Implementing VLANs in Campus Networks

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—2-1

Implementing VLANs in Campus Networks

Configuring PVLANs


Access Switch: Protected Port Protected ports can

communicate only with unprotected ports.

Protected ports are useful for access switches.

Configures a protected or unprotected port.


About PVLANs A primary VLAN is divided

into secondary VLANs. These VLANs are isolated or

community VLANs. The host can communicate

only with promiscuous ports. The host on community

VLANs can communicate also within same community.

PVLANs are not supported on Catalyst 2960 Switches.


PVLAN Port Types Isolated

– Communicates with only promiscuous ports

Promiscuous– Communicates with

all other ports Community

– Communicates with the other members of community and all promiscuous ports


Isolated PVLAN Configuration Set VTP transparent. Create secondary

VLANs. Create a primary

VLAN. Associate the

secondary and primary VLANs.

Configure the port as host or promiscuous.

Configure the private VLAN association on ports.

Configure the VLAN mapping on an internal IP interface for VLAN.


Isolated PVLAN Configuration (1)

Configure the private VLANs and VLAN association.

sw1(config)# vtp transparentsw1(config)# vlan 201sw1(config-vlan)# private-vlan isolated sw1(config)# vlan 100 sw1(config-vlan)# private-vlan primarysw1(config-vlan)# private-vlan association add 201

sw2(config)# vtp transparentsw2(config)# vlan 201sw2(config-vlan)# private-vlan isolated sw2(config)# vlan 100 sw2(config-vlan)# private-vlan primarysw2(config-vlan)# private-vlan association add 201


Configure the PVLAN host port.

Isolated PVLAN Configuration (2)sw2(config)# interface range fastethernet 0/1 - 2sw2(config-if)# switchport mode private-vlan host sw2(config-if)# switchport private-vlan host-association 100 201

sw2# show interfaces fastethernet 0/1 switchport Name: Fa0/1 Switchport: Enabled Administrative Mode: private-vlan host Operational Mode: down Administrative Trunking Encapsulation: negotiate Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Administrative private-vlan host-association: 201 (VLAN0201) Administrative private-vlan mapping: none Operational private-vlan: none Trunking VLANs Enabled: ALL


Isolated PVLAN Configuration (3)sw2(config)# interface fastethernet 0/12 sw2(config-if)# switchport mode private-vlan promiscuous sw2(config-if)# switchport private-vlan mapping 100 201

Sw2# show interfaces fastethernet 0/12 switchport Name: Fa0/12 Switchport: Enabled Administrative Mode: private-vlan promiscuous Operational Mode: down Administrative Trunking Encapsulation: negotiate Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Administrative private-vlan host-association: none ((Inactive)) Administrative private-vlan mapping: 100 (VLAN0100) 201 (VLAN0201) Operational private-vlan: none Trunking VLANs Enabled: ALL

Configure the private VLAN promiscuous port.


Isolated PVLAN Verification

sw# show vlan private-vlan type Vlan Type---- -----------------100 primary201 isolated

sw# show vlan private-vlan Primary Secondary Type Ports------- --------- ----------------- ---------------------------100 201 isolated fa0/1,fa0/2

Display the configured private VLANs, VLAN types, and mappings.


Community PVLAN Configuration Set VTP transparent. Create secondary

VLANs. Create a primary

VLAN. Associate secondary

and primary VLANs. Configure the port as

host or promiscuous. Configure the private

VLAN association on the ports.

Configure a VLAN mapping on the internal IP interface for VLAN.


Community PVLAN Configuration (1)sw1(config)# vtp transparentsw1(config)# vlan 202sw1(config-vlan)# private-vlan community sw1(config)# vlan 100 sw1(config-vlan)# private-vlan primarysw1(config-vlan)# private-vlan association add 202

sw2(config)# vtp transparentsw2(config)# vlan 202sw2(config-vlan)# private-vlan community sw2(config)# vlan 100 sw2(config-vlan)# private-vlan primarysw2(config-vlan)# private-vlan association add 202

Configure private VLANs and VLAN association.


Community PVLAN Configuration (2)sw2(config)# interface range fastethernet 0/1 - 2sw2(config-if)# switchport mode private-vlan host sw2(config-if)# switchport private-vlan host-association 100 202

sw2# show interfaces fastethernet 0/1 switchport Name: Fa0/1 Switchport: Enabled Administrative Mode: private-vlan host Operational Mode: down Administrative Trunking Encapsulation: negotiate Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Administrative private-vlan host-association: 202 (VLAN0202) Administrative private-vlan mapping: none Operational private-vlan: none Trunking VLANs Enabled: ALL

Configure a private VLAN host port.


Community PVLAN Configuration (3)sw2(config)# interface fastethernet 0/12 sw2(config-if)# switchport mode private-vlan promiscuous sw2(config-if)# switchport private-vlan mapping 100 202

Sw2# show interfaces fastethernet 0/12 switchport Name: Fa0/12 Switchport: Enabled Administrative Mode: private-vlan promiscuous Operational Mode: down Administrative Trunking Encapsulation: negotiate Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Administrative private-vlan host-association: none ((Inactive)) Administrative private-vlan mapping: 100 (VLAN0100) 202 (VLAN0202) Operational private-vlan: none Trunking VLANs Enabled: ALL

Configure a private VLAN promiscuous port.


Community PVLAN Verification

sw# show vlan private-vlan type Vlan Type---- -----------------100 primary202 community

sw2# show vlan private-vlan Primary Secondary Type Ports------- --------- ----------------- ---------------------------100 202 community fa0/1,fa0/2

Display configured private VLANs, VLAN types, and mappings.


DNS, web, and SMTP servers are in DMZ and in same subnet. DNS servers can communicate with each other and with router. Web and SMTP servers can communicate only with router.

PVLAN Example


PVLAN Example (Cont.)

sw(config)# vtp transparentsw(config)# vlan 201sw(config-vlan)# private-vlan isolated sw(config)# vlan 202sw(config-vlan)# private-vlan communitysw(config)# vlan 100 sw(config-vlan)# private-vlan primarysw(config-vlan)# private-vlan association 201,202sw(config)# interface fastethernet 0/24 sw(config-if)# switchport mode private-vlan promiscuous sw(config-if)# switchport private-vlan mapping 100 201,202sw(config)# interface range fastethernet 0/1 - 2 sw(config-if)# switchport mode private-vlan host sw2(config-if)# switchport private-vlan host-association 100 202sw(config)# interface range fastethernet 0/3 - 4 sw(config-if)# switchport mode private-vlan host sw2(config-if)# switchport private-vlan host-association 100 201


PVLANs Across Multiple Switches PVLANs can be carried over regular 802.1Q trunks. PVLAN trunks can also be specifically created, in isolated modes

(when downstream switch does not support PVLANs) or promiscuous mode (when upstream switch does not support PVLANs).


Summary Device-to-device communication within a single VLAN can be

blocked with the protected port feature. Device communication within the same VLAN can be fine-tuned

using PVLANs. A PVLAN is associated with a primary VLAN and then is mapped

to one or several ports. A primary VLAN can map to one isolated and several community

VLANs. A typical use of PVLANs is for device isolation in a DMZ

environment. PVLANs can span several switches using regular 802.1Q trunks

or PVLAN trunks.


Date post:	22-Feb-2016
Category:	Documents
Upload:	mikkel
View:	64 times
Download:	0 times

Implementing VLANs in Campus Networks

Documents