Understanding How Private VLANs Work - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch

Configuring Private VLANs on the Switch

Understanding How Private VLANs Work

Private VLANs provide Layer 2 isolation between the ports within the same private VLAN on
the Catalyst 6500 series switches. The ports that belong to a private VLAN are associated with a
common set of supporting VLANs that are used to create the private VLAN structure.
The three types of private VLAN ports are as follows:

• Promiscuous—This port communicates with all other private VLAN ports and is the port that you
  use to communicate with routers, LocalDirector, backup servers, and administrative workstations.

  Note: If a broadcast or multicast packet comes from the promiscuous port, it is sent to all the ports
  in the private VLAN domain, that is, to all the community and isolated ports.

• Isolated—This port has complete Layer 2 separation from the other ports within the same private
  VLAN with the exception of the promiscuous port.

• Community—These ports communicate among themselves and with their promiscuous ports. These
  ports are isolated at Layer 2 from all other ports in other communities or isolated ports within their
  private VLAN.

Privacy is granted at Layer 2 by blocking the outgoing traffic to all isolated ports. All isolated ports are
assigned to an isolated VLAN where this hardware function occurs. The traffic that is received from an
isolated port is forwarded to all promiscuous ports only.

A private VLAN has four distinct classifications: a single primary VLAN, a single isolated VLAN, and
a series of community or two-way community VLANs.

You must define each supporting VLAN within a private VLAN structure before you can configure the
private VLAN:

• Primary VLAN—Conveys the incoming traffic from the promiscuous port to all other promiscuous,
  isolated, community, and two-way community ports.

• Isolated VLAN—Used by the isolated ports to communicate to the promiscuous ports. The traffic
  from an isolated port is blocked on all adjacent ports within its private VLAN and can only be
  received by its promiscuous ports.

• Community VLAN—A unidirectional VLAN that is used by a group of community ports to
  communicate among themselves and transmit the traffic to outside the private VLAN through the
  designated promiscuous port.

• Two-way community VLAN—A bidirectional VLAN that is used by a group of community ports to
  communicate among themselves and to and from the community ports from and to the Multilayer
  Switch Feature Card (MSFC).

  Note: With software release 6.2(1) and later releases, you can use the two-way community VLANs
  to perform an inverse mapping from the primary VLAN to the secondary VLAN when the
  traffic crosses the boundary of a private VLAN through an MSFC promiscuous port. Both
  the outbound and inbound traffic can be carried on the same VLAN allowing the
  VLAN-based features such as the VLAN access control lists (VACLs) to be applied in both
  directions on a per-community (per-customer) basis.

Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7, Chapter 11, Configuring VLANs, OL-8978-04
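The port-type rules described above, modelled as an added example that is not part of the Cisco guide: it checks that every port sits on a defined supporting VLAN and computes which ports can exchange Layer 2 frames, so a port plan can be audited before it is configured. The port labels, VLAN IDs and function names are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import permutations

@dataclass(frozen=True)
class Port:
    name: str   # mod/port label (constructed sample values below)
    role: str   # "promiscuous", "isolated" or "community"
    vlan: int   # primary VLAN for promiscuous ports, otherwise the secondary VLAN

def validate(primary, isolated, communities, ports):
    """Return a list of problems with the private VLAN structure (empty if none)."""
    problems = []
    if primary in {isolated, *communities} or isolated in communities:
        problems.append("primary, isolated and community VLAN IDs must be distinct")
    for p in ports:
        # Each supporting VLAN must be defined before a port can use it.
        ok = {"promiscuous": p.vlan == primary,
              "isolated": p.vlan == isolated,
              "community": p.vlan in communities}.get(p.role, False)
        if not ok:
            problems.append(f"{p.name}: {p.role} port on undefined or wrong VLAN {p.vlan}")
    return problems

def can_send(src, dst):
    """True if a Layer 2 frame sent by src is delivered to dst."""
    if src.name == dst.name:
        return False
    # A promiscuous port talks to every port, and every port reaches it.
    if src.role == "promiscuous" or dst.role == "promiscuous":
        return True
    # Isolated ports reach promiscuous ports only; community ports also reach
    # members of their own community VLAN, but no other community.
    return src.role == dst.role == "community" and src.vlan == dst.vlan

def reachable_pairs(ports):
    """All ordered (sender, receiver) pairs that Layer 2 forwarding permits."""
    return {(a.name, b.name) for a, b in permutations(ports, 2) if can_send(a, b)}

# Constructed sample: primary VLAN 10, isolated VLAN 20, community VLANs 30 and 31.
PORTS = [
    Port("3/1", "promiscuous", 10),
    Port("4/1", "isolated", 20),
    Port("4/2", "isolated", 20),
    Port("4/3", "community", 30),
    Port("4/4", "community", 30),
    Port("4/5", "community", 31),
]
```

Comparing `reachable_pairs(PORTS)` with the set of pairs the design intends to allow shows any port that was placed in the wrong community or left off the isolated VLAN.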

This manual is also suitable for:

Catalyst 6506, Catalyst 6509, Catalyst 6513