7.15. Configuring Private-vlan

Overview

Function Introduction

Private-vlan is a security feature that prevents direct L2 communication among a set of ports in the same VLAN.

It provides a safer and more flexible network design by isolating ports that belong to the same VLAN. Note that the isolation is at layer 2 only: hosts on isolated ports can still exchange traffic through a router or firewall attached to the promiscuous port unless that device filters it.

Principle Description

N/A

Configuration

[Figure] Fig. 7.15 Private VLAN

As the figure above shows:

  • All ports are in the same primary vlan.

  • Port 1 is the promiscuous port; it can communicate with all other ports.

  • Port 2 is an isolate port; it cannot communicate with any other port except the promiscuous port (port 1).

  • Port 3 and port 4 are community ports in secondary vlan 2; they can communicate with each other. They cannot communicate with any other port except the promiscuous port.

  • Port 5 and port 6 are community ports in secondary vlan 3; they can communicate with each other. They cannot communicate with any other port except the promiscuous port.

step 1 Enter the configure mode

Switch# configure terminal

step 2 Enter the vlan configure mode and create vlan

Switch(config)# vlan database
Switch(config-vlan)# vlan 2
Switch(config-vlan)# quit

step 3 Enter the interface configure mode and set the attributes

Promiscuous port: a promiscuous port in the pvlan can communicate with any other port in this pvlan

Switch(config)# interface eth-0-1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan 2
Switch(config-if)# quit

Isolate port: an isolate port in the pvlan can only communicate with the promiscuous port in this pvlan

Switch(config)# interface eth-0-2
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan 2 isolate
Switch(config-if)# quit

Community port: a community port in the pvlan can communicate with the promiscuous port and with community ports that have the same community-vlan id in this pvlan

Switch(config)# interface eth-0-3
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan 2 community-vlan 2
Switch(config-if)# quit
Switch(config)# interface eth-0-4
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan 2 community-vlan 2
Switch(config-if)# quit
Switch(config)# interface eth-0-5
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan 2 community-vlan 3
Switch(config-if)# quit
Switch(config)# interface eth-0-6
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan 2 community-vlan 3
Switch(config-if)# quit

step 4 Exit the configure mode

Switch(config)# exit

step 5 Validation

The output of show private-vlan is as follows; the Secondary column shows the community-vlan id for community ports and N/A for the promiscuous and isolate ports.

Switch# show private-vlan
Primary  Secondary  Type         Ports
-----------------------------------------------------
2        N/A        promiscuous  eth-0-1
2        N/A        isolate      eth-0-2
2        2          community    eth-0-3 eth-0-4
2        3          community    eth-0-5 eth-0-6
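The rules in the port list above and the show private-vlan output are all a practitioner has to verify that the isolation policy is what was intended. The following added example (not part of the original page or the switch firmware) parses a constructed copy of that output, applies the promiscuous/isolate/community forwarding rules from this section, and derives which port pairs may and may not exchange L2 frames. The resulting blocked-pair list is the set of host pairs that should fail a connectivity test on a correctly configured switch. The column layout of the sample output and the port names are taken from this section; the parsing is an assumption about the output format, not a vendor API.

```python
"""Derive expected L2 reachability of a private VLAN from `show private-vlan`
output and the isolation rules described in this section.
Added example; not the switch's own code."""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# Constructed sample input: the `show private-vlan` output from the
# configuration above (format assumed from the page, spelling normalised).
SHOW_OUTPUT = """\
Primary  Secondary  Type         Ports
-----------------------------------------------------
2        N/A        promiscuous  eth-0-1
2        N/A        isolate      eth-0-2
2        2          community    eth-0-3 eth-0-4
2        3          community    eth-0-5 eth-0-6
"""


@dataclass(frozen=True)
class PvlanPort:
    name: str
    primary: int
    ptype: str                  # 'promiscuous', 'isolate' or 'community'
    secondary: Optional[int]    # community-vlan id; None for N/A


def parse_show_private_vlan(text: str) -> dict:
    """Map port name -> PvlanPort, skipping the header and separator lines."""
    ports = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        primary, secondary, ptype, *names = fields
        sec = None if secondary == "N/A" else int(secondary)
        for n in names:
            ports[n] = PvlanPort(n, int(primary), ptype, sec)
    return ports


def can_talk(a: PvlanPort, b: PvlanPort) -> bool:
    """True if the switch forwards frames directly between ports a and b."""
    if a.primary != b.primary:
        return False              # different private VLANs never meet at L2
    if a.name == b.name:
        return True
    if "promiscuous" in (a.ptype, b.ptype):
        return True               # promiscuous port reaches every port
    if a.ptype == "community" and b.ptype == "community":
        return a.secondary == b.secondary   # same community-vlan only
    return False                  # isolate ports, or different communities


def reachability(ports: dict) -> dict:
    """Map each port to the sorted list of peers it can reach (itself excluded)."""
    return {
        p.name: sorted(q.name for q in ports.values()
                       if q is not p and can_talk(p, q))
        for p in ports.values()
    }


def blocked_pairs(ports: dict) -> list:
    """Sorted list of (port, port) pairs that must NOT be able to communicate;
    these are the pairs a ping/ARP test should fail on."""
    return sorted(
        (a.name, b.name)
        for a, b in combinations(sorted(ports.values(), key=lambda p: p.name), 2)
        if not can_talk(a, b)
    )


if __name__ == "__main__":
    pv = parse_show_private_vlan(SHOW_OUTPUT)
    for port, peers in reachability(pv).items():
        print(f"{port:8} -> {' '.join(peers) or '(none)'}")
    print("blocked pairs:", blocked_pairs(pv))
```

Run the script and compare the blocked-pair list against actual host-to-host tests; any pair that can communicate despite appearing in the list points at a port whose mode or secondary vlan was not applied as intended.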

Application cases

N/A