Security Commands
ProSAFE M7100 Managed Switches
Private VLAN Commands
The Private VLANs feature separates a regular VLAN domain into two or more subdomains. Each
subdomain is defined (represented) by a primary VLAN and a secondary VLAN. The primary VLAN
ID is the same for all subdomains that belong to a private VLAN. The secondary VLAN ID
differentiates subdomains from each other and provides Layer 2 isolation between ports of the
same private VLAN. The types of VLANs within a private VLAN are as follows:
• Primary VLAN—Forwards the traffic from the promiscuous ports to isolated ports,
community ports, and other promiscuous ports in the same private VLAN. Only one primary
VLAN can be configured per private VLAN. All ports within a private VLAN share the
primary VLAN.
• Isolated VLAN—A secondary VLAN that carries traffic from isolated ports to promiscuous
ports. Only one isolated VLAN can be configured per private VLAN.
• Community VLAN—A secondary VLAN that forwards traffic between ports that belong to the
same community and the promiscuous ports. There can be multiple community VLANs per
private VLAN.
Three types of port designations exist within a private VLAN:
• Promiscuous Ports—An endpoint connected to a promiscuous port is allowed to
communicate with any endpoint within the private VLAN. Multiple promiscuous ports can be
defined for a single private VLAN domain.
• Isolated Ports—An endpoint connected to an isolated port is allowed to communicate with
endpoints connected to promiscuous ports only. Endpoints connected to adjacent isolated
ports cannot communicate with each other.
• Community Ports—An endpoint connected to a community port is allowed to communicate
with the endpoints within a community and with any configured promiscuous port. The
endpoints that belong to one community cannot communicate with endpoints that belong to
a different community or with endpoints connected to isolated ports.
The Private VLANs can be extended across multiple switches through inter-switch/stack links
that transport primary, community, and isolated VLANs between devices.
switchport private-vlan
This command is used to define a private-VLAN association for an isolated or community port or
a mapping for a promiscuous port.
Format switchport private-vlan {host-association <primary-vlan-id> <secondary-vlan-id> | mapping <primary-vlan-id> {add | remove} <secondary-vlan-list>}
Mode Interface Config
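The following Python example is added here and is not part of the NETGEAR manual. It replays constructed switchport private-vlan lines per port and lists which port pairs the isolation rules described above allow to communicate, which is useful for checking a planned segmentation before it is applied. The interface names, the VLAN numbering, and the rule that a promiscuous port reaches only the secondary VLANs in its mapping are assumptions.

```python
import re
from itertools import combinations

VLAN_TYPE = {101: "isolated", 102: "community", 103: "community"}  # assumed plan, primary 100

SAMPLE = {  # constructed per-port command lines that follow the Format on this page
    "0/1": ["switchport private-vlan mapping 100 add 101-103",
            "switchport private-vlan mapping 100 remove 103"],
    "0/2": ["switchport private-vlan host-association 100 101"],
    "0/3": ["switchport private-vlan host-association 100 101"],
    "0/4": ["switchport private-vlan host-association 100 102"],
    "0/5": ["switchport private-vlan host-association 100 102"],
    "0/6": ["switchport private-vlan host-association 100 103"],
}

CMD = re.compile(r"switchport private-vlan (?:host-association (\d+) (\d+)"
                 r"|mapping (\d+) (add|remove) ([\d,-]+))")

def expand(vlan_list):
    """Expand '101-103,105' into {101, 102, 103, 105}."""
    spans = (part.partition("-") for part in vlan_list.split(","))
    return {v for lo, _, hi in spans for v in range(int(lo), int(hi or lo) + 1)}

def parse_port(commands):
    """Replay one port's commands; return (role, primary VLAN, secondary VLAN set)."""
    role, primary, secs = None, None, set()
    for line in commands:
        m = CMD.fullmatch(line.strip())
        if not m:
            raise ValueError(f"not a switchport private-vlan command: {line!r}")
        if m.group(1):  # host-association: role follows the secondary VLAN's type
            role, primary, secs = VLAN_TYPE[int(m.group(2))], int(m.group(1)), {int(m.group(2))}
        else:           # mapping: promiscuous port; add/remove edits the mapped set
            role, primary, ids = "promiscuous", int(m.group(3)), expand(m.group(5))
            secs = secs | ids if m.group(4) == "add" else secs - ids
    return role, primary, secs

def can_talk(a, b):
    """Apply the private VLAN isolation rules to two parsed ports."""
    (ra, pa, sa), (rb, pb, sb) = a, b
    if pa != pb:
        return False
    if "promiscuous" in (ra, rb):  # assumption: a host is reachable only if its VLAN is mapped
        return ra == rb or bool(sa & sb)
    return ra == rb == "community" and sa == sb

def allowed_pairs(config):
    """Return every port pair that may exchange Layer 2 traffic."""
    ports = {name: parse_port(cmds) for name, cmds in config.items()}
    return {(x, y) for x, y in combinations(sorted(ports), 2) if can_talk(ports[x], ports[y])}
```

In the sample, removing VLAN 103 from the mapping on port 0/1 leaves the community port 0/6 with no permitted peer, the kind of gap this check surfaces.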