Configuring a Private VLAN in a Port Profile
This chapter describes how to create a port profile for a private VLAN (PVLAN).
This chapter includes the following sections:
•Information About Private VLANs
•Configuring a Port Profile as a Private VLAN
•PVLAN Example Configuration
•Feature History for Private VLAN Port Profiles
Information About Private VLANs
Private VLANs (PVLANs) are used to segregate Layer 2 ISP traffic and convey it to a single router interface. PVLANs achieve device isolation by applying Layer 2 forwarding constraints that allow end devices to share the same IP subnet while being Layer 2 isolated. In turn, the use of larger subnets reduces address management overhead.
For more information about PVLANs, see the Cisco Nexus 1000V Layer 2 Switching Configuration Guide, Release 4.2(1)SV1(4).
Configuring a Port Profile as a Private VLAN
You can use this procedure to configure a port profile to be used as a private VLAN (PVLAN).
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•You know the VLAN IDs for both the primary and secondary VLAN in the private VLAN pair.
•You know whether this private VLAN inherits its configuration.
SUMMARY STEPS
1. config t
2. port-profile [type {ethernet | vethernet}] name
3. switchport mode private-vlan {host | promiscuous}
4. switchport private-vlan host-association primary-vlan secondary-vlans
5. switchport private-vlan mapping primary_vlan [add | remove] secondary_vlans
6. show port-profile [brief | expand-interface | usage] [name profile-name]
7. copy running-config startup-config
DETAILED STEPS
Step 1
config t
Example:
n1000v# config t
n1000v(config)#
Enters global configuration mode.

Step 2
port-profile [type {ethernet | vethernet}] name
Example:
n1000v(config)# port-profile AccessProf
n1000v(config-port-prof)#
Enters port profile configuration mode for the named port profile. If the port profile does not already exist, it is created using the following characteristics:
•name—The port profile name can be up to 80 characters and must be unique for each port profile on the Cisco Nexus 1000V.
•type—(Optional) The port profile type can be Ethernet or vEthernet. Once configured, the type cannot be changed. The default is the vEthernet type. Defining a port profile type as Ethernet allows the port profile to be used for physical (Ethernet) ports. In the vCenter Server, the corresponding port group can be selected and assigned to physical ports (PNICs).
Note: If a port profile is configured as an Ethernet type, then it cannot be used to configure VMware virtual ports.

Step 3
switchport mode private-vlan {host | promiscuous}
Example:
n1000v(config-port-prof)# switchport mode private-vlan promiscuous
n1000v(config-port-prof)#
Designates the port profile for use as a private VLAN and defines the ports as follows:
•promiscuous—Ports that belong to the primary VLAN and communicate with the Layer 3 gateway. Promiscuous ports can communicate with any interface in the PVLAN domain, including those associated with secondary VLANs.
•host—Ports that belong to the secondary VLAN as one of the following:
–Community PVLAN host port
–Isolated PVLAN host port

Step 4
switchport private-vlan host-association primary-vlan secondary-vlans
Example:
n1000v(config-port-prof)# switchport private-vlan host-association 3 300 301 302
n1000v(config-port-prof)#
Assigns the primary and secondary VLAN IDs to the port profile and saves this association in the running configuration.
•primary-vlan—Specifies a primary VLAN ID. You can specify only one primary VLAN ID.
•secondary-vlans—Specifies the secondary VLAN IDs. You can specify more than one secondary VLAN ID.

Step 5
switchport private-vlan mapping primary_vlan [add | remove] secondary_vlans
Example:
n1000v(config-port-prof)# switchport private-vlan mapping 3 add 300 301 302
n1000v(config-port-prof)#
Maps the primary VLAN ID to the secondary VLAN IDs for the port profile.

Step 6
show port-profile [brief | expand-interface | usage] [name profile-name]
Example:
n1000v(config-port-prof)# show port-profile name AccessProf
(Optional) Displays the configuration for verification.

Step 7
copy running-config startup-config
Example:
n1000v(config-port-prof)# copy running-config startup-config
(Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.
PVLAN Example Configuration
This section includes the following examples:
•PVLAN Example When Upstream Switch Supports PVLAN
•PVLAN Example When Upstream Switch Does Not Support PVLAN
PVLAN Example When Upstream Switch Supports PVLAN
Use the following example if the switch upstream from the Cisco Nexus 1000V, such as a Cisco Catalyst 6500, supports private VLAN. This example shows how to configure the Cisco Nexus 1000V uplink as a regular trunk port, and then how to configure the required promiscuous SVI interface on the upstream switch.
private-vlan association 154-155
port-profile type vethernet pv154
switchport mode private-vlan host
switchport private-vlan host-association 153 154
port-profile type vethernet pv155
switchport mode private-vlan host
switchport private-vlan host-association 153 155
port-profile type ethernet datatrunk
switchport trunk allowed vlan 1,153-155
Configuration on the upstream switch:
private-vlan association 154-155
ip address 7.153.153.1 255.255.255.0
private-vlan mapping 154-155
PVLAN Example When Upstream Switch Does Not Support PVLAN
Use the following example if the switch upstream from the Cisco Nexus 1000V does not support private VLAN. This example shows how to configure the Cisco Nexus 1000V uplink as a private VLAN promiscuous trunk port. No private VLAN configuration is needed on the upstream switch.
private-vlan association 154-155
port-profile type vethernet pv154
switchport mode private-vlan host
switchport private-vlan host-association 153 154
port-profile type vethernet pv155
switchport mode private-vlan host
switchport private-vlan host-association 153 155
port-profile type ethernet pcpvtrunk
switchport mode private-vlan trunk promiscuous
switchport private-vlan mapping trunk 153 154-155
switchport private-vlan trunk allowed vlan 153-155
channel-group auto mode on
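The audit below is an added example, not part of the original Cisco document: it parses port-profile stanzas in the syntax shown on this page and reports host profiles whose primary/secondary VLAN pair is not mapped (and, on a trunk, allowed) by any promiscuous profile. It applies to the design in which the Cisco Nexus 1000V uplink is the promiscuous trunk; the function names and the indented SAMPLE text are assumptions of this example.

```python
import re

# Constructed input: the promiscuous-trunk example from this page, indented.
SAMPLE = """\
port-profile type vethernet pv154
  switchport mode private-vlan host
  switchport private-vlan host-association 153 154
port-profile type vethernet pv155
  switchport mode private-vlan host
  switchport private-vlan host-association 153 155
port-profile type ethernet pcpvtrunk
  switchport mode private-vlan trunk promiscuous
  switchport private-vlan mapping trunk 153 154-155
  switchport private-vlan trunk allowed vlan 153-155
"""

def expand(spec):  # '1,153-155' or '300 301' -> set of VLAN IDs
    parts = (p.partition("-") for p in re.split(r"[,\s]+", spec.strip()))
    return {v for lo, _, hi in parts for v in range(int(lo), int(hi or lo) + 1)}

def parse_profiles(text):  # mode, host-association, mappings, allowed VLANs per profile
    profiles, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"port-profile (?:type \S+ )?(\S+)$", line):
            cur = profiles.setdefault(m[1], {"mode": "", "assoc": None, "map": {}, "allowed": set()})
        elif cur is None:
            continue  # ignore anything outside a port-profile stanza
        elif m := re.match(r"switchport mode private-vlan (.+)$", line):
            cur["mode"] = m[1]
        elif m := re.match(r"switchport private-vlan host-association (\d+) ([\d\s]+)$", line):
            cur["assoc"] = (int(m[1]), expand(m[2]))
        elif m := re.match(r"switchport private-vlan mapping (?:trunk )?(\d+) (?:add )?([\d,\s-]+)$", line):
            cur["map"].setdefault(int(m[1]), set()).update(expand(m[2]))  # "remove" form is not modelled
        elif m := re.match(r"switchport private-vlan trunk allowed vlan ([\d,\s-]+)$", line):
            cur["allowed"] |= expand(m[1])
    return profiles

def audit(profiles):  # findings for host pairs that no promiscuous profile maps and carries
    proms = [p for p in profiles.values() if "promiscuous" in p["mode"]]
    findings = []
    for name, p in ((n, p) for n, p in profiles.items() if p["mode"] == "host"):
        primary, secondaries = p["assoc"] or (None, ())
        if primary is None:
            findings.append(f"{name}: host mode without host-association")
        for sec in sorted(secondaries):
            if not any(sec in t["map"].get(primary, ()) and
                       (not t["allowed"] or {primary, sec} <= t["allowed"]) for t in proms):
                findings.append(f"{name}: pair {primary}/{sec} not mapped and allowed on any promiscuous profile")
    return findings
```

Running `audit(parse_profiles(SAMPLE))` returns an empty list for the configuration as shown; a non-empty list names the host profile and VLAN pair that the uplink does not carry.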
Feature History for Private VLAN Port Profiles
This section provides the feature history for system port profiles.
Private VLAN Port Profiles | 4.0(4)SV1(1) | This feature was introduced.