Configuring Private VLANs on a Catalyst Switch that runs Cisco IOS Software
Introduction
A private VLAN (PVLAN) is a VLAN configured to provide Layer 2 isolation
between ports in the same broadcast domain or IP subnet. You assign a specific
set of ports to a PVLAN and thereby control which of those ports can reach each
other at Layer 2.
This document describes the procedure to configure Private VLANs on
your Catalyst switch. This document applies to Catalyst 3560, 3750 and 4500
model switches running Cisco IOS® Software.
Overview
In some situations, you need to prevent Layer 2 (L2) connectivity
between end devices on a switch without placing the devices in different IP
subnets, which would consume additional IP address space. Private VLANs
(PVLANs) isolate devices in the same IP subnet at Layer 2. You can also
restrict some ports on the switch so that they reach only specific ports that
have a default gateway, backup server, or Cisco LocalDirector attached. A
private VLAN partitions a regular VLAN domain into subdomains, one VLAN pair
per subdomain: each subdomain is represented by a primary VLAN and a secondary
VLAN. Isolated and community VLANs are both secondary VLANs.
There are three types of PVLAN ports: promiscuous, isolated, and
community.
-
Promiscuous—A promiscuous port belongs to the primary VLAN and can
communicate with all interfaces, including the community and isolated host
ports that belong to the secondary VLANs associated with the primary VLAN. The
promiscuous port is the port that you typically use to communicate with
external routers, LocalDirectors, network management devices, backup servers,
administrative workstations, and other devices.
-
Isolated—An isolated port is a host port that belongs to an isolated
secondary VLAN. It has complete Layer 2 separation from other ports within the
same private VLAN, except for the promiscuous ports. Private VLANs block all
traffic to isolated ports except traffic from promiscuous ports. Traffic
received from an isolated port is forwarded only to promiscuous ports.
-
Community—A community port is a host port that belongs to a
community secondary VLAN. Community ports communicate with other ports in the
same community VLAN and with promiscuous ports. These interfaces are isolated
at Layer 2 from all other interfaces in other communities and from isolated
ports within their private VLAN.
Requirements
To perform the steps described in this document, you need to have this
equipment:
Rules and Limitations
This section lists the rules and limitations that you must observe when
you implement PVLANs.
-
PVLANs must not include VLANs 1 or 1002–1005.
-
You must set VLAN Trunk Protocol (VTP) mode to
transparent.
-
A primary VLAN can have one isolated VLAN and multiple community
VLANs associated with it. An isolated or community VLAN can have only one
primary VLAN associated with it.
-
You can only designate a VLAN as a PVLAN if that VLAN has no current
access port assignments. Remove any ports in that VLAN before you make the VLAN
a PVLAN.
-
Do not configure PVLAN ports as EtherChannels.
-
If you delete a VLAN that you use in the PVLAN configuration, the
ports that associate with the VLAN become inactive.
-
Configure Layer 3 (L3) VLAN interfaces only for the primary VLANs.
VLAN interfaces for isolated and community VLANs are inactive while the VLAN
has an isolated or community VLAN configuration.
-
You can extend PVLANs across switches with the use of trunks.
-
You must manually enter the same PVLAN configuration on every switch
involved, because VTP in transparent mode does not propagate this
information.
Connect your PC to the Switch
Follow these steps to connect your PC to the Switch:
-
Connect a PC to the switch with a console cable.
-
Create a HyperTerminal connection to your switch. For more
information, refer to Create a HyperTerminal Connection.
-
Log into the switch with the login and password that you entered in
fields B10 and B11 of the switch Worksheet.
Username:admin
Password:
Note: If you do not know the password for your switch, refer to Manually
Reset the Password on a Catalyst Switch.
-
Type enable and press Enter to
access the privileged mode. Type the enable password that you entered in field
S5 of the Switch Port Assignment Worksheet.
switch>enable
Password:
switch#
Network Diagram
This diagram gives you a topology of Private VLAN configuration. The
Catalyst 3560 switch has VLAN 50 designated as Primary VLAN, VLAN 100
designated as Secondary Isolated VLAN and VLAN 101 as Secondary Community VLAN.
Hosts in Isolated VLAN and Community VLAN can communicate with the host on port
Fast Ethernet 0/7 configured as a promiscuous port.
Configure Private VLANs on your Catalyst Switch (Cisco IOS)
Follow these steps to configure Private VLANs on your Catalyst switch
which runs Cisco IOS software:
Configure Primary, Isolated and Community VLANs
Follow these steps to configure primary, isolated and community
vlans:
-
Type configure terminal and press
Enter to enter the switch configuration mode.
switch#configure terminal
switch(config)#
-
Type vtp mode transparent and press
Enter.
switch(config)#vtp mode transparent
switch(config)#
-
Type vlan vlan-id and press Enter
to enter VLAN configuration mode and create a Primary VLAN. The VLAN ID range
is 2 to 1001 and 1006 to 4094.
switch(config)#vlan 50
switch(config-vlan)#
-
Type private-vlan primary and press
Enter to designate the VLAN as the Primary VLAN.
switch(config-vlan)#private-vlan primary
switch(config-vlan)#
-
Type name primary-vlan and press
Enter.
switch(config-vlan)#name primary-vlan
switch(config-vlan)#
-
Type exit and press Enter to exit
VLAN configuration mode.
switch(config-vlan)#exit
switch(config)#
-
Type vlan vlan-id and press Enter
to enter VLAN configuration mode and create a Secondary Isolated VLAN. The VLAN
ID range is 2 to 1001 and 1006 to 4094.
switch(config)#vlan 100
switch(config-vlan)#
-
Type private-vlan isolated and press
Enter to designate the VLAN as the Isolated VLAN.
switch(config-vlan)#private-vlan isolated
switch(config-vlan)#
-
Type name isolated-vlan and press
Enter.
switch(config-vlan)#name isolated-vlan
switch(config-vlan)#
-
Type exit and press Enter to exit
VLAN configuration mode.
switch(config-vlan)#exit
switch(config)#
-
Type vlan vlan-id and press Enter
to enter VLAN configuration mode and create a Secondary Community VLAN. The
VLAN ID range is 2 to 1001 and 1006 to 4094.
switch(config)#vlan 101
switch(config-vlan)#
-
Type private-vlan community and press
Enter to designate the VLAN as the Community VLAN.
switch(config-vlan)#private-vlan community
switch(config-vlan)#
-
Type name community-vlan and press
Enter.
switch(config-vlan)#name community-vlan
switch(config-vlan)#
-
Type exit and press Enter to exit
VLAN configuration mode.
switch(config-vlan)#exit
switch(config)#
-
Type vlan 50 and press Enter to
re-enter VLAN configuration mode for the primary VLAN.
switch(config)#vlan 50
switch(config-vlan)#
-
Type private-vlan association
secondary_vlan-id_list and press Enter to associate
the secondary VLANs (isolated and community) with the primary VLAN.
switch(config-vlan)#private-vlan association 100,101
switch(config-vlan)#
Note: The secondary_vlan-id_list parameter can contain multiple
community VLAN IDs but only one isolated VLAN ID. The secondary_vlan-id_list
parameter must not contain spaces. It can contain multiple comma-separated
items. Each item can be a single private-VLAN ID or a hyphenated range of
private-VLAN IDs.
-
Type end and press Enter.
switch(config-vlan)#end
switch#
-
Type show vlan private-vlan and press
Enter to verify the private vlans you have configured.
switch#show vlan private-vlan
Primary Secondary Type Ports
---------- -------------- ----------------- ------------------------
50 100 isolated
50 101 community
-
Type write memory and press Enter
to save your configuration in the switch startup configuration file
switch#write memory
Assign Ports as a Private-VLAN Host Port
Configure the host ports on all the appropriate switches. In the Network
Diagram, port FastEthernet 0/20 is an isolated port that belongs to the
secondary isolated VLAN 100, and ports FastEthernet 0/15 and FastEthernet 0/16
are community ports that belong to the secondary community VLAN 101.
Follow these steps to configure layer 2 switch ports as a private-vlan
host port:
-
Type configure terminal and press
Enter to enter the switch configuration mode.
switch#configure terminal
switch(config)#
-
Type interface interface-id and press
Enter to enter interface configuration mode for port to be
configured.
switch(config)#interface fastEthernet 0/20
switch(config-if)#
-
Type switchport mode private-vlan host and press
Enter to configure the port as a private-VLAN host
port.
switch(config-if)#switchport mode private-vlan host
switch(config-if)#
-
Type switchport private-vlan host-association
primary_vlan_id secondary_vlan_id and press Enter to
associate the Layer 2 port with a private VLAN. In this step the association is
between the primary-vlan 50 and the secondary isolated VLAN 100.
switch(config-if)#switchport private-vlan host-association 50 100
-
Type exit and press Enter to exit
interface configuration mode.
switch(config-if)#exit
switch(config)#
-
Type interface interface-id and press
Enter to enter interface configuration mode for the Layer 2
interface to be configured.
switch(config)#interface fastEthernet 0/15
switch(config-if)#
-
Type switchport mode private-vlan host and press
Enter to configure the Layer 2 port as a private-VLAN host
port.
switch(config-if)#switchport mode private-vlan host
switch(config-if)#
-
Type switchport private-vlan host-association
primary_vlan_id secondary_vlan_id and press Enter to
associate the Layer 2 port with a private VLAN. In this step the host port
association is between the primary-vlan 50 and the secondary community VLAN
101.
switch(config-if)#switchport private-vlan host-association 50 101
-
Type exit and press Enter to exit
interface configuration mode.
switch(config-if)#exit
switch(config)#
-
Type interface interface-id and press
Enter to enter interface configuration mode for the Layer 2
interface to be configured.
switch(config)#interface fastEthernet 0/16
switch(config-if)#
-
Type switchport mode private-vlan host and press
Enter to configure the Layer 2 port as a private-VLAN host
port.
switch(config-if)#switchport mode private-vlan host
switch(config-if)#
-
Type switchport private-vlan host-association
primary_vlan_id secondary_vlan_id and press Enter to
associate the Layer 2 port with a private VLAN. In this step, the host port
association is between the primary-vlan 50 and the secondary community VLAN
101.
switch(config-if)#switchport private-vlan host-association 50 101
-
Type end and press Enter.
switch(config-if)#end
switch#
-
Type show interfaces [interface-id] switchport to
verify the configuration of host port.
switch#show interfaces fastethernet0/20 switchport
Name:Fa0/20
Switchport:Enabled
Administrative Mode:private-vlan host
Operational Mode:private-vlan host
Administrative Trunking Encapsulation:negotiate
Operational Trunking Encapsulation:native
Negotiation of Trunking:Off
Access Mode VLAN:1 (default)
Trunking Native Mode VLAN:1 (default)
Administrative Native VLAN tagging:enabled
Voice VLAN:none
Administrative private-vlan host-association:50 (VLAN0050) 100 (VLAN0100)
Administrative private-vlan mapping:none
Administrative private-vlan trunk native VLAN:none
Administrative private-vlan trunk Native VLAN tagging:enabled
Administrative private-vlan trunk encapsulation:dot1q
Administrative private-vlan trunk normal VLANs:none
Administrative private-vlan trunk private VLANs:none
Operational private-vlan:50 (VLAN0050) 100 (VLAN0100)
-
Type write memory and press Enter
to save your configuration in the switch startup configuration file.
switch#write memory
Assign Ports as a Private-VLAN Promiscuous Port
A promiscuous port belongs to the primary VLAN and can communicate with
all interfaces, including the community and isolated host ports that belong to
the secondary VLANs associated with the primary VLAN. Configure the promiscuous
port on one of the switches. In the Network Diagram, port FastEthernet 0/7 is
configured as the promiscuous port.
Follow these steps to configure layer 2 switch ports as a private-vlan
promiscuous port:
-
Type configure terminal and press
Enter to enter the switch configuration mode.
switch#configure terminal
switch(config)#
-
Type interface interface-id and press
Enter to enter interface configuration mode for the Layer 2
interface to be configured.
switch(config)#interface fastEthernet 0/7
switch(config-if)#
-
Type switchport mode private-vlan promiscuous and
press Enter to configure the Layer 2 port as a private-VLAN
promiscuous port.
switch(config-if)#switchport mode private-vlan promiscuous
switch(config-if)#
-
Type switchport private-vlan mapping primary_vlan_id add
secondary_vlan_id_list and press Enter. In this step
the mapping is done between the primary-vlan 50 and the secondary VLANs 100 and
101.
switch(config-if)#switchport private-vlan mapping 50 add 100,101
-
Type end and press Enter to return
to privileged EXEC mode.
switch(config-if)#end
switch#
-
Type show interfaces [interface-id] switchport to
verify the configuration of promiscuous port.
switch#show interfaces fastethernet0/7 switchport
Name:Fa0/7
Switchport:Enabled
Administrative Mode:private-vlan promiscuous
Operational Mode:private-vlan promiscuous
Administrative Trunking Encapsulation:negotiate
Negotiation of Trunking:Off
Access Mode VLAN:1 (default)
Trunking Native Mode VLAN:1 (default)
Administrative Native VLAN tagging:enabled
Voice VLAN:none
Administrative private-vlan host-association:none
Administrative private-vlan mapping:50 (primary-vlan) 100 (isolated-vlan) 101 (community-vlan)
Administrative private-vlan trunk native VLAN:none
Administrative private-vlan trunk Native VLAN tagging:enabled
Administrative private-vlan trunk encapsulation:dot1q
Administrative private-vlan trunk normal VLANs:none
Administrative private-vlan trunk associations:none
Administrative private-vlan trunk mappings:none
Operational private-vlan:50 (VLAN0050) 100 (VLAN0100) 101 (VLAN0101)
Trunking VLANs Enabled:ALL
Pruning VLANs Enabled:2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
-
Type show vlan private-vlan and press
Enter to verify the primary and secondary VLANs and
private-VLAN ports configured on the switch.
switch#show vlan private-vlan
Primary Secondary Type Ports
------- --------- -------------- ---------------------
50 100 isolated Fa0/7, Fa0/20
50 101 community Fa0/7, Fa0/15, Fa0/16
-
Type write memory and press Enter
to save your configuration in the switch startup configuration file.
switch#write memory
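The show vlan private-vlan output above is the quickest place to confirm that the isolation you intended actually exists on the switch. The following Python script is an added example, not part of this procedure and not a Cisco tool: it parses that output (the first sample below is a constructed copy of the output shown above; the second is a constructed, deliberately broken variant) and reports any host port that is in the wrong secondary VLAN, any host port that appears in more than one secondary VLAN, any primary VLAN with more than one isolated VLAN, and any promiscuous port that is not mapped to every secondary VLAN. The port names and the expected port-to-VLAN design are taken from the Network Diagram; the handling of wrapped lines assumes that IOS continues a long Ports column on indented lines.

```python
import re
from collections import defaultdict

# Constructed sample: the 'show vlan private-vlan' output shown on this page
# after the host and promiscuous ports were assigned (not a live capture).
SAMPLE_OUTPUT = """\
Primary Secondary Type           Ports
------- --------- -------------- ---------------------
50      100       isolated       Fa0/7, Fa0/20
50      101       community      Fa0/7, Fa0/15, Fa0/16
"""

# Constructed sample with two mistakes: Fa0/7 was not mapped to VLAN 100 and
# Fa0/20 was also associated with the community VLAN.  The wrapped port list
# mimics how IOS continues a long Ports column on the next line (assumption).
BROKEN_OUTPUT = """\
Primary Secondary Type           Ports
------- --------- -------------- ---------------------
50      100       isolated       Fa0/20
50      101       community      Fa0/7, Fa0/15,
                                 Fa0/16, Fa0/20
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(isolated|community|non-operational)\s*(.*)$")
CONTINUATION = re.compile(r"^\s+([A-Za-z]+\d+(?:/\d+)*(?:\s*,\s*[A-Za-z]+\d+(?:/\d+)*)*)\s*,?\s*$")


def split_ports(field):
    return [p.strip() for p in field.split(",") if p.strip()]


def parse_private_vlans(text):
    """Return [(primary, secondary, type, [ports]), ...] from show vlan private-vlan."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3), split_ports(m.group(4))))
            continue
        c = CONTINUATION.match(line)
        if c and rows:                      # wrapped Ports column belongs to the previous row
            rows[-1][3].extend(split_ports(c.group(1)))
    return rows


def audit(rows, promiscuous_ports, expected_ports):
    """Check parsed rows against the isolation the design calls for.

    promiscuous_ports: ports that must be mapped to every secondary VLAN.
    expected_ports:    {host_port: secondary_vlan} the port must be placed in.
    Returns a list of findings; an empty list means the layout is consistent.
    """
    findings = []
    isolated = defaultdict(list)            # primary -> isolated secondaries
    host_membership = defaultdict(set)      # host port -> secondaries it appears in
    for primary, secondary, vtype, ports in rows:
        if vtype == "non-operational":
            findings.append(f"secondary VLAN {secondary} of primary {primary} is non-operational")
        if vtype == "isolated":
            isolated[primary].append(secondary)
        for p in promiscuous_ports:
            if p not in ports:
                findings.append(f"promiscuous port {p} is not mapped to secondary VLAN {secondary}")
        for p in ports:
            if p not in promiscuous_ports:
                host_membership[p].add(secondary)
    for primary, secs in isolated.items():
        if len(secs) > 1:                   # only one isolated VLAN per primary VLAN
            findings.append(f"primary VLAN {primary} has several isolated VLANs: {secs}")
    for port, secs in host_membership.items():
        if len(secs) > 1:                   # a host port belongs to exactly one secondary VLAN
            findings.append(f"host port {port} appears in several secondary VLANs: {sorted(secs)}")
    for port, want in expected_ports.items():
        if host_membership.get(port) != {want}:
            found = sorted(host_membership.get(port, ()))
            findings.append(f"host port {port} should be in secondary VLAN {want}, found {found}")
    return findings


def audit_text(text, promiscuous_ports, expected_ports):
    return audit(parse_private_vlans(text), set(promiscuous_ports), expected_ports)


if __name__ == "__main__":
    design = {"Fa0/20": 100, "Fa0/15": 101, "Fa0/16": 101}   # from the Network Diagram
    for label, text in (("page sample", SAMPLE_OUTPUT), ("broken sample", BROKEN_OUTPUT)):
        print(label, audit_text(text, {"Fa0/7"}, design) or "OK")
```

Paste the real output of show vlan private-vlan into the text argument of audit_text, together with the promiscuous ports and the intended port-to-VLAN map, and treat every finding as a port that is not isolated the way the design says it is.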
Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface
If the private VLAN needs to be used for inter-VLAN routing, you
configure a Switched Virtual Interface (SVI) for the primary VLAN and map the
secondary VLANs to that SVI. If you only need Layer 2 connectivity, you can
omit this phase.
Keep in mind that private VLANs isolate hosts at Layer 2 only. Once the
primary VLAN SVI routes, a host on an isolated port can still reach another
host in the same subnet by sending its packets to the gateway MAC address,
because the SVI routes them back out to the destination. If that is not
acceptable, apply an IP access list to the SVI that denies traffic sourced
from and destined to the local subnet, while still permitting traffic to the
gateway address itself, before you enable routing.
Follow these steps to map secondary VLANs to the SVI of a primary VLAN
to allow Layer 3 switching of private-VLAN traffic:
-
Type configure terminal and press
Enter to enter the switch configuration mode.
switch#configure terminal
switch(config)#
-
Type interface vlan primary_vlan_id and press
Enter to enter interface configuration mode for the SVI.
switch(config)#interface vlan 50
switch(config-if)#
-
Configure an IP address on the primary VLAN interface if you have not
configured one previously. Type ip address ip_address subnet_mask
and press Enter.
switch(config-if)#ip address 192.168.18.1 255.255.255.0
switch(config-if)#
-
Type private-vlan mapping secondary_vlan-id_list
and press Enter to map the secondary VLANs that you want to
route with the primary VLAN.
switch(config-if)#private-vlan mapping 100,101
switch(config-if)#
-
Type end and press Enter to return to privileged EXEC mode.
switch(config-if)#end
switch#
Note: The private-vlan mapping interface configuration
command only affects private-VLAN traffic that is switched through Layer
3.
-
Type show interface private-vlan mapping to verify
the configuration.
switch#show interface private-vlan mapping
Interface Secondary VLAN Type
------- -------------- -----------------
vlan50 100 isolated
vlan50 101 community
-
Type write memory and press
Enter to save your configuration in the switch startup
configuration file.
switch#write memory
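As an added example that is not part of this page's procedure, the Python function below assembles the complete configuration from the steps above for one private VLAN, in an order the switch accepts, and refuses a design that breaks the rules listed under Rules and Limitations (reserved VLAN IDs, a host port placed in a VLAN that is not associated with the primary, an EtherChannel used as a PVLAN port). Because private VLANs isolate only at Layer 2, it can also emit an IP access list for the primary VLAN SVI that stops hosts in the subnet from reaching each other through the gateway; that access list, its name PVLAN-NO-LOCAL, and the full interface names are assumptions of the example, not commands from the original page. The VLAN IDs and addresses are those of the Network Diagram.

```python
import ipaddress

RESERVED_VLANS = {1, 1002, 1003, 1004, 1005}   # never usable as private VLANs


def design_errors(primary, isolated, communities, host_ports, promiscuous_ports):
    """Return the rule violations in a PVLAN design (empty list = acceptable)."""
    errors = []
    secondaries = ([isolated] if isolated is not None else []) + list(communities)
    if not secondaries:
        errors.append("a primary VLAN needs at least one secondary VLAN")
    for vid in [primary] + secondaries:
        if vid in RESERVED_VLANS or not 2 <= vid <= 4094:
            errors.append(f"VLAN {vid}: private VLAN IDs must be 2-1001 or 1006-4094")
    if primary in secondaries or len(set(secondaries)) != len(secondaries):
        errors.append("primary and secondary VLAN IDs must all be distinct")
    for port, sec in host_ports.items():
        if sec not in secondaries:
            errors.append(f"{port}: VLAN {sec} is not a secondary VLAN of primary {primary}")
    for port in list(host_ports) + list(promiscuous_ports):
        if port.lower().startswith("po"):     # Port-channelN: PVLAN ports cannot be EtherChannels
            errors.append(f"{port}: private-VLAN ports cannot be EtherChannels")
    return errors


def pvlan_config(primary, isolated, communities, host_ports, promiscuous_ports,
                 svi_address=None, gateway_acl=None):
    """Emit the IOS commands for one private VLAN as a list of lines.

    host_ports        {interface: secondary VLAN it belongs to}
    promiscuous_ports interfaces mapped to every secondary VLAN
    svi_address       (ip, mask) for the primary-VLAN SVI; None keeps it Layer 2 only
    gateway_acl       name of an ACL (assumed) that stops hosts reaching each other via the SVI
    """
    errors = design_errors(primary, isolated, communities, host_ports, promiscuous_ports)
    if errors:
        raise ValueError("; ".join(errors))
    secondaries = ([isolated] if isolated is not None else []) + list(communities)
    sec_list = ",".join(str(s) for s in secondaries)
    lines = ["vtp mode transparent"]   # required: VTP does not propagate PVLAN data
    if isolated is not None:
        lines += [f"vlan {isolated}", " private-vlan isolated"]
    for c in communities:
        lines += [f"vlan {c}", " private-vlan community"]
    lines += [f"vlan {primary}", " private-vlan primary", f" private-vlan association {sec_list}"]
    for port, sec in host_ports.items():
        lines += [f"interface {port}", " switchport mode private-vlan host",
                  f" switchport private-vlan host-association {primary} {sec}"]
    for port in promiscuous_ports:
        lines += [f"interface {port}", " switchport mode private-vlan promiscuous",
                  f" switchport private-vlan mapping {primary} add {sec_list}"]
    if svi_address:
        ip, mask = svi_address
        if gateway_acl:
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            local = f"{net.network_address} {net.hostmask}"   # IOS wildcard form of the subnet
            lines += [f"ip access-list extended {gateway_acl}",
                      f" permit ip {local} host {ip}",      # hosts may still talk to the gateway itself
                      f" deny ip {local} {local}",          # but not to each other through the gateway
                      " permit ip any any"]
        lines += [f"interface Vlan{primary}", f" ip address {ip} {mask}",
                  f" private-vlan mapping {sec_list}"]
        if gateway_acl:
            lines.append(f" ip access-group {gateway_acl} in")
    return lines


if __name__ == "__main__":
    # The design from this page's Network Diagram; full interface names are assumed.
    print("\n".join(pvlan_config(
        50, 100, [101],
        {"FastEthernet0/20": 100, "FastEthernet0/15": 101, "FastEthernet0/16": 101},
        ["FastEthernet0/7"], ("192.168.18.1", "255.255.255.0"), "PVLAN-NO-LOCAL")))
```

Run the script to print the configuration for the page's topology and paste the output into configure terminal on each switch involved. Leave gateway_acl unset when hosts in the subnet are meant to reach each other through the router; set it when the isolation must hold at Layer 3 as well, in which case the first access-list line keeps the default gateway itself reachable.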
Next Step
You have completed this procedure.
To make further changes to your switch, refer to the Switch Support Page.
To configure other devices in your network, refer to the Configuration
Overview Page.
Troubleshoot the Procedure
This section provides information about common problems that you may
encounter. If this information does not solve your problem, contact the
SMB Technical Assistance Center (SMB TAC) for assistance.
Problem: The switch boots and displays several error messages but does
not display a prompt in HyperTerminal.
Cause(s) and Suggested Solution(s): Press Enter to clear the output and
display the switch prompt. For further assistance, contact the SMB
Technical Assistance Center (SMB TAC).