Catalyst 2960-XR Switch VLAN Configuration Guide, Cisco IOS Release 15.0(2)EX1
Configuring Private VLANs

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Private VLANs

The following are prerequisites for configuring private VLANs:

  • When you configure private VLANs on switches running VTP, the switch must be in VTP transparent mode.

  • When configuring private VLANs on the switch, always use the default Switch Database Management (SDM) template to balance system resources between unicast routes and Layer 2 entries. If another SDM template is configured, use the sdm prefer default global configuration command to set the default template.

Secondary and Primary VLAN Configuration

Follow these guidelines when configuring private VLANs:

  • If the switch is running VTP version 1 or 2, you must set VTP to transparent mode. After you configure a private VLAN, you should not change the VTP mode to client or server. VTP version 3 supports private VLANs in all modes.

  • With VTP version 1 or 2, after you have configured private VLANs, use the copy running-config startup-config privileged EXEC command to save the VTP transparent mode configuration and the private-VLAN configuration in the switch startup configuration file. Otherwise, if the switch resets, it defaults to VTP server mode, which does not support private VLANs. VTP version 3 does support private VLANs.

  • VTP version 1 and 2 do not propagate private-VLAN configuration. You must configure private VLANs on each device where you want private-VLAN ports unless the devices are running VTP version 3.

  • You cannot configure VLAN 1 or VLANs 1002 to 1005 as primary or secondary VLANs. Extended VLANs (VLAN IDs 1006 to 4094) can belong to private VLANs.

  • A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it. An isolated or community VLAN can have only one primary VLAN associated with it.

  • Although a private VLAN contains more than one VLAN, only one Spanning Tree Protocol (STP) instance runs for the entire private VLAN. When a secondary VLAN is associated with the primary VLAN, the STP parameters of the primary VLAN are propagated to the secondary VLAN.

  • You can enable DHCP snooping on private VLANs. When you enable DHCP snooping on the primary VLAN, it is propagated to the secondary VLANs. If you configure DHCP snooping on a secondary VLAN, the configuration does not take effect if the primary VLAN is already configured.

  • When you enable IP source guard on private-VLAN ports, you must enable DHCP snooping on the primary VLAN.

  • We recommend that you prune the private VLANs from the trunks on devices that carry no traffic in the private VLANs.

  • You can apply different quality of service (QoS) configurations to primary, isolated, and community VLANs.

  • Note the following considerations for sticky ARP:

    • Sticky ARP entries are those learned on SVIs and Layer 3 interfaces. These entries do not age out.

    • The ip sticky-arp global configuration command is supported only on SVIs belonging to private VLANs.

    • The ip sticky-arp interface configuration command is only supported on:

      • Layer 3 interfaces

      • SVIs belonging to normal VLANs

      • SVIs belonging to private VLANs

      For more information about using the ip sticky-arp global configuration and the ip sticky-arp interface configuration commands, see the command reference for this release.

  • You can configure VLAN maps on primary and secondary VLANs. However, we recommend that you configure the same VLAN maps on private-VLAN primary and secondary VLANs.

  • When a frame is Layer-2 forwarded within a private VLAN, the same VLAN map is applied at the ingress side and at the egress side. When a frame is routed from inside a private VLAN to an external port, the private-VLAN map is applied at the ingress side.

    • For frames going upstream from a host port to a promiscuous port, the VLAN map configured on the secondary VLAN is applied.

    • For frames going downstream from a promiscuous port to a host port, the VLAN map configured on the primary VLAN is applied.

      To filter out specific IP traffic for a private VLAN, you should apply the VLAN map to both the primary and secondary VLANs.

  • You can apply router ACLs only on the primary-VLAN SVIs. The ACL is applied to both primary and secondary VLAN Layer 3 traffic.

  • Private VLANs isolate hosts only at Layer 2. Hosts in the same private VLAN share one IP subnet and can still communicate with each other at Layer 3 through the gateway on the promiscuous port; if Layer 3 separation is also required, filter that traffic with a router ACL on the primary-VLAN SVI or at the gateway.

  • Private VLANs support these Switched Port Analyzer (SPAN) features:

    • You can configure a private-VLAN port as a SPAN source port.

    • You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs or use SPAN on only one VLAN to separately monitor egress or ingress traffic.

Private VLAN Port Configuration

Follow these guidelines when configuring private VLAN ports:

  • Use only the private VLAN configuration commands to assign ports to primary, isolated, or community VLANs. Layer 2 access ports assigned to the VLANs that you configure as primary, isolated, or community VLANs are inactive while the VLAN is part of the private VLAN configuration. Layer 2 trunk interfaces remain in the STP forwarding state.

  • Do not configure ports that belong to a PAgP or LACP EtherChannel as private VLAN ports. While a port is part of the private VLAN configuration, any EtherChannel configuration for it is inactive.

  • Enable Port Fast and BPDU guard on isolated and community host ports to prevent STP loops due to misconfigurations and to speed up STP convergence. When enabled, STP applies the BPDU guard feature to all Port Fast-configured Layer 2 LAN ports. Do not enable Port Fast and BPDU guard on promiscuous ports.

  • If you delete a VLAN used in the private VLAN configuration, the private VLAN ports associated with the VLAN become inactive.

  • Private VLAN ports can be on different network devices if the devices are trunk-connected and the primary and secondary VLANs have not been removed from the trunk.

Restrictions for Private VLANs

The following are restrictions for configuring private VLANs:

  • Private VLANs are only supported on switches running the IP Lite image.

Limitations with Other Features

When configuring private VLANs, remember these limitations with other features:


Note: In some cases, the configuration is accepted with no error messages, but the commands have no effect.


  • Do not configure fallback bridging on switches with private VLANs.

  • When IGMP snooping is enabled on the switch (the default), the switch or switch stack supports no more than 20 private VLAN domains.

  • Do not configure a remote SPAN (RSPAN) VLAN as a private VLAN primary or secondary VLAN.

  • Do not configure private VLAN ports on interfaces configured for these other features:

    • Dynamic-access port VLAN membership

    • Dynamic Trunking Protocol (DTP)

    • Port Aggregation Protocol (PAgP)

    • Link Aggregation Control Protocol (LACP)

    • Multicast VLAN Registration (MVR)

    • Voice VLAN

    • Web Cache Communication Protocol (WCCP)

  • You can configure IEEE 802.1x port-based authentication on a private VLAN port, but do not configure 802.1x with port security, voice VLAN, or per-user ACL on private VLAN ports.

  • A private VLAN host or promiscuous port cannot be a SPAN destination port. If you configure a SPAN destination port as a private VLAN port, the port becomes inactive.

  • If you configure a static MAC address on a promiscuous port in the primary VLAN, you must add the same static address to all associated secondary VLANs. If you configure a static MAC address on a host port in a secondary VLAN, you must add the same static MAC address to the associated primary VLAN. When you delete a static MAC address from a private VLAN port, you must remove all instances of the configured MAC address from the private VLAN.


    Note: Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the associated VLANs. For example, a MAC address learned in a secondary VLAN is replicated in the primary VLAN. When the original dynamic MAC address is deleted or ages out, the replicated addresses are removed from the MAC address table.


  • Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs.

Information About Private VLANs

Private VLAN Domains

The private VLAN feature addresses two problems that service providers face when using VLANs:

  • The switch supports up to 1005 active VLANs. If a service provider assigns one VLAN per customer, this limits the numbers of customers the service provider can support.

  • To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which can result in wasting the unused IP addresses, and cause IP address management problems.

Figure 1. Private VLAN Domain. Using private VLANs addresses the scalability problem and provides IP address management benefits for service providers and Layer 2 security for customers. Private VLANs partition a regular VLAN domain into subdomains. A subdomain is represented by a pair of VLANs: a primary VLAN and a secondary VLAN. A private VLAN can have multiple VLAN pairs, one pair for each subdomain. All VLAN pairs in a private VLAN share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another.



Secondary VLANs

There are two types of secondary VLANs:

  • Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.

  • Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level.

Private VLANs Ports

Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private VLAN ports are access ports that are one of these types:

  • Promiscuous—A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN.

  • Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.

  • Community—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN.


Note: Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.


Primary and secondary VLANs have these characteristics:

  • Primary VLAN—A private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.

  • Isolated VLAN —A private VLAN has only one isolated VLAN. An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the gateway.

  • Community VLAN—A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port gateways and to other host ports in the same community. You can configure multiple community VLANs in a private VLAN.

A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs. Layer 3 gateways are typically connected to the switch through a promiscuous port. With a promiscuous port, you can connect a wide range of devices as access points to a private VLAN. For example, you can use a promiscuous port to monitor or back up all the private VLAN servers from an administration workstation.

Private VLANs in Networks

In a switched environment, you can assign an individual private VLAN and associated IP subnet to each individual or common group of end stations. The end stations need to communicate only with a default gateway to communicate outside the private VLAN.

You can use private VLANs to control access to end stations in these ways:

  • Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2. For example, if the end stations are servers, this configuration prevents Layer 2 communication between the servers.

  • Configure interfaces connected to default gateways and selected end stations (for example, backup servers) as promiscuous ports to allow all end stations access to a default gateway.

You can extend private VLANs across multiple devices by trunking the primary, isolated, and community VLANs to other devices that support private VLANs. To maintain the security of your private VLAN configuration and to avoid other use of the VLANs configured as private VLANs, configure private VLANs on all intermediate devices, including devices that have no private VLAN ports.

IP Addressing Scheme with Private VLANs

Assigning a separate VLAN to each customer creates an inefficient IP addressing scheme:

  • Assigning a block of addresses to a customer VLAN can result in unused IP addresses.

  • If the number of devices in the VLAN increases, the number of assigned address might not be large enough to accommodate them.

These problems are reduced by using private VLANs, where all members in the private VLAN share a common address space, which is allocated to the primary VLAN. Hosts are connected to secondary VLANs, and the DHCP server assigns them IP addresses from the block of addresses allocated to the primary VLAN. Subsequent IP addresses can be assigned to customer devices in different secondary VLANs, but in the same primary VLAN. When new devices are added, the DHCP server assigns them the next available address from a large pool of subnet addresses.

Private VLANs Across Multiple Switches

Figure 2. Private VLANs Across Switches. As with regular VLANs, private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch. The trunk port treats the private VLAN as any other VLAN. Because each VLAN keeps its tag across the trunk, the isolation rules hold across switches: traffic from an isolated port on switch A does not reach an isolated port on switch B.



Because VTP versions 1 and 2 do not propagate private-VLAN configuration, you must manually configure private VLANs on all switches in the Layer 2 network unless the switches run VTP version 3. If you do not configure the primary and secondary VLAN association in some switches in the network, the Layer 2 databases in these switches are not merged. This can result in unnecessary flooding of private VLAN traffic on those switches.

Private VLAN Interaction with Other Features

Private VLANs and Unicast, Broadcast, and Multicast Traffic

In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but devices connected to interfaces in different VLANs must communicate at the Layer 3 level. In private VLANs, the promiscuous ports are members of the primary VLAN, while the host ports belong to secondary VLANs. Because the secondary VLAN is associated with the primary VLAN, members of these VLANs can communicate with each other at the Layer 2 level.

In a regular VLAN, broadcasts are forwarded to all ports in that VLAN. Private VLAN broadcast forwarding depends on the port sending the broadcast:

  • An isolated port sends a broadcast only to the promiscuous ports or trunk ports.

  • A community port sends a broadcast to all promiscuous ports, trunk ports, and ports in the same community VLAN.

  • A promiscuous port sends a broadcast to all ports in the private VLAN (other promiscuous ports, trunk ports, isolated ports, and community ports).

Multicast traffic is routed or bridged across private VLAN boundaries and within a single community VLAN. Multicast traffic is not forwarded between ports in the same isolated VLAN or between ports in different secondary VLANs.
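The port rules in Private VLAN Ports, the broadcast list just above, and the cross-switch behaviour in Figure 2 can all be checked with a small model of one private VLAN domain. The following Python is an added example written for this page, not Cisco code: it classifies a frame into a VLAN at ingress (secondary VLAN for host ports, primary VLAN for promiscuous ports, the 802.1Q tag for a trunk) and applies the forwarding rules the text gives. VLAN IDs are the ones used throughout this module (20 primary, 501 isolated, 502 and 503 community); the port names and the trunk uplink are assumptions.

```python
"""Layer 2 reachability model for one private VLAN domain.

Added example, not Cisco code. VLAN IDs follow this module; the port
names (Gi1/0/1, Gi1/0/22 ...) and the trunk uplink are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # member of the primary VLAN (gateway, backup server)
    ISOLATED = "isolated"        # host port in the isolated VLAN
    COMMUNITY = "community"      # host port in a community VLAN
    TRUNK = "trunk"              # carries primary and secondary VLANs, tagged


@dataclass(frozen=True)
class Port:
    name: str
    ptype: PortType
    secondary: Optional[int] = None  # secondary VLAN ID, host ports only


@dataclass(frozen=True)
class Domain:
    primary: int
    isolated: int
    communities: FrozenSet[int]

    def is_member(self, vlan: int) -> bool:
        return vlan == self.primary or vlan == self.isolated or vlan in self.communities


def ingress_vlan(dom: Domain, src: Port, tag: Optional[int]) -> int:
    """VLAN a frame is classified into when it enters src.

    Host ports send upstream in their secondary VLAN, promiscuous ports send
    downstream in the primary VLAN, and a trunk uses the frame's tag, which
    must be one of the domain's VLANs.
    """
    if src.ptype is PortType.PROMISCUOUS:
        return dom.primary
    if src.ptype is PortType.TRUNK:
        if tag is None or not dom.is_member(tag):
            raise ValueError(f"tag {tag} is not a VLAN of private VLAN {dom.primary}")
        return tag
    if src.secondary is None:
        raise ValueError(f"host port {src.name} has no secondary VLAN")
    return src.secondary


def egress_ports(dom: Domain, ports: List[Port], src: Port,
                 tag: Optional[int] = None) -> List[str]:
    """Names of the ports that receive a broadcast or unknown unicast entering src."""
    vlan = ingress_vlan(dom, src, tag)
    out = []
    for p in ports:
        if p is src:
            continue
        if p.ptype in (PortType.PROMISCUOUS, PortType.TRUNK):
            out.append(p.name)            # reachable from every VLAN of the domain
        elif vlan == dom.primary:
            out.append(p.name)            # downstream: every host port
        elif p.ptype is PortType.COMMUNITY and p.secondary == vlan:
            out.append(p.name)            # same community only
        # isolated-VLAN traffic reaches no host port, not even another isolated one
    return sorted(out)


DOMAIN = Domain(primary=20, isolated=501, communities=frozenset({502, 503}))
PORTS = [  # constructed topology
    Port("Gi1/0/1", PortType.PROMISCUOUS),      # default gateway
    Port("Gi1/0/22", PortType.ISOLATED, 501),
    Port("Gi1/0/23", PortType.ISOLATED, 501),
    Port("Gi1/0/24", PortType.COMMUNITY, 502),
    Port("Gi1/0/25", PortType.COMMUNITY, 502),
    Port("Gi1/0/26", PortType.COMMUNITY, 503),
    Port("Gi1/0/48", PortType.TRUNK),           # uplink to the neighbouring switch
]
BY_NAME = {p.name: p for p in PORTS}


def reach(src_name: str, tag: Optional[int] = None) -> List[str]:
    """Ports reachable from src_name; tag is required for the trunk port."""
    return egress_ports(DOMAIN, PORTS, BY_NAME[src_name], tag)


if __name__ == "__main__":
    for name, tag in [("Gi1/0/22", None), ("Gi1/0/24", None), ("Gi1/0/1", None), ("Gi1/0/48", 501)]:
        print(f"{name} tag={tag} -> {reach(name, tag)}")
```

Calling reach("Gi1/0/48", 501) shows the Figure 2 case: a frame that arrives on the trunk in the isolated VLAN from the other switch reaches only the promiscuous port, never the local isolated hosts. A tag outside the domain is rejected, since the trunk does not make that frame part of the private VLAN.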

Private VLANs and SVIs

In a Layer 3 switch, a switch virtual interface (SVI) represents the Layer 3 interface of a VLAN. Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs. Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs. SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN.

  • If you try to configure a VLAN with an active SVI as a secondary VLAN, the configuration is not allowed until you disable the SVI.

  • If you try to create an SVI on a VLAN that is configured as a secondary VLAN and the secondary VLAN is already mapped at Layer 3, the SVI is not created, and an error is returned. If the SVI is not mapped at Layer 3, the SVI is created, but it is automatically shut down.

When the primary VLAN is associated with and mapped to the secondary VLAN, any configuration on the primary VLAN is propagated to the secondary VLAN SVIs. For example, if you assign an IP subnet to the primary VLAN SVI, this subnet is the IP subnet address of the entire private VLAN.

Private VLANs and Switch Stacks

Private VLANs can operate within the switch stack, and private-VLAN ports can reside on different stack members. However, some changes to the switch stack can impact private-VLAN operation:

  • If a stack contains only one private-VLAN promiscuous port and the stack member that contains that port is removed from the stack, host ports in that private VLAN lose connectivity outside the private VLAN.

  • If the stack master that contains the only private-VLAN promiscuous port in the stack fails or leaves the stack and a new stack master is elected, host ports in a private VLAN that had its promiscuous port on the old stack master lose connectivity outside of the private VLAN.

  • If two stacks merge, private VLANs on the winning stack are not affected, but private-VLAN configuration on the losing switch is lost when that switch reboots.

Private VLAN Configuration Tasks

To configure a private VLAN, perform these steps:

  1. Set VTP mode to transparent.

  2. Create the primary and secondary VLANs and associate them.


    Note: If the VLAN is not created already, the private VLAN configuration process creates it.


  3. Configure interfaces to be isolated or community host ports, and assign VLAN membership to the host port.

  4. Configure interfaces as promiscuous ports, and map the promiscuous ports to the primary-secondary VLAN pair.

  5. If inter-VLAN routing will be used, configure the primary SVI, and map the secondary VLANs to the primary.

  6. Verify the private VLAN configuration.
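The six steps above, completed as one running-config, together with a linter that checks a running-config against the guidelines earlier in this module: VTP transparent mode when VTP version 1 or 2 is in use, SVIs only on primary VLANs, Port Fast and BPDU guard on host ports but not on promiscuous ports, no EtherChannel membership on private VLAN ports, and every host association, promiscuous mapping and SVI mapping consistent with the primary/secondary association. This is an added example written for this page, not Cisco code or a Cisco tool. The two configurations are constructed; the interface names and the 10.20.0.0/24 subnet are assumptions; the parser handles the resolved form that show running-config prints (the remove keyword is not handled).

```python
"""Private VLAN running-config linter (added example, not Cisco code).
The two configs at the bottom are constructed; see the lead-in for assumptions."""
import re
from typing import Dict, List, Set, Tuple

def expand_vlan_list(spec: str) -> Set[int]:
    """'501-503,510' -> {501, 502, 503, 510} (no spaces, as IOS requires)."""
    out: Set[int] = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group indented subcommands under the preceding top-level command."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def lint(config: str) -> List[str]:
    """One finding per guideline violation; an empty list means clean."""
    findings: List[str] = []
    vtp_transparent, vtp_version = False, 1
    primaries: Dict[int, Set[int]] = {}   # primary VLAN -> associated secondaries
    secondaries: Set[int] = set()         # VLANs typed isolated or community
    interfaces: List[Tuple[str, List[str]]] = []
    for head, body in parse_blocks(config):
        if head == "vtp mode transparent":
            vtp_transparent = True
        elif head.startswith("vtp version "):
            vtp_version = int(head.split()[-1])
        elif head.startswith("vlan "):
            vid = int(head.split()[1])
            for sub in body:
                if sub == "private-vlan primary":
                    primaries.setdefault(vid, set())
                elif sub in ("private-vlan isolated", "private-vlan community"):
                    secondaries.add(vid)
                elif sub.startswith("private-vlan association "):
                    primaries.setdefault(vid, set()).update(expand_vlan_list(sub.split()[-1]))
        elif head.startswith("interface "):
            interfaces.append((head.split(maxsplit=1)[1], body))
    if vtp_version < 3 and not vtp_transparent:
        findings.append("vtp: version 1/2 without 'vtp mode transparent'; private VLANs are not supported")
    for name, body in interfaces:
        cmds = set(body)
        mode = next((c.split()[-1] for c in body if c.startswith("switchport mode private-vlan ")), None)
        portfast, bpduguard = "spanning-tree portfast" in cmds, "spanning-tree bpduguard enable" in cmds
        svi = re.fullmatch(r"[Vv]lan\s*(\d+)", name)
        if svi and int(svi.group(1)) in secondaries:
            findings.append(f"{name}: SVI on a secondary VLAN; configure SVIs only for primary VLANs")
        elif svi and int(svi.group(1)) in primaries:
            # Step 5: every associated secondary must be mapped on the primary SVI to be routed.
            mapped = set().union(*(expand_vlan_list(c.split()[-1]) for c in body
                                   if c.startswith("private-vlan mapping ")))
            unmapped = primaries[int(svi.group(1))] - mapped
            if unmapped:
                findings.append(f"{name}: secondaries {sorted(unmapped)} associated but not mapped at Layer 3")
        elif mode == "host":
            assoc = next((c.split()[-2:] for c in body if c.startswith("switchport private-vlan host-association ")), None)
            if assoc is None or int(assoc[1]) not in primaries.get(int(assoc[0]), set()):
                findings.append(f"{name}: host-association missing, or its secondary is not associated with its primary")
            if not (portfast and bpduguard):
                findings.append(f"{name}: enable Port Fast and BPDU guard on host ports")
        elif mode == "promiscuous":
            mapping = next((c.split() for c in body if c.startswith("switchport private-vlan mapping ")), None)
            if mapping is None or expand_vlan_list(mapping[-1]) - primaries.get(int(mapping[3]), set()):
                findings.append(f"{name}: mapping missing, or it names secondaries not associated with its primary")
            if portfast or bpduguard:
                findings.append(f"{name}: do not enable Port Fast or BPDU guard on promiscuous ports")
        if mode and any(c.startswith("channel-group ") for c in body):
            findings.append(f"{name}: EtherChannel member cannot be a private VLAN port")
    return findings

GOOD_CONFIG = """
vtp mode transparent
vlan 20
 private-vlan primary
 private-vlan association 501-503
vlan 501
 private-vlan isolated
vlan 502
 private-vlan community
vlan 503
 private-vlan community
interface GigabitEthernet1/0/2
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 20 501-503
interface GigabitEthernet1/0/22
 switchport mode private-vlan host
 switchport private-vlan host-association 20 501
 spanning-tree portfast
 spanning-tree bpduguard enable
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 private-vlan mapping 501-503
"""
BAD_CONFIG = """
vlan 20
 private-vlan primary
 private-vlan association 501-502
vlan 501
 private-vlan isolated
vlan 502
 private-vlan community
interface GigabitEthernet1/0/2
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 20 501-502
 spanning-tree portfast
interface GigabitEthernet1/0/22
 switchport mode private-vlan host
 switchport private-vlan host-association 20 503
 channel-group 1 mode active
interface Vlan501
"""
```

Running lint(GOOD_CONFIG) returns no findings; lint(BAD_CONFIG) reports the missing VTP transparent mode, Port Fast on the promiscuous port, a host association to VLAN 503 that was never associated with primary 20, the host port lacking Port Fast and BPDU guard and sitting in an EtherChannel, and an SVI on the isolated VLAN. Feed it the output of show running-config from a real switch; it only reads text, so it can run against backups offline.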

Default Private VLAN Configuration

No private VLANs are configured.

How to Configure Private VLANs

Configuring and Associating VLANs in a Private VLAN

The private-vlan commands do not take effect until you exit VLAN configuration mode.

Summary Steps

  1. configure terminal
  2. vtp mode transparent
  3. vlan vlan-id
  4. private-vlan primary
  5. exit
  6. vlan vlan-id
  7. private-vlan isolated
  8. exit
  9. vlan vlan-id
  10. private-vlan community
  11. exit
  12. vlan vlan-id
  13. private-vlan association [add | remove] secondary_vlan_list
  14. end
  15. show vlan private-vlan [type] or show interfaces status
  16. copy running-config startup-config

Detailed Steps

Step 1: configure terminal
  Example: Switch# configure terminal
  Purpose: Enters global configuration mode.

Step 2: vtp mode transparent
  Example: Switch(config)# vtp mode transparent
  Purpose: Sets VTP mode to transparent (disables VTP). Required when the switch runs VTP version 1 or 2.

Step 3: vlan vlan-id
  Example: Switch(config)# vlan 20
  Purpose: Enters VLAN configuration mode and designates or creates the VLAN that will be the primary VLAN. The VLAN ID range is 2 to 1001 and 1006 to 4094.

Step 4: private-vlan primary
  Example: Switch(config-vlan)# private-vlan primary
  Purpose: Designates the VLAN as the primary VLAN.

Step 5: exit
  Example: Switch(config-vlan)# exit
  Purpose: Returns to global configuration mode.

Step 6: vlan vlan-id
  Example: Switch(config)# vlan 501
  Purpose: (Optional) Enters VLAN configuration mode and designates or creates the VLAN that will be the isolated VLAN. The VLAN ID range is 2 to 1001 and 1006 to 4094.

Step 7: private-vlan isolated
  Example: Switch(config-vlan)# private-vlan isolated
  Purpose: Designates the VLAN as the isolated VLAN.

Step 8: exit
  Example: Switch(config-vlan)# exit
  Purpose: Returns to global configuration mode.

Step 9: vlan vlan-id
  Example: Switch(config)# vlan 502
  Purpose: (Optional) Enters VLAN configuration mode and designates or creates a VLAN that will be a community VLAN. The VLAN ID range is 2 to 1001 and 1006 to 4094. Repeat Steps 9 to 11 for each community VLAN.

Step 10: private-vlan community
  Example: Switch(config-vlan)# private-vlan community
  Purpose: Designates the VLAN as a community VLAN.

Step 11: exit
  Example: Switch(config-vlan)# exit
  Purpose: Returns to global configuration mode.

Step 12: vlan vlan-id
  Example: Switch(config)# vlan 20
  Purpose: Enters VLAN configuration mode for the primary VLAN designated in Step 3.

Step 13: private-vlan association [add | remove] secondary_vlan_list
  Example: Switch(config-vlan)# private-vlan association 501-503
  Purpose: Associates the secondary VLANs with the primary VLAN. The secondary_vlan_list parameter cannot contain spaces; it can contain multiple comma-separated items, each a single VLAN ID or a hyphenated range of VLAN IDs.

Step 14: end
  Example: Switch(config-vlan)# end
  Purpose: Returns to privileged EXEC mode.

Step 15: show vlan private-vlan [type] or show interfaces status
  Example: Switch# show vlan private-vlan
  Purpose: Verifies the configuration.

Step 16: copy running-config startup-config
  Example: Switch# copy running-config startup-config
  Purpose: Saves your entries in the switch startup configuration file. With VTP version 1 or 2, you must save the VTP transparent mode configuration together with the private-VLAN configuration; otherwise, if the switch resets, it defaults to VTP server mode, which does not support private VLANs.

Configuring a Layer 2 Interface as a Private VLAN Host Port

Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN host port and to associate it with primary and secondary VLANs:

Note: Isolated and community VLANs are both secondary VLANs.

Summary Steps

  1. configure terminal
  2. interface interface-id
  3. switchport mode private-vlan host
  4. switchport private-vlan host-association primary_vlan_id secondary_vlan_id
  5. end
  6. show interfaces [interface-id] switchport
  7. copy running-config startup-config

Detailed Steps

Step 1: configure terminal
  Example: Switch# configure terminal
  Purpose: Enters global configuration mode.

Step 2: interface interface-id
  Example: Switch(config)# interface gigabitethernet1/0/22
  Purpose: Enters interface configuration mode for the Layer 2 interface to be configured.

Step 3: switchport mode private-vlan host
  Example: Switch(config-if)# switchport mode private-vlan host
  Purpose: Configures the Layer 2 port as a private-VLAN host port.

Step 4: switchport private-vlan host-association primary_vlan_id secondary_vlan_id
  Example: Switch(config-if)# switchport private-vlan host-association 20 501
  Purpose: Associates the Layer 2 port with a private VLAN pair (here primary VLAN 20 and isolated VLAN 501).

Step 5: end
  Example: Switch(config-if)# end
  Purpose: Returns to privileged EXEC mode.

Step 6: show interfaces [interface-id] switchport
  Example: Switch# show interfaces gigabitethernet1/0/22 switchport
  Purpose: Verifies the configuration.

Step 7: copy running-config startup-config
  Example: Switch# copy running-config startup-config
  Purpose: Saves your entries in the switch startup configuration file.

Configuring a Layer 2 Interface as a Private VLAN Promiscuous Port

Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private VLAN promiscuous port and map it to primary and secondary VLANs:

Note: Isolated and community VLANs are both secondary VLANs.

Summary Steps

  1. configure terminal
  2. interface interface-id
  3. switchport mode private-vlan promiscuous
  4. switchport private-vlan mapping primary_vlan_id {add | remove} secondary_vlan_list
  5. end
  6. show interfaces [interface-id] switchport
  7. copy running-config startup-config

Detailed Steps

Step 1: configure terminal
  Example: Switch# configure terminal
  Purpose: Enters global configuration mode.

Step 2: interface interface-id
  Example: Switch(config)# interface gigabitethernet1/0/2
  Purpose: Enters interface configuration mode for the Layer 2 interface to be configured.

Step 3: switchport mode private-vlan promiscuous
  Example: Switch(config-if)# switchport mode private-vlan promiscuous
  Purpose: Configures the Layer 2 port as a private VLAN promiscuous port.

Step 4: switchport private-vlan mapping primary_vlan_id {add | remove} secondary_vlan_list
  Example: Switch(config-if)# switchport private-vlan mapping 20 add 501-503
  Purpose: Maps the private VLAN promiscuous port to a primary VLAN and to selected secondary VLANs. The secondary_vlan_list parameter cannot contain spaces; it can contain multiple comma-separated items, each a single private VLAN ID or a hyphenated range of private VLAN IDs. Enter a secondary_vlan_list, or use the add keyword with a secondary_vlan_list, to map the secondary VLANs to the promiscuous port. Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and the promiscuous port.

Step 5: end
  Example: Switch(config-if)# end
  Purpose: Returns to privileged EXEC mode.

Step 6: show interfaces [interface-id] switchport
  Example: Switch# show interfaces gigabitethernet1/0/2 switchport
  Purpose: Verifies the configuration.

Step 7: copy running-config startup-config
  Example: Switch# copy running-config startup-config
  Purpose: Saves your entries in the switch startup configuration file.

Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface

If the private VLAN will be used for inter-VLAN routing, you configure an SVI for the primary VLAN and map secondary VLANs to the SVI.

Isolated and community VLANs are both secondary VLANs.

The private-vlan mapping interface configuration command only affects private VLAN traffic that is Layer 3 switched.

Beginning in privileged EXEC mode, follow these steps to map secondary VLANs to the SVI of a primary VLAN to allow Layer 3 switching of private VLAN traffic:

Summary Steps

  1. configure terminal
  2. interface vlan primary_vlan_id
  3. private-vlan mapping [add | remove] secondary_vlan_list
  4. end
  5. show interfaces private-vlan mapping
  6. copy running-config startup-config

Detailed Steps

Step 1: configure terminal
  Example: Switch# configure terminal
  Purpose: Enters global configuration mode.

Step 2: interface vlan primary_vlan_id
  Example: Switch(config)# interface vlan 20
  Purpose: Enters interface configuration mode for the primary VLAN, and configures the VLAN as an SVI. The VLAN ID range is 2 to 1001 and 1006 to 4094.

Step 3: private-vlan mapping [add | remove] secondary_vlan_list
  Example: Switch(config-if)# private-vlan mapping 501-502
  Purpose: Maps the secondary VLANs to the Layer 3 VLAN interface of a primary VLAN to allow Layer 3 switching of private VLAN ingress traffic. The secondary_vlan_list parameter cannot contain spaces; it can contain multiple comma-separated items, each a single private VLAN ID or a hyphenated range of private VLAN IDs. Enter a secondary_vlan_list, or use the add keyword with a secondary_vlan_list, to map the secondary VLANs to the primary VLAN. Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and the primary VLAN.

Step 4: end
  Example: Switch(config-if)# end
  Purpose: Returns to privileged EXEC mode.

Step 5: show interfaces private-vlan mapping
  Example: Switch# show interfaces private-vlan mapping
  Purpose: Verifies the configuration.

Step 6: copy running-config startup-config
  Example: Switch# copy running-config startup-config
  Purpose: Saves your entries in the switch startup configuration file.

Monitoring Private VLANs

The following table lists the commands used to monitor private VLANs.

Table 1. Private VLAN Monitoring Commands

  Command                                Purpose
  show interfaces status                 Displays the status of interfaces, including the VLANs to which they belong.
  show vlan private-vlan [type]          Displays the private VLAN information for the switch or switch stack.
  show interfaces switchport             Displays private VLAN configuration on interfaces.
  show interfaces private-vlan mapping   Displays information about the private VLAN mapping for VLAN SVIs.

          Configuration Examples for Private VLANs

          Example: Configuring a Primary VLAN, Isolated VLAN, and a Community of VLANs

          This example shows how to configure VLAN 20 as a primary VLAN, VLAN 501 as an isolated VLAN, and VLANs 502 and 503 as community VLANs, to associate them in a private VLAN, and to verify the configuration:

          Switch# configure terminal
          Switch(config)# vlan 20
          Switch(config-vlan)# private-vlan primary
          Switch(config-vlan)# exit
          Switch(config)# vlan 501
          Switch(config-vlan)# private-vlan isolated
          Switch(config-vlan)# exit
          Switch(config)# vlan 502
          Switch(config-vlan)# private-vlan community
          Switch(config-vlan)# exit
          Switch(config)# vlan 503
          Switch(config-vlan)# private-vlan community
          Switch(config-vlan)# exit
          Switch(config)# vlan 20
          Switch(config-vlan)# private-vlan association 501-503
          Switch(config-vlan)# end
          Switch# show vlan private-vlan
          
          Primary Secondary Type              Ports
          ------- --------- ----------------- ------------------------------------------
          20      501       isolated
          20      502       community
          20      503       community
          20      504       non-operational
          
          

          Example: Configuring an Interface as a Host Port

          This example shows how to configure an interface as a private VLAN host port, associate it with a private VLAN pair, and verify the configuration:

          
          Switch# configure terminal
          Switch(config)# interface gigabitethernet1/0/22
          Switch(config-if)# switchport mode private-vlan host
          Switch(config-if)# switchport private-vlan host-association 20 501
          Switch(config-if)# end
          Switch# show interfaces gigabitethernet1/0/22 switchport
          Name: Gi1/0/22
          Switchport: Enabled
          Administrative Mode: private-vlan host
          Operational Mode: private-vlan host
          Administrative Trunking Encapsulation: negotiate
          Operational Trunking Encapsulation: native
          Negotiation of Trunking: Off
          Access Mode VLAN: 1 (default)
          Trunking Native Mode VLAN: 1 (default)
          Administrative Native VLAN tagging: enabled
          Voice VLAN: none
          Administrative private-vlan host-association: 20 501
          Administrative private-vlan mapping: none
          Administrative private-vlan trunk native VLAN: none
          Administrative private-vlan trunk Native VLAN tagging: enabled
          Administrative private-vlan trunk encapsulation: dot1q
          Administrative private-vlan trunk normal VLANs: none
          Administrative private-vlan trunk private VLANs: none
          Operational private-vlan:
          20 501
          
          <output truncated>
          
          

          Example: Configuring an Interface as a Private VLAN Promiscuous Port

          This example shows how to configure an interface as a private VLAN promiscuous port and map it to a private VLAN. The interface is a member of primary VLAN 20 and secondary VLANs 501 to 503 are mapped to it.

          
          Switch# configure terminal
          Switch(config)# interface gigabitethernet1/0/2
          Switch(config-if)# switchport mode private-vlan promiscuous
          Switch(config-if)# switchport private-vlan mapping 20 add 501-503
          Switch(config-if)# end
          
          

          Example: Mapping Secondary VLANs to a Primary VLAN Interface

          This example shows how to map the interfaces of VLANs 501 and 502 to primary VLAN 10, which permits routing of secondary VLAN ingress traffic from private VLANs 501 and 502:

          
          Switch# configure terminal
          Switch(config)# interface vlan 10
          Switch(config-if)# private-vlan mapping 501-502
          Switch(config-if)# end
          Switch# show interfaces private-vlan mapping
          Interface Secondary VLAN Type
          --------- -------------- -----------------
          vlan10    501            isolated
          vlan10    502            community
          
          

          Example: Monitoring Private VLANs

          This example shows output from the show vlan private-vlan command:

          
          Switch# show vlan private-vlan
          Primary Secondary Type              Ports
          ------- --------- ----------------- ------------------------------------------
          10      501       isolated          Gi2/0/1, Gi3/0/1, Gi3/0/2
          10      502       community         Gi2/0/11, Gi3/0/1, Gi3/0/4
          10      503       non-operational
          
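The following is an added example, not part of the Cisco guide: a small Python helper that expands a secondary_vlan_list exactly as the mapping procedure above defines it (comma-separated items, single IDs or hyphenated ranges, no spaces), parses the table printed by show vlan private-vlan, and reports which mapped secondary VLANs the switch does not show as an operational isolated or community VLAN. The sample output is constructed after the monitoring example above; the function names are this example's own.

```python
import re

# Added example (not from the Cisco guide). ITEM_RE matches one item of a
# secondary_vlan_list; ROW_RE matches one data row of "show vlan private-vlan".
ITEM_RE = re.compile(r"^(\d+)(?:-(\d+))?$")
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(isolated|community|non-operational)\s*(.*?)\s*$")


def parse_secondary_vlan_list(text):
    """Expand "501,503-505" into sorted VLAN IDs, enforcing the guide's rules."""
    if " " in text:
        raise ValueError("secondary_vlan_list cannot contain spaces")
    ids = set()
    for item in text.split(","):
        m = ITEM_RE.match(item)
        if not m:
            raise ValueError("bad secondary_vlan_list item: %r" % item)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 4094:
            raise ValueError("VLAN range out of order or out of bounds: %r" % item)
        ids.update(range(lo, hi + 1))
    return sorted(ids)


def parse_show_vlan_private_vlan(output):
    """Turn the Primary/Secondary/Type/Ports table into a list of dicts."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            ports = [p.strip() for p in m.group(4).split(",") if p.strip()]
            rows.append({"primary": int(m.group(1)), "secondary": int(m.group(2)),
                         "type": m.group(3), "ports": ports})
    return rows


def unmapped_or_non_operational(rows, secondary_vlan_list):
    """Mapped secondary VLANs that are absent or non-operational on the switch."""
    operational = {r["secondary"] for r in rows if r["type"] != "non-operational"}
    return [v for v in parse_secondary_vlan_list(secondary_vlan_list) if v not in operational]


# Constructed sample output, modelled on the guide's monitoring example.
SAMPLE_OUTPUT = """\
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      501       isolated          Gi2/0/1, Gi3/0/1, Gi3/0/2
10      502       community         Gi2/0/11, Gi3/0/1, Gi3/0/4
10      503       non-operational
"""

print(unmapped_or_non_operational(parse_show_vlan_private_vlan(SAMPLE_OUTPUT), "501-504"))
```

Running the block prints [503, 504]: VLAN 503 is associated but not configured as isolated or community, and 504 is not associated with the primary VLAN at all.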
          

          Where to Go Next

          You can configure the following:

          • VTP

          • VLANs

          • VLAN trunking

          • VLAN Membership Policy Server (VMPS)

          • Tunneling

          • Voice VLANs

          Additional References

          Related Documents

          Related Topic                                                                     Document Title
          --------------------------------------------------------------------------------  --------------------------------------------------------
          For complete syntax and usage information for the commands used in this chapter.  Catalyst 2960-XR Switch VLAN Management Command Reference

          Standards and RFCs

          Standard/RFC    Title

          MIBs

          MIB                                    MIBs Link
          -------------------------------------  ---------------------------------------------------------------------------------
          All supported MIBs for this release.   To locate and download MIBs for selected platforms, Cisco IOS releases, and feature
                                                 sets, use Cisco MIB Locator found at the following URL:
                                                 http://www.cisco.com/go/mibs

          Technical Assistance

          Description                                                                        Link
          ---------------------------------------------------------------------------------  ----------------------------
          The Cisco Support website provides extensive online resources, including           http://www.cisco.com/support
          documentation and tools for troubleshooting and resolving technical issues with
          Cisco products and technologies.

          To receive security and technical information about your products, you can
          subscribe to various services, such as the Product Alert Tool (accessed from
          Field Notices), the Cisco Technical Services Newsletter, and Really Simple
          Syndication (RSS) Feeds.

          Access to most tools on the Cisco Support website requires a Cisco.com user ID
          and password.

          Feature History and Information for Private VLANs

          Release                 Modification
          ----------------------  ----------------------------
          Cisco IOS 15.0(2)EX1    This feature was introduced.