In this post we will be discussing private vlans.

What do they do / provide?
- improved security
- more granular network segmentation that leads to an even smaller broadcast domain

Where would you use it?
- hotel rooms
- conference rooms

How does it work? You have 2 types of vlans:
- Primary vlan: devices belonging to it can talk to all the other hosts in the vlan and in the secondary vlans
- Secondary vlans:
  - Isolated vlans: devices residing here can only talk to the hosts in the primary vlan
  - Community vlans: devices sitting here can talk to the other hosts in the community vlan and the hosts in the primary vlan

Note: You can have several community vlans. Hosts in a community vlan can talk to each other and to the primary, not to another community vlan or the isolated hosts.

The theory states that you have 3 types of ports, but note that this is not reflected in the configuration, as we will see later. These are:
- Promiscuous port - this one is part of the primary vlan. Any other port can talk to a promiscuous port.
- Isolated port - this port is part of the isolated vlan. It can only talk to the primary vlan ports, that is, the promiscuous ports.
- Community port - this port is part of the community vlan. These ports can talk to all the other community ports of the same vlan and to all the promiscuous ports.

When you configure the ports on the switch itself, there will be 2 types of ports:
- Promiscuous port - can talk to everyone
- Host port - based on the vlan associations, this port will be an isolated or a community port

Now let's take a look at the big picture. Notice that the primary vlan encompasses the isolated and the community vlans.
- Simple Diagram
- Complex Diagram


Prior to talking about the configuration, one needs to know that VTP has to be set to transparent mode.

The simple diagram shows what we want to build:
- vlan 100 - primary vlan
- vlan 101 - isolated vlan
- vlan 102 - community vlan

We have 3 switches, and the one in the middle is not configured for private vlans. It will just forward the traffic across its trunk ports.

Traffic flow: packets going from the primary vlan 100 on SW01 to the community vlan on SW03 will go over vlan 100, traversing SW02, and as they reach SW03 they will hop onto VID 102.

The complex diagram shows a little more information: IP addressing, port types and the SVI setup.
- Vlan config
- Port config
- SVI config
- Show commands
! Primary vlan configuration and association with secondary vlans 101 and 102
!
vlan 100
private-vlan primary
private-vlan association 101-102
!
! Isolated (secondary) vlan configuration
!
vlan 101
private-vlan isolated
!
! Community (secondary) vlan configuration
!
vlan 102
private-vlan community
!
! Promiscuous interface configuration, we are mapping vlan 100 (primary) to 101 and 102 (secondary: isolated and community)
!
interface GigabitEthernet1/3
switchport private-vlan mapping 100 101-102
switchport mode private-vlan promiscuous
negotiation auto
!
! Host interface configuration as an isolated port based on the association 100 <-> 101
!
interface GigabitEthernet0/1
switchport private-vlan host-association 100 101
switchport mode private-vlan host
negotiation auto
!
! Host interface configuration as a community port based on the association 100 <-> 102
!
interface GigabitEthernet0/2
switchport private-vlan host-association 100 102
switchport mode private-vlan host
negotiation auto
!
! SVI configuration for the primary vlan, with vlan mapping.
!
interface Vlan100
ip address 172.16.0.100 255.255.255.0
private-vlan mapping 101-102
end
!
! Take note that you cannot build SVIs for the secondary vlans. The switch lets us know that we cannot do it:
!
SW03(config)#int vlan 102
SW03(config-if)#
*Sep 23 17:55:54.844: %PV-6-PV_SVI_DOWN: Vlan 102s interface remains down because this vlan is a secondary vlan.
*Sep 23 17:55:55.845: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan102, changed state to down
SW03(config-if)#exit
! Learning what vlan is configured as what
!
SW03#sh vlan private-vlan type
Vlan Type
---- -----------------
100 primary
101 isolated
102 community
! Private vlan association verification
!
SW03#sh vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 101 isolated Gi0/1
100 102 community Gi0/2
! Listing the interface information about the private vlan configuration (you can list the interface config directly too)
!
SW03#sh interfaces gi0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 100 (VLAN0100) 101 (VLAN0101)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan:
100 (VLAN0100) 101 (VLAN0101)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Appliance trust: none
! Listing the SVI configuration for private vlans (other than listing the interface config)
!
SW03#
SW03#sh interfaces vlan 100 private-vlan mapping
Interface Secondary VLANs
--------- --------------------------------------------------------------------
vlan100 101, 102
SW03#
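
The forwarding rules and the configuration above can be checked mechanically before a change is pushed. The following Python is an added example, not part of the original post: it parses the PVLAN lines of the configuration shown here (embedded as a constructed sample), derives each port's role, answers whether two ports on the same switch may talk, and flags host ports whose secondary vlan is not associated with their primary. The function names are hypothetical.

```python
import re

# Constructed sample: the PVLAN lines of the configuration shown in this post.
CONFIG = """\
vlan 100
 private-vlan primary
 private-vlan association 101-102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
interface GigabitEthernet1/3
 switchport private-vlan mapping 100 101-102
 switchport mode private-vlan promiscuous
interface GigabitEthernet0/1
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
interface GigabitEthernet0/2
 switchport private-vlan host-association 100 102
 switchport mode private-vlan host
"""

def expand(spec):
    """Expand an IOS VLAN list such as '101-102,105' into a set of ints."""
    bounds = (part.partition("-") for part in spec.split(","))
    return {v for lo, _, hi in bounds for v in range(int(lo), int(hi or lo) + 1)}

def parse(config):
    """Return (vlan types, primary -> secondaries, per-port settings)."""
    types, assoc, ports, vlan, port = {}, {}, {}, None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan, port = int(m[1]), None
        elif m := re.fullmatch(r"interface (\S+)", line):
            vlan, port = None, ports.setdefault(m[1], {})
        elif vlan and (m := re.fullmatch(r"private-vlan (primary|isolated|community)", line)):
            types[vlan] = m[1]
        elif vlan and (m := re.fullmatch(r"private-vlan association (\S+)", line)):
            assoc[vlan] = expand(m[1])
        elif port is not None and (m := re.fullmatch(
                r"switchport private-vlan (host-association|mapping) (\d+) (\S+)", line)):
            port.update(primary=int(m[2]), secondary=expand(m[3]))
        elif port is not None and (m := re.fullmatch(
                r"switchport mode private-vlan (host|promiscuous)", line)):
            port["mode"] = m[1]
    return types, assoc, ports

def role(port, types):
    """Promiscuous, or the type of the host port's secondary VLAN."""
    secondary = min(port.get("secondary", {0}))
    return "promiscuous" if port.get("mode") == "promiscuous" else types.get(secondary, "unknown")

def can_talk(a, b, types):
    """Apply the forwarding rules from the post to two ports on one switch."""
    ra, rb = role(a, types), role(b, types)
    if a.get("primary") != b.get("primary") or "unknown" in (ra, rb):
        return False
    same_community = ra == rb == "community" and a["secondary"] == b["secondary"]
    return "promiscuous" in (ra, rb) or same_community

def audit(types, assoc, ports):
    """Flag host ports whose secondary VLAN is not associated with their primary."""
    return [name for name, p in ports.items() if p.get("mode") == "host"
            and not p.get("secondary", {0}) <= assoc.get(p.get("primary"), set())]
```
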
Ping testing to see how it all looks.

This is the command output right here:
- R01
- R02
- R03
- R04
- R05
- SW02 vid 100
- SW02 vid 101
- SW02 vid 102
- SW03
R01#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R01#ping 172.16.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/14/20 ms
R01#ping 172.16.0.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.20, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/14/28 ms
R01#ping 172.16.0.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.30, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/23/48 ms
R01#ping 172.16.0.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.40, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/16/32 ms
R01#ping 172.16.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/11/16 ms
R01#ping 172.16.0.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.200, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/12/20 ms
R01#ping 172.16.0.201
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.201, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R01#ping 172.16.0.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.202, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R01#
R02#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/104/112 ms
R02#ping 172.16.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R02#ping 172.16.0.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.20, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R02#ping 172.16.0.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.30, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R02#ping 172.16.0.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.40, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R02#ping 172.16.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/14/32 ms
R02#ping 172.16.0.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.200, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R02#ping 172.16.0.201
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.201, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R02#ping 172.16.0.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.202, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R02#
R03#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/70/72 ms
R03#ping 172.16.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R03#ping 172.16.0.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R03#ping 172.16.0.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.30, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R03#ping 172.16.0.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.40, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 48/65/72 ms
R03#ping 172.16.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/11/12 ms
R03#ping 172.16.0.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.200, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R03#ping 172.16.0.201
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.201, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R03#ping 172.16.0.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.202, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/10/12 ms
R03#
R04#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/109/136 ms
R04#ping 172.16.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R04#ping 172.16.0.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.20, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R04#ping 172.16.0.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R04#ping 172.16.0.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.40, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R04#ping 172.16.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/14/24 ms
R04#ping 172.16.0.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.200, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R04#ping 172.16.0.201
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.201, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R04#ping 172.16.0.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.202, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R04#
R05#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/20 ms
R05#ping 172.16.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R05#ping 172.16.0.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/19/32 ms
R05#ping 172.16.0.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.30, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R05#ping 172.16.0.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.40, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R05#ping 172.16.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/10/12 ms
R05#ping 172.16.0.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.200, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R05#ping 172.16.0.201
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.201, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R05#ping 172.16.0.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.202, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/10/12 ms
R05#
SW02#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/9/12 ms
SW02#ping 172.16.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#ping 172.16.0.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.20, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#ping 172.16.0.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.30, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#ping 172.16.0.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.40, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#ping 172.16.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.100, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/2/3 ms
SW02#ping 172.16.0.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SW02#ping 172.16.0.201
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.201, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#ping 172.16.0.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.202, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#
SW02#p vrf 101 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#p vrf 101 172.16.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#p vrf 101 172.16.0.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.20, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#p vrf 101 172.16.0.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.30, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#p vrf 101 172.16.0.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.40, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#p vrf 101 172.16.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#p vrf 101 172.16.0.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.200, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#p vrf 101 172.16.0.201
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.201, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SW02#p vrf 101 172.16.0.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.202, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#
SW02#p vrf 102 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#p vrf 102 172.16.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#p vrf 102 172.16.0.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/8/10 ms
SW02#p vrf 102 172.16.0.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.30, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#p vrf 102 172.16.0.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.40, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/8/10 ms
SW02#p vrf 102 172.16.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#p vrf 102 172.16.0.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.200, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#p vrf 102 172.16.0.201
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.201, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#p vrf 102 172.16.0.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.202, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SW02#
SW03#ping 172.16.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/11 ms
SW03#ping 172.16.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/9/11 ms
SW03#ping 172.16.0.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/10/11 ms
SW03#ping 172.16.0.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/9/11 ms
SW03#ping 172.16.0.40
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.40, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/10/12 ms
SW03#ping 172.16.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SW03#ping 172.16.0.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms
SW03#ping 172.16.0.201
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.201, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW03#ping 172.16.0.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.202, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW03#
The takeaway from the ping testing is directly related to how the traffic flows through the switch in the middle, SW02, when you use it to ping across from the vlan at hand.

If you take the isolated vlan (vid 101), you cannot ping anything but yourself. If you take the community vlan (vid 102), you will be able to ping everything that is in it. That is because the traffic does make it into the community vlan on the private vlan aware switches, which allow the hosts to ping each other. The traffic does make it into the private vlan aware switches on the isolated vlan too, but the hosts are not allowed to ping each other.

You can also notice that, because the MAC is not learned from a private vlan port, although you are able to inject the traffic in the correct vlan, it will not allow you to hop onto the primary vlan and have connectivity.

Last, but not least, on the primary vlan (vid 100) you can ping everything within it; there are no limitations. Again, you cannot hop onto any secondary vlan; that is prohibited.

The rest works as expected: the primary vlan talks to everyone, community to itself and the primary, and isolated only to the primary.