Private Vlan Configuration Guidelines - Cisco WS-X6066-SLB-APC - Content Switching Module Software Manual

Catalyst 6000 series software configuration guide

Chapter 11
Configuring VLANs
In an Ethernet-switched environment, you can assign an individual VLAN and associated IP subnet to
each individual or common group of stations. The servers only require the ability to communicate with
a default gateway to gain access to end points outside the VLAN itself. By incorporating these stations,
regardless of ownership, into one private VLAN, you can do the following:
- Designate the server ports as isolated to prevent any interserver communication at Layer 2.
- Designate the ports to which the default gateway(s), backup server, or LocalDirector are attached as
  promiscuous to allow all stations to have access to these gateways.
- Reduce VLAN consumption. You only need to allocate one IP subnet to the entire group of stations
  because all stations reside in one common private VLAN.

On an MSFC port or a nontrunk promiscuous port, you can remap as many isolated or community
VLANs as desired; however, while a nontrunk promiscuous port can remap to only one primary VLAN,
an MSFC port does not have this limitation. An MSFC port can only connect an MSFC router. With a
nontrunk promiscuous port, you can connect a wide range of devices as "access points" to a private
VLAN. For example, you can connect a nontrunk promiscuous port to the "server port" of a
LocalDirector to remap a number of isolated or community VLANs to the server VLAN so that the
LocalDirector can load balance the servers present in the isolated or community VLANs, or you can use
a nontrunk promiscuous port to monitor and/or back up all the private VLAN servers from an
administration workstation.

Note: A two-way community VLAN can only be mapped on the MSFC promiscuous port (it cannot be
mapped on nontrunk or other types of promiscuous ports).

Private VLAN Configuration Guidelines

Follow these guidelines to configure private VLANs:

Note: In this section, the term community VLAN is used for both unidirectional community VLANs and
two-way community VLANs unless specifically differentiated.

- Designate one VLAN as the primary VLAN.
- You have the option of designating one VLAN as an isolated VLAN, but you can only use one
  isolated VLAN.
- You have the option of using private VLAN communities; if you do, you need to designate a
  community VLAN for each community.
- Bind the isolated and/or community VLAN(s) to the primary VLAN and assign the isolated or
  community ports. You will achieve these results:
  - Isolated/community VLAN spanning tree properties are set to those of the primary VLAN.
  - VLAN membership becomes static.
  - Access ports become host ports.
  - BPDU guard protection is activated.
- Set up the automatic VLAN translation that maps the isolated and community VLANs to the primary
  VLAN on the promiscuous port(s). Set the nontrunk ports or the MSFC ports as promiscuous ports.
- You must set VTP to transparent mode.
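
The constraints stated on this page (VTP mode, the isolated VLAN limit, and the promiscuous port mapping rules) can be checked against a planned design before it is configured. The Python below is an added example, not code from the Cisco guide; the data model, the function name `check_pvlan_plan`, and the sample VLAN ids and port names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class PromiscuousPort:
    name: str
    kind: str      # "msfc" or "nontrunk"
    mapping: dict  # primary VLAN id -> set of secondary VLAN ids remapped to it

def check_pvlan_plan(vtp_mode, vlan_types, bindings, ports):
    """Return the guideline violations in a private VLAN plan (empty list = none).

    vlan_types: VLAN id -> "primary", "isolated", "community" or "two-way community"
    bindings:   secondary VLAN id -> primary VLAN id it is bound to
    """
    problems = []
    if vtp_mode != "transparent":
        problems.append("VTP must be set to transparent mode")
    for sec, pri in bindings.items():
        if vlan_types.get(pri) != "primary":
            problems.append(f"VLAN {sec} is bound to VLAN {pri}, which is not primary")
    # Read here as: at most one isolated VLAN per primary VLAN.
    for pri in sorted(set(bindings.values())):
        iso = sorted(s for s, p in bindings.items()
                     if p == pri and vlan_types.get(s) == "isolated")
        if len(iso) > 1:
            problems.append(f"primary VLAN {pri} has more than one isolated VLAN: {iso}")
    for port in ports:
        if port.kind == "nontrunk" and len(port.mapping) > 1:
            problems.append(f"{port.name}: nontrunk port remaps to more than one primary VLAN")
        for pri, secs in port.mapping.items():
            for sec in sorted(secs):
                if bindings.get(sec) != pri:
                    problems.append(f"{port.name}: VLAN {sec} is not bound to primary {pri}")
                if vlan_types.get(sec) == "two-way community" and port.kind != "msfc":
                    problems.append(f"{port.name}: two-way community VLAN {sec} needs the MSFC port")
    return problems

# Constructed sample plan; VLAN ids and port names are made up for illustration.
SAMPLE_TYPES = {7: "primary", 8: "primary", 901: "isolated", 902: "community",
                903: "two-way community", 904: "isolated"}
SAMPLE_BINDINGS = {901: 7, 902: 7, 903: 7, 904: 7}
SAMPLE_PORTS = [
    PromiscuousPort("15/1", "msfc", {7: {901, 902, 903}}),
    PromiscuousPort("3/1", "nontrunk", {7: {901, 903}, 8: {902}}),
]

if __name__ == "__main__":
    for line in check_pvlan_plan("server", SAMPLE_TYPES, SAMPLE_BINDINGS, SAMPLE_PORTS):
        print(line)
```

An empty result means the plan is consistent with the guidelines encoded here; it does not verify the running switch configuration.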
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
Configuring Private VLANs