Cisco SMB Support Assistant
Configuring Private Vlans on a Catalyst Switch that runs Catalyst OS Software




Introduction

A PVLAN is a VLAN with configuration for Layer 2 isolation from other ports within the same broadcast domain or IP subnet. You can assign a specific set of ports within a PVLAN and thereby control access among the ports at Layer 2.

This document describes the procedure to configure Private VLANs on your Catalyst switch. This document applies to Catalyst 4500 series switches that run Catalyst OS (Cat OS) Software.





Overview

In some situations, you need to prevent Layer 2 (L2) connectivity between end devices on a switch without placing the devices in different IP subnets. This setup avoids wasting IP addresses. Private VLANs (PVLANs) provide Layer 2 isolation between devices in the same IP subnet. You can also restrict some ports on the switch so that they reach only specific ports that have a default gateway, backup server, or Cisco LocalDirector attached. Private VLANs partition a regular VLAN domain into subdomains and can have multiple VLAN pairs, one for each subdomain. A subdomain is represented by a primary VLAN and a secondary VLAN. Isolated and community VLANs are both secondary VLANs.

There are three types of PVLAN ports: promiscuous, isolated, and community.

  • Promiscuous—A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN. The promiscuous port is the port that you typically use to communicate with external routers, LocalDirectors, network management devices, backup servers, administrative workstations, and other devices.

  • Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.

  • Community—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN.





Requirements

To perform the steps described in this document, you need to have this equipment:





Rules and Limitations

This section lists the rules and limitations that you must observe when you implement PVLANs.

  • PVLANs must not include VLANs 1 or 1002–1005.

  • You must set VLAN Trunk Protocol (VTP) mode to transparent.

  • A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it. An isolated or community VLAN can have only one primary VLAN associated with it.

  • You can only designate a VLAN as a PVLAN if that VLAN has no current access port assignments. Remove any ports in that VLAN before you make the VLAN a PVLAN.

  • You must manually enter the same PVLAN configuration on every switch with involvement because VTP in transparent mode does not propagate this information.

  • Do not configure PVLAN ports as EtherChannels.

  • If you delete a VLAN that you use in the PVLAN configuration, the ports that associate with the VLAN become inactive.

  • Configure Layer 3 (L3) VLAN interfaces only for the primary VLANs. VLAN interfaces for isolated and community VLANs are inactive while the VLAN has an isolated or community VLAN configuration.

  • You can extend PVLANs across switches with the use of trunks.

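The rules above are easy to get wrong when the same configuration has to be typed by hand on every switch (VTP transparent mode does not propagate it). The following script is an added example, not part of the Cisco document: it checks an intended PVLAN layout against the listed rules (transparent VTP, no reserved VLAN IDs, one isolated VLAN per primary, each secondary bound to exactly one primary) and, for a clean plan, renders the `set vlan` / `set pvlan` command sequence used later in this document. The `(primary, secondary, type)` tuple format and the generated VLAN names are assumptions made for this example.

```python
"""Pre-flight check for a Private VLAN (PVLAN) plan on a CatOS switch.

Added example, not part of the Cisco document. The plan format
(primary, secondary, type) and the generated VLAN names are assumptions.
"""
from collections import defaultdict

# VLAN IDs the "Rules and Limitations" list says must never be part of a PVLAN
RESERVED_VLANS = {1, 1002, 1003, 1004, 1005}


def validate_pvlan_plan(associations, vtp_mode="transparent"):
    """Return a list of rule violations; an empty list means the plan is clean.

    associations: iterable of (primary_vlan, secondary_vlan, secondary_type),
    one tuple per intended 'set pvlan <primary> <secondary>' binding.
    """
    problems = []
    if vtp_mode != "transparent":
        problems.append(f"VTP mode must be transparent, found {vtp_mode!r}")

    primaries, secondaries = set(), set()
    isolated_per_primary = defaultdict(list)
    primaries_of_secondary = defaultdict(set)

    for primary, secondary, kind in associations:
        if kind not in ("isolated", "community"):
            problems.append(f"VLAN {secondary}: unknown secondary type {kind!r}")
            continue
        primaries.add(primary)
        secondaries.add(secondary)
        primaries_of_secondary[secondary].add(primary)
        if kind == "isolated":
            isolated_per_primary[primary].append(secondary)

    for vlan in sorted(primaries | secondaries):
        if vlan in RESERVED_VLANS:
            problems.append(f"VLAN {vlan} is reserved and cannot be used in a PVLAN")
        elif not 2 <= vlan <= 4094:
            problems.append(f"VLAN {vlan} is outside the usable VLAN ID range")

    # A VLAN cannot play both roles: a secondary has exactly one primary above it.
    for vlan in sorted(primaries & secondaries):
        problems.append(f"VLAN {vlan} is used as both a primary and a secondary VLAN")

    # Rule: a primary may own several community VLANs but only one isolated VLAN.
    for primary, isolated in sorted(isolated_per_primary.items()):
        if len(isolated) > 1:
            problems.append(
                f"primary VLAN {primary} has more than one isolated VLAN: {sorted(isolated)}")

    # Rule: an isolated or community VLAN belongs to exactly one primary.
    for secondary, owners in sorted(primaries_of_secondary.items()):
        if len(owners) > 1:
            problems.append(
                f"secondary VLAN {secondary} is bound to several primaries: {sorted(owners)}")

    return problems


def render_catos_commands(associations):
    """Emit the CatOS commands from this document, in the order the steps use them."""
    lines = ["set vtp mode transparent"]
    for primary in sorted({p for p, _, _ in associations}):
        lines.append(f"set vlan {primary} pvlan-type primary name primary-vlan-{primary}")
    for _, secondary, kind in associations:
        lines.append(f"set vlan {secondary} pvlan-type {kind} name {kind}-pvlan-{secondary}")
    for primary, secondary, _ in associations:
        lines.append(f"set pvlan {primary} {secondary}")
    return lines


if __name__ == "__main__":
    # Constructed sample: the layout from this document's Network Diagram.
    plan = [(50, 100, "isolated"), (50, 101, "community")]
    issues = validate_pvlan_plan(plan)
    print("\n".join(issues if issues else render_catos_commands(plan)))
```

Run the validator against the plan for every switch that carries the PVLAN before typing anything; because the configuration is entered manually per switch, a plan that differs between switches is the first thing to rule out when hosts that should be isolated are not.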





Connect your PC to the Switch

Follow these steps to connect your PC to the Switch:

  1. Connect a PC to the switch with a console cable.

  2. Create a HyperTerminal connection to your switch. For more information, refer to Create a HyperTerminal Connection.

  3. Log into the switch with the login and password that you entered in fields B10 and B11 of the switch Worksheet.

    Username:admin
    Password:

    Note: If you do not know the password for your switch, refer to Manually Reset the Password on a Catalyst Switch.

  4. Type enable and press Enter to access the privileged mode. Type the enable password that you entered in field S5 of the Switch Port Assignment Worksheet.

    Switch_CatOS>enable
    Enter Password:
    Switch_CatOS>(enable)




Network Diagram

This diagram gives you a topology of Private VLAN configuration. The Catalyst 4500 switch has VLAN 50 designated as Primary VLAN, VLAN 100 designated as Secondary Isolated VLAN and VLAN 101 as Secondary Community VLAN. Hosts in Isolated VLAN and Community VLAN can communicate with the host on port Fast Ethernet 0/7 configured as a promiscuous port.

[Figure: network diagram of the Private VLAN configuration (primary VLAN 50, isolated VLAN 100, community VLAN 101, promiscuous port)]





Configure Private VLANs on your Catalyst Switch (Catalyst OS)

Follow these steps to configure Private VLANs on your Catalyst switch that runs Catalyst OS software:

Configure Primary, Isolated and Community VLANs

Follow these steps to configure primary, isolated and community VLANs:

  1. Type set vtp mode transparent and press Enter.

    Switch_CatOS>(enable)set vtp mode transparent
    Switch_CatOS>(enable)
    
  2. Type set vlan primary_vlan_id pvlan-type primary name primary_vlan and press Enter to create a primary VLAN.

    Switch_CatOS>(enable)set vlan 50 pvlan-type primary name primary-vlan
    
  3. Type set vlan secondary_vlan_id pvlan-type isolated name isolated_pvlan and press Enter to create a secondary isolated VLAN.

    Switch_CatOS>(enable)set vlan 100 pvlan-type isolated name isolated-pvlan
    
  4. Type set vlan secondary_vlan_id pvlan-type community name community_pvlan and press Enter to create a secondary community VLAN.

    Switch_CatOS>(enable)set vlan 101 pvlan-type community name community-pvlan
    
  5. Type set pvlan primary_vlan_id secondary_vlan_id and press Enter to associate or bind the secondary isolated VLAN with the primary VLAN.

    Switch_CatOS>(enable)set pvlan 50 100
    Successfully set association between 50 and 100.
    Switch_CatOS>(enable)

  6. Type set pvlan primary_vlan_id secondary_vlan_id and press Enter to associate or bind the secondary community VLAN with the primary VLAN.

    Switch_CatOS>(enable)set pvlan 50 101
    Successfully set association between 50 and 101.
    Switch_CatOS>(enable)

  7. Type set pvlan primary_vlan_id secondary_vlan_id mod/port to configure the isolated host ports on all the appropriate switches.

    Switch_CatOS>(enable)set pvlan 50 100 2/20
    Successfully set the following ports to Private Vlan 50,100: 2/20

    Note: Type show pvlan capability mod/port to check whether a port can be made a Private VLAN port.

  8. Type set pvlan primary_vlan_id secondary_vlan_id mod/port to configure all the community host ports on all the appropriate switches. In this example the ports 2/15 and 2/16 are configured as community host ports.

    Switch_CatOS>(enable)set pvlan 50 101 2/15
    Successfully set the following ports to Private Vlan 50,101: 2/15
    
  9. Type set pvlan mapping primary_vlan_id secondary_vlan_id mod/port to configure the promiscuous port on one of the switches. In this example the mapping is done between primary vlan 50 and secondary isolated vlan 100.

    Switch_CatOS>(enable)set pvlan mapping 50 100 2/7
    Successfully set mapping between 50 and 100 on 2/7
    
  10. Type set pvlan mapping primary_vlan_id secondary_vlan_id mod/port to configure the promiscuous port on one of the switches. In this example the mapping is done between primary vlan 50 and secondary community vlan 101.

    Switch_CatOS>(enable)set pvlan mapping 50 101 2/7
    Successfully set mapping between 50 and 101 on 2/7

  11. Type show pvlan and press Enter to verify the primary and secondary VLANs and private-VLAN ports configured on the switch.

    Switch_CatOS>(enable)show pvlan
    Primary       Secondary          Secondary-Type              Ports
    -------       ---------         ----------------           ------------
    50             100              isolated                     2/20
    50             101              community                    2/15-16
    
  12. Type show pvlan mapping and press Enter to verify the mapping.

    Switch_CatOS>(enable)show pvlan mapping
    
     Port     Primary       Secondary
    ------   ----------     -----------
     2/7     50             100-101
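The two verification tables show the configuration, but not what it means for traffic. The script below is an added example, not part of the Cisco document: it parses the `show pvlan` and `show pvlan mapping` output from steps 11 and 12 into port roles and then applies the promiscuous, isolated and community rules from the Overview to answer which ports can exchange Layer 2 traffic. The sample output is constructed from the tables in this document; the column-parsing regular expressions are an assumption about the CatOS layout, not a Cisco interface.

```python
"""Layer 2 reachability model for a CatOS Private VLAN configuration.

Added example, not part of the Cisco document. The regexes assume the
column layout of the 'show pvlan' / 'show pvlan mapping' output shown here.
"""
import re

# Constructed sample: the verification output shown in steps 11 and 12.
SAMPLE_SHOW_PVLAN = """
Primary       Secondary          Secondary-Type              Ports
-------       ---------         ----------------           ------------
50             100              isolated                     2/20
50             101              community                    2/15-16
"""

SAMPLE_SHOW_PVLAN_MAPPING = """
 Port     Primary       Secondary
------   ----------     -----------
 2/7     50             100-101
"""

PVLAN_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(isolated|community)\s*(\S*)\s*$")
MAPPING_ROW = re.compile(r"^\s*(\d+/\d+)\s+(\d+)\s+(\S+)\s*$")


def expand_ports(spec):
    """Expand CatOS mod/port notation: '2/15-16,2/20' -> ['2/15', '2/16', '2/20']."""
    ports = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        mod, rest = item.split("/")
        lo, _, hi = rest.partition("-")
        ports.extend(f"{mod}/{n}" for n in range(int(lo), int(hi or lo) + 1))
    return ports


def expand_vlans(spec):
    """Expand a VLAN list such as '100-101,103' into a set of integers."""
    vlans = set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = item.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_pvlan_tables(show_pvlan, show_mapping):
    """Return (secondaries, promiscuous): vlan -> role/ports, port -> mapped vlans."""
    secondaries, promiscuous = {}, {}
    for line in show_pvlan.splitlines():
        m = PVLAN_ROW.match(line)
        if m:
            primary, secondary, kind, ports = m.groups()
            entry = secondaries.setdefault(
                int(secondary), {"primary": int(primary), "type": kind, "ports": set()})
            entry["ports"].update(expand_ports(ports))
    for line in show_mapping.splitlines():
        m = MAPPING_ROW.match(line)
        if m:
            port, primary, vlans = m.groups()
            entry = promiscuous.setdefault(port, {"primary": int(primary), "secondaries": set()})
            # A mapping range only matters for VLANs that really are secondaries.
            entry["secondaries"].update(expand_vlans(vlans) & set(secondaries))
    return secondaries, promiscuous


def port_role(tables, port):
    """('promiscuous', primary, mapped secondaries), ('isolated'|'community',
    primary, secondary vlan), or None when the port is not a PVLAN port."""
    secondaries, promiscuous = tables
    if port in promiscuous:
        p = promiscuous[port]
        return ("promiscuous", p["primary"], frozenset(p["secondaries"]))
    for vlan, entry in secondaries.items():
        if port in entry["ports"]:
            return (entry["type"], entry["primary"], vlan)
    return None


def can_reach(tables, src, dst):
    """Apply the three PVLAN port-type rules from the Overview to two ports."""
    if src == dst:
        return True
    a, b = port_role(tables, src), port_role(tables, dst)
    if a is None or b is None or a[1] != b[1]:
        return False  # unconfigured port, or different primary VLANs
    if a[0] == "promiscuous" and b[0] == "promiscuous":
        return True  # both sit in the primary VLAN
    if a[0] == "promiscuous":
        return b[2] in a[2]  # host is reachable only if its secondary is mapped
    if b[0] == "promiscuous":
        return a[2] in b[2]
    # Two host ports: only members of the same community VLAN may talk;
    # an isolated host never reaches another host port.
    return a[0] == "community" and b[0] == "community" and a[2] == b[2]


def reachability_matrix(tables):
    """Map every configured port to the set of ports it can reach at Layer 2."""
    secondaries, promiscuous = tables
    ports = set(promiscuous)
    for entry in secondaries.values():
        ports.update(entry["ports"])
    ports = sorted(ports, key=lambda p: tuple(int(x) for x in p.split("/")))
    return {src: {dst for dst in ports if can_reach(tables, src, dst)} for src in ports}


def load_sample():
    return parse_pvlan_tables(SAMPLE_SHOW_PVLAN, SAMPLE_SHOW_PVLAN_MAPPING)
```

Calling `reachability_matrix(load_sample())` shows that 2/20 (isolated) reaches only the promiscuous port 2/7, that 2/15 and 2/16 (community) reach each other and 2/7, and that 2/7 reaches every host because both secondaries are mapped to it. Pasting the real `show` output from each switch into the same functions gives a quick way to confirm that the isolation you expect is actually what the switch has configured.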




Next Step

You have completed this procedure.

To make further changes to your switch, refer to the Switch Support Page.

To configure other devices in your network, refer to the Configuration Overview Page.





Troubleshoot the Procedure

This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.

Problem: The switch boots and displays several error messages but does not display a prompt in HyperTerminal.

Cause(s) and Suggested Solution(s): Press Enter to clear the output and display the switch prompt.

For further assistance, contact the SMB Technical Assistance Center (SMB TAC).





© 1992-2006 Cisco Systems, Inc. All rights reserved. Terms and Conditions, Privacy Statement, Cookie Policy and Trademarks of Cisco Systems, Inc.