Wednesday 1 April 2015

Private VLAN


  1. Promiscuous— A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
  2. Isolated— An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.
  3. Community— Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or from isolated ports within their PVLAN.
Example

! If not running VTPv3, a switch must be put into VTP Transparent mode before
! configuring Private VLANs
AccessSw(config)# vtp mode transparent
Setting device to VTP Transparent mode for VLANS.
! One isolated secondary VLAN and three community secondary VLANs will now be
! created. Afterwards, they will be associated with the primary VLAN 100.
AccessSw(config)# vlan 199
AccessSw(config-vlan)# name Isolated
AccessSw(config-vlan)# private-vlan isolated
AccessSw(config-vlan)# vlan 101
AccessSw(config-vlan)# name Community1
AccessSw(config-vlan)# private-vlan community
AccessSw(config-vlan)# vlan 102
AccessSw(config-vlan)# name Community2
AccessSw(config-vlan)# private-vlan community
AccessSw(config-vlan)# vlan 103
AccessSw(config-vlan)# name Community3
AccessSw(config-vlan)# private-vlan community
AccessSw(config-vlan)# vlan 100
AccessSw(config-vlan)# name Primary1
AccessSw(config-vlan)# private-vlan primary
AccessSw(config-vlan)# private-vlan association 101-103,199
AccessSw(config-vlan)# exit
AccessSw(config)# do show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 101 community
100 102 community
100 103 community
100 199 isolated
! Now, ports will be assigned to these VLANs:
! Fa0/1 - 3: Secondary community VLAN 101
! Fa0/4 - 5: Secondary community VLAN 102
! Fa0/6 - 8: Secondary community VLAN 103
! Fa0/9 - 12: Secondary isolated VLAN 199
! Fa0/13: Promiscuous port in primary VLAN 100
! For brevity, only the configuration of Fa0/1 - 3 is shown, as all other ports
! in secondary VLANs, isolated or community, are configured in the same way.
! Afterwards, show vlan private-vlan is issued to verify the port assignment.
! As Fa0/13 is a promiscuous port, it will be shown in all associated secondary
! VLANs
AccessSw(config)# interface range fa0/1 - 3
AccessSw(config-if-range)# switchport mode private-vlan host
AccessSw(config-if-range)# switchport private-vlan host-association 100 101
AccessSw(config-if-range)# interface fa0/13
AccessSw(config-if)# switchport mode private-vlan promiscuous
AccessSw(config-if)# switchport private-vlan mapping 100 101-103,199
AccessSw(config-if)# do show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 101 community Fa0/1, Fa0/2, Fa0/3, Fa0/13
100 102 community Fa0/4, Fa0/5, Fa0/13
100 103 community Fa0/6, Fa0/7, Fa0/8, Fa0/13
100 199 isolated Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13
! If a SVI is used as a gateway for devices associated with the primary VLAN 100,
! it must also be configured as promiscuous
AccessSw(config-if)# interface Vlan100
AccessSw(config-if)# private-vlan mapping 101-103,199
AccessSw(config-if)# ip address 192.168.100.254 255.255.255.0
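To make the three port-type rules concrete, here is a small Python model (an added example, not part of the original post and not Cisco code) that encodes the promiscuous/isolated/community forwarding rules and applies them to the Fa0/1 - 13 assignment from the configuration above, so the expected reachability of each port can be checked before the design is deployed. The names `Port`, `can_forward` and `reachable_from` are the example's own.

```python
"""Layer 2 forwarding model of the Private VLAN configured above (constructed example)."""
from dataclasses import dataclass
from typing import Optional

ISOLATED = {199}             # secondary isolated VLAN from the config
COMMUNITY = {101, 102, 103}  # secondary community VLANs from the config


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                 # "host" or "promiscuous"
    secondary: Optional[int]  # secondary VLAN of a host port; None for promiscuous


def host(name: str, secondary: int) -> Port:
    return Port(name, "host", secondary)


# Fa0/1 - 13 exactly as assigned in the switch configuration above.
PORTS = (
    [host(f"Fa0/{i}", 101) for i in (1, 2, 3)]
    + [host(f"Fa0/{i}", 102) for i in (4, 5)]
    + [host(f"Fa0/{i}", 103) for i in (6, 7, 8)]
    + [host(f"Fa0/{i}", 199) for i in (9, 10, 11, 12)]
    + [Port("Fa0/13", "promiscuous", None)]
)


def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame received on src may be delivered out of dst."""
    if src == dst:
        return False
    if src.mode == "promiscuous" or dst.mode == "promiscuous":
        return True                        # promiscuous talks to every port
    if src.secondary != dst.secondary:
        return False                       # different secondary VLANs never mix
    if src.secondary in ISOLATED:
        return False                       # isolated hosts cannot reach each other
    return src.secondary in COMMUNITY      # same community: allowed


def reachable_from(name: str) -> list:
    """Names of the ports a frame from `name` can reach, in port order."""
    src = next(p for p in PORTS if p.name == name)
    return [p.name for p in PORTS if can_forward(src, p)]


def is_symmetric() -> bool:
    """Reachability must hold in both directions for every pair of ports."""
    return all(can_forward(a, b) == can_forward(b, a) for a in PORTS for b in PORTS)
```

Running `reachable_from("Fa0/9")` shows that an isolated host sees only the promiscuous port Fa0/13, which is the isolation the design relies on.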
