6-6. Private VLANs
Configuring Private VLANs
Private VLANs provide a mechanism to control which devices can communicate within a single subnet. A private VLAN consists of one primary VLAN and one or more secondary VLANs of two types, isolated and community, that control how devices communicate. The secondary VLANs are associated with the primary VLAN, and host ports are assigned to the secondary VLANs. A port in an isolated VLAN cannot communicate with any device in the private VLAN other than a promiscuous port, not even with another port in the same isolated VLAN. Ports in a community VLAN can communicate with other ports in the same community and with the promiscuous port; ports in different communities cannot communicate with one another. The promiscuous port (typically the router or MSFC interface) can reach every secondary VLAN mapped to it, which is how all the hosts keep a common gateway while being kept apart at Layer 2. To configure private VLANs, use the following steps.
Configuring Private Edge VLANs
The 3500XL switch uses the concept of a protected port to allow for control of traffic on the switch. A protected port on a 3500XL will not forward traffic to another protected port on the same switch. This behavior is similar to an isolated VLAN in that protected ports cannot communicate with one another. Note that the restriction is local to the switch: a protected port still forwards normally to every non-protected port, including the trunk uplink, so two protected ports on different switches can still reach each other unless the upstream switch also enforces a private VLAN. Use the following command to configure a protected port.
Verifying Private VLAN Operation
After configuring private VLANs, use the following command to verify operation:
NOTE A number of guidelines and restrictions apply to private VLANs. For a complete list of these items, go to www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_7_2/confg_gd/vlans.htm#xtocid21.

Feature Example
Figure 6-5 shows the network diagram for a working private VLAN configuration example. In this example, the switch Access_1 is configured with ports 1 and 2 as protected ports, both in VLAN 10. The VLAN 10 server on Distribution_1 is also in VLAN 10. This allows the PCs to connect to the server but not to one another. Also on the distribution switch, private VLAN 90 has been created with a community VLAN 901 and an isolated VLAN 900. Server 2 on port 3/46 and Server 3 on port 3/48 are placed in the community VLAN, and the servers connected to ports 3/1 and 3/2 are placed in the isolated VLAN. Both secondary VLANs are mapped to the two promiscuous ports: port 1/2, which connects to the external router, and port 15/1, the MSFC, which provides interface VLAN 90 as the default gateway for the 10.10.90.0/24 subnet.

Figure 6-5. Network Diagram for Private VLAN Configuration

An example of the Catalyst OS configuration for Distribution_1 follows:

Distribution_1 (enable)>set vtp mode transparent
Distribution_1 (enable)>set vlan 90 pvlan-type primary
Distribution_1 (enable)>set vlan 900 pvlan-type isolated
Distribution_1 (enable)>set vlan 901 pvlan-type community
Distribution_1 (enable)>set pvlan 90 900
Distribution_1 (enable)>set pvlan 90 901
Distribution_1 (enable)>set pvlan 90 900 3/1-2
Distribution_1 (enable)>set pvlan 90 901 3/46,3/48
Distribution_1 (enable)>set pvlan mapping 90 900 1/2,15/1
Distribution_1 (enable)>set pvlan mapping 90 901 1/2,15/1
Distribution_1 (enable)>session 15
MSFC_Dist1>enable
MSFC_Dist1#config t
MSFC_Dist1(config)#interface vlan 90
MSFC_Dist1(config-if)#ip address 10.10.90.1 255.255.255.0
MSFC_Dist1(config-if)#no shut
MSFC_Dist1(config-if)#end
MSFC_Dist1#copy running-config startup-config

An example of the Supervisor IOS configuration for Distribution_1 follows. Note that the host and promiscuous bindings use switchport private-vlan (not switchport mode private-vlan, which only selects the port mode), and that the SVI mapping names only the secondary VLANs because the primary is implied by the interface:

Distribution_1#vlan database
Distribution_1(vlan)#vtp transparent
Distribution_1(vlan)#exit
Distribution_1#conf t
Distribution_1(config)#vlan 90
Distribution_1(config-vlan)#private-vlan primary
Distribution_1(config-vlan)#vlan 900
Distribution_1(config-vlan)#private-vlan isolated
Distribution_1(config-vlan)#vlan 901
Distribution_1(config-vlan)#private-vlan community
Distribution_1(config-vlan)#vlan 90
Distribution_1(config-vlan)#private-vlan association 900,901
Distribution_1(config-vlan)#interface range fastethernet 3/1 - 2
Distribution_1(config-if-range)#switchport
Distribution_1(config-if-range)#switchport mode private-vlan host
Distribution_1(config-if-range)#switchport private-vlan host-association 90 900
Distribution_1(config-if-range)#no shut
Distribution_1(config-if-range)#interface range fastethernet 3/46 , fastethernet 3/48
Distribution_1(config-if-range)#switchport
Distribution_1(config-if-range)#switchport mode private-vlan host
Distribution_1(config-if-range)#switchport private-vlan host-association 90 901
Distribution_1(config-if-range)#no shut
Distribution_1(config-if-range)#interface gigabitethernet 1/2
Distribution_1(config-if)#switchport
Distribution_1(config-if)#switchport mode private-vlan promiscuous
Distribution_1(config-if)#switchport private-vlan mapping 90 900,901
Distribution_1(config-if)#no shut
Distribution_1(config-if)#interface vlan 90
Distribution_1(config-if)#ip address 10.10.90.1 255.255.255.0
Distribution_1(config-if)#private-vlan mapping 900,901
Distribution_1(config-if)#no shut
Distribution_1(config-if)#end
Distribution_1#copy running-config startup-config

An example of the Layer 2 IOS configuration for Access_1 follows:

Access_1#config t
Access_1(config)#interface fastethernet 0/1
Access_1(config-if)#switchport access vlan 10
Access_1(config-if)#port protected
Access_1(config-if)#interface fastethernet 0/2
Access_1(config-if)#switchport access vlan 10
Access_1(config-if)#port protected
Access_1(config-if)#interface gigabitethernet 0/1
Access_1(config-if)#switchport trunk encapsulation dot1q
Access_1(config-if)#switchport mode trunk
Access_1(config-if)#end
Access_1#copy running-config startup-config
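The forwarding rules described under Configuring Private VLANs and the protected-port rule under Configuring Private Edge VLANs are easy to get wrong in a configuration review, so here is an added example (not code from the book or from Cisco) that models them. It parses a constructed running-config fragment written to mirror the Distribution_1 Supervisor IOS example, checks that every host and promiscuous port is bound to VLANs that really form an associated primary/secondary pair, and then computes which ports can exchange frames under the isolated, community and promiscuous rules; a second constructed fragment adds a host port bound to an unassociated secondary VLAN to show the check firing. The function names (`parse_pvlan_config`, `validate`, `can_forward`, `reachable_pairs`, `protected_can_forward`) are hypothetical.

```python
"""Model of private-VLAN forwarding rules checked against an IOS-style config.

Added example, not from the book. The config fragments are constructed to
mirror the Distribution_1 feature example; all function names are hypothetical.
"""
import re
from itertools import combinations

# Constructed fragment (assumption: running-config form of the Distribution_1 example).
CONFIG = """
vlan 90
 private-vlan primary
 private-vlan association 900,901
vlan 900
 private-vlan isolated
vlan 901
 private-vlan community
interface FastEthernet3/1
 switchport mode private-vlan host
 switchport private-vlan host-association 90 900
interface FastEthernet3/2
 switchport mode private-vlan host
 switchport private-vlan host-association 90 900
interface FastEthernet3/46
 switchport mode private-vlan host
 switchport private-vlan host-association 90 901
interface FastEthernet3/48
 switchport mode private-vlan host
 switchport private-vlan host-association 90 901
interface GigabitEthernet1/2
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 90 900,901
"""

# Constructed misconfiguration: a host port bound to a secondary VLAN (902)
# that was never associated with primary VLAN 90.
BAD_CONFIG = CONFIG + """
interface FastEthernet3/3
 switchport mode private-vlan host
 switchport private-vlan host-association 90 902
"""


def parse_pvlan_config(text):
    """Return (vlan_type, associations, ports) from an IOS-style fragment."""
    vlan_type, assoc, ports = {}, {}, {}
    cur_vlan = cur_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"vlan (\d+)$", line):
            cur_vlan, cur_if = int(m.group(1)), None
        elif m := re.match(r"interface (\S+)$", line):
            cur_if, cur_vlan = m.group(1), None
            ports[cur_if] = {}
        elif cur_vlan is not None:
            if m := re.match(r"private-vlan (primary|isolated|community)$", line):
                vlan_type[cur_vlan] = m.group(1)
            elif m := re.match(r"private-vlan association ([\d,]+)$", line):
                assoc[cur_vlan] = {int(v) for v in m.group(1).split(",")}
        elif cur_if is not None:
            if m := re.match(r"switchport mode private-vlan (host|promiscuous)$", line):
                ports[cur_if]["mode"] = m.group(1)
            elif m := re.match(r"switchport private-vlan (host-association|mapping) (\d+) ([\d,]+)$", line):
                ports[cur_if]["primary"] = int(m.group(2))
                ports[cur_if]["secondary"] = {int(v) for v in m.group(3).split(",")}
    return vlan_type, assoc, ports


def validate(vlan_type, assoc, ports):
    """List ports whose VLAN bindings are not a proper primary/secondary pair."""
    problems = []
    for name, p in sorted(ports.items()):
        prim = p.get("primary")
        if vlan_type.get(prim) != "primary":
            problems.append(f"{name}: VLAN {prim} is not a primary private VLAN")
            continue
        for sec in sorted(p.get("secondary", ())):
            if sec not in assoc.get(prim, set()) or vlan_type.get(sec) not in ("isolated", "community"):
                problems.append(f"{name}: VLAN {sec} is not a secondary VLAN associated with {prim}")
    return problems


def can_forward(ports, vlan_type, a, b):
    """Apply the private-VLAN rules to a pair of ports on the same switch."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False                                   # different primaries never talk
    if pa["mode"] == "promiscuous" and pb["mode"] == "promiscuous":
        return True                                    # promiscuous ports see the whole primary
    if "promiscuous" in (pa["mode"], pb["mode"]):
        prom, host = (pa, pb) if pa["mode"] == "promiscuous" else (pb, pa)
        return bool(host["secondary"] & prom["secondary"])  # only secondaries mapped to it
    (sa,), (sb,) = pa["secondary"], pb["secondary"]
    # host to host: only members of the same community; isolated ports never
    return sa == sb and vlan_type[sa] == "community"


def reachable_pairs(ports, vlan_type):
    """All unordered port pairs that can exchange frames, in name order."""
    return [(a, b) for a, b in combinations(sorted(ports), 2)
            if can_forward(ports, vlan_type, a, b)]


def protected_can_forward(a, b, protected):
    """3500XL rule: two protected ports on one switch never forward to each other."""
    return not (a in protected and b in protected)


if __name__ == "__main__":
    vt, assoc, ports = parse_pvlan_config(CONFIG)
    for problem in validate(vt, assoc, ports):
        print("CONFIG PROBLEM:", problem)
    for a, b in reachable_pairs(ports, vt):
        print(f"{a} <-> {b}")
```

Run against the constructed fragment, the only reachable pairs are the two community servers with each other and every host port with the promiscuous port, which is exactly the policy the figure describes; the two isolated ports reach neither each other nor the community. The `validate` pass matters in practice because a host port bound to an unassociated secondary VLAN does not fail loudly at configuration time, and the model makes the same mistake visible before it is deployed.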