12-3
Cisco ME 3400 EthernetAccess Switch SoftwareConfiguration Guide
78-17058-01
Chapter12 Configuring Private VLANs Understanding Private VLANs
Isolated—An isolated port is a host port that belongs to an is ola ted seco nda ry V LAN . It has
complete Layer 2 separation from other ports within the same private VLAN, except for the
promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous
ports. Traffic received from an isolated port is forwarded only to promiscuous p orts.
Community—A community port is a host port that belongs to a com mu nity sec ond ary V L AN.
Community ports communicate with other ports in the same community VLAN and with
promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other
communities and from isolated ports within their private VLAN. No more than eight UNIs can be
community ports in the same community VLAN.
Note Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.
Primary and secondary VLANs have these characteristics:
Primary VLAN—A private VLAN has only one primary VLAN. Every port in a private VLAN is a
member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from
the promiscuous ports to the (isolated and community) host ports an d to ot her prom isc uous por ts.
Isolated VLAN —A private VLAN has only one isolated VLAN. An isolated VLAN is a secondary
VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and
the gateway.
Community VLAN—A community VLAN is a secondary VLAN t hat carries upstream traffic from
the community ports to the promiscuous port gateways and to other host po rts i n the sa me
community. You can configure multiple community VLANs in a private VLAN. Each community
VLAN can include no more than eight UNIs.
Note The switch also supports UNI isolated VLANs and UNI community VLANs. When a VLA N is cr eated,
it is by default a UNI isolated VLAN. Traffic is not switched among UNIs on a switch that belong to a
UNI isolated VLAN. For more information on UNI VLANs, see Chapter11, “Configuring VLANs.”
A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community
VLANs. Layer 3 gateways are typically connected to the switch through a promiscuous port. With a
promiscuous port, you can connect a wide range of devices as a cce ss p oint s to a p rivate VLAN. For
example, you can use a promiscuous port to monitor or ba ck up all th e private-VLAN se rver s f rom a n
administration workstation.
In a switched environment, you can assign an indiv idu al private VLAN and associated IP subnet to each
individual or common group of end stations. The end stations need to communicate only with a default
gateway to communicate outside the private VLAN.
You can use private VLANs to control access to end stations in these ways:
Configure selected interfaces connected to end stations as isolated ports to prevent any
communication at Layer 2. For example, if the end stations are servers, this configuration pr events
Layer 2 communication between the servers.
Configure NNIs connected to default gateways and selected end stations (for example, backup
servers) as promiscuous ports to allow all end stations access to a default gateway.
You can extend private VLANs across multiple devices by trunking the primary, isolated, and
community VLANs to other devices that support private VLANs. To maintain the security of your
private-VLAN configuration and to avoid other use of the VLANs configured as private VLANs,
configure private VLANs on all intermediate devices, including devices that have no private-VLAN
ports.