Saturday, February 12, 2011

notes: Private VLANS, protected ports

Private VLANs

- Split a single broadcast domain (one VLAN) into multiple isolated broadcast subdomains, each defined by a primary VLAN and its secondary VLANs.
- Basically it is VLANs inside a VLAN.
- Commonly used in shared layer 2 environments, like ISP co-location facilities or hotel rooms, so that two customers/rooms can't communicate with each other directly.
- PVLANs can only be configured when a switch is in VTP transparent mode!!!
- Difference between PVLANs and protected ports: a PVLAN can span multiple switches, whereas protected ports can't.
- Private VLAN information is NOT propagated via VTP.
- Secondary VLANs (isolated and community) do not run their own instance of spanning-tree.

Different port roles:

1. Promiscuous ports - Are allowed to talk to all other ports within the VLAN.
- This is the role assigned to the primary VLAN ports.

2. Community ports - Are allowed to talk only to other ports in the same community.

3. Isolated ports - Can only talk to promiscuous ports.


Steps to configure Private VLANs

Note: the switch must be in VTP transparent mode (so a VTP domain must be configured).

1. Create the secondary VLANs as community or isolated.

vlan 1000
private-vlan community

vlan 2000
private-vlan isolated

2. Create the primary VLANs and associate the secondary VLANs.

vlan 100
private-vlan primary
private-vlan association 1000,2000

3. Assign each port a private-VLAN mode and map/associate it with the secondary VLANs.

interface fa0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 1000,2000

interface fa0/2
switchport mode private-vlan host
switchport private-vlan host-association 100 1000

interface fa0/3
switchport mode private-vlan host
switchport private-vlan host-association 100 2000

verification:

show vlan private-vlan


Protected Ports:

Protected ports are used to prevent traffic from being exchanged at layer 2 between two or more ports that are in the same VLAN.
- Traffic received on a protected port cannot be sent out another protected port; however, traffic received on a protected port can be sent out a non-protected port.
This feature is a much smaller subset of the Private VLAN feature, and cannot span multiple physical switches.


command:

interface FastEthernet0/2
switchport protected

interface FastEthernet0/24
switchport protected
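To check what the port roles above actually allow, here is an added example (my own code, not from these notes or from Cisco) that models the layer 2 forwarding rules for private VLAN roles and protected ports and runs them over the ports configured above. The Port class, the extra ports fa0/4, fa0/5 and Fa0/3, and VLAN 10 for the protected-port example are assumptions made for the demonstration.

```python
"""Layer 2 reachability model for private VLAN port roles and protected ports.

Added example, not part of the original notes. It encodes the rules stated
in the notes (promiscuous talks to everything, community only within its
community, isolated only to promiscuous, protected never to protected) and
applies them to the sample ports. Port names and VLAN numbers fa0/1-3, 100,
1000, 2000, Fa0/2 and Fa0/24 come from the notes; the rest are constructed.
"""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Port:
    name: str
    primary: int             # primary private VLAN, or the plain VLAN for protected ports
    role: str                # "promiscuous", "community", "isolated" or "normal"
    secondary: int = 0       # community/isolated VLAN for host ports
    protected: bool = False  # 'switchport protected' configured


def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame received on src may be forwarded out dst at layer 2."""
    if src is dst or src.primary != dst.primary:
        return False                      # different VLAN: no layer 2 path at all
    if src.protected and dst.protected:
        return False                      # protected to protected is blocked
    if src.role == "normal" and dst.role == "normal":
        return True                       # ordinary VLAN ports: everything else allowed
    if "promiscuous" in (src.role, dst.role):
        return True                       # promiscuous reaches every port in the primary VLAN
    if src.role == dst.role == "community":
        return src.secondary == dst.secondary  # same community only
    return False                          # isolated<->isolated and isolated<->community blocked


def reachability(ports):
    """Return the set of (src, dst) name pairs that can exchange traffic."""
    return {(a.name, b.name) for a, b in permutations(ports, 2) if can_forward(a, b)}


# Ports as configured in the notes, plus hypothetical extra members (constructed).
PVLAN_PORTS = [
    Port("fa0/1", 100, "promiscuous"),
    Port("fa0/2", 100, "community", 1000),
    Port("fa0/3", 100, "isolated", 2000),
    Port("fa0/4", 100, "community", 1000),  # hypothetical second host in community 1000
    Port("fa0/5", 100, "isolated", 2000),   # hypothetical second isolated host
]
PROTECTED_PORTS = [
    Port("Fa0/2", 10, "normal", protected=True),
    Port("Fa0/24", 10, "normal", protected=True),
    Port("Fa0/3", 10, "normal"),            # hypothetical non-protected port, same VLAN
]
```

Printing sorted(reachability(PVLAN_PORTS)) shows that the two isolated hosts never reach each other or the community, while both community hosts see each other and the promiscuous port.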
