VLAN Commands
4-203
4
Configuring Private VLANs
Private VLANs provide port-based security between ports, using primary and
secondary VLAN groups. A primary VLAN contains promiscuous ports that can
communicate with all other ports in the private VLAN group, while a secondary (or
community) VLAN contains community ports that can only communicate with other
hosts within the secondary VLAN and with any of the promiscuous ports in the
associated primary VLAN. In all cases, the promiscuous ports are designed to
provide open access to an external network such as the Internet, while the
community ports provide restricted access to local users.
Multiple primary VLANs can be configured on this switch, and multiple community
VLANs can be associated with each primary VLAN. (Note that private VLANs and
normal VLANs can exist simultaneously within the same switch.)
To configure primary/secondary associated groups, follow these steps:
1. Use the private-vlan command to designate one or more community VLANs
and the primary VLAN that will channel traffic outside of the community groups.
2. Use the private vlan association command to map the community VLAN(s) to
the primary VLAN.
3. Use the switchport mode private-vlan command to configure ports as
promiscuous (i.e., having access to all ports in the primary VLAN) or host
(i.e., having access restricted to community VLAN members, and channeling all
other traffic through promiscuous ports).
4. Use the switchport private-vlan host-association command to assign a port
to a secondary VLAN.
5. Use the switchport private-vlan mapping command to assign a port to a
primary VLAN.
6. Use the show vlan private-vlan command to verify your configuration settings.
Table 4-4 Private VLAN Commands
Command Function Mode Page
Edit Private VLAN Groups
private-vlan Adds or deletes primary or community VLANs VC 4-204
private-vlan association Associates a community VLAN with a primary VLAN VC 4-205
Configure Private VLAN Interfaces
switchport mode
private-vlan
Sets an interface to host mode or promiscuous mode IC 4-205
switchport private-vlan
host-association
Associates an interface with a secondary VLAN IC 4-206
switchport private-vlan
mapping
Maps an interface to a primary VLAN IC 4-207
Display Private VLAN Information
show vlan private-vlan Shows private VLAN information NE, PE 4-207
To Next Page
Loading...
Need help?
General