Configuration Summary
1. Determine which switch ports (interfaces) to use for the private hosts feature. You can configure the feature on trunking switch ports or port-channel interfaces. Private hosts must be enabled on the port-channel interface; you cannot enable the feature on member ports.
2. Configure each port (interface) for normal, non-private hosts service. Configure the access group mode of the port as prefer port mode. You can configure the VLANs at this step or later.
3. Determine which VLAN or set of VLANs will be used to deliver broadband services to end users. The private hosts feature will provide Layer 2 isolation among the hosts in these VLANs.
4. Identify the MAC addresses of all of the BRASs and multicast servers that are being used to provide broadband services to end users (isolated hosts).
Note: If a server is not connected directly to the switch, determine the MAC address of the core network device that provides access to the server.
5. (Optional) If you plan to offer different types of broadband service to different sets of isolated hosts, create multiple MAC and VLAN lists.
- Each MAC address list identifies a server or set of servers providing a particular type of service.
- Each VLAN list identifies the isolated hosts to deliver that service to.
6. Configure promiscuous ports and specify a MAC and VLAN list to identify the server and receiving hosts for a particular type of service.
Note: You can specify multiple MAC and VLAN combinations to allow different types of services to be delivered to different sets of hosts. For example, the BRAS at xxxx.xxxx.xxxx could be used to deliver a basic set of services over VLANs 20, 25, and 30, and the BRAS at yyyy.yyyy.yyyy could be used to deliver a premium set of services over VLANs 5, 10, and 15.
7. Globally enable private hosts.
8. Enable private hosts on individual ports (interfaces) and specify the mode in which the port is to operate. To determine port mode, you need to know if the port faces upstream (toward content servers or core network), faces downstream (toward DSLAM and isolated hosts), or is connected to another switch (typically, in a ring topology). See the “Restricting Traffic Flow (Using Private Hosts Port Mode and PACLs)” section.
After you enable the feature on individual ports, the switch is ready to run the private hosts feature. The private hosts software uses the MAC and VLAN lists you defined to create the isolated, promiscuous, and mixed-mode PACLs for your configuration. The software then applies the appropriate PACL to each private hosts port based on the port’s mode.
Configuration Examples
The following example creates a MAC address list and a VLAN list and isolates the hosts in VLANs 10, 12, 15, and 200 through 300. The BRAS-facing port is made promiscuous and two host-connected ports are made isolated:
Router# configure terminal
Router(config)# private-hosts mac-list BRAS_list 0000.1111.1111 remark BRAS_SanJose
Router(config)# private-hosts vlan-list 10,12,15,200-300
Router(config)# private-hosts promiscuous BRAS_list vlan-list 10,12,15,200-300
Router(config)# private-hosts
Router(config)# interface gig 4/2
Router(config-if)# private-hosts mode promiscuous
Router(config)# interface gig 5/2
Router(config-if)# private-hosts mode isolated
Router(config)# interface gig 5/3
Router(config-if)# private-hosts mode isolated
The following example shows the interface configuration of a private hosts isolated port:
Router# show run interface gig 5/2
Building configuration...
Current configuration : 200 bytes
interface GigabitEthernet5/2
switchport trunk encapsulation dot1q
access-group mode prefer port
private-hosts mode isolated
The following example shows the interface configuration of a private hosts promiscuous port:
Router# show run interface gig 4/2
Building configuration...
Current configuration : 189 bytes
interface GigabitEthernet4/2
switchport access vlan 200
private-hosts mode promiscuous
private-hosts vlan-list 200
private-hosts promiscuous bras-list
private-hosts mac-list bras-list 0000.1111.1111 remark BRAS-SERVER
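The requirements in the configuration summary (global enable, prefer port access-group mode, a defined MAC list for every promiscuous statement, no private hosts on port-channel member ports) can be checked against a saved running configuration. The following Python script is an added example, not Cisco code; the sample configuration, including MCAST_list and the channel-group line, is constructed, and the script assumes that interface subcommands are indented as in normal show run output.

```python
import re

# Constructed sample (not from the page): Gi5/3 lacks the prefer port
# access-group mode, Gi5/4 is a port-channel member, and MCAST_list is
# referenced by a promiscuous statement but never defined.
SAMPLE_CONFIG = """\
private-hosts
private-hosts mac-list BRAS_list 0000.1111.1111 remark BRAS_SanJose
private-hosts vlan-list 10,12,15,200-300
private-hosts promiscuous BRAS_list vlan-list 10,12,15,200-300
private-hosts promiscuous MCAST_list vlan-list 10,12
interface GigabitEthernet4/2
 access-group mode prefer port
 private-hosts mode promiscuous
interface GigabitEthernet5/3
 private-hosts mode isolated
interface GigabitEthernet5/4
 channel-group 1 mode on
 access-group mode prefer port
 private-hosts mode isolated
"""

def audit_private_hosts(config):
    """Return a sorted list of findings for a running-config string."""
    findings, ports, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split()[1], [])
        elif line[:1].isspace() and current is not None:
            current.append(line.strip())      # subcommand of current port
        else:
            current = None                    # back at global level
    if not re.search(r"^private-hosts[ \t]*$", config, re.M):       # step 7
        findings.append("global: private-hosts is not enabled")
    defined = set(re.findall(r"^private-hosts mac-list (\S+) ", config, re.M))
    for ref in re.findall(r"^private-hosts promiscuous (\S+)", config, re.M):
        if ref not in defined:                                       # step 6
            findings.append(f"global: MAC list {ref} is not defined")
    for name, cmds in ports.items():
        if not any(c.startswith("private-hosts mode ") for c in cmds):
            continue                          # not a private hosts port
        if "access-group mode prefer port" not in cmds:              # step 3
            findings.append(f"{name}: access-group mode is not prefer port")
        if any(c.startswith("channel-group ") for c in cmds):        # step 1
            findings.append(f"{name}: private hosts enabled on a port-channel member")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_private_hosts(SAMPLE_CONFIG)))
```
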
Tip: For additional information about Cisco Catalyst 6500 Series Switches (including configuration examples and troubleshooting information), see the documents listed on this page:
http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html