Wednesday 1 August 2012

CCIE Study - Setting a Schedule

When you're thinking about whether or not you want to chase after the CCIE, if you're serious you are going to have to put a schedule and plan together.

The plan matters for a couple of reasons. First, you need to be realistic about how much effort it is really going to take to get over the line.  You could be one of the few who get their digits in a short period of time from start to finish, but more likely it will take somewhere between 1 and 2 years (or even longer, since there's no real time limit provided your written exam is still current when you are ready to face the lab).  That doesn't necessarily mean you have to be a complete hermit, but there will definitely be commitment and sacrifices made by you (and your family and friends) for you to succeed.  Part of starting the schedule is getting the buy-in and support of your loved ones early in the piece; it's better to work out whether it's going to be achievable before you start than to get part way through and realise all that sacrifice was for naught (well, it wouldn't be entirely wasted, because surely you would have picked up quite a bit of knowledge and expertise you may not have had already....)

The other part of the plan is money.  Whether you are paying for it yourself or are fortunate enough to have your employer supporting you, it's a good idea to line up when you may need to spend your cash.  If you do the hard work of putting a schedule together, then even if it slips you can at least track where you are and where you will end up, and start saving up (or lining up that request to your manager).  This is important because, rather than buying everything up front, it gives you the option to adapt to the situation as you go (and if for whatever reason you need to stop your studies, you don't have unused equipment or workbooks sitting around collecting dust).

What actually goes into a schedule? This isn't exactly what I used myself but it is a close approximation, listed as a starting point.  How much space to leave between each milestone is fairly flexible, because everyone is different in their starting experience and capabilities, the time they have available to study, and their financial resources.  Each milestone will have a number of sub-tasks that I'm not going to go into in detail here, but examples may include blueprint topics or individual workbook labs.  It's important to see how far you have to go, but just as importantly you should celebrate how far you have come as well.

Milestone one is to pass the CCIE Written Exam.  While there is a good amount of blueprint overlap between the written and lab, it's generally good to get this out of the way first and then focus all your studies on the lab.  Some people suggest that if you're ready for the lab you can hammer the written, and while this should be true, the reality is that without the written you can't log in to the CCIE portal and see what slots are available for the lab (and tentatively schedule one, especially if you are thinking of taking some vacation time prior to the lab).

Milestone two varies, but if you have decided on a training vendor and have determined your plan for lab resources (something I plan to write about in a later post) it may be achieved by completing an initial workbook twice.  The reason I say twice is that the first time round you will usually be learning how the features actually work, which can be quite arduous and lengthy and may require quite a bit of solution guide validation (maybe getting there is milestone 2A).  The second time round you should have quite a good understanding of those technologies and can go through the workbook again more efficiently and understand the behaviour (perhaps this is then milestone 2B).

[Optional] Milestone three may be where you are ready to attend a bootcamp.  This particular milestone may be reordered (or possibly repeated, depending on the training vendor), however I would recommend hitting the bootcamp with a reasonable understanding of the technologies across the blueprint.  Most bootcamps won't be able to hit every part of the blueprint, but most instructors are able to help you out in your problem areas.  More importantly, if you have been studying on your own, networking with real people who are on the CCIE train as well can be very inspiring and invigorating if the shine of chasing those digits is wearing off.

Milestone four will be completing an advanced vendor workbook - generally these workbooks are somewhat similar in complexity and duration as the real lab.  Besides getting used to the types of topics, you will be focusing on your reading comprehension as well as speed and accuracy.

[Optional] Milestone five would be doing a graded mock lab.  There are several vendors around, some closer in experience to the actual lab exam than others, but pretty much any mock lab is good in that it puts you under pressure in a slightly unfamiliar environment.

[Optional] Milestone six may be another bootcamp visit (some training vendors give free reseats, or if the timetable of the available bootcamps doesn't tie up with your own schedule this may be your first visit).  If this is a revisit, it should be seen as reinforcement that you have addressed your previous weaknesses and hopefully some validation that you are ready to face the lab.

Milestone seven would be doing (another?) graded mock lab.  Certainly don't repeat an existing lab but use this as a method for verifying you have your speed and accuracy under control and that you are really reading the questions.  If you didn't do as well in the previous mock lab, you should be aiming for a higher level of success here.

Milestone eight would be facing the lab itself.  Should you not get over the line, looping back to milestone six or seven may be worthwhile.  Take time to refocus, re-energise and remember why you wanted to face the lab; although there are quite a few success stories of people passing the first time round, there are many more who require more than one shot to get their digits.

The optional steps are purely that: not everyone needs, or has the funding (and time) available for, bootcamps.  In some countries the bootcamp options are minimal or non-existent, so you need to factor in international travel costs as well.  I understand that there are a number of online bootcamps, and while I am sure they are very useful, I have to say personally that I got a lot of value from being in a classroom with fellow students and an instructor, without the other sorts of interruptions you may have if you're online from home (or work).

Perhaps these thoughts can be used by potential CCIE candidates in working out what they need to do to get over the line, in terms of how they may face the lab and get their numbers.  Certainly do more research into what others needed to do to get over the line and work out what may be appropriate for you.  It's worth putting in a few weeks of research up front and being as well informed as possible about what you need to do, rather than changing your mind on things part way through.

In a future post I'll give my thoughts about selecting a training vendor (or vendors) and lab equipment.

Sunday 22 July 2012

CCIE Study Material Review - Pro2Expert

I've been starting to catch up on some parts of my life that were put on hold while the CCIE studies were in full swing, so postings here will continue just rather sporadically.

A few weeks before I attempted my lab exam, Greg Chisholm (CCIE #29271) gave me a complimentary copy of his Pro2Expert CCIE study and strategy guide to review.  The main audience for this document is someone who has completed, or is near completion of, their CCNP (the Pro) and is considering heading towards the CCIE (the Expert).  It is also tentatively pitched at those who have attempted the CCIE lab exam but have not come up trumps and want to find an alternative focus.

While this document does have a reasonable amount of technical content, it's probably more focused on CCNPs who want an intermediate step before going all in for the depth of knowledge that will be required to face off for the lab exam.  I guess the thinking here is that if this is either stuff you know like the back of your hand or at least doesn't overwhelm you, then maybe you're in a position to start developing your studies.

While the technical content was reasonable, to me personally (and most likely to those who have already faced the expensive lunch) what's there is rather shallow.  In each of the technical chapters, Greg includes a "--More--" section which provides further references to follow for a more detailed understanding.

My favourite part of the document, though, was the writing style: it felt very conversational and personal, because Greg was able to leverage his own experiences of sitting the lab exam multiple times, dealing with blueprint changes and finally getting over the line.  It was good to read his story and draw some inspiration, but more importantly to gain some extra thoughts and clarification on workflow optimisations; if you start on these early in your studies, you can more easily avoid fat-fingered mistakes when you are under pressure.  Some of these things may seem straightforward and obvious, but in my own case I definitely picked up a few tips that I should have been aware of much earlier.

Early on in the document there is a section describing how to select components to build your own lab environment and do things such as connecting servers to test features like NetFlow, SNMP, HTTP etc., which is adequate for self-directed study.  However, I personally would have thought there could be some value in including a section on why you may select a CCIE workbook training vendor, what kind of features (e.g. community, reputation, topology size, errata on material etc.) may be used to help select the vendor, and then what you may do for lab practice (build a lab, rent time on a lab, do simulation, or some combination of the lot).  Personally I think this is something worth dwelling upon, particularly if you are coming from a CCNP and looking at going for the CCIE, because part of your study plan will be putting together a timetable of equipment/services and working out when and where you have to spend your money; whether this is sponsored by your employer or yourself, you need to budget time and money.  Please note that Greg has told me this is an area he plans to address in a future iteration of the document.  I will endeavour to update this review once this occurs, but if this topic is of interest I suggest you get in contact with Greg directly.

For those who have not faced the CCIE R&S Written Exam yet, you will not currently see anything specific about this exam; however, to be fair, the CCIE R&S Version 4 Certification Guide is probably a better resource for facing that exam.  Greg did mention that he plans to provide a write-up on the written exam once he recertifies his CCIE, as he prefers to be more specific than to give generalised tips on something he faced quite some time back.

Pro2Expert arrives as a watermarked PDF that is just over 560 pages in length.  I didn't attempt to print it out; however, it did work fine on my Amazon Kindle.  The document does not touch every aspect of the CCIE R&S Blueprint.

The introductory price for Greg's Pro2Expert document is US$90 and may increase at a later date.  I received my copy for free in exchange for providing this review; Greg was more than happy for me to review the document in any way that I wanted, and in areas I thought may need further development he took those thoughts into serious consideration.

Final thoughts:  in comparison to most CCIE-related study material, which tends to focus directly on the technical side of things (which of course is extremely important), this guide's greatest strength, to me at least, is the human side and the workflow aspects.  If you are considering going for the CCIE, this guide may be a worthwhile investment before embarking on a long, potentially expensive but educational journey.  If you have faced the lab on multiple occasions and are at your wits' end about where to go next, and don't think the problems you are facing are technical in nature, perhaps you can draw inspiration from Greg's words; but at this point in time I'm unsure that this will be what's needed to give you that extra push.

Thursday 12 July 2012

My CCIE Journey

It's taken a bit longer to get to this point than I had originally planned when I started on this journey but I'm glad to be here.

Tuesday, July 10 2012 was my fifth attempt at the CCIE R&S Lab.  The day started well enough, the Sydney lab is pretty good and the proctor is a friendly enough guy (having been there quite a few times, he recognised me but thankfully I hadn't been there enough that he recalled my name!)

When the troubleshooting section commenced I was able to address the easier tickets in relatively short order; however, the three-pointers took considerably longer but were not impossible (it actually ended up being one of those issues where it was staring me in the face but it took a bit of time to realise it), and I ended up closing them out with about 10 minutes left on the clock, giving ample time to go back to the front and validate that they were still resolved and within the confines of the restrictions.

Each of my lab attempts displayed improvement in my troubleshooting skills (my first attempt resulted in me getting steamrolled in TS, in the second attempt I was much better but with plenty of room for improvement, in the third I missed passing by what seemed like one ticket, and I finally passed TS in the fourth attempt).  This time round it felt like I had solidly addressed all faults, so I was able to proceed into configuration with a fair amount of confidence.

The Configuration component was traditionally an area I did well in - except for attempt number 4, where I just couldn't quite get my groove on and fell apart - this was quite unfortunate since that happened to be the first time I got through TS.  Fortunately this time around I was able to enter "the zone" relatively quickly, get my layer 2 sorted out and get most of the IGP config complete before lunch.  The coke I drank at lunch must have given me enough of a jolt to blast through the BGP, services and other config pieces, leaving a reasonable amount of verification time to spare, which was fortunate: my tcl and ping macros helped pick up a few simple but potentially costly mistakes, and extra validation of various config components highlighted a number of minor corrections that I needed to make.

I left the lab location feeling quietly confident, and after flying home, waiting in my inbox was that email with the subject "CCIE Lab Score Report".  I rushed to the website and was very pleased to see the "PASS" and an allocation of a number on that very 90's style webpage, resulting in a happy conclusion to this journey.

I made use of material from IPExpert (Video on Demand, Workbook Volumes 1 and 3), Internetwork Expert (Audio Bootcamp and Mock Labs) and Micronics Training (Narbik's famous bootcamp and troubleshooting workbook).  Each has a slightly different way of building your expertise and understanding, which can be helpful if you are having problems grasping a specific concept.  All are high quality products from top class vendors with good support from the people within the organisations.

I also did a number of the Cisco360 Mock Labs and found their TS scenarios were commensurate with the lab environment, with a roughly equivalent topology and level of faults, though I found the configuration labs sometimes easier than, or of similar difficulty to, the actual lab.  Regardless of the vendor, any mock lab is good to ensure you've got the stamina and can work against the clock.

Mailing lists like Groupstudy, IPExpert's OSL and INE's IEOC Forum were very valuable in helping hone my knowledge and also reminding me that I'm not alone on what is pretty much a solo voyage. These resources are worth their weight in gold for inspiration and support.

Also, it must be said that while I was the one who passed the exam, it was only made possible thanks to the understanding and support of my wonderful wife; I am truly lucky and grateful for her being there and believing I could get there even through several failed attempts.

Monday 25 June 2012

Private VLANs

One of the features the Catalyst 3560 has that the 3550 doesn't is support for Private VLANs.  Private VLANs are a method of partitioning one broadcast domain into several by combining multiple VLANs under a single primary VLAN, so the hosts keep sharing one IP subnet while their layer 2 reachability is restricted.

There are three types of VLAN in a Private-VLAN construct:
1) The Primary VLAN, with which the other two types are associated; the primary VLAN would typically be associated with the gateway router for the Private-VLAN
2) Community VLANs - hosts in the same community VLAN are able to talk with each other but with no one else except for hosts on the Primary VLAN
3) Isolated VLANs - hosts in an isolated VLAN are unable to talk with anyone except hosts on the Primary VLAN, even other hosts in the same isolated VLAN

Actually, there is a form of the isolated VLAN feature supported on platforms such as the 3550, enabled using "switchport protected"; however, it is local to one switch.  This means that in a multi-switch environment, your protected ports can still communicate with hosts in the same VLAN on other switches.

This post will cover a multi-switch private VLAN configuration as shown in the topology diagram.

Private-VLANs can only work when the switch is set to VTP transparent mode (VTP versions 1 and 2 do not propagate private VLAN configuration, so each switch must be configured locally).

This exercise will be using 4 VLANs
  1. VLAN 100 - Primary
  2. VLAN 200 - Isolated
  3. VLAN 300 - Community
  4. VLAN 400 - Community
Although VLAN 300 and 400 are of the same type, since they aren't in the same community they won't be able to talk to each other.  This kind of flexibility is useful in hosting environments where you want to manage one IP subnet across multiple customers but still ensure separation between them without needing unwieldy ACLs to control it.

Before we get to the PVLAN config section, let's quickly list the configs on our routers

R1
hostname R1
interface FastEthernet0/0
 ip address 10.1.100.1 255.255.255.0
 no shutdown
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!

R2
hostname R2
no ip routing
interface FastEthernet0/0
 ip address 10.1.100.2 255.255.255.0
 no shutdown
!
ip default-gateway 10.1.100.1

R3
hostname R3
no ip routing
interface FastEthernet0/0
 ip address 10.1.100.3 255.255.255.0
 no shutdown
!
ip default-gateway 10.1.100.1

R4
hostname R4
no ip routing
interface FastEthernet0/1
 ip address 10.1.100.4 255.255.255.0
 no shutdown
!
ip default-gateway 10.1.100.1

R5
hostname R5
no ip routing
interface FastEthernet0/1
 ip address 10.1.100.5 255.255.255.0
 no shutdown
!
ip default-gateway 10.1.100.1

R6
hostname R6
no ip routing
interface FastEthernet0/1
 ip address 10.1.100.6 255.255.255.0
 no shutdown
!
ip default-gateway 10.1.100.1

Our switches are in their vanilla configurations (wr erase and del vlan.dat before reloading) so we need to configure them from scratch.

Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#host SW1

Ensure that we're in VTP transparent mode

SW1(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.

Now we create the VLANs that will be used in our private-vlan and specify the type

SW1(config)#vlan 100
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#vlan 200
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#vlan 300
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#vlan 400
SW1(config-vlan)#private-vlan community

Let's check the configuration
 
SW1(config-vlan)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100               primary
        200       isolated
        300       community

VLAN 400 is not shown - in VLAN configuration mode, the VLAN you are currently editing is not applied until you leave it (either by moving on to another VLAN or by exiting VLAN config mode)

SW1(config-vlan)#exit
SW1(config)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100               primary
        200       isolated
        300       community
        400       community

Now that the Private VLANs have been created, an association is required - we do this by selecting the primary vlan and then attaching the isolated/community VLANs to it

SW1(config)#vlan 100
SW1(config-vlan)#private-vlan association 200,300,400
SW1(config-vlan)#exit
SW1(config)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       isolated
100     300       community
100     400       community

Let's set up the trunk between SW1 and SW2 and then apply the same PVLAN config to SW2

SW1(config)#int fa1/0/19
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk

Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#host SW2
SW2(config)#int fa1/0/19
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#switchport mode trunk
SW2(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
SW2(config)#vlan 100
SW2(config-vlan)#private-vlan primary
SW2(config-vlan)#vlan 200
SW2(config-vlan)#private-vlan isolated
SW2(config-vlan)#vlan 300
SW2(config-vlan)#private-vlan community
SW2(config-vlan)#vlan 400
SW2(config-vlan)#private-vlan community
SW2(config-vlan)#vlan 100
SW2(config-vlan)#private-vlan association 200,300,400
SW2(config-vlan)#exit
SW2(config)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       isolated
100     300       community
100     400       community

Before we associate switch interfaces with private-VLAN configurations, all router-facing ports are in VLAN 1 by default, so let's validate that we have full connectivity.

R1
R1#ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/261/1012 ms
R1#ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/268/1056 ms
R1#ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/260/1004 ms
R1#ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/262/1016 ms
R1#ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/264/1044 ms


R2
R2#ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R2#ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/10/24 ms
R2#ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/406/1996 ms
R2#ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/5/12 ms
R2#ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/403/1988 ms
R2#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R3
R3#ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R3#ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3#ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/405/2000 ms
R3#ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/8/20 ms
R3#ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/8 ms
R3#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

R4
R4#ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R4#ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/12 ms
R4#ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R4#ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/403/1996 ms
R4#ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/7/16 ms
R4#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/12 ms

R5
R5#ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R5#ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R5#ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R5#ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/12 ms
R5#ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/406/1992 ms
R5#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R6
R6#ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R6#ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/12 ms
R6#ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R6#ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R6#ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R6#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/16 ms


Okay, so our baseline of full connectivity between hosts has been established; we can now start applying the PVLAN configuration to the switchports.

SW1 Fa1/0/1 (R1) - Primary VLAN (100)
SW1 Fa1/0/2 (R2) - Isolated VLAN (200)
SW1 Fa1/0/3 (R3) - Community VLAN (300)

SW2 Fa1/0/4 (R4) - Isolated VLAN (200)
SW2 Fa1/0/5 (R5) - Community VLAN (300)
SW2 Fa1/0/6 (R6) - Community VLAN (400)

SW1(config)#int fa1/0/1

This is the promiscuous port for the private VLAN (all isolated/community VLANs mapped to it can talk with this port)

SW1(config-if)#switchport mode private-vlan promiscuous

Map the secondary VLANs (200,300,400) to the primary VLAN (100) on the promiscuous port

SW1(config-if)#switchport private-vlan association mapping 100 200,300,400

Now we configure the secondary vlan interfaces

SW1(config-if)#int fa1/0/2
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan association host 100 200

SW1(config-if)#int fa1/0/3
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan association host 100 300

SW1(config-if)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       isolated          Fa1/0/1, Fa1/0/2
100     300       community         Fa1/0/1, Fa1/0/3
100     400       community         Fa1/0/1

On SW2 we only have secondary VLAN (host) interfaces

SW2(config)#int fa1/0/4
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#switchport private-vlan association host 100 200
SW2(config-if)#int fa1/0/5
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#switchport private-vlan association host 100 300
SW2(config-if)#int fa1/0/6
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#switchport private-vlan association host 100 400
SW2(config-if)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       isolated          Fa1/0/4
100     300       community         Fa1/0/5
100     400       community         Fa1/0/6
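Before running the pings, it helps to write down what the PVLAN rules predict.  The following Python model is an added example, not code from the original post: it encodes the three PVLAN types and the SW1/SW2 port assignments above, derives the expected ping matrix for R1 to R6, and also models the single-switch "switchport protected" behaviour mentioned earlier so the cross-switch difference is visible.

```python
"""Model of Catalyst private-VLAN (PVLAN) reachability between host ports.

Constructed example: the port assignments below are the ones applied to
SW1/SW2 in the post; the forwarding rules encode the three PVLAN types
(promiscuous/primary, isolated, community).  Nothing here talks to a switch;
it only predicts which pings should succeed so the lab result can be checked
against a written-down expectation.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PRIMARY, ISOLATED, COMMUNITY = "primary", "isolated", "community"

# VLAN types exactly as created in the post (vlan 100/200/300/400)
VLAN_TYPES = {100: PRIMARY, 200: ISOLATED, 300: COMMUNITY, 400: COMMUNITY}
# "private-vlan association 200,300,400" under vlan 100
ASSOCIATION = {100: {200, 300, 400}}


@dataclass(frozen=True)
class Port:
    host: str
    switch: str
    mode: str                 # "promiscuous" or "host"
    secondary: Optional[int]  # secondary VLAN of a host port; None for promiscuous


# SW1 Fa1/0/1-3 and SW2 Fa1/0/4-6 as assigned in the post
PORTS: List[Port] = [
    Port("R1", "SW1", "promiscuous", None),
    Port("R2", "SW1", "host", 200),
    Port("R3", "SW1", "host", 300),
    Port("R4", "SW2", "host", 200),
    Port("R5", "SW2", "host", 300),
    Port("R6", "SW2", "host", 400),
]

Rule = Callable[[Port, Port], bool]


def pvlan_can_reach(src: Port, dst: Port, primary: int = 100) -> bool:
    """PVLAN rule: promiscuous <-> any associated secondary; community <-> same
    community; isolated <-> nobody but promiscuous.  Which switch a port sits on
    is irrelevant because the secondary VLANs are carried across the trunk."""
    if src.mode == "promiscuous" and dst.mode == "promiscuous":
        return True
    if src.mode == "promiscuous" or dst.mode == "promiscuous":
        host_port = dst if src.mode == "promiscuous" else src
        # a secondary VLAN that is not associated with the primary is a black hole
        return host_port.secondary in ASSOCIATION.get(primary, set())
    if src.secondary != dst.secondary:
        return False                      # different secondaries never talk directly
    return VLAN_TYPES.get(src.secondary) == COMMUNITY


def protected_can_reach(src: Port, dst: Port) -> bool:
    """3550-style 'switchport protected' on every host port, all in one VLAN:
    protected ports are blocked from each other only on the SAME switch."""
    if src.mode == "promiscuous" or dst.mode == "promiscuous":
        return True                       # the gateway port is not protected
    return src.switch != dst.switch


def reachability(rule: Rule = pvlan_can_reach) -> Dict[Tuple[str, str], bool]:
    """Full src->dst matrix for the lab under the given rule (diagonal excluded)."""
    return {(a.host, b.host): rule(a, b) for a in PORTS for b in PORTS if a is not b}


def reachable_from(host: str, rule: Rule = pvlan_can_reach) -> List[str]:
    """Sorted list of hosts that `host` should be able to ping under `rule`."""
    return sorted(d for (s, d), ok in reachability(rule).items() if s == host and ok)


def is_symmetric(rule: Rule = pvlan_can_reach) -> bool:
    """Sanity check: if A can ping B, B must be able to ping A (echo needs both ways)."""
    m = reachability(rule)
    return all(m[(s, d)] == m[(d, s)] for (s, d) in m)


if __name__ == "__main__":
    for p in PORTS:
        print(f"{p.host} PVLAN     -> {reachable_from(p.host)}")
        print(f"{p.host} protected -> {reachable_from(p.host, protected_can_reach)}")
```

Running it lists, per router, the hosts a ping should reach under the PVLAN rules versus under per-switch protected ports, so any ping that succeeds outside that list points at a port whose mode or association was missed.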

Now to test

R1 should be able to ping R2/R3/R4/R5/R6 because it's the promiscuous port (SW1 Fa1/0/1)

R1>ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R1>ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R1>ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/8 ms
R1>ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R1>ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R2 (SW1 Fa1/0/2) should only be able to ping R1. Even though R4 (SW2 Fa1/0/4) is in the same secondary VLAN, that pvlan is of type isolated, so the two will not be able to communicate with each other.

R2>ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R2>ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R2>ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2>ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2>ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2>ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3 (SW1 Fa1/0/3) should be able to ping R1 and R5 (as they are in the same community pvlan)

R3>ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R3>ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R3>ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3>ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3>ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3>ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R4 (SW2 Fa1/0/4), like R2, should only be able to ping R1

R4>ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R4>ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R4>ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4>ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4>ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4>ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R5 (SW2 Fa1/0/5) should be able to ping R1 and R3 (as they are in the same community pvlan)

R5>ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R5>ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/12 ms
R5>ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5>ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R5>ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5>ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R6 (SW2 Fa1/0/6) will only be able to ping R1, as it is currently the only member of community pvlan 400

R6>ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R6>ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R6>ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6>ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6>ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6>ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

So we have seen how you can use Private VLANs to partition a broadcast domain / IP subnet into multiple domains for service/security separation.

While the promiscuous port has so far been shown on a layer 2 interface, the same role can also be given to a switched virtual interface (SVI).

To demonstrate this, we'll first make a slight change to R1's configuration

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int fa0/0
R1(config-if)#ip add 10.100.100.1 255.255.255.0
R1(config-if)#ip route 0.0.0.0 0.0.0.0 10.100.100.100
R1(config)#end

Now we'll return SW1 Fa1/0/1 to act as a regular access port in vlan 10

SW1(config)#int fa1/0/1
SW1(config-if)#no switchport private-vlan mapping 100 200,300,400
SW1(config-if)#no switchport mode private-vlan promiscuous
SW1(config-if)#switchport access vlan 10

We'll create our SVI for vlan 10

SW1(config-if)#int vlan 10
SW1(config-if)#ip add 10.100.100.100 255.255.255.0
SW1(config-if)#exit

Now we'll enable routing and add the static route to 1.1.1.1

SW1(config)#ip routing
SW1(config)#ip route 1.1.1.1 255.255.255.255 10.100.100.1
SW1(config)#do ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms

Now we need to create the SVI for vlan 100 and create the private-vlan mapping

SW1(config)#int vlan 100
SW1(config-if)#ip add 10.1.100.1 255.255.255.0
SW1(config-if)#private-vlan mapping 200,300,400

SW1(config-if)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       isolated          Fa1/0/2
100     300       community         Fa1/0/3
100     400       community

We can't see any reference to the VLAN 100 SVI here, but there is an alternate way to see the mapping

SW1(config-if)#do sh int vlan 100 private-vlan mapping
Interface Secondary VLANs
--------- --------------------------------------------------------------------
vlan100   200, 300, 400

We'll verify using R3; only hosts on VLAN 10, VLAN 100 (the SVI) and community pvlan 300 should be reachable

R3>ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/20 ms
R3>ping 10.100.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3>ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R3>ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3>ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3>ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3>ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Using the Private VLAN mapping on the SVI enables you to use your switch as the routing gateway for your private VLANs.
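As an added example (not from the post), the following Python model encodes the private VLAN forwarding rules exercised in both test sections above (the layer 2 promiscuous port on SW1 Fa1/0/1, and then the VLAN 100 SVI with `private-vlan mapping`) and derives the expected ping matrix from the port configuration. Router, port and VLAN numbers are the lab's; the dictionaries and functions are assumed helpers written here.

```python
# Added example: a small model of private-VLAN forwarding rules used to derive the
# expected reachability for the lab above. Device names, ports and VLAN numbers are
# taken from the post; the data structures and functions are ours (hypothetical).

# Secondary VLAN types as configured on SW1/SW2 in the lab.
SECONDARY_TYPE = {200: "isolated", 300: "community", 400: "community"}

# Host ports: device -> (primary, secondary). A promiscuous port, or a primary-VLAN SVI
# with "private-vlan mapping", is recorded as ("promiscuous", {mapped secondaries}).
LAB_L2 = {
    "R1": ("promiscuous", {200, 300, 400}),               # SW1 Fa1/0/1
    "R2": (100, 200), "R3": (100, 300),                   # SW1 Fa1/0/2, Fa1/0/3
    "R4": (100, 200), "R5": (100, 300), "R6": (100, 400),  # SW2 Fa1/0/4, Fa1/0/5, Fa1/0/6
}

def can_reach(src, dst, ports, types=SECONDARY_TYPE):
    """True if a frame from src may be delivered to dst under PVLAN rules."""
    s, d = ports[src], ports[dst]
    if s[0] == "promiscuous" and d[0] == "promiscuous":
        return True                         # two promiscuous members: no restriction
    if s[0] == "promiscuous":
        return d[1] in s[1]                 # promiscuous -> any host in a mapped secondary
    if d[0] == "promiscuous":
        return s[1] in d[1]                 # host -> promiscuous member its secondary is mapped to
    if s[1] != d[1]:
        return False                        # different secondaries never talk directly
    return types[s[1]] == "community"       # same community: yes; isolated: never

def reachability(ports):
    """Map each device to the sorted list of devices it can reach at layer 2."""
    return {src: sorted(dst for dst in ports if dst != src and can_reach(src, dst, ports))
            for src in ports}

# Second half of the post: Fa1/0/1 becomes an access port in VLAN 10 and the SVI
# "vlan100" takes over as the promiscuous member via "private-vlan mapping 200,300,400".
LAB_SVI = dict(LAB_L2)
del LAB_SVI["R1"]
LAB_SVI["vlan100"] = ("promiscuous", {200, 300, 400})

if __name__ == "__main__":
    for name, lab in (("L2 promiscuous port", LAB_L2), ("SVI promiscuous", LAB_SVI)):
        print(name)
        for src, dsts in reachability(lab).items():
            print(f"  {src} -> {', '.join(dsts) or '(none)'}")
```

The model only covers layer 2 delivery within primary VLAN 100; in the SVI case R3's pings to 1.1.1.1 and 10.100.100.1 succeed because the frame reaches the promiscuous SVI and is then routed, which the model represents simply as R3 reaching `vlan100`.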