Vlan Tagging

IEEE 802.1Q (also known as VLAN Tagging) was a project in the IEEE 802 standards process to develop a mechanism to allow multiple bridged networks to transparently share the same physical network link without leakage of information between networks (i.e. trunking). IEEE 802.1Q is also the name of the standard issued by this process, and in common usage the name of the encapsulation protocol used to implement this mechanism over Ethernet networks.

802.1Q does not actually encapsulate the original frame. Instead, for Ethernet frames using Ethernet II framing, it sets the EtherType value in the Ethernet header to the Tag Protocol ID (TPID) 0x8100, identifying this frame as an 802.1Q frame. It then inserts an extra two bytes of Tag Control Information (TCI) after the TPID, followed by another two bytes containing the frame's original EtherType. Together, the four bytes of TPID and TCI are called the VLAN Tag.


The format of the TCI is:

Bits    15:13           12     11:0
Field   user_priority   CFI    VID

The User Priority is a 3-bit field storing the priority level for the frame. Use of this field is defined in IEEE 802.1p.

The Canonical format indicator (CFI): a 1-bit indicator that is always set to zero for Ethernet switches. CFI is used for compatibility between Ethernet and Token Ring networks. If a frame received at an Ethernet port has a CFI set to 1, then that frame should not be bridged to an untagged port.

VLAN ID (VID): a 12-bit field specifying the VLAN to which the frame belongs. A value of 0 means that the frame doesn’t belong to any VLAN; in this case the 802.1Q tag specifies only a priority and is referred to as a priority tag. A value of hex FFF is reserved for implementation use. All other values may be used as VLAN identifiers, allowing up to 4094 VLANs. On bridges, VLAN 1 is often reserved for management.

For frames using IEEE 802.2/SNAP encapsulation with an OUI field of 00-00-00 (so that the protocol ID field in the SNAP header is an EtherType), as would be the case on LANs other than Ethernet, the EtherType value in the SNAP header is set to hex 8100 and the aforementioned extra 4 bytes are appended after the SNAP header.

Because inserting this header changes the frame, 802.1Q encapsulation forces a recalculation of the original FCS field in the Ethernet trailer. It also increases the maximum frame size by 4 bytes.

Double-tagging can be useful for Internet Service Providers, allowing them to use VLANs internally while mixing traffic from clients that is already VLAN-tagged. The outer tag comes first, followed by the inner tag. In such cases, an alternate TPID such as hex 9100, or even 9200 or 9300, sometimes may be used for the outer tag; however this is being deprecated by 802.1ad, which specifies 88a8 for service-provider outer tags. Triple-tagging is also possible.
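As an added example (not from the original post), here is a small Python parser and builder for the tag stack described above: it walks TPIDs 0x8100, 0x88a8 and the older 0x9100/0x9200/0x9300 outer tags, splits each TCI into user_priority, CFI and VID, classifies VID 0 as a priority tag and VID 0xFFF as reserved, and reports the CFI=1 case that must not be bridged to an untagged port. The MAC addresses and sample frame are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# TPIDs that introduce a VLAN tag: 0x8100 (802.1Q), 0x88a8 (802.1ad service tag)
# and the older non-standard outer tags 0x9100/0x9200/0x9300 mentioned above.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100, 0x9200, 0x9300}
MAC_HDR_LEN = 12  # destination + source MAC; the tag stack starts right after


@dataclass
class VlanTag:
    tpid: int
    pcp: int  # TCI bits 15:13, user_priority (802.1p)
    cfi: int  # TCI bit 12, CFI (DEI in later revisions of the standard)
    vid: int  # TCI bits 11:0

    @property
    def kind(self) -> str:
        if self.vid == 0:
            return "priority-tag"  # carries a priority only, no VLAN membership
        if self.vid == 0xFFF:
            return "reserved"      # reserved for implementation use
        return "vlan"

    def bridge_to_untagged_ok(self) -> bool:
        # A frame received on an Ethernet port with CFI=1 should not be
        # bridged to an untagged port (the Token Ring compatibility rule).
        return self.cfi == 0


def parse_tags(frame: bytes) -> Tuple[List[VlanTag], int, int]:
    """Walk the tag stack of an Ethernet II frame.

    Returns (tags, ethertype, payload_offset); tags[0] is the outermost tag.
    Raises ValueError on a truncated frame.
    """
    if len(frame) < MAC_HDR_LEN + 2:
        raise ValueError("frame shorter than an Ethernet header")
    offset = MAC_HDR_LEN
    tags: List[VlanTag] = []
    while True:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in VLAN_TPIDS:
            return tags, etype, offset + 2  # the original EtherType is reached
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(VlanTag(etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4  # skip TPID + TCI and look at the next EtherType


def build_frame(dst: bytes, src: bytes, tags: List[VlanTag],
                ethertype: int, payload: bytes) -> bytes:
    """Insert tags (outermost first) between the MAC header and the EtherType."""
    out = bytearray(dst + src)
    for t in tags:
        tci = (t.pcp << 13) | (t.cfi << 12) | (t.vid & 0x0FFF)
        out += struct.pack("!HH", t.tpid, tci)
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


def describe(frame: bytes) -> List[str]:
    """Human-readable summary of the tag stack, one line per tag."""
    tags, etype, _ = parse_tags(frame)
    lines = [f"tag {i}: tpid=0x{t.tpid:04x} pcp={t.pcp} cfi={t.cfi} "
             f"vid={t.vid} ({t.kind})" for i, t in enumerate(tags)]
    lines.append(f"ethertype=0x{etype:04x}")
    return lines


# Constructed sample: a QinQ frame with an 802.1ad outer tag (service VLAN 666)
# around an 802.1Q inner tag (customer VLAN 12, user_priority 5) and an IPv4 payload.
DST = bytes.fromhex("020000000001")  # constructed locally administered MACs
SRC = bytes.fromhex("020000000002")
DOUBLE_TAGGED = build_frame(
    DST, SRC,
    [VlanTag(0x88A8, 0, 0, 666), VlanTag(0x8100, 5, 0, 12)],
    0x0800, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    print("\n".join(describe(DOUBLE_TAGGED)))
```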

http://tinyurl.com/4o6jha

Configuring an IEEE 802.1Q Tunneling Port

Beginning in privileged EXEC mode, follow these steps to configure a port as an IEEE 802.1Q tunnel port:

Step 1: configure terminal
    Enter global configuration mode.

Step 2: interface interface-id
    Enter interface configuration mode for the interface to be configured as a tunnel port. This should be the edge port in the service-provider network that connects to the customer switch. Valid interfaces include physical interfaces and port-channel logical interfaces (port channels 1 to 48).

Step 3: switchport access vlan vlan-id
    Specify the default VLAN, which is used if the interface stops trunking. This VLAN ID is specific to the particular customer.

Step 4: switchport mode dot1q-tunnel
    Set the interface as an IEEE 802.1Q tunnel port.

Step 5: exit
    Return to global configuration mode.

Step 6: vlan dot1q tag native
    (Optional) Set the switch to enable tagging of native VLAN packets on all IEEE 802.1Q trunk ports. When not set, and a customer VLAN ID is the same as the native VLAN, the trunk port does not apply a metro tag, and packets could be sent to the wrong destination.

Step 7: end
    Return to privileged EXEC mode.

Example:

[Image: Vtag]

Sw3#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Sw3(config)#vtp mode transparent
Device mode already VTP TRANSPARENT.
Sw3(config)#vlan 666
Sw3(config-vlan)#name Transport-VLAN
Sw3(config-vlan)#exit
Sw3(config)#int range f0/21 - 22
Sw3(config-if-range)#sh
Sw3(config-if-range)#switchport mode dot1q-tunnel
Sw3(config-if-range)#switchport access vlan 666
Sw3(config-if-range)#no sh
Sw3(config-if-range)#exit
Sw3(config)#system mtu 1504
Sw3(config)#int range f0/19 - 20
Sw3(config-if-range)#sw tr en do
Sw3(config-if-range)#sw mo tr
Sw3(config-if-range)#exit

Sw4#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Sw4(config)#vlan 666
Sw4(config-vlan)#name Transport-VLAN
Sw4(config)#int range f0/19 - 20
Sw4(config-if-range)#sw tr en do
Sw4(config-if-range)#sw mo tr
Sw4(config-if-range)#exit
Sw4(config)#int range f0/21 - 22
Sw4(config-if-range)#sw mo do
Sw4(config-if-range)#sw a vlan 666
Sw4(config-if-range)#exit
Sw4(config)#vtp mode tra
Setting device to VTP TRANSPARENT mode.
Sw4(config)#system mtu 1504

Sw4(config)#do show int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           802.1q         trunking      1
Fa0/20      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/19      1-4094
Fa0/20      1-4094

Port        Vlans allowed and active in management domain
Fa0/19      1,666
Fa0/20      1,666

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/19      1,666
Fa0/20      1,666

Sw4(config)#do show int f0/21 sw
Name: Fa0/21
Switchport: Enabled
Administrative Mode: tunnel
Operational Mode: tunnel
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 666 (VLAN0666)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Sw4(config)#

Sw1(config-if)#int po 1
Sw1(config-if)#no sw
Sw1(config-if)#ip add 122.1.78.7 255.255.255.0
Sw1(config-if)#int range f0/21 - 22
Sw1(config-if-range)#no sw
Sw1(config-if-range)#channel-group 1 mode on

Sw2#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
Sw2(config)#int range f0/21 - 22
Sw2(config-if-range)#exit
Sw2(config)#int po1
Sw2(config-if)#no sw
Sw2(config-if)#ip add 122.1.78.8 255.255.255.0
Sw2(config-if)#no sh
Sw2(config-if)#exit
Sw2(config)#int range f0/21 - 22
Sw2(config-if-range)#no sw
Sw2(config-if-range)#channel-group 1 mode on

Verification:

Sw2#ping 122.1.78.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 122.1.78.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Sw2#


A Networker Blog

How to Configure a Switch Cluster Member

We are going to configure Sw1, Sw2, Sw3 and Sw4 in a switch cluster named HOWCOOL.

[Image: Cluster]

In this topology:

  • Sw1 would be the commander.
  • Sw2, Sw3 and Sw4 are going to be members of the switch cluster.
Sw1#show ver | in MAC
Base ethernet MAC Address       : 00:19:06:60:AC:00
Sw1#
Sw2#show ver | in MAC
Base ethernet MAC Address       : 00:19:E7:77:10:80
Sw2#
Sw3#show ver | in MAC
Base ethernet MAC Address       : 00:19:AA:C9:33:00
Sw3#
Sw4#show ver | in MAC
Base ethernet MAC Address       : 00:19:AA:C9:34:80
Sw1(config)#cluster enable HOWCOOL
Sw1#show run | in cluster
cluster enable HOWCOOL 0
cluster member 1 mac-address 0019.e777.1080
cluster member 2 mac-address 0019.aac9.3300
cluster member 3 mac-address 0019.aac9.3480
Sw1(config)#do show cluster
Command switch for cluster "HOWCOOL"
Total number of members:        4
Status:                         0 members are unreachable
Time since last status change:  0 days, 0 hours, 0 minutes
Redundancy:                     Disabled
Heartbeat interval:             8
Heartbeat hold-time:            80
Extended discovery hop count:
Sw2#show run | in member
cluster commander-address 0019.0660.ac00 member 1 name HOWCOOL vlan 1
Sw2#
Sw3#show run | in member
cluster commander-address 0019.0660.ac00 member 2 name HOWCOOL vlan 1
Sw4#show run | in memb
cluster commander-address 0019.0660.ac00 member 3 name HOWCOOL vlan 1

You can configure cluster member switches from the CLI by first logging into the cluster command switch. Enter the rcommand user EXEC command and the cluster member switch number to start a Telnet session (through a console or Telnet connection) and to access the cluster member switch CLI. The command mode changes, and the Cisco IOS commands operate as usual. Enter the exit privileged EXEC command on the cluster member switch to return to the command-switch CLI.

Verification:

Sw1#rcommand 3
Sw4#exit
Sw1#

If you do not know the member-switch number, enter the show cluster members privileged EXEC command on the cluster command switch. For more information about the rcommand command and all other cluster commands, see the switch command reference.

Sw1#show cluster members
|---Upstream---|
SN MAC Address    Name         PortIf FEC Hops   SN PortIf  FEC  State
0  0019.0660.ac00 Sw1                       0                     Up   (Cmdr)
1  0019.e777.1080 Sw2          Fa0/20       1     0  Fa0/20       Up
2  0019.aac9.3300 Sw3          Fa0/22       1     0  Fa0/22       Up
3  0019.aac9.3480 Sw4          Fa0/8        1     0  Fa0/8        Up


MPLS TE Affinity and Attributes

Information distribution is the process by which the router learns the network and its available resources.

The router then calculates the path and sets it up in order to build the TE tunnel, using a link-state IGP.

Once the path has been selected, the router must use techniques such as autoroute announce, PBR or static routes to send traffic through the tunnel. (Always keep an eye on the metrics when using autoroute announce.)

Each router in the MPLS network is identified through the IGP, using a loopback with a /32 mask requirement.

If we run a debug of OSPF MPLS traffic engineering advertisements, we see the following:

!! ROUTER IDENTIFICATION IN THE NETWORK VIA TYPE 10 LSA..

00:42:10: OSPF: IGP update router node 4.4.4.4 fragment 0 with 1 links
00:42:10: TE Router ID 4.4.4.4
00:42:10: Link connected to Point-to-Point network
00:42:10: Link ID : 1.1.1.1
00:42:10: Interface Address : 1.1.14.4
00:42:10: Neighbor Address : 1.1.14.1
00:42:10: Admin Metric te: 64 igp: 64
00:42:10: Maximum bandwidth : 193000
00:42:10: Maximum reservable bandwidth : 0
00:42:10: Number of Priority : 8
00:42:10: Priority 0 : 0 Priority 1 : 0
00:42:10: Priority 2 : 0 Priority 3 : 0
00:42:10: Priority 4 : 0 Priority 5 : 0
00:42:10: Priority 6 : 0 Priority 7 : 0
00:42:10: Affinity Bit : 0x0

The MPLS TE process has to be enabled on every router that you want to participate in MPLS TE. This does not have to be every router in the network; typically it is some or all of the routers in the core.

It is configured on the router with the command *mpls traffic-eng tunnels*, globally as well as on each interface the TE tunnel may pass through.

It is recommended not to enable it on customer-facing interfaces; if you want to run MPLS TE on a box with customers connected, only enable TE on the interfaces connecting to your own network.

One property of MPLS Traffic Engineering is being able to control where the tunnels cross; among many mechanisms, one of them is the attribute flags. This flag is 32 bits wide and is configured on the interface:

R1(config-if)#mpls traffic-eng attribute-flags ?
<0x0-0xFFFFFFFF> Attribute flags 0xFFFFFFFF == 11111111111111111111111111111111


You can configure the attribute values however you see fit; for example, you can decide that a particular attribute means a satellite interface, or a low-delay link.

For example:

Suppose we want to bring up an MPLS TE tunnel between R1 and R3, following the path built by attributes 0x2. In this case the tunnel configuration on R1 would be:

[Image: mpls4.jpg]

Configuration on R1:

interface Tunnel0
ip unnumbered Loopback0
tunnel destination 3.3.3.3
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng priority 5 5
tunnel mpls traffic-eng affinity 0x0 mask 0x2
tunnel mpls traffic-eng path-option 10 dynamic

More on this soon.
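An added example (not from the post) of the affinity check that the tunnel configuration above relies on: a link is usable by a tunnel when, for every bit set in the mask, the link's attribute flags equal the tunnel's affinity bits, i.e. (flags & mask) == (affinity & mask). The four-router topology and its attribute flags are constructed for the example, and the path search is a hop-count BFS over the links that pass the check, not the real CSPF.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed topology: (router_a, router_b, attribute_flags), the flags being
# what "mpls traffic-eng attribute-flags" set on the link's interfaces.
# Bit 0x2 is assumed here to mark a satellite link, as the text suggests.
LINKS: List[Tuple[str, str, int]] = [
    ("R1", "R2", 0x0),
    ("R2", "R3", 0x0),
    ("R1", "R4", 0x2),
    ("R4", "R3", 0x2),
]


def link_acceptable(flags: int, affinity: int, mask: int) -> bool:
    """Affinity rule: the bits selected by the mask must match exactly."""
    return (flags & mask) == (affinity & mask)


def acceptable_links(links, affinity: int, mask: int):
    """Links that survive the affinity filter, i.e. the pruned TE topology."""
    return [(a, b, f) for a, b, f in links if link_acceptable(f, affinity, mask)]


def cspf_path(links, src: str, dst: str, affinity: int = 0x0,
              mask: int = 0xFFFFFFFF) -> Optional[List[str]]:
    """Fewest-hop path over the pruned topology (BFS); None if no path exists."""
    adj: Dict[str, List[str]] = {}
    for a, b, _ in acceptable_links(links, affinity, mask):
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path: List[str] = []
            cur: Optional[str] = node
            while cur is not None:  # walk the predecessor chain back to src
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    # The post's "affinity 0x0 mask 0x2": links with bit 0x2 set are avoided.
    print(cspf_path(LINKS, "R1", "R3", affinity=0x0, mask=0x2))
    # Requiring bit 0x2 instead would be "affinity 0x2 mask 0x2".
    print(cspf_path(LINKS, "R1", "R3", affinity=0x2, mask=0x2))
```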


BPDU Guard and Filter

“Use the spanning-tree portfast global configuration command to globally enable bridge protocol data unit (BPDU) filtering on Port Fast-enabled interfaces, the BPDU guard feature on Port Fast-enabled interfaces, or the Port Fast feature on all nontrunking interfaces”

interface FastEthernet0/1
switchport access vlan 12
switchport mode access
switchport nonegotiate
spanning-tree portfast

At the device attached to that portfast-enabled port, a router in this case:

interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
duplex auto
speed auto

Sw1#show spann int f0/1 deta
Port 3 (FastEthernet0/1) of VLAN0012 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.3.
Designated root has priority 32780, address 0019.067e.e200
Designated bridge has priority 32780, address 0019.067e.e200
Designated port id is 128.3, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
BPDU: sent 91864, received 0

Sw1#show spann int f0/1 deta | in BPDU
BPDU: sent 91866, received 0

So no BPDUs were received; let's change this a little bit at the router.

R1(config)#bridge 1 protocol ieee
R1(config)#int f0/0
R1(config-if)#bridge-group 1

Now at the switch we receive BPDUs:

Sw1#show spann int f0/1 deta | in BPDU
BPDU: sent 91909, received 12

Let's look at the command to globally enable bridge protocol data unit (BPDU) filtering on Port Fast-enabled interfaces:

Sw1(config)#spanning-tree portfast ?
bpdufilter  Enable portfast bdpu filter on this switch
bpduguard   Enable portfast bpdu guard on this switch
default     Enable portfast by default on all access ports

The BPDU filtering feature prevents the switch interface from sending or receiving BPDUs.

The BPDU guard feature puts Port Fast-enabled interfaces that receive BPDUs in an error-disabled state.

The switch has sent and received BPDUs as expected:

Sw1#show spann int f0/1 deta
Port 3 (FastEthernet0/1) of VLAN0012 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.3.
Designated root has priority 32768, address 0015.622f.5e98
Designated bridge has priority 32768, address 0015.622f.5e98
Designated port id is 128.4, designated path cost 0
Timers: message age 2, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
!Here
BPDU: sent 91909, received 81

Let's then configure bpduguard default globally.

I am shutting down the interface at the router, just to get a syslog message from the switch when it receives a BPDU.

Sw1(config)#spanning-tree portfast bpduguard default

This command globally enables BPDU guard on all Port Fast interfaces and places the interfaces that receive BPDUs in an error-disabled state.

Sw1(config)#default int f0/1
Interface FastEthernet0/1 set to default configuration
Sw1(config)#int f0/1
Sw1(config-if)#sw host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled

Sw1(config-if)#do show run int f0/1
Building configuration...
Current configuration : 81 bytes
!
interface FastEthernet0/1
switchport mode access
spanning-tree portfast
end

Now if we turn the interface at the router back on

R1(config-if)#no sh
R1(config-if)#

As soon as the switch receives a BPDU, the interface will be blocked in the error-disabled state.

%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 with BPDU
Guard enabled.Disabling port.

The port will now be in err-disable

Sw1(config-if)#do show int f0/1 | in err-di
FastEthernet0/1 is down, line protocol is down (err-disabled)

To return it to operational mode, we can shut down the port in the err-disabled state and turn it back on, or we can use Sw1(config)#errdisable recovery cause bpduguard.

Let's do another test on another port configured as portfast: f0/2 on Sw1, connected to R2.

Sw1(config)#do show spann int f0/2 de
Port 4 (FastEthernet0/2) of VLAN0012 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.4.
Designated root has priority 32780, address 0019.067e.e200
Designated bridge has priority 32780, address 0019.067e.e200
Designated port id is 128.4, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
!
Bpdu guard is enabled by default
!
BPDU: sent 92589, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92591, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92591, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92592, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92592, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92593, received 0
Sw1(config)#

The switch is sending BPDUs out that interface (f0/2), which has just a host (end station) connected; we are not receiving, and are not supposed to receive, BPDUs from hosts in the network.

Now the bpdufilter default option is used to globally enable BPDU filtering on all Port Fast-enabled interfaces; this prevents the switch interfaces connected to end stations from sending or receiving BPDUs.

Sw1(config)#spanning-tree portfast bpdufilter default

No BPDUs are now sent out from interfaces configured with portfast:

Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92624, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92624, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92624, received 0
Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92624, received 0
Sw1(config)#!1seg
Sw1(config)#!2seg
Sw1(config)#!3Seg
Sw1(config)#do show spann int f0/2 de | in BPDU
BPDU: sent 92624, received 0

The spanning-tree portfast bpdufilter global configuration command enables BPDU filtering on interfaces that are Port Fast-enabled (the interfaces are in a Port Fast-operational state).

The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs.

You should globally enable BPDU filtering on a switch so that hosts connected to switch interfaces do not receive BPDUs.

If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status and BPDU filtering is disabled.

You can override the spanning-tree portfast bpdufilter default global configuration command by using the spanning-tree bpdufilter interface configuration command.

Sw1(config)#no spanning-tree portfast bpduguard default
Sw1(config)#do show span int f0/2
Vlan             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001         Desg FWD 19        128.4    Edge P2p

Sw1(config)#do show span int f0/2 de
Port 4 (FastEthernet0/2) of VLAN0001 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.4.
Designated root has priority 32769, address 0019.067e.e200
Designated bridge has priority 32769, address 0019.067e.e200
Designated port id is 128.4, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode   ---- LOOK HERE
Link type is point-to-point by default
Bpdu filter is enabled ---- LOOK HERE
BPDU: sent 11, received 0
Sw1(config)#do show span int f0/2 de | in BPDU
BPDU: sent 11, received 0
Sw1(config)#do show span int f0/2 de | in BPDU
BPDU: sent 11, received 0
Sw1(config)#

The switch is configured for portfast on that port ("The port is in the portfast mode") and shows sent 11, received 0: no BPDUs are being sent and no BPDUs are received on the port. Let's test this by sending a BPDU from a router directly attached to port f0/2, which was enabled for Port Fast.

R2(config-if)#bridge-group 1

[Sw1 … ]

Sw1(config)#do show span int f0/2 de | in BPDU
BPDU: sent 11, received 2

Sw1(config)#do show span int f0/2 de
Port 4 (FastEthernet0/2) of VLAN0001 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.4.
Designated root has priority 32768, address 0015.2bad.62d0
Designated bridge has priority 32768, address 0015.2bad.62d0
Designated port id is 128.4, designated path cost 0
Timers: message age 1, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
BPDU: sent 11, received 4
Sw1(config)#

We can see now that with this interface configuration command, if a BPDU is received, the port loses its portfast capabilities.
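As an added example (not from the post), a small Python checker that reads the show spanning-tree interface detail text used throughout this post and the %SPANTREE-2-BLOCK_BPDUGUARD syslog line, and reports portfast ports that have received BPDUs, portfast ports without BPDU guard, and ports the guard has already disabled. The sample output and log lines are constructed in the format shown above; the f0/2 sample combines bpdufilter with received BPDUs to exercise both findings.

```python
import re
from typing import Dict, List

# Constructed sample in the format of "show spanning-tree interface <x> detail"
# as printed by Sw1 above (two ports concatenated).
SAMPLE_DETAIL = """\
Port 3 (FastEthernet0/1) of VLAN0012 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.3.
The port is in the portfast mode
Link type is point-to-point by default
Bpdu guard is enabled by default
BPDU: sent 92593, received 0
Port 4 (FastEthernet0/2) of VLAN0001 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.4.
The port is in the portfast mode
Link type is point-to-point by default
Bpdu filter is enabled
BPDU: sent 11, received 2
"""

# Constructed syslog lines in the format the switch printed above.
SAMPLE_SYSLOG = [
    "%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/1 "
    "with BPDU Guard enabled. Disabling port.",
    "%SYS-5-CONFIG_I: Configured from console by console",
]

PORT_RE = re.compile(r"^Port \d+ \((\S+)\) of (\S+) is (\w+)")
BPDU_RE = re.compile(r"^BPDU: sent (\d+), received (\d+)")
GUARD_RE = re.compile(
    r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (\S+) with BPDU Guard")


def parse_stp_detail(text: str) -> Dict[str, dict]:
    """Per-port portfast/guard/filter flags and BPDU counters from the detail output."""
    ports: Dict[str, dict] = {}
    cur = None
    for line in text.splitlines():
        line = line.strip()
        m = PORT_RE.match(line)
        if m:  # a new port block starts here
            cur = {"vlan": m.group(2), "state": m.group(3), "portfast": False,
                   "bpduguard": False, "bpdufilter": False, "sent": 0, "received": 0}
            ports[m.group(1)] = cur
            continue
        if cur is None:
            continue
        if line.startswith("The port is in the portfast mode"):
            cur["portfast"] = True
        elif line.startswith("Bpdu guard is enabled"):
            cur["bpduguard"] = True
        elif line.startswith("Bpdu filter is enabled"):
            cur["bpdufilter"] = True
        else:
            m = BPDU_RE.match(line)
            if m:
                cur["sent"], cur["received"] = int(m.group(1)), int(m.group(2))
    return ports


def edge_port_findings(ports: Dict[str, dict]) -> List[str]:
    """Things a reviewer would want to know about portfast (edge) ports."""
    findings = []
    for name, p in ports.items():
        if not p["portfast"]:
            continue
        if p["received"] > 0:
            findings.append(f"{name}: portfast port received {p['received']} BPDUs; "
                            "a bridge is attached where only a host is expected")
        if not p["bpduguard"]:
            findings.append(f"{name}: portfast port without BPDU guard; "
                            "a received BPDU will not err-disable it")
    return findings


def guard_events(lines: List[str]) -> List[str]:
    """Ports that BPDU guard has disabled, taken from syslog lines."""
    return [m.group(1) for m in (GUARD_RE.search(l) for l in lines) if m]


if __name__ == "__main__":
    for f in edge_port_findings(parse_stp_detail(SAMPLE_DETAIL)):
        print(f)
    print("err-disabled by BPDU guard:", guard_events(SAMPLE_SYSLOG))
```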


Cisco Private Vlans

What is a private VLAN?

Well, it is composed as follows:

Primary VLAN: acts like the normal VLAN that we are used to.

Secondary VLAN: defines basic rules for the ports that are associated with it. The mapping between the ‘primary VLAN’ and the ‘secondary VLAN’ is what a ‘PVLAN’ is.

Types of ports:

Promiscuous: forwards primary and secondary VLAN traffic.

Isolated: can only communicate with promiscuous ports that are mapped to the secondary VLAN.

Community: can communicate with any other ports in the same secondary VLAN. They can also communicate with promiscuous ports mapped to the secondary VLAN.

More information at Cisco

So, having this configuration as the baseline:

R1 — R2 — R3 connected to Sw1

Let's assume that R1, R3 and R4 are just hosts in the network.

Show cdp neighbors from Sw1 to give a clear picture of the topology, just in case it gets messed up:

NLISw1#show cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R4               Fas 0/4           152        R S I       2811      Fas 0/0
R3               Fas 0/3           145        R S I       2811      Fas 0/0
R1               Fas 0/1           74         R S I       2811      Fas 0/0
NLISw1#

So we have basic reachability in this network; every host is in the same VLAN:

R3(config)#exit
R3#ping 10.10.255.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.1, timeout is 2 seconds:

*Jun 2 10:01:46.031: %SYS-5-CONFIG_I: Configured from console by console.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R3#
R3#
R3#
R3#ping 10.10.255.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R3#

Now, what happens if you are hosting those "R3 & R4" for a customer in that particular addressing (a public one) and you need to provide isolation between these 2 devices..
Remember the addressing recommendation per VLAN; well, you will then need to use new addressing, so in the end private VLANs can also be included into CIDR and NAT considerations, lol 😀
Something I have been digging into about the relationship between protected ports and private VLANs is that trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs, which I consider is the difference with protected ports ("NLISw1(config-if)#switchport protected").

The cookbook list from the link above:

Step 1: Set VTP mode to transparent
Switch(config)# vtp mode transparent

Scalability: The switch supports up to 1005 active VLANs. If a service provider assigns one VLAN per customer, this limits the numbers of customers the service provider can support.

NLISw1(config)#vlan 3000
NLISw1(config-vlan)#exit
% Failed to create VLANs 3000
Extended VLAN(s) not allowed in current VTP mode.
%Failed to commit extended VLAN(s) changes.

NLISw1(config)#
00:05:49: %SW_VLAN-4-VLAN_CREATE_FAIL: Failed to create VLANs 3000: extended VLAN(s) not allowed in current VTP mode

More about this at, so that is what I think is the main reason: the way the VLAN default configuration works and the extended system ID in the current VTP mode.

Anyway, the switch is decent enough to tell you that:

NLISw1(config-vlan)#private-vlan isolated
%Private VLANs can only be configured when VTP is in transparent mode.

Basic command:
NLISw1(config)#vlan 20
NLISw1(config-vlan)#private-vlan ?
association Configure association between private VLANs
community Configure the VLAN as a community private VLAN
isolated Configure the VLAN as an isolated private VLAN
primary Configure the VLAN as a primary private VLAN

Step 2:

Taking part of the main configuration you can find in search engines:

!!!Create the secondary VLANs
!!!Switch(config)# vlan 10
!!!Switch(config-vlan)# private-vlan community
!!!Switch(config-vlan)# vlan 20
!!!Switch(config-vlan)# private-vlan isolated

Step 3:
!!!Create the primary VLAN and associate the secondary VLANs
!!!Switch(config)# vlan 100
!!!Switch(config-vlan)# private-vlan primary
!!!Switch(config-vlan)# private-vlan association 10,20

So the configuration on the switch:

NLISw1(config-if)#vlan 100
NLISw1(config-vlan)#priva pri
NLISw1(config-vlan)#pri as 10,20
NLISw1(config-vlan)#exit

To associate the ports, these are the configuration commands:

NLISw1(config-if)#switchport private-vlan host-association ?
<1006-4094> Primary extended range VLAN ID of the private VLAN host port
association
<2-1001> Primary normal range VLAN ID of the private VLAN port
association

NLISw1(config-if)#switchport private-vlan host-association 100 ?
<1006-4094> Secondary extended range VLAN ID of the private VLAN host port
association
<2-1001> Secondary normal range VLAN ID of the private VLAN host port
association

So the commands are:

NLISw1(config-if)#int f0/3
NLISw1(config-if)#switchport private-vlan host-association 100 20
NLISw1(config-if)#int f0/4
NLISw1(config-if)#switchport private-vlan host-association 100 10

!!!Configure the promiscuous port
!!!Switch(config)# interface fastethernet 2/1
!!!Switch(config-if)# switchport mode private-vlan promiscuous
!!!Switch(config-if)# switchport private-vlan mapping 100 10,20

NLISw1(config-if)#switchport private-vlan mapping ?
<1006-4094> Primary extended range VLAN ID of the private VLAN promiscuous
port mapping
<2-1001> Primary normal range VLAN ID of the private VLAN promiscuous
port mapping

NLISw1(config-if)#interface F0/1
NLISw1(config-if)#switchport private-vlan mapping 100 add 10,20

NLISw1(config-if)#do show vlan private

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     10        community         Fa0/1
100     20        isolated          Fa0/1, Fa0/3

NLISw1(config-if)#int range f0/3 - 4
NLISw1(config-if-range)#switchport private-vlan host-association 100 10
NLISw1(config-if-range)#
rack10>4
[Resuming connection 4 to R4 … ]

R4#ping 10.10.255.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R4#
R4#ping 10.10.255.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R4#

interface FastEthernet0/3
switchport private-vlan host-association 100 10
switchport mode private-vlan host
end

NLISw1(config-if-range)#do show run int f0/4
Building configuration…

Current configuration : 117 bytes
!
interface FastEthernet0/4
switchport private-vlan host-association 100 10
switchport mode private-vlan host
end

NLISw1(config-if-range)#do show vlan priva

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     10        community         Fa0/1, Fa0/3, Fa0/4
100     20        isolated          Fa0/1

NLISw1(config-if-range)#

Now,

NLISw1(config-if)#interface FastEthernet0/3
NLISw1(config-if)# switchport private-vlan host-association 100 20
NLISw1(config-if)#do show run int f0/3
Building configuration…

Current configuration : 117 bytes
!
interface FastEthernet0/3
switchport private-vlan host-association 100 20
switchport mode private-vlan host
end

NLISw1(config-if)#do show vlan priva

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     10        community         Fa0/1, Fa0/4
100     20        isolated          Fa0/1, Fa0/3

So from R3 now:

R3#ping 10.10.255.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3#ping 10.10.255.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R3#ping 10.10.255.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#

So up to here VLAN 10 is a community VLAN and VLAN 20 is an isolated VLAN; we have them assigned to port f0/3 as isolated and f0/4 as community, and port f0/1 is configured as a promiscuous port. If you want to make the comparison with a data center, you can think of R3 as a host from Customer A and R4 as a host from Customer B; R1 would then be the gateway for that POP.
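An added example (not from the post) that models the private-VLAN forwarding rules described here and checks them against the final port assignment of this lab (f0/1 promiscuous mapped to 10 and 20, f0/3 in isolated VLAN 20, f0/4 in community VLAN 10), then renders the matching IOS interface commands. Port names and VLAN numbers are the ones used above; the model itself is an assumption of the post's three rules, not switch code.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                               # "host" or "promiscuous"
    primary: int
    secondary: Optional[int] = None         # host ports: their one secondary VLAN
    mapping: FrozenSet[int] = frozenset()   # promiscuous ports: mapped secondaries


# Secondary VLAN types, as created with "private-vlan isolated|community" above.
SECONDARY_TYPE: Dict[int, str] = {10: "community", 20: "isolated"}


def can_forward(src: Port, dst: Port, types: Dict[int, str]) -> bool:
    """True if a frame entering on src may be delivered out of dst."""
    if src is dst or src.primary != dst.primary:
        return False
    if src.mode == "promiscuous" and dst.mode == "promiscuous":
        return True                           # both see the whole primary VLAN
    if src.mode == "promiscuous":
        return dst.secondary in src.mapping   # promiscuous -> host via mapping
    if dst.mode == "promiscuous":
        return src.secondary in dst.mapping   # host -> promiscuous via mapping
    # host -> host: only inside one community VLAN; isolated never reaches isolated
    return (src.secondary == dst.secondary
            and types.get(src.secondary) == "community")


def reachability(ports: List[Port], types: Dict[int, str]) -> Dict[str, List[str]]:
    """For each port, the list of ports it can reach (what a ping would show)."""
    return {p.name: [q.name for q in ports if can_forward(p, q, types)]
            for p in ports}


def ios_config(p: Port) -> List[str]:
    """Interface commands in the form used in this post."""
    lines = [f"interface {p.name}"]
    if p.mode == "host":
        lines += [" switchport mode private-vlan host",
                  f" switchport private-vlan host-association {p.primary} {p.secondary}"]
    else:
        sec = ",".join(str(v) for v in sorted(p.mapping))
        lines += [" switchport mode private-vlan promiscuous",
                  f" switchport private-vlan mapping {p.primary} {sec}"]
    return lines


# Final state of the lab above: R1 on f0/1 (gateway), R3 on f0/3, R4 on f0/4.
LAB_PORTS = [
    Port("FastEthernet0/1", "promiscuous", 100, mapping=frozenset({10, 20})),
    Port("FastEthernet0/3", "host", 100, secondary=20),   # Customer A, isolated
    Port("FastEthernet0/4", "host", 100, secondary=10),   # Customer B, community
]

if __name__ == "__main__":
    for name, reach in reachability(LAB_PORTS, SECONDARY_TYPE).items():
        print(f"{name} -> {reach}")
    for p in LAB_PORTS:
        print("\n".join(ios_config(p)))
```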
