Configuring the private VLAN 
VLAN technology provides a method for isolating traffic from customers. At the access layer of a 
network, customer traffic must be isolated for security or accounting purposes. If VLANs are 
assigned on a per-user basis, a large number of VLANs will be required. 
The private VLAN feature saves VLAN resources. It uses a two-tier VLAN structure as follows: 
• Primary VLAN—Used for connecting the upstream device. A primary VLAN can be associated 
with multiple secondary VLANs. The upstream device identifies only the primary VLAN. 
• Secondary VLANs—Used for connecting users. Secondary VLANs are isolated at Layer 2. To 
implement Layer 3 communication between secondary VLANs associated with the primary 
VLAN, enable local proxy ARP or ND on the upstream device (for example, L3 Device A in Figure 58).
As shown in Figure 58, the private VLAN feature is enabled on L2 Device B. VLAN 10 is the primary 
VLAN. VLANs 2, 5, and 8 are secondary VLANs that are associated with VLAN 10. L3 Device A is 
only aware of VLAN 10. 
Figure 58 Private VLAN example 
 
 
If the private VLAN feature is configured on a Layer 3 device, use one of the following methods on 
the Layer 3 device to enable Layer 3 communication. Layer 3 communication might be required 
between secondary VLANs that are associated with the same primary VLAN, or between secondary 
VLANs and other networks. 
•  Method 1: 
a.  Create VLAN interfaces for the secondary VLANs. 
b.  Assign IP addresses to the secondary VLAN interfaces. 
•  Method 2: 
a.  Enable Layer 3 communication between the secondary VLANs that are associated with the 
primary VLAN. 
b.  Create the VLAN interface for the primary VLAN and assign an IP address to it. (Do not 
create secondary VLAN interfaces if you use this method.) 
c.  Enable local proxy ARP or ND on the primary VLAN interface. 
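The following Python sketch is an added example, not code from this guide or the device vendor. It checks a planned Layer 3 design against the steps of Method 1 and Method 2 and reports which steps are missing or conflict. The data model, function name, and sample addresses are hypothetical, and it assumes every secondary VLAN needs Layer 3 reachability.

```python
# Added example: validate a private VLAN Layer 3 design against Method 1 / Method 2.
# The data model below is hypothetical and is not a device configuration format.

def check_l3_design(primary, secondaries, vlan_ifs, l3_between_secondaries=False):
    """Return (method, problems).

    primary                -- primary VLAN ID
    secondaries            -- secondary VLAN IDs associated with the primary VLAN
    vlan_ifs               -- {vlan_id: {"ip": str or None, "local_proxy": bool}}
    l3_between_secondaries -- True if Method 2 step a has been applied
    """
    problems = []
    sec_ifs = sorted(v for v in secondaries if v in vlan_ifs)

    if primary in vlan_ifs:
        # A primary VLAN interface means the design follows Method 2.
        method = "method2"
        pif = vlan_ifs[primary]
        if not l3_between_secondaries:
            problems.append("step a: Layer 3 communication between secondary VLANs not enabled")
        if not pif.get("ip"):
            problems.append(f"step b: VLAN interface {primary} has no IP address")
        if sec_ifs:
            problems.append(f"step b: secondary VLAN interfaces must not exist: {sec_ifs}")
        if not pif.get("local_proxy"):
            problems.append(f"step c: local proxy ARP or ND not enabled on VLAN interface {primary}")
    elif sec_ifs:
        # Only secondary VLAN interfaces exist: the design follows Method 1.
        method = "method1"
        for v in sorted(secondaries):
            if v not in vlan_ifs:
                problems.append(f"step a: secondary VLAN {v} has no VLAN interface")
            elif not vlan_ifs[v].get("ip"):
                problems.append(f"step b: VLAN interface {v} has no IP address")
    else:
        method = "none"
        problems.append("no VLAN interface: secondary VLANs have no Layer 3 path")
    return method, problems

# Constructed samples reusing the VLAN numbers above (10 primary; 2, 5, 8 secondary)
# with documentation-range addresses.
SECONDARIES = {2, 5, 8}
GOOD_M2 = check_l3_design(10, SECONDARIES,
                          {10: {"ip": "192.0.2.1/24", "local_proxy": True}}, True)
MIXED = check_l3_design(10, SECONDARIES,
                        {10: {"ip": "192.0.2.1/24", "local_proxy": False},
                         5: {"ip": "198.51.100.1/24", "local_proxy": False}}, True)
M1_GAP = check_l3_design(10, SECONDARIES,
                         {2: {"ip": "198.51.100.1/24", "local_proxy": False},
                          5: {"ip": None, "local_proxy": False}})
```

MIXED shows the case the Method 2 note warns about: a secondary VLAN interface left in place next to the primary VLAN interface.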
Configuration task list 
To configure the private VLAN feature, perform the following tasks: 
1.  Configure the primary VLAN. 
2.  Configure the secondary VLANs.