Cisco DCNM Layer 2 Switching Configuration Guide, Release 4.0
Configuring Private VLANs

Table Of Contents

Configuring Private VLANs

Information About Private VLANs

Private VLAN Overview

Primary and Secondary VLANs in Private VLANs

Private VLAN Ports

Primary, Isolated, and Community Private VLANs

Associating Primary and Secondary VLANs

Broadcast Traffic in Private VLANs

Private VLAN Port Isolation

Private VLANs and VLAN Interfaces

Private VLANs Across Multiple Devices

High Availability

Virtualization Support

Licensing Requirements for Private VLANs

Prerequisites for Private VLANs

Guidelines and Limitations

Secondary and Primary VLAN Configuration

Private VLAN Port Configuration

Limitations with Other Features

Configuring a Private VLAN

Guidelines for Configuring Private VLANs

Enabling Private VLANs

Configuring a VLAN as a Private VLAN

Associating Secondary VLANs with a Primary Private VLAN

Mapping Secondary VLANs to the VLAN Interface of a Primary VLAN

Configuring Private VLAN Host and Promiscuous Ports

Displaying Private VLAN Statistics

Field Descriptions

Additional References

Related Documents

Standards

MIBs

Feature History for Configuring Private VLANs


Configuring Private VLANs


For more information about the Data Center Network Manager features, see the Cisco DCNM Fundamentals Configuration Guide.

This chapter describes how to configure private VLANs. Private VLANs provide additional protection at the Layer 2 level.

This chapter includes the following topics:

Information About Private VLANs

Licensing Requirements for Private VLANs

Prerequisites for Private VLANs

Guidelines and Limitations

Configuring a Private VLAN

Displaying Private VLAN Statistics

Field Descriptions

Additional References

Feature History for Configuring Private VLANs


Note See the Cisco DCNM Interfaces Configuration Guide for information on IP addressing for VLAN network interfaces.


Information About Private VLANs


Note A Layer 2 port can function as either a trunk port, an access port, or a private VLAN port.



Note You must enable the private VLAN feature before you can configure this feature.


In certain instances where similar systems do not need to interact directly, private VLANs provide additional protection at the Layer 2 level. Private VLANs are an association of primary and secondary VLANs.

A primary VLAN defines the broadcast domain with which the secondary VLANs are associated. The secondary VLANs may either be isolated VLANs or community VLANs. (See the "Secondary and Primary VLAN Configuration" section for more information on isolated and community VLANs.) Hosts on isolated VLANs communicate only with associated promiscuous ports in primary VLANs, and hosts on community VLANs communicate only among themselves and with associated promiscuous ports but not with isolated ports or ports in other community VLANs. (See the "Private VLAN Port Configuration" section for more information on private VLAN port types.)

In configurations that use integrated switching and routing functions, you can assign a single Layer 3 VLAN network interface to each private VLAN to provide routing. The VLAN network interface is created for the primary VLAN. In such configurations, all secondary VLANs communicate at Layer 3 only through a mapping with the VLAN network interface on the primary VLAN. Any VLAN network interfaces previously created on the secondary VLANs are put out-of-service.

This section includes the following topics:

Private VLAN Overview

High Availability

Virtualization Support

Private VLAN Overview

You must enable private VLANs before the device can apply the private VLAN functionality.

This section includes the following topics:

Primary and Secondary VLANs in Private VLANs

Private VLAN Ports

Primary, Isolated, and Community Private VLANs

Associating Primary and Secondary VLANs

Broadcast Traffic in Private VLANs

Private VLAN Port Isolation

Private VLANs and VLAN Interfaces

Private VLANs Across Multiple Devices

Primary and Secondary VLANs in Private VLANs

The private VLAN feature addresses two problems that users encounter when using VLANs:

Each VDC supports up to 4096 VLANs. If a user assigns one VLAN per customer, the number of customers that the service provider can support is limited.

To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which can result in wasting the unused IP addresses and creating IP address management problems.

Using private VLANs solves the scalability problem and provides IP address management benefits and Layer 2 security for customers.

The private VLAN feature allows you to partition the Layer 2 broadcast domain of a VLAN into subdomains. A subdomain is represented by a pair of private VLANs: a primary VLAN and a secondary VLAN. A private VLAN domain can have multiple private VLAN pairs, one pair for each subdomain. All VLAN pairs in a private VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another.


Note A private VLAN domain has only one primary VLAN.


Secondary VLANs provide Layer 2 isolation between ports within the same primary VLAN. There are two types of secondary VLANs within a primary VLAN:

Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.

Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other community VLANs or in any isolated VLANs at the Layer 2 level.

Private VLAN Ports


Note Both community and isolated private VLAN ports are labeled PVLAN host ports. A PVLAN host port is either a community PVLAN port or an isolated PVLAN port depending on the type of secondary VLAN with which it is associated.


The types of private VLAN ports are as follows:

Promiscuous—A promiscuous port belongs to the primary VLAN. The promiscuous port can communicate with all interfaces, including the community and isolated host ports, that belong to those secondary VLANs associated to the promiscuous port and associated with the primary VLAN. You can have several promiscuous ports in a primary VLAN. Each promiscuous port can have several secondary VLANs, or no secondary VLANs, associated to that port. You can associate a secondary VLAN to more than one promiscuous port, as long as the promiscuous port and secondary VLANs are within the same primary VLAN. You may want to do this association for load-balancing or redundancy purposes. You can also have secondary VLANs that are not associated to any promiscuous port, but these secondary VLANs cannot communicate to the Layer 3 interface.

Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. This port has complete Layer 2 isolation from other ports within the same private VLAN domain, except that it can communicate with associated promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. You can have more than one isolated port in a specified isolated VLAN, and each port is completely isolated from all other ports in the isolated VLAN.

Community—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with associated promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from all isolated ports within the private VLAN domain.


Note Because trunks can support the VLANs that carry traffic between promiscuous, isolated, and community ports, the isolated and community port traffic might enter or leave the device through a trunk interface.


Primary, Isolated, and Community Private VLANs

Because the primary VLAN has the Layer 3 gateway, you associate secondary VLANs with the primary VLAN in order to communicate outside the private VLAN. Primary VLANs and the two types of secondary VLANs, isolated VLANs and community VLANs, have these characteristics:

Primary VLAN—The primary VLAN carries traffic from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.

Isolated VLAN—An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the Layer 3 gateway. You can configure multiple isolated VLANs in a private VLAN domain, and all the traffic remains isolated within each one. In addition, each isolated VLAN can have several isolated ports, and the traffic from each isolated port also remains completely separate.

Community VLAN—A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port gateways and to other host ports in the same community. You can configure multiple community VLANs in a private VLAN domain. The ports within one community can communicate, but these ports cannot communicate with ports in any other community or isolated VLAN in the private VLAN.

Figure 3-1 shows the Layer 2 traffic flows within a primary, or private VLAN, along with the types of VLANs and types of ports.

Figure 3-1 Private VLAN Layer 2 Traffic Flows


Note The private VLAN traffic flows are unidirectional from the host ports to the promiscuous ports. Traffic that egresses the promiscuous port acts like the traffic in a normal VLAN, and there is no traffic separation among the associated secondary VLANs.


A promiscuous port can serve only one primary VLAN, but it can serve multiple isolated VLANs and multiple community VLANs. (Layer 3 gateways are connected typically to the device through a promiscuous port.) With a promiscuous port, you can connect a wide range of devices as access points to a private VLAN. For example, you can use a promiscuous port to monitor or back up all the private VLAN servers from an administration workstation.

Although you can have several promiscuous ports in a primary VLAN, you can have only one Layer 3 gateway per primary VLAN.

In a switched environment, you can assign an individual private VLAN and associated IP subnet to each individual or common group of end stations. The end stations need to communicate only with a default gateway to communicate outside the private VLAN.


Note You must enable the VLAN network interface feature before you can configure the Layer 3 gateway. See the Cisco DCNM Interface Configuration Guide for complete information on VLAN network interfaces and IP addressing.


Associating Primary and Secondary VLANs

To allow the host ports in secondary VLANs to communicate outside the private VLAN, you associate secondary VLANs to the primary VLAN. If the association is not operational, the host ports (isolated and community ports) in the secondary VLAN are brought down.


Note You can associate a secondary VLAN with only one primary VLAN.


For an association to be operational, the following conditions must be met:

The primary VLAN must exist.

The secondary VLAN must exist.

The primary VLAN must be configured as a primary VLAN.

The secondary VLAN must be configured as either an isolated or community VLAN.

If you delete either the primary or secondary VLAN, the ports that are associated with the VLAN become inactive. When you reconvert the specified VLAN to private VLAN mode, the original associations are reinstated.

In order to change the association between a secondary and primary VLAN, you must first remove the current association and then add the desired association.

Broadcast Traffic in Private VLANs

Broadcast traffic from ports in a private VLAN flows in the following ways:

The broadcast traffic flows from a promiscuous port to all ports in the primary VLAN. This broadcast traffic is distributed to all ports within the primary VLAN, including those ports that are not configured with private VLAN parameters.

The broadcast traffic from an isolated port is distributed only to those promiscuous ports in the primary VLAN that are associated to that isolated port.

The broadcast traffic from community ports is distributed to all ports within the port's community and to all promiscuous ports that are associated to the community port. The broadcast packets are not distributed to any other communities within the primary VLAN or to any isolated ports.
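The forwarding and association rules described in the "Private VLAN Ports", "Associating Primary and Secondary VLANs", and "Broadcast Traffic in Private VLANs" sections, modelled in Python as an added example that is not part of this guide or of DCNM; the VLAN IDs, port names, and class names are constructed for illustration.

```python
"""Model of the private VLAN Layer 2 forwarding and association rules.

Added example (not Cisco's code): VLAN numbers, port names and the
class and function names are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List, Tuple


class VlanType(Enum):
    PRIMARY = "primary"
    ISOLATED = "isolated"
    COMMUNITY = "community"


@dataclass(frozen=True)
class Port:
    name: str
    vlan: int                     # primary VLAN for a promiscuous port, secondary VLAN for a host port
    promiscuous: bool = False
    # Secondary VLANs associated to this promiscuous port (empty for host ports).
    associated_secondaries: FrozenSet[int] = frozenset()


class PrivateVlanDomain:
    """One primary VLAN with its secondary VLANs and their associations."""

    def __init__(self, primary: int, vlan_types: Dict[int, VlanType], associations: Dict[int, int]):
        self.primary = primary
        self.vlan_types = dict(vlan_types)      # VLAN ID -> type; a deleted VLAN has no entry
        self.associations = dict(associations)  # secondary VLAN -> primary VLAN

    def delete_vlan(self, vid: int) -> None:
        # Deleting the VLAN keeps the association, so it is reinstated when the VLAN is reconverted.
        self.vlan_types.pop(vid, None)

    def configure_vlan(self, vid: int, vtype: VlanType) -> None:
        self.vlan_types[vid] = vtype

    def association_operational(self, secondary: int) -> bool:
        """Both VLANs exist, the primary is typed primary, the secondary is isolated or
        community, and the secondary is associated to this primary."""
        return (
            self.vlan_types.get(self.primary) is VlanType.PRIMARY
            and self.vlan_types.get(secondary) in (VlanType.ISOLATED, VlanType.COMMUNITY)
            and self.associations.get(secondary) == self.primary
        )

    def port_active(self, port: Port) -> bool:
        if port.promiscuous:
            return self.vlan_types.get(port.vlan) is VlanType.PRIMARY
        # Host ports are brought down when their association is not operational.
        return self.association_operational(port.vlan)

    def can_forward(self, src: Port, dst: Port) -> bool:
        """Whether a Layer 2 frame received on src may be delivered to dst."""
        if src == dst or not (self.port_active(src) and self.port_active(dst)):
            return False
        if src.promiscuous:
            # A promiscuous port reaches other promiscuous ports and the host ports of
            # every secondary VLAN associated to it.
            return dst.promiscuous or dst.vlan in src.associated_secondaries
        if dst.promiscuous:
            # Host traffic flows upstream only to promiscuous ports associated to its VLAN.
            return src.vlan in dst.associated_secondaries
        if self.vlan_types[src.vlan] is VlanType.ISOLATED:
            return False  # an isolated port never reaches another host port
        return dst.vlan == src.vlan  # a community port reaches its own community only

    def broadcast_receivers(self, src: Port, ports: Iterable[Port]) -> List[str]:
        """Names of the ports that receive a broadcast sent from src, sorted."""
        return sorted(p.name for p in ports if self.can_forward(src, p))


def build_sample() -> Tuple[PrivateVlanDomain, Dict[str, Port]]:
    """Constructed sample: primary 100, isolated 101, community 102, and community 103,
    which exists but is not associated with the primary (so its port stays down)."""
    domain = PrivateVlanDomain(
        primary=100,
        vlan_types={100: VlanType.PRIMARY, 101: VlanType.ISOLATED,
                    102: VlanType.COMMUNITY, 103: VlanType.COMMUNITY},
        associations={101: 100, 102: 100},
    )
    ports = [
        Port("gateway", 100, promiscuous=True, associated_secondaries=frozenset({101, 102})),
        Port("backup", 100, promiscuous=True, associated_secondaries=frozenset({101})),
        Port("iso1", 101), Port("iso2", 101),
        Port("com1", 102), Port("com2", 102),
        Port("orphan", 103),
    ]
    return domain, {p.name: p for p in ports}


if __name__ == "__main__":
    dom, ports = build_sample()
    for name in ("gateway", "backup", "iso1", "com1", "orphan"):
        print(f"{name:8} -> {dom.broadcast_receivers(ports[name], ports.values())}")
```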

Private VLAN Port Isolation

You can use private VLANs to control access to end stations as follows:

Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2. For example, if the end stations are servers, this configuration prevents Layer 2 communication between the servers.

Configure interfaces connected to default gateways and selected end stations (for example, backup servers) as promiscuous ports to allow all end stations access to a default gateway.

Private VLANs and VLAN Interfaces

A VLAN interface to a Layer 2 VLAN is also called a switched virtual interface (SVI). Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs.

Configure VLAN network interfaces only for primary VLANs. Do not configure VLAN interfaces for secondary VLANs. VLAN network interfaces for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN. You will see the following actions if you misconfigure the VLAN interfaces:

If you try to configure a VLAN with an active VLAN network interface as a secondary VLAN, the configuration is not allowed until you disable the VLAN interface.

If you try to create and enable a VLAN network interface on a VLAN that is configured as a secondary VLAN, that VLAN interface remains disabled, and the system returns an error.

When the primary VLAN is associated with and mapped to the secondary VLAN, any configuration on the primary VLAN is propagated to the secondary VLANs. For example, if you assign an IP subnet to the VLAN network interface on the primary VLAN, this subnet is the IP subnet address of the entire private VLAN.


Note You must enable the VLAN interface feature before you configure VLAN interfaces. See the Cisco DCNM Interfaces Configuration Guide book for information on VLAN interfaces and IP addressing.


Private VLANs Across Multiple Devices

You can extend private VLANs across multiple devices by trunking the primary, isolated, and community VLANs to other devices that support private VLANs. To maintain the security of your private VLAN configuration and to avoid other uses of the VLANs configured to be private VLANs, configure private VLANs on all intermediate devices too, including devices that have no private VLAN ports.

High Availability

The software supports high availability for private VLANs across both stateful restarts and stateless restarts, such as a cold reboot. For stateful restarts, the software supports a maximum of 3 retries; if you try more than 3 times within 10 seconds of a restart, the software reloads the supervisor module.

You can upgrade or downgrade the software seamlessly, with respect to private VLANs.


Note See the Cisco NX-OS High Availability and Redundancy Configuration Guide for complete information on high-availability features.


Virtualization Support

The software supports virtual device contexts (VDCs).


Note See the Cisco DCNM Virtual Device Context Configuration Guide for complete information on VDCs and assigning resources.


All private VLAN ports of a private VLAN, for both the primary VLAN and all of its secondary VLANs, must be in the same VDC. Private VLANs cannot cross VDCs.

Licensing Requirements for Private VLANs

The following table shows the licensing requirements for this feature:

Product   License Requirement
DCNM      Private VLANs require no license. Any feature not included in a license package is bundled with the Cisco DCNM and is provided at no charge to you. For a complete explanation of the DCNM licensing scheme, see the Cisco DCNM Licensing Guide.
NX-OS     Private VLANs require no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.


However, using VDCs requires an Advanced Services license.

Prerequisites for Private VLANs

The following are prerequisites for configuring private VLANs:

You must be logged onto the device.

If necessary, install the Advanced Services license and enter the desired VDC.

You must enable the private VLAN feature.

Guidelines and Limitations

The guidelines for configuring private VLANs are described in the following topics:

Secondary and Primary VLAN Configuration

Private VLAN Port Configuration

Limitations with Other Features

Secondary and Primary VLAN Configuration

Follow these guidelines when configuring private VLANs:

You cannot configure the default VLAN (VLAN1) or any of the internally allocated VLANs as primary or secondary VLANs.

A primary VLAN can have multiple isolated and community VLANs associated with it. An isolated or community VLAN can be associated with only one primary VLAN.

Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other at Layer 3.

When a secondary VLAN is associated with the primary VLAN, the STP parameters of the primary VLAN, such as bridge priorities, are propagated to the secondary VLAN. However, STP parameters do not necessarily propagate to other devices. You should manually check the STP configuration to ensure that the spanning tree topologies for the primary, isolated, and community VLANs match exactly so that the VLANs can properly share the same forwarding database.

For normal trunk ports, note the following:

There is a separate instance of STP for each VLAN in the private VLAN.

STP parameters for the primary and all secondary VLANs must match.

The primary and all associated secondary VLANs should be in the same MST instance.

For nontrunking ports, note the following:

STP is aware only of the primary VLAN for any private VLAN host port; STP does not run on secondary VLANs on a host port.


Note We recommend that you enable BPDU Guard on all ports you configure as a host port; do not enable this feature on promiscuous ports. See Chapter 6, "Configuring STP Extensions" for information on BPDU Guard configuration.


You can apply different Quality of Service (QoS) configurations to primary, isolated, and community VLANs.

To apply a VACL to all private VLAN traffic, map the secondary VLANs on the VLAN network interface of the primary VLAN, and then configure the VACLs on the VLAN network interface of the primary VLAN.

The VACLs that you apply to the VLAN network interface of a primary VLAN automatically apply to the associated isolated and community VLANs only after you have configured the mapping.

If you do not map the secondary VLAN to the VLAN network interface of the primary VLAN, you can have different VACLs for primary and secondary VLANs, which can cause problems.

Because traffic in a private VLAN flows in different directions in different VLANs, you can have different VACLs for ingressing traffic and different VACLs for egressing traffic prior to configuring the mapping.


Note You must keep the same VACLs for the primary VLAN and all secondary VLANs in the private VLAN.


You can enable DHCP snooping on private VLANs. When you enable DHCP snooping on the primary VLAN, the DHCP configuration is propagated to the secondary VLANs. If you configure DHCP on a secondary VLAN, the configuration does not take effect if the primary VLAN is already configured.

Before you configure a VLAN as a secondary VLAN, you must shut down the VLAN network interface for the secondary VLAN.

To prevent interhost communication in isolated private VLANs with a promiscuous port, configure a role-based ACL (RBACL) that disallows hosts in that subnet from communicating with each other.

Private VLAN Port Configuration

Follow these guidelines when configuring private VLAN ports:

The Layer 2 access ports that are assigned to the VLANs that you configure as primary, isolated, or community VLANs are inactive while the VLAN is part of the private VLAN configuration. Layer 2 trunk interfaces, which may carry private VLANs, are active and remain part of the STP database.

Do not configure ports that belong to a port-channel group as private VLAN ports. While a port is part of the private VLAN configuration, any port-channel configuration for it is inactive.

If you delete a VLAN used in the private VLAN configuration, the private VLAN ports that are associated with the VLAN become inactive.
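A configuration check that applies several of the guidelines above (default VLAN, VLAN network interface shut down on secondary VLANs, one primary per secondary, no port-channel members, promiscuous-port associations within one primary) to a declarative description of a private VLAN setup; this is an added example, not DCNM or NX-OS code, and the Config/Vlan/PvlanPort structures, VLAN IDs, and interface names are constructed.

```python
"""Lint a private VLAN configuration against the guidelines in this section.

Added example (not Cisco's code): the Config, Vlan and PvlanPort structures
and the sample VLAN IDs and interface names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

DEFAULT_VLAN = 1
SECONDARY_TYPES = ("isolated", "community")


@dataclass
class Vlan:
    vid: int
    pvlan_type: str          # "primary", "isolated", "community" or "normal"
    svi_up: bool = False     # VLAN network interface administratively up


@dataclass
class PvlanPort:
    name: str
    mode: str                # "host" or "promiscuous"
    primary: int
    secondaries: Set[int]    # exactly one for a host port, any number for a promiscuous port
    port_channel: int = 0    # nonzero when the interface is a port-channel member


@dataclass
class Config:
    vlans: Dict[int, Vlan]
    associations: List[Tuple[int, int]]   # (primary, secondary) pairs
    ports: List[PvlanPort]


def lint(cfg: Config) -> List[str]:
    """Return one finding per violated guideline; an empty list means clean."""
    findings: List[str] = []
    for v in cfg.vlans.values():
        if v.vid == DEFAULT_VLAN and v.pvlan_type != "normal":
            findings.append(f"VLAN {v.vid}: the default VLAN cannot be a primary or secondary VLAN")
        if v.pvlan_type in SECONDARY_TYPES and v.svi_up:
            findings.append(f"VLAN {v.vid}: shut down the VLAN network interface before making it a secondary VLAN")
    primary_of: Dict[int, int] = {}
    for prim, sec in cfg.associations:
        if getattr(cfg.vlans.get(prim), "pvlan_type", None) != "primary":
            findings.append(f"association {prim}->{sec}: VLAN {prim} is not configured as a primary VLAN")
        if getattr(cfg.vlans.get(sec), "pvlan_type", None) not in SECONDARY_TYPES:
            findings.append(f"association {prim}->{sec}: VLAN {sec} is not an isolated or community VLAN")
        if sec in primary_of and primary_of[sec] != prim:
            findings.append(f"VLAN {sec}: secondary VLAN associated with more than one primary ({primary_of[sec]}, {prim})")
        primary_of.setdefault(sec, prim)
    for p in cfg.ports:
        if p.port_channel:
            findings.append(f"{p.name}: member of port-channel {p.port_channel} and must not be a private VLAN port")
        if p.mode == "host" and len(p.secondaries) != 1:
            findings.append(f"{p.name}: a host port belongs to exactly one secondary VLAN")
        for sec in sorted(p.secondaries):
            if primary_of.get(sec) != p.primary:
                findings.append(f"{p.name}: secondary VLAN {sec} is not associated with primary VLAN {p.primary}")
    return findings


def sample_config() -> Config:
    """Constructed sample containing five guideline violations."""
    vlans = {
        1: Vlan(1, "normal"),
        100: Vlan(100, "primary", svi_up=True),
        101: Vlan(101, "isolated"),
        102: Vlan(102, "community", svi_up=True),   # SVI left up on a secondary VLAN
        200: Vlan(200, "primary"),
        103: Vlan(103, "normal"),                   # associated below without being a secondary type
    }
    associations = [(100, 101), (100, 102), (200, 102), (100, 103)]  # 102 associated twice
    ports = [
        PvlanPort("Ethernet1/1", "promiscuous", 100, {101, 102}),
        PvlanPort("Ethernet1/2", "host", 100, {101}),
        PvlanPort("Ethernet1/3", "host", 100, {101}, port_channel=10),  # port-channel member
        PvlanPort("Ethernet1/4", "promiscuous", 200, {101}),            # 101 belongs to primary 100
    ]
    return Config(vlans, associations, ports)


def clean_config() -> Config:
    """Constructed sample that follows every guideline checked above."""
    vlans = {100: Vlan(100, "primary", svi_up=True), 101: Vlan(101, "isolated"), 102: Vlan(102, "community")}
    ports = [PvlanPort("Ethernet1/1", "promiscuous", 100, {101, 102}), PvlanPort("Ethernet1/2", "host", 100, {101})]
    return Config(vlans, [(100, 101), (100, 102)], ports)


if __name__ == "__main__":
    for finding in lint(sample_config()):
        print(finding)
```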

Limitations with Other Features

Consider these configuration limitations with other features when configuring private VLANs:


Note In some cases, the configuration is accepted with no error messages, but the commands have no effect.


IGMP runs only on the primary VLAN and uses the configuration of the primary VLAN for all secondary VLANs.

Any IGMP join request in the secondary VLAN is treated as if it is received in the primary VLAN.

Private VLANs support these Switched Port Analyzer (SPAN) features:

You can configure a private VLAN port as a SPAN source port.

You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs or use SPAN on only one VLAN to separately monitor egress or ingress traffic.

A private VLAN host or promiscuous port cannot be a SPAN destination port.

A destination SPAN port cannot be an isolated port. (However, a source SPAN port can be an isolated port.)

You can configure SPAN to span both primary and secondary VLANs or to span either one if the user is interested only in ingress or egress traffic.

After you configure the association between the primary and secondary VLANs, the dynamic MAC addresses learned on the secondary VLANs are flushed.

After you configure the association between the primary and secondary VLANs, all static MAC addresses that were created on the secondary VLANs are inserted into the primary VLAN. If you delete the association, the static MAC addresses revert to the secondary VLANs only.

After you configure the association between the primary and secondary VLANs, you cannot create static MAC addresses for the secondary VLANs.

After you configure the association between the primary and secondary VLANs and then delete it, all static MAC addresses that were created on the primary VLAN remain on the primary VLAN only.

Port security features are not supported with private VLANs.


Note See the Cisco DCNM Security Configuration Guide for information on configuring static MAC addresses.


Configuring a Private VLAN

This section includes the following topics:

Guidelines for Configuring Private VLANs

Enabling Private VLANs

Configuring a VLAN as a Private VLAN

Associating Secondary VLANs with a Primary Private VLAN

Mapping Secondary VLANs to the VLAN Interface of a Primary VLAN

Configuring Private VLAN Host and Promiscuous Ports


Note See the Cisco DCNM Interfaces Configuration Guide for information on assigning IP addresses to VLAN network interfaces.


Guidelines for Configuring Private VLANs

You must enable private VLANs before the device can apply the private VLAN functionality. You must enable the VLAN interface feature before the device can apply this functionality.

Shut down the VLAN network interface for all VLANs that you plan to configure as secondary VLANs before you configure these VLANs.

Review the "Guidelines and Limitations" section before you begin configuring a private VLAN feature.

Enabling Private VLANs

You must enable private VLANs on the device to run the private VLAN functionality.

You enable private VLANs on the device using the VLAN pane (see Figure 3-2).

Figure 3-2 Configuring Private VLANs

DETAILED STEPS

To enable private VLAN functionality on the device, follow these steps:


Step 1 From the Feature Selector pane, choose Switching > VLAN to open the VLAN pane.

Step 2 In the Summary pane, click the Device View tab.

Step 3 In the Summary pane, click the device in which you want to create a VLAN.

Step 4 On the device, right-click and choose Enable Private VLAN Conditional Services from the drop-down list.

Step 5 (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.


Configuring a VLAN as a Private VLAN


Note Before you configure a VLAN as a secondary VLAN—that is, either a community or isolated VLAN—you must first shut down the VLAN network interface.


You can configure a VLAN as a private VLAN.

You create all VLANs that you want to use in the private VLAN as a primary VLAN, a community VLAN, or an isolated VLAN. You will later associate multiple isolated and multiple community VLANs to one primary VLAN. You can have many primary VLANs and associations, which means that you could have many private VLANs.

If you delete either the primary or secondary VLAN, the ports that are associated with the VLAN become inactive.


Note Ensure that private VLANs are enabled.


You create and associate private VLANs using the VLAN pane (see Figure 3-2).

DETAILED STEPS

To create a private VLAN, follow these steps:


Step 1 From the Feature Selector pane, choose Switching > VLAN to open the VLAN pane.

Step 2 In the Summary pane, click the Device View tab.

Step 3 In the Summary pane, click the device in which you want to create a VLAN.

Step 4 On the menu, click New.

Step 5 From the drop-down list, choose Primary VLAN, Community VLAN, or Isolated VLAN.

Step 6 In the VLAN ID column, enter the ID for the new VLAN.

The VLAN is immediately created on the device with default settings.

Step 7 (Optional) To change the name of the VLAN, click in the Name column and enter the name that you want.

Step 8 (Optional) From the menu bar, choose VLAN > Delete to delete the specified VLAN.

The system returns a message asking if you want to delete these VLANs. When you click Yes, those VLANs are immediately removed from the device.

Step 9 (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.


Associating Secondary VLANs with a Primary Private VLAN

If you delete either the primary or secondary VLAN, the ports that are associated with the VLAN become inactive.

When you reconvert the specified VLAN to private VLAN mode, the original associations are reinstated.

You associate secondary VLANs with primary VLANs. Community and isolated VLANs are secondary VLANs, and each secondary VLAN must be associated with a primary VLAN. You can have many primary VLANs and associations, which means that you could have many private VLANs.

If you delete either the primary or secondary VLAN, the ports that are associated with the VLAN become inactive. To change the existing association, you first remove the present association and then configure the new association.

You associate private VLANs using the VLAN pane (see Figure 3-3).

Figure 3-3 Associating a Secondary VLAN with a Private VLAN

DETAILED STEPS


Note You must create the secondary VLAN before you can associate the secondary and primary VLANs.


To associate secondary VLANs with a primary VLAN, follow these steps:


Step 1 From the Feature Selector pane, choose Switching > VLAN to open the VLAN pane.

Step 2 In the Summary pane, click the Device View tab.

Step 3 In the Summary pane, click the device in which you want to associate a VLAN.

Step 4 In the Summary pane, click the primary VLAN.

Tabs appear in the Details pane.

Step 5 Click the VLAN Details tab.

Step 6 Click the VLAN Settings section.

Step 7 Right-click the Secondary VLANs area and enter the secondary VLAN that you want associated with this primary VLAN.

The Secondary VLANs area displays the VLAN ID and the VLAN type of each associated secondary VLAN.

Step 8 (Optional) To add additional secondary VLANs to the primary VLAN, repeat Steps 4 through 7.

Step 9 (Optional) To delete secondary VLANs from the primary VLAN, click the Secondary VLANs area and select the VLAN that you want to remove from associating with the primary VLAN. Right-click the mouse and click Delete Secondary VLAN.

Step 10 (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.


Mapping Secondary VLANs to the VLAN Interface of a Primary VLAN

You map secondary VLANs to the VLAN interface of a primary VLAN. Isolated and community VLANs are both called secondary VLANs. To allow Layer 3 processing of private VLAN ingress traffic, you map secondary VLANs to the VLAN network interface of a primary VLAN.


Note You must enable VLAN network interfaces before you configure the VLAN network interface. VLAN network interfaces on community or isolated VLANs that are associated with a primary VLAN will be out of service. Only the VLAN network interface on the primary VLAN is in service.


You enter the VLAN pane to add the VLAN network interface for the primary VLAN and associate the VLAN network interface with secondary VLANs (see Figure 3-3).

DETAILED STEPS


Note Before you configure a VLAN as a secondary VLAN—that is, either a community or isolated VLAN—you must first shut down the VLAN network interface for that VLAN.


To set the VLAN network interface for the primary VLAN and associate secondary VLANs, follow these steps:


Step 1 From the Feature Selector pane, choose Switching > VLAN to open the VLAN pane.

Step 2 In the Summary pane, click the Device View tab.

Step 3 In the Summary pane, click the primary VLAN.

Step 4 From the menu bar, choose VLAN > Add VLAN Network Interface.

A window appears in the VLAN Settings section of the VLAN Details tab that allows you to configure the VLAN network interface.

Step 5 In the Description field, enter a description for the VLAN network interface.

Step 6 In the IP Address field, enter an IP address for the VLAN network interface.

Step 7 In the Netmask field, enter the netmask for the VLAN network interface.

Step 8 In the Admin State field, choose Up or Down from the drop-down list.

Step 9 (Optional) In the VLAN Network Interface area, click the drop-down list in the Secondary VLANs field and choose the associated secondary VLANs to add to the VLAN network interface of the primary VLAN.

Step 10 (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.


Configuring Private VLAN Host and Promiscuous Ports

You can configure private VLAN host ports and private VLAN promiscuous ports. In private VLANs, host ports are part of the secondary VLANs, which are either community VLANs or isolated VLANs. You can configure a Layer 2 interface as a private VLAN promiscuous port, and then you can associate that promiscuous port with the primary and secondary VLANs.


Note We recommend that you enable BPDU Guard on all interfaces configured as a host port.


You configure private VLAN ports using the Ethernet pane (see Figure 3-4).

Figure 3-4 Configuring Private VLAN Hosts

DETAILED STEPS

To configure host and promiscuous private VLAN ports, follow these steps:


Step 1 From the Feature Selector pane, choose Interfaces > Physical > Ethernet to open the Ethernet pane.

Step 2 From the Contents pane, in the Summary pane, double-click the device to display the interfaces.

Step 3 Double-click the slot to display the list of interfaces.

Step 4 Click the interface.

The system highlights the interface in the Summary pane, and tabs appear in the Details pane.

Step 5 In the Details pane, click the Port Details tab.

Step 6 Click the Port Mode Settings section.

Step 7 From the Mode drop-down list, choose PVLAN Host or PVLAN Promiscuous to configure the port as an access port.

Step 8 Click the Secondary VLAN drop-down list, and choose the secondary VLANs that you want to configure for this interface.

The Secondary VLAN window displays the configured secondary VLANs and primary VLAN with which each secondary VLAN is associated. When you choose the secondary VLAN, the system automatically populates the Primary VLAN field.

Step 9 (Optional) From the menu bar, choose File > Deploy to apply your changes to the device.


Displaying Private VLAN Statistics

The following window appears in the Statistics tab:

VLAN Traffic Statistics—Displays information on private VLAN traffic such as Layer 2 unicast, multicast, and broadcast traffic, Layer 3 unicast and multicast traffic, and so forth.

Field Descriptions

See the Cisco DCNM Interfaces Configuration Guide for descriptions of the fields that you use to configure private VLAN ports.

See Chapter 2, "Configuring VLANs" for descriptions of the fields that you use to configure the private VLANs.

Additional References

For additional information related to implementing private VLANs, see the following sections:

Related Documents

Standards

MIBs

Related Documents

Related Topic                            Document Title
VLANs                                    Chapter 2, "Configuring VLANs"
STP Extensions                           Chapter 6, "Configuring STP Extensions"
NX-OS Layer 2 switching configuration    Cisco NX-OS Layer 2 Switching Configuration Guide
VLAN interfaces, IP addressing           Cisco DCNM Interfaces Configuration Guide
Static MAC addresses, security           Cisco DCNM Security Configuration Guide
DCNM fundamentals                        Cisco DCNM Fundamentals Configuration Guide
High availability                        Cisco NX-OS High Availability and Redundancy Guide
System management                        Cisco NX-OS System Management Configuration Guide
VDCs                                     Cisco DCNM Virtual Device Context Configuration Guide
Licensing                                Cisco DCNM Licensing Guide
Release notes                            Cisco DCNM Release Notes, Release 4.0


Standards

Standards    Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs                      MIBs Link
CISCO-PRIVATE-VLAN-MIB    To locate and download MIBs, go to the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


Feature History for Configuring Private VLANs

Table 3-1 lists the release history for this feature.

Table 3-1 Feature History for Configuring Private VLANs

Feature Name    Releases    Feature Information
                4.1(2)      There are no changes.