SWITCH10S02L02.pptx

Configuring Private VLANs

Implementing VLANs in Campus NetworksConfiguring PVLANs

2009 Cisco Systems, Inc. All rights reserved.SWITCH v1.02-#

2009 Cisco Systems, Inc. All rights reserved.SWITCH v1.02-#1

Access Switch: Protected Port Protected ports can communicate only with unprotected ports.Protected ports are useful for access switches.Configures a protected or unprotected port.


About PVLANsA primary VLAN is divided into secondary VLANs.These VLANs are isolated or community VLANs.The host can communicate only with promiscuous ports.The host on community VLANs can communicate also within same community.PVLANs are not supported on Catalyst 2960 Switches.


PVLAN Port TypesIsolatedCommunicates with only promiscuous ports PromiscuousCommunicates with all other portsCommunity Communicates with the other members of community and all promiscuous ports


Isolated PVLAN ConfigurationSet VTP transparent.Create secondary VLANs.Create a primary VLAN.Associate the secondary and primary VLANs.Configure the port as host or promiscuous.Configure the private VLAN association on ports.Configure the VLAN mapping on an internal IP interface for VLAN.


Isolated PVLAN Configuration (1)Configure the private VLANs and VLAN association.

sw1(config)# vtp transparentsw1(config)# vlan 201sw1(config-vlan)# private-vlan isolated sw1(config)# vlan 100 sw1(config-vlan)# private-vlan primarysw1(config-vlan)# private-vlan association add 201sw2(config)# vtp transparentsw2(config)# vlan 201sw2(config-vlan)# private-vlan isolated sw2(config)# vlan 100 sw2(config-vlan)# private-vlan primarysw2(config-vlan)# private-vlan association add 201


Configure the PVLAN host port.Isolated PVLAN Configuration (2)sw2(config)# interface range fastethernet 0/1 - 2sw2(config-if)# switchport mode private-vlan host sw2(config-if)# switchport private-vlan host-association 100 201sw2# show interfaces fastethernet 0/1 switchport Name: Fa0/1 Switchport: Enabled Administrative Mode: private-vlan host Operational Mode: down Administrative Trunking Encapsulation: negotiate Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Administrative private-vlan host-association: 201 (VLAN0201) Administrative private-vlan mapping: none Operational private-vlan: none Trunking VLANs Enabled: ALL


Isolated PVLAN Configuration (3)sw2(config)# interface fastethernet 0/12 sw2(config-if)# switchport mode private-vlan promiscuous sw2(config-if)# switchport private-vlan mapping 100 201Sw2# show interfaces fastethernet 0/12 switchport Name: Fa0/12 Switchport: Enabled Administrative Mode: private-vlan promiscuous Operational Mode: down Administrative Trunking Encapsulation: negotiate Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Administrative private-vlan host-association: none ((Inactive)) Administrative private-vlan mapping: 100 (VLAN0100) 201 (VLAN0201) Operational private-vlan: none Trunking VLANs Enabled: ALLConfigure the private VLAN promiscuous port.


Isolated PVLAN Verificationsw# show vlan private-vlan type Vlan Type---- -----------------100 primary201 isolatedsw# show vlan private-vlan Primary Secondary Type Ports------- --------- ----------------- ---------------------------100 201 isolated fa0/1,fa0/2Display the configured private VLANs, VLAN types, and mappings.


Community PVLAN ConfigurationSet VTP transparent.Create secondary VLANs.Create a primary VLAN.Associate secondary and primary VLANs.Configure the port as host or promiscuous.Configure the private VLAN association on the ports.Configure a VLAN mapping on the internal IP interface for VLAN.


Community PVLAN Configuration (1)sw1(config)# vtp transparentsw1(config)# vlan 202sw1(config-vlan)# private-vlan community sw1(config)# vlan 100 sw1(config-vlan)# private-vlan primarysw1(config-vlan)# private-vlan association add 202sw2(config)# vtp transparentsw2(config)# vlan 202sw2(config-vlan)# private-vlan community sw2(config)# vlan 100 sw2(config-vlan)# private-vlan primarysw2(config-vlan)# private-vlan association add 202Configure private VLANs and VLAN association.


Community PVLAN Configuration (2)sw2(config)# interface range fastethernet 0/1 - 2sw2(config-if)# switchport mode private-vlan host sw2(config-if)# switchport private-vlan host-association 100 202sw2# show interfaces fastethernet 0/1 switchport Name: Fa0/1 Switchport: Enabled Administrative Mode: private-vlan host Operational Mode: down Administrative Trunking Encapsulation: negotiate Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Administrative private-vlan host-association: 202 (VLAN0202) Administrative private-vlan mapping: none Operational private-vlan: none Trunking VLANs Enabled: ALLConfigure a private VLAN host port.


Community PVLAN Configuration (3)sw2(config)# interface fastethernet 0/12 sw2(config-if)# switchport mode private-vlan promiscuous sw2(config-if)# switchport private-vlan mapping 100 202Sw2# show interfaces fastethernet 0/12 switchport Name: Fa0/12 Switchport: Enabled Administrative Mode: private-vlan promiscuous Operational Mode: down Administrative Trunking Encapsulation: negotiate Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Administrative private-vlan host-association: none ((Inactive)) Administrative private-vlan mapping: 100 (VLAN0100) 202 (VLAN0202) Operational private-vlan: none Trunking VLANs Enabled: ALLConfigure a private VLAN promiscuous port.


Community PVLAN Verificationsw# show vlan private-vlan type Vlan Type---- -----------------100 primary202 communitysw2# show vlan private-vlan Primary Secondary Type Ports------- --------- ----------------- ---------------------------100 202 community fa0/1,fa0/2Display configured private VLANs, VLAN types, and mappings.


DNS, web, and SMTP servers are in DMZ and in same subnet.DNS servers can communicate with each other and with router.Web and SMTP servers can communicate only with router.PVLAN Example


PVLAN Example (Cont.)sw(config)# vtp transparentsw(config)# vlan 201sw(config-vlan)# private-vlan isolated sw(config)# vlan 202sw(config-vlan)# private-vlan communitysw(config)# vlan 100 sw(config-vlan)# private-vlan primarysw(config-vlan)# private-vlan association 201,202sw(config)# interface fastethernet 0/24 sw(config-if)# switchport mode private-vlan promiscuous sw(config-if)# switchport private-vlan mapping 100 201,202sw(config)# interface range fastethernet 0/1 - 2 sw(config-if)# switchport mode private-vlan host sw2(config-if)# switchport private-vlan host-association 100 202sw(config)# interface range fastethernet 0/3 - 4 sw(config-if)# switchport mode private-vlan host sw2(config-if)# switchport private-vlan host-association 100 201


PVLANs Across Multiple SwitchesPVLANs can be carried over regular 802.1Q trunks.PVLAN trunks can also be specifically created, in isolated modes (when downstream switch does not support PVLANs) or promiscuous mode (when upstream switch does not support PVLANs).


SummaryDevice-to-device communication within a single VLAN can be blocked with the protected port feature.Device communication within the same VLAN can be fine-tuned using PVLANs.A PVLAN is associated with a primary VLAN and then is mapped to one or several ports.A primary VLAN can map to one isolated and several community VLANs.A typical use of PVLANs is for device isolation in a DMZ environment.PVLANs can span several switches using regular 802.1Q trunks or PVLAN trunks.



SWITCH10S02L02.pptx

Documents

Transcript of SWITCH10S02L02.pptx