Cisco WS-C4003 - Catalyst 4000 Chassis Switch Software Configuration Manual page 170

Configuring Private VLANs
There are three types of private VLAN ports: promiscuous, isolated, and community.
• A promiscuous port communicates with all other private VLAN ports and is the port you use to
communicate with routers, LocalDirector, the CSS11000, backup servers, and administrative
workstations.
• An isolated port has complete Layer 2 separation, including broadcasts, from other ports within the
same private VLAN with the exception of the promiscuous port.
Community ports communicate among themselves and with their promiscuous ports. These ports are
•
isolated at Layer 2 from all other ports in other communities or isolated ports within their private
VLAN. Broadcasts propagate only between associated community ports and the promiscuous port.
Privacy is granted at the Layer 2 level by blocking outgoing traffic to all isolated ports. All isolated ports
are assigned to an isolated VLAN where this hardware function occurs. Traffic received from an isolated
port is forwarded to all promiscuous ports only.
Within a private VLAN are three distinct classifications of VLANs: a single primary VLAN, a single
isolated VLAN, and a series of community VLANs.
You must define each supporting VLAN within a private VLAN structure before you can configure the
private VLAN:
Primary VLAN—Conveys incoming traffic from the promiscuous port to all other promiscuous,
•
isolated, and community ports.
Isolated VLAN—Used by isolated ports to communicate to the promiscuous ports. The traffic from
•
an isolated port is blocked on all adjacent ports and can only be received by promiscuous ports.
Community VLAN—Used by a group of community ports to communicate among themselves and
•
transmit traffic to outside the group via the designated promiscuous port.
To create a private VLAN, you assign two or more normal VLANs in the normal VLAN range: one
VLAN is designated as a primary VLAN, a second VLAN is designated as either an isolated VLAN,
community VLAN, or two-way community VLAN. You can designate additional VLANs as seperate
isolated, community, or two-way community VLANs in this private VLAN. After designating the
VLANs, you must bind them together and associate them to the promiscuous port.
You can extend private VLANs across multiple Ethernet switches by trunking the primary, isolated, and
any community VLANs to other switches that support private VLANs.
In an Ethernet-switched environment, you can assign an individual VLAN and associated IP subnet to
each individual or common group of stations. The servers only require the ability to communicate with
a default gateway to gain access to end points outside the VLAN itself. By incorporating these stations,
regardless of ownership, into one private VLAN, you can:
Designate the server ports as isolated to prevent any interserver communication at Layer 2.
•
Designate as promiscuous the ports to which the default gateway(s), backup server, or LocalDirector
•
are attached, to allow all stations to have access to these gateways.
Reduce VLAN consumption. You only need to allocate one IP subnet to the entire group of stations,
•
because all stations reside in one common private VLAN.
Conserve Public Address Space. Servers are now isolated from one another using private VLANs.
•
This eliminates the necessity of creating multiple IP subnets, which wastes public IP addresses on
multiple subnet and broadcast addresses. As a result all servers can be members of the same IP
subnet, but remain isolated from on another.
Software Configuration Guide—Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4
10-8
Chapter 10 Configuring VLANs
78-12647-02