Configuring Private VLANs
Private VLANs provide a mechanism to control which devices can communicate within a
single subnet. A private VLAN uses isolated and community secondary VLANs to control
how devices communicate at Layer 2. The secondary VLANs are associated with a primary
VLAN, and ports are assigned to the secondary VLANs. Ports in an isolated VLAN cannot
communicate with any other device in the private VLAN except through the promiscuous
port. Ports in a community VLAN can communicate with other ports in the same community
and with the promiscuous port. Ports in different communities cannot communicate with
one another. To configure private VLANs, use the following steps.
1. Set VTP transparent mode:
(privileged) vlan database
(vlan_database) vtp transparent
You must configure VTP to transparent mode before you can create a private VLAN.
Private VLANs are configured in the context of a single switch and cannot have
members on other switches. Private VLAN definitions are also carried in VTP TLVs
that not all types of Cisco switches recognize, so they must not be propagated by
VTP.
2. Create the primary private VLAN:
(global) vlan primary_number
(vlan-config) private-vlan primary
You must first create a primary private VLAN. The number of the primary VLAN is
used in later steps for binding secondary VLANs and mapping promiscuous ports.
3. Create isolated and community VLANs:
(global) vlan secondary_number
(vlan-config) private-vlan [isolated | community]
Configure isolated or community secondary VLANs for assignment of ports and
control of traffic. The secondary number of each of these VLANs must be unique
from one another and from the primary number. Members of an isolated VLAN can
communicate only with the promiscuous ports mapped in Step 6, whereas members of a
community VLAN can communicate with members of the same community and with the
promiscuous ports. A two-way community acts like a regular community but
additionally allows access control lists to check traffic going to and from (two
ways) the VLAN, providing enhanced security within a private VLAN.
4. Bind isolated and community VLANs to the primary VLAN:
(global) vlan primary_number
(vlan-config) private-vlan association secondary_number_list [add secondary_number_list]
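The following is an added worked configuration, not taken from the book, that carries Steps 1 through 4 above through on one Catalyst switch running Cisco IOS and then goes beyond this page to assign host ports and map a promiscuous port (the book's later steps), so that the result is a complete, verifiable private VLAN. The VLAN numbers (100 primary, 101 isolated, 102 community), the interface names and the description strings are assumptions chosen for illustration.

```cisco
! Added example (not the book's own text). VLAN numbers, interface names and
! descriptions are assumed values for illustration.

! Step 1: VTP transparent mode, in the vlan database form the book uses.
! Private VLAN definitions must stay local to this switch.
vlan database
 vtp transparent
 exit

configure terminal

! Step 2: the primary private VLAN. Its number (100) is referenced by every
! association and mapping that follows.
vlan 100
 name PVLAN-PRIMARY
 private-vlan primary
 exit

! Step 3: secondary VLANs. Each number must differ from the others and from
! the primary. 101 isolates its members from each other; 102 lets its
! members talk to one another but not to 101 or to other communities.
vlan 101
 name PVLAN-ISOLATED
 private-vlan isolated
 exit
vlan 102
 name PVLAN-COMMUNITY
 private-vlan community
 exit

! Step 4: bind both secondary VLANs to the primary. The list is
! comma-separated; use the add keyword to extend an existing association.
vlan 100
 private-vlan association 101,102
 exit

! Beyond Steps 1-4 on this page: put hosts into the secondary VLANs and map
! the promiscuous port (the uplink toward the default gateway) to the primary.
interface range GigabitEthernet1/0/1 - 2
 description isolated hosts: reach only the promiscuous port
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 exit
interface range GigabitEthernet1/0/3 - 4
 description community hosts: reach each other and the promiscuous port
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
 exit
interface GigabitEthernet1/0/24
 description promiscuous port toward the default gateway
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
 exit
end

! Verify the primary/secondary bindings and per-port operational mode before
! relying on the isolation.
show vlan private-vlan
show interfaces GigabitEthernet1/0/1 switchport
```

Two points a practitioner should check after applying this. First, `vtp transparent` inside `vlan database` is the form shown in the steps above; on newer IOS images the equivalent is the global command `vtp mode transparent`, and the `show vlan private-vlan` output should list 101 as isolated and 102 as community under primary 100 before any port is trusted to be isolated. Second, the isolation is a Layer 2 property of this switch only: if the device on the promiscuous port is a router, it will route packets between two isolated hosts that address each other through the gateway's MAC address unless an ACL on that router interface denies traffic both sourced from and destined to the private VLAN's subnet.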
Chapter 6: VLANs and Trunking 105