Which of the following statements is true regarding private VLANs? (Select the best answer.)
- Isolated ports can communicate only with other isolated ports in the same isolated VLAN.
- Only a single community VLAN can be associated with a primary VLAN.
- Community VLANs can send traffic to isolated ports but cannot receive traffic from them.
- Every port in a private VLAN is a member of the primary VLAN.
Explanation:
Every port in a private virtual LAN (VLAN) is a member of the primary VLAN. Private VLANs can be configured on a switch to help isolate traffic and provide Layer 2 separation between ports that belong to the same VLAN. Because the separation exists at Layer 2, the hosts can exist on the same IP subnet. The VLAN to which the hosts belong is called the primary VLAN. To create a private VLAN, you must create one or more secondary VLANs and associate the secondary VLANs with the primary VLAN. There are two types of secondary VLANs: community VLANs and isolated VLANs.
When configuring a port to participate in a private VLAN, you must configure the port by issuing the switchport mode private-vlan {promiscuous | host} command. The promiscuous keyword configures the port to communicate with any secondary VLAN. Consequently, devices that should be reachable from any secondary VLAN should be connected to promiscuous ports. For example, a router, a firewall, or a gateway that any host should be able to reach should be connected to a promiscuous port. By contrast, devices connected to isolated or community VLANs should be connected to host ports, which are configured by using the host keyword.
You can configure a primary VLAN by issuing the private-vlan primary command, and you can configure secondary VLANs by issuing the private-vlan {isolated | community} command. Devices connected to a community VLAN can communicate with other devices on the community VLAN as well as with the primary VLAN. However, no devices on the community VLAN can communicate with a device that is connected to an isolated port.
Ports that belong to an isolated VLAN can communicate only with promiscuous ports. Any traffic received from isolated ports is forwarded only to promiscuous ports; thus, isolated ports cannot communicate directly with each other.