Gbit/s 2 2,000
100 Gbit/s N/A 200
1 Tbit/s N/A 20

This is a quick diagram of how the port costs are worked out to get back to the Root Bridge. SW2 to get to SW1 is 0+4=4 and SW2 via SW3 to SW1 is 4+4=8

Of course there can be ties between multiple connections and STP can be tuned.

Designated Ports are selected by Root Cost the by Lowest BID and then by lowest numbered Interface. Therefor in the diagram above the Designated port would be GigEth1 on SW3 since it is a lower numbered interface than SW2 GigEth2.

All ports that are not Root Ports or Designated Ports are Blocking Ports.

STP Convergence Times

BPDU/Hello time = 2 secs – Hello messages to each switch to see its still there
Max Age = 20 secs – How long a switch will wait for a response to the Hello message
Listening = 15 secs
Learning = 15 secs

= 52 secs to convergence

From the time a link goes down to convergence it takes a total of 52 Seconds. When STP was designed that was fine but now, this is much too slow which is where Rapid Spanning Tree Comes in.

3 missed BDPU/Hello at 2 sec each = 6 secs
Learning (no listening) = 15 secs

= 21 secs to convergence.

I hope this have given you a good explanation of STP. 


Cisco/Brocade : Basic Similar Commands

  • Here are some basic switch commands and the Cisco to Brocade differences, even though the OS’s are similar they have some subtle differences.




Configure a VLAN

Interface vlan 2

Vlan 2

Configure a trunk port

Int fa0/1

Switchport trunk encap dot1q

Switchport mode trunk

Vlan 2

Tagged eth 0/1/1

Vlan 3

Tagged eth 0/1/1

Vlan 4

Tagged eth 0/1/1

Interface ethernet 0/1/1

Dual-mode 1

Configure a access port

Int fa0/1

Switchport access vlan 2

Vlan 2

Untagged eth 0/0/1

Configure an IP address on a VLAN

Int vlan2

Ip address

Vlan 2

Router interface ve 1

Interface ve1

Ip address

Configure a range of ports

Int range fa0/1-10

Int eth 0/1/1 to 0/1/5

Configure a port for both voice and data vlans

Int fa0/1

Switchport access vlan2

Switchport voice vlan3


Tagged eth 0/1/1


Tagged eth 0/1/1

Inter eth 0/1/1

Dual-mode 1

Voice-vlan 3

Inline power

Show the interface status of a port/vlan

Sh int fa0/1

Show int eth 0/1/1

See CDP Neighbors

Show cdp neighbors

Show fdp neighbors

Brocade : Dual Access Ports

Dual Access Ports : Data and Voice

You need to make the port dual-mode port. Configuring a tagged port as dual-mode allows it to accept and transmit both tagged and untagged traffic at the same time. For example, I am going to connect a phone and a laptop to a port 1/1/1. This port is running in dual mode having a tagged membership in VLAN 13 (phone) and untagged membership in VLAN 12 (laptop).

Brocade (config)# vlan 12
Brocade (config-vlan-12)# tagged eth 1/1/1
Brocade (config-vlan-12)# vlan 13
Brocade (config-vlan-13)# tagged eth 1/1/1
Brocade (config-vlan-13)# int eth 1/1/1
Brocade (config-if-e1000-1/1/1)# dual-mode 12 – this command changes from the native vlan to vlan 12 which is for the data port and should be untagged.