Private VLAN configuration could be tricky:
A Private VLAN environment consist of a few VLANs:
- Primary VLAN
- Secondary VLAN
- Community VLAN
- Isolated VLAN
Every Secondary VLAN will be associated to a primary VLAN. Every primary VLAN can exist of multiple community VLANs but only 1 isolated VLAN.
Hosts in a community VLAN can layer 2 communicate within the community VLAN + promiscuous ports of the primary VLAN
Hosts in a isolated VLAN can layer 2 communicated only to promiscuous ports of the primary VLAN
Important to know is that a private VLAN environment shares the same IP subnet. All layer 3 configuration will be done on the primary VLAN.
The key-points for using a Private VLAN:
- Security (customer protection)
- less IP address usage (because of sharing the same IP subnet for the complete private VLAN including all secondary VLANs)
Configuration is as follows:
| |
Command
|
Purpose
|
| Step 1 |
configure terminal |
Enter global configuration mode. |
| Step 2 |
vtp mode transparent |
Set VTP mode to transparent (disable VTP). |
| Step 3 |
vlan vlan-id |
Enter VLAN configuration mode and designate or create a VLAN that will be the primary VLAN. The VLAN ID range is 2 to 1001 and 1006 to 4094. |
| Step 4 |
private-vlan primary |
Designate the VLAN as the primary VLAN. |
| Step 5 |
exit |
Return to global configuration mode. |
| Step 6 |
vlan vlan-id |
(Optional) Enter VLAN configuration mode and designate or create a VLAN that will be an isolated VLAN. The VLAN ID range is 2 to 1001 and 1006 to 4094. |
| Step 7 |
private-vlan isolated |
Designate the VLAN as an isolated VLAN. |
| Step 8 |
exit |
Return to global configuration mode. |
| Step 9 |
vlan vlan-id |
(Optional) Enter VLAN configuration mode and designate or create a VLAN that will be a community VLAN. The VLAN ID range is 2 to 1001 and 1006 to 4094. |
| Step 10 |
private-vlan community |
Designate the VLAN as a community VLAN. |
| Step 11 |
exit |
Return to global configuration mode. |
| Step 12 |
vlan vlan-id |
Enter VLAN configuration mode for the primary VLAN designated in Step 2. |
| Step 13 |
private-vlan association [add | remove] secondary_vlan_list |
Associate the secondary VLANs with the primary VLAN. |
| Step 14 |
end |
Return to privileged EXEC mode. |
| Step 15 |
show vlan private-vlan [type]orshow interfaces status |
Verify the configuration. |
| Step 16 |
copy running-config startup config |
Save your entries in the switch startup configuration file. To save the private-VLAN configuration, you need to save the VTP transparent mode configuration and private-VLAN configuration in the switch startup configuration file. Otherwise, if the switch resets, it defaults to VTP server mode, which does not support private VLANs. |
The host configuration in a seconday VLAN:
| |
Command
|
Purpose
|
| Step 1 |
configure terminal |
Enter global configuration mode. |
| Step 2 |
interface interface-id |
Enter interface configuration mode for the Layer 2 interface to be configured. |
| Step 3 |
switchport mode private-vlan host |
Configure the Layer 2 port as a private-VLAN host port. |
| Step 4 |
switchport private-vlan host-association primary_vlan_id secondary_vlan_id |
Associate the Layer 2 port with a private VLAN. |
| Step 5 |
end |
Return to privileged EXEC mode. |
| Step 6 |
show interfaces [interface-id] switchport |
Verify the configuration. |
| Step 7 |
copy running-config startup config |
(Optional) Save your entries in the switch startup configuration file. |
A promiscuous port configuration in the primary VLAN:
| |
Command
|
Purpose
|
| Step 1 |
configure terminal |
Enter global configuration mode. |
| Step 2 |
interface interface-id |
Enter interface configuration mode for the Layer 2 interface to be configured. |
| Step 3 |
switchport mode private-vlan promiscuous |
Configure the Layer 2 port as a private-VLAN promiscuous port. |
| Step 4 |
switchport private-vlan mapping primary_vlan_id {add | remove} secondary_vlan_list |
Map the private-VLAN promiscuous port to a primary VLAN and to selected secondary VLANs. |
| Step 5 |
end |
Return to privileged EXEC mode. |
| Step 6 |
show interfaces [interface-id] switchport |
Verify the configuration. |
| Step 7 |
copy running-config startup config |
Pingback: CCNP SWITCH Private-VLAN | hstevenhm
As marriage ceremony expenditures keep on to rise, couples are discovering other selections. The beach and the backyard marriage ceremony are incredibly well known these days. One particular item that brides-to-be refuse to compromise on, however, is the marriage ceremony dress. They devote in excess of one thousand dollars on marriage ceremony gowns, even if they concur to a additional informal ceremony.