Cisco 4506-E Software Guide - Page 223
Private VLAN Configuration Guidelines
Chapter 10 Configuring VLANs
Configuring Private VLANs

Privacy is granted at the Layer 2 level because the switch blocks outgoing traffic to all isolated ports. You assign all isolated ports to an isolated VLAN where this hardware function occurs. Traffic that is received from an isolated port is forwarded to all promiscuous ports only.

Within a private VLAN are three distinct classifications of VLANs: a single primary VLAN, a single isolated VLAN, and a series of community VLANs. You must define each supporting VLAN within a private VLAN structure before configuring the private VLAN, as follows:

• Primary VLAN: Conveys incoming traffic from the promiscuous port to all other promiscuous, isolated, and community ports.
• Isolated VLAN: Used by isolated ports to communicate with the promiscuous ports. The traffic from an isolated port is blocked on all adjacent ports and can be received only by promiscuous ports.
• Community VLANs: Used by a group of community ports to communicate among themselves and to transmit traffic outside the group through the designated promiscuous port.

To create a private VLAN, you assign two or more normal VLANs in the normal VLAN range. One VLAN is designated as a primary VLAN, and a second VLAN is designated as either an isolated VLAN, a community VLAN, or a two-way community VLAN. You can designate additional VLANs as separate isolated, community, or two-way community VLANs in this private VLAN. After designating the VLANs, you must bind them together and associate them with the promiscuous port.

You can extend private VLANs across multiple Ethernet switches by trunking the primary, isolated, and any community VLANs to other switches that support private VLANs.

In an Ethernet-switched environment, you can assign an individual VLAN and associated IP subnet to each individual or common group of stations. The servers only require the ability to communicate with a default gateway to gain access to end points outside the VLAN itself.
By incorporating these stations, regardless of ownership, into one private VLAN, you can do the following:

• Designate the server ports as isolated to prevent any inter-server communication at Layer 2.
• Designate as promiscuous the ports to which the default gateway(s), backup server, or LocalDirector are attached, to allow all stations to have access to these gateways.
• Reduce VLAN consumption. You need to allocate only one IP subnet to the entire group of stations, because all stations reside in one common private VLAN.
• Conserve public address space. Servers are now isolated from one another using private VLANs, which eliminates the need to create multiple IP subnets. Multiple IP subnets waste public IP addresses on multiple subnet and broadcast addresses. As a result, all servers can be members of the same IP subnet, but they remain isolated from one another.

Private VLAN Configuration Guidelines

This section describes the configuration guidelines for configuring private VLANs:

• Designate one VLAN as the primary VLAN.
• Designate one VLAN as an isolated VLAN. If you want to use private VLAN communities, you need to designate a community VLAN for each community.

78-15486-01 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 10-17
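The Layer 2 forwarding rules this section describes (promiscuous ports in the primary VLAN, isolated ports, community ports) modelled in Python as an added illustration; this is not code from the guide or from Cisco, and the port names and VLAN numbers are constructed sample values:

```python
"""Model of private VLAN forwarding at Layer 2 (added illustration).

Rules follow the description in this section:
  - a promiscuous port reaches every port in the private VLAN, and every
    isolated or community port may send only to promiscuous ports;
  - isolated ports never reach each other or any community port;
  - community ports also reach the other ports of their own community VLAN.
Port names and VLAN numbers below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str
    role: str                              # "promiscuous", "isolated" or "community"
    secondary_vlan: Optional[int] = None   # isolated/community VLAN id; None if promiscuous


def can_forward(src: Port, dst: Port) -> bool:
    """Return True if a Layer 2 frame from src may be delivered to dst."""
    if src is dst:
        return False
    if src.role == "promiscuous" or dst.role == "promiscuous":
        # Primary VLAN carries promiscuous traffic to all ports; traffic from
        # any secondary VLAN is forwarded back to the promiscuous ports only.
        return True
    if src.role == "isolated" or dst.role == "isolated":
        # Isolated ports are blocked towards every non-promiscuous port.
        return False
    # Both community ports: allowed only within the same community VLAN.
    return src.secondary_vlan == dst.secondary_vlan


def reachability(ports):
    """Map each port name to the sorted names it can reach at Layer 2."""
    return {p.name: sorted(q.name for q in ports if can_forward(p, q)) for p in ports}


def unbound_ports(secondaries, ports):
    """Ports whose secondary VLAN is not bound to the primary VLAN (a design error)."""
    return [p.name for p in ports
            if p.role != "promiscuous" and p.secondary_vlan not in secondaries]


# Constructed design: primary VLAN 100 bound to isolated VLAN 101 and
# community VLANs 102 and 103; 2/1 is the default gateway port.
GATEWAY = Port("2/1", "promiscuous")
SRV_A, SRV_B = Port("2/2", "isolated", 101), Port("2/3", "isolated", 101)
WEB1, WEB2 = Port("2/4", "community", 102), Port("2/5", "community", 102)
DB1 = Port("2/6", "community", 103)
PORTS = [GATEWAY, SRV_A, SRV_B, WEB1, WEB2, DB1]
BOUND_SECONDARIES = {101, 102, 103}

if __name__ == "__main__":
    for name, reach in reachability(PORTS).items():
        print(f"{name:>4} -> {reach}")
    print("unbound:", unbound_ports(BOUND_SECONDARIES, PORTS))
```

The model covers only Layer 2 reachability, which is exactly the scope of the isolation the section describes; anything the promiscuous gateway routes is outside it.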