Private VLAN Configuration Guidelines - Cisco Catalyst 4500 Series Software Configuration Guide

Chapter 10
Configuring VLANs
Privacy is enforced at Layer 2 because the switch blocks traffic between isolated ports. You assign all
isolated ports to an isolated VLAN, where this hardware function occurs. Traffic received from an isolated
port is forwarded only to the promiscuous ports.

Within a private VLAN are three distinct classifications of VLANs: a single primary VLAN, a single
isolated VLAN, and a series of community VLANs.

• Primary VLAN—Conveys incoming traffic from the promiscuous port to all other promiscuous,
  isolated, and community ports.
• Isolated VLAN—Used by isolated ports to communicate with the promiscuous ports. Traffic from an
  isolated port is blocked on all adjacent ports and can be received only by promiscuous ports.
• Community VLANs—Used by a group of community ports to communicate among themselves and to
  transmit traffic outside the group through the designated promiscuous port.

You must define each supporting VLAN within a private VLAN structure before configuring the private
VLAN, as follows:

• Designate one VLAN as the primary VLAN.
• Designate one VLAN as an isolated VLAN. If you want to use private VLAN communities, you
  need to designate a community VLAN for each community.

To create a private VLAN, you assign two or more normal VLANs in the normal VLAN range. One
VLAN is designated as the primary VLAN, and a second VLAN is designated as either an isolated VLAN,
a community VLAN, or a two-way community VLAN. You can designate additional VLANs as separate
isolated, community, or two-way community VLANs in this private VLAN. After designating the
VLANs, you must bind them together and associate them with the promiscuous port.

You can extend private VLANs across multiple Ethernet switches by trunking the primary, isolated, and
any community VLANs to other switches that support private VLANs.

In an Ethernet-switched environment, you can assign an individual VLAN and associated IP subnet to
each individual station or common group of stations. The servers need only be able to communicate with
a default gateway to reach end points outside the VLAN itself. By incorporating these stations,
regardless of ownership, into one private VLAN, you can do the following:

• Designate the server ports as isolated to prevent any inter-server communication at Layer 2.
• Designate as promiscuous the ports to which the default gateway(s), backup server, or LocalDirector
  are attached, to allow all stations to have access to these gateways.
• Reduce VLAN consumption. You need to allocate only one IP subnet to the entire group of stations,
  because all stations reside in one common private VLAN.
• Conserve public address space. Servers are isolated from one another by the private VLAN,
  which eliminates the need to create multiple IP subnets. Multiple IP subnets waste public
  IP addresses on subnet and broadcast addresses. As a result, all servers can be members of
  the same IP subnet, yet they remain isolated from one another.

Private VLAN Configuration Guidelines

This section describes the configuration guidelines for configuring private VLANs:

Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide, Release 8.1 (78-15486-01), page 10-17
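The procedure described above (designate a primary VLAN, an isolated VLAN and any community VLANs, bind them together, then associate them with the promiscuous port) and the forwarding rules for the three port types can be checked with the following small Python model. It is an added example, not part of the Cisco guide: the module/port numbers, VLAN IDs and the community name are constructed sample values, and the CatOS `set vlan ... pvlan-type`, `set pvlan` and `set pvlan mapping` command syntax it renders is assumed from Release 8.x and should be verified against the command reference for the software you run.

```python
"""Added example (not from the Cisco guide): a model of the private VLAN
forwarding rules described on this page, a check of a design against the
guidelines, and a rendering of the CatOS commands that bind the VLANs together.
All port names, VLAN IDs and community names below are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str                        # CatOS mod/port notation, e.g. "3/1" (constructed)
    role: str                        # "promiscuous" | "isolated" | "community"
    community: Optional[str] = None  # community name, used only when role == "community"


def can_reach(src: Port, dst: Port) -> bool:
    """Return True if a frame from src may be delivered to dst at Layer 2.

    Rules as the guide states them:
      promiscuous -> every other port in the primary VLAN
      isolated    -> promiscuous ports only (blocked on all other ports)
      community   -> members of the same community plus the promiscuous ports
    """
    if src.name == dst.name:
        return False
    if src.role == "promiscuous" or dst.role == "promiscuous":
        return True
    if src.role == "community" and dst.role == "community":
        return src.community == dst.community
    return False  # isolated<->isolated, isolated<->community, community<->isolated


def reachability(ports: list[Port]) -> dict[str, list[str]]:
    """Map each port name to the sorted names of the ports its traffic can reach."""
    return {s.name: sorted(d.name for d in ports if can_reach(s, d)) for s in ports}


@dataclass
class PrivateVlan:
    primary: int
    isolated: Optional[int]
    communities: dict[str, int]      # community name -> community VLAN ID
    ports: list[Port]

    def secondary_vlan(self, port: Port) -> Optional[int]:
        """The isolated or community VLAN a host port belongs to (None for promiscuous)."""
        if port.role == "isolated":
            return self.isolated
        if port.role == "community":
            return self.communities.get(port.community)
        return None

    def validate(self) -> list[str]:
        """Check the design against the guidelines: distinct VLAN IDs, an isolated VLAN
        for every isolated port, a community VLAN for every community, and at least one
        promiscuous port so that isolated hosts can still reach their default gateway."""
        problems = []
        ids = [self.primary, *([self.isolated] if self.isolated is not None else []),
               *self.communities.values()]
        if len(set(ids)) != len(ids):
            problems.append("primary, isolated and community VLAN IDs must be distinct")
        if self.isolated is None and any(p.role == "isolated" for p in self.ports):
            problems.append("isolated ports configured but no isolated VLAN designated")
        for p in self.ports:
            if p.role == "community" and p.community not in self.communities:
                problems.append(f"port {p.name}: no community VLAN for community {p.community!r}")
        if not any(p.role == "promiscuous" for p in self.ports):
            problems.append("no promiscuous port: isolated hosts cannot reach a gateway")
        return problems

    def catos_commands(self) -> list[str]:
        """Render the CatOS configuration (8.x syntax as assumed here; check the command
        reference): designate the VLAN types, bind each secondary VLAN to the primary
        together with its host ports, then map every secondary onto each promiscuous port."""
        cmds = [f"set vlan {self.primary} pvlan-type primary"]
        if self.isolated is not None:
            cmds.append(f"set vlan {self.isolated} pvlan-type isolated")
        cmds += [f"set vlan {vid} pvlan-type community" for vid in self.communities.values()]
        secondaries = [v for v in [self.isolated, *self.communities.values()] if v is not None]
        for sec in secondaries:
            members = [p.name for p in self.ports if self.secondary_vlan(p) == sec]
            if members:
                cmds.append(f"set pvlan {self.primary} {sec} {','.join(members)}")
        for p in self.ports:
            if p.role == "promiscuous":
                cmds += [f"set pvlan mapping {self.primary} {sec} {p.name}" for sec in secondaries]
        return cmds


# Constructed sample: two isolated servers, a two-member community, one gateway port.
SAMPLE = PrivateVlan(
    primary=100, isolated=101, communities={"web": 102},
    ports=[Port("3/1", "isolated"), Port("3/2", "isolated"),
           Port("3/3", "community", "web"), Port("3/4", "community", "web"),
           Port("3/24", "promiscuous")],
)

if __name__ == "__main__":
    for src, dsts in reachability(SAMPLE.ports).items():
        print(f"{src:>5} -> {', '.join(dsts) or '(nothing)'}")
    problems = SAMPLE.validate()
    print("\n".join(problems) if problems else "design ok")
    print("\n".join(SAMPLE.catos_commands()))
```

Running the script prints the per-port reachability (each isolated port reaches only 3/24, the community ports reach each other and 3/24, and 3/24 reaches everything), the result of the design check, and the commands. The model covers only the Layer 2 behaviour the guide describes; whatever the promiscuous default gateway forwards back into the VLAN at Layer 3 is outside it.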