Cisco Private Vlan
Published 2011-09-07 (modified 2023-11-07), https://systw.net/note/archives/878

Private VLANs (PVLAN)
Hosts associated with a secondary VLAN can communicate with ports on the primary VLAN, but not with hosts in another secondary VLAN.

A secondary VLAN is configured as one of the following types:
Isolated VLAN:
hosts in the same isolated VLAN cannot reach each other
Community VLAN:
hosts in the same community VLAN can reach each other
Note:
a Layer 2 device can use protected ports to achieve the same effect as an isolated VLAN

1. All secondary VLANs must be associated with one primary VLAN to set up the unidirectional relationship.
2. VTP does not pass any information about the private VLAN configuration. Therefore, private VLANs are only locally significant to a switch.
   Note: VTP must be set to transparent mode before a private VLAN can be created.
3. Each of the private VLANs must be configured locally on each switch that interconnects them.

Define the port with one of the following modes:
Promiscuous port:
the rules of private VLANs are ignored
When to use: connects to a router, firewall, or other common gateway device
Function: can communicate with anything else connected to the primary or any secondary VLAN
Host port:
When to use: connects to a regular host that resides on an isolated or community VLAN
Function: the port communicates only with:
  1. a promiscuous port
  2. ports on the same community VLAN

Note:
Private VLAN caveats
disable VTP
Port Security is not supported
SPAN ports are not supported

…

1. Define the primary and secondary VLANs
1-1 define any secondary VLANs
Switch(config)# vlan vlan-id
Switch(config-vlan)# private-vlan <isolated | community>
1-2 define the primary VLAN
Switch(config)# vlan vlan-id
Switch(config-vlan)# private-vlan primary
The primary private VLAN carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN.
Switch(config-vlan)# private-vlan association [add | remove] <secondary-vlan-list>
<secondary-vlan-list>: associates the primary VLAN with all of its component secondary VLANs using the association keyword
Note:
These VLAN configuration commands set up only the mechanisms for unidirectional connectivity from the secondary VLANs to the primary VLAN.

…

2. When the gateway is on an upstream switch, assign the private VLAN on the port
2-1 associate host mode ports with primary and secondary VLANs
(config-if)# switchport mode private-vlan host
(config-if)# switchport private-vlan host-association <primary-vlan-id> <secondary-vlan-id>
Note:
only the private VLANs themselves have been configured until now. The switch port must know how to interact with the various VLANs.
2-2 map promiscuous mode ports to primary and secondary VLANs
(config-if)# switchport mode private-vlan promiscuous
(config-if)# switchport private-vlan mapping <primary-vlan-id> <[add | remove] secondary-vlan-list>
Note:
promiscuous ports, which can communicate with any other private VLAN device, are mapped, whereas secondary VLAN (host) ports are associated.
One (the promiscuous mode port) exhibits bidirectional behavior, whereas the other (secondary VLAN ports) exhibits unidirectional or logical behavior.

Example:
1-1
sw(config)# vlan 10
sw(config-vlan)# private-vlan community
sw(config)# vlan 20
sw(config-vlan)# private-vlan community
sw(config)# vlan 30
sw(config-vlan)# private-vlan isolated
1-2
sw(config)# vlan 100
sw(config-vlan)# private-vlan primary
sw(config-vlan)# private-vlan association 10,20,30
sw(config-vlan)# exit
2-1
sw(config)# interface range fastethernet 1/1 - 1/2
sw(config-if)# switchport mode private-vlan host
sw(config-if)# switchport private-vlan host-association 100 10
sw(config)# interface range fastethernet 1/4 - 1/5
sw(config-if)# switchport mode private-vlan host
sw(config-if)# switchport private-vlan host-association 100 20
sw(config)# interface fastethernet 1/3
sw(config-if)# switchport mode private-vlan host
sw(config-if)# switchport private-vlan host-association 100 30
2-2
sw(config)# interface fastethernet 2/1
sw(config-if)# switchport mode private-vlan promiscuous
sw(config-if)# switchport private-vlan mapping 100 10,20,30

3. When the gateway is the local switch, assign the private VLAN on the SVI
SVI configured with Layer 3 addresses:
add a private VLAN mapping to the primary SVI
(config)# interface vlan <primary-vlan-id>
(config-if)# private-vlan mapping <[add | remove] secondary-vlan-list>

Example:
1, 2
continuing the previous example
3
gw(config)# interface vlan 100
gw(config-if)# ip address 192.168.199.1 255.255.255.0
gw(config-if)# private-vlan mapping 10,20,30