Private VLANs (PVLAN)
Hosts associated with a secondary VLAN can communicate with ports on the primary VLAN , but not with another secondary VLAN.
A secondary VLAN is configured as one of the following types
Isolated vlan:
same isolated VLAN cannot reach each other
Community vlan:
same communicate VLAN can reach each other
ps
L2 device可用protect port達到同Isolated的功能
1
All secondary VLANs must be associated with one primary VLAN to set up the uni-directional relationship
2
VTP does not pass any information about the private VLAN configuration.
Therefore, private VLANs are only locally significant to a switch
ps:to configure VTP to transparent mode before a private VLAN be created
3
Each of the private VLANs must be configured locally on each switch that interconnects them
define the port with one of the following modes:
Promiscuous port:
the rules of private VLANs are ignored
使用時機:connects to a router, firewall, or other common gateway device
功能:can communicate with anything else connected to the primary or any secondary VLAN
host port:
使用時機:connects to a regular host that resides on an isolated or community VLAN
功能:The port communicates only with:
1. a promiscuous port
2. ports on the same community VLAN
ps:
Private VLAN注意事項
disable VTP
not support Port Security
not support SPAN port
…
1定義primary及secondary VLANs
1-1
defining any secondary VLANs
Switch(config)# vlan vlan-id
Switch(config-vlan)# private-vlan < isolated | community>
1-2
define the primary VLAN
(config)# vlan vlan-id
(config-vlan)# private-vlan primary
private-vlan primary carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN.
(config-vlan)# private-vlan association [add|remove] < secondary-vlan-list>
< secondary-vlan-list >: to associate the primary VLAN with all its component secondary VLANs using the association keyword
ps:
These VLAN configuration commands set up only the mechanisms for unidirectional connectivity from the secondary VLANs to the primary VLAN
…
當gw在上層switch時,分配private-vlan在port
2-1
associate host mode port with primary and secondary VLANs
(config-if)#switchport mode private-vlan host
(config-if)#switchport private-vlan host-association < primary-vlan-id> < secondary-vlan-id>
ps:
only the private VLANs themselves have been configured until now. The switch port must know how to interact with the various VLANs
2-2
map promiscuous mode ports to primary and secondary VLAN
(config-if)# switchport mode private-vlan promiscuous
(config-if)# switchport private-vlan mapping < primary-vlan-id > < [ add| remove] secondary-vlan-list>
ps:
that can communicate with any other private VLAN device, are mapped, whereas other secondary VLAN ports are associated.
One (promiscuous mode port) exhibits bidirectional behavior, whereas the other (secondary VLAN ports) exhibits unidirectional or logical behavior
ex:
1-1
sw(config)# vlan 10
sw(config-vlan)# private-vlan community
sw(config)# vlan 20
sw(config-vlan)# private-vlan community
sw(config)# vlan 30
sw(config-vlan)# private-vlan isolated
1-2
sw(config)# vlan 100
sw(config-vlan)# private-vlan primary
sw(config-vlan)# private-vlan association 10,20,30
sw(config-vlan)# exit
2-1
sw(config)# interface range fastethernet 1/1 – 1/2
sw(config-if)# switchport private-vlan host
sw(config-if)# switchport private-vlan host-association 100 10
sw(config)# interface range fastethernet 1/4 – 1/5
sw(config-if)# switchport private-vlan host
sw(config-if)# switchport private-vlan host-association 100 20
sw(config)# interface fastethernet 1/3
sw(config-if)# switchport private-vlan host
sw(config-if)# switchport private-vlan host-association 100 30
2-2
sw(config)# interface fastethernet 2/1
sw(config-if)# switchport mode private-vlan promiscuous
sw(config-if)# switchport private-vlan mapping 100 10,20,30
當gw為本機switch時,分配private-vlan在SVI
3
SVI configured with Layer 3 addresses
add a private VLAN mapping to the primary SVI
(config)#interface vlan < primary-vlan-id>
(config-if)# private-vlan mapping < [add|remove] secondary-vlan-list>
ex:
1,2
延續上個example
3
gw(config)# interface vlan 100
gw(config-if)# ip address 192.168.199.1 255.255.255.0
gw(config-if)# private-vlan mapping 10,20,30