AI, ML, Development + Cisco Learning Blog Learning about Machine Learning, Artificial Intelligence, related devlopment topics and formerly Routing and Switching, Datacenter, Security and other topics, CCIE #23664, Frank Wagner

11. Januar 2007

private-vlans 3560

Filed under: Bridging + Switching — ocsic @ 14:25

The main new feature introduced with 3560 catalyst switches is the private vlan feature.

It’s not that complicated as it seems to be.

Basically it a „switchport protected“ bound to vlan’s over trunk ports. It’s also similar like an RSPAN session, which is SPAN over differens switches.
So if you configure two ports as switchport protected in the same vlan on the same switch, they are not able to communicate with each other.

vlan 28

int f0/2

switchport access vl 28

switchport protected

int f0/3

switchport access vl 28

switchport protected

Now these ports are not able to communicate with each other.

This feature does not work, if ports are seperated over a trunk. At this points private vlan’s come into play.

You can define a private vlan and add isolated ports to this vlan, similiar as protected ports on the same switch. These isolated ports are also not able to communicate with each other. Vtp mode has to be in transparent mode and vlan assignments have to be made on both switches.
vtp mode transpartent

vlan 28

private-vlan primary
private-vlan association 281

vlan 281
private-vlan isolated

This defines the primary vlan and the vlan 281 where later isolated hoste are added.

Adding hosts looks like this:

inf f0/7

switchport private-vlan host-association 28 281
switchport mode private-vlan host

This adds an interface as an isolated port to the primary vlan 28.

You can now define a promiscuous port in vlan 28, which is able to communicate with these isolated ports.

f0/8

switchport private-vlan mapping 28 281
switchport mode private-vlan promiscuous

This promiscuous port will be able to communicate also with the SVI of the vlan, if there is any.

The communties are private-vlans inside a vlan, which build groups of ports that are able to communicate with each other only inside this private-vlan community. Different communities inside a vlan are also not able to talk to each other. There is no limitation for promisucous ports.
Source:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swpvlan.htm

Keine Kommentare »

No comments yet.

RSS feed for comments on this post. TrackBack URL

Leave a comment

Powered by WordPress