Configuring a Private Vlan | Cisco Systems N3KC3048TP1GE instruction

Configuring Private VLANs

Guidelines and Limitations for Private VLANs

•Configure selected interfaces connected to end stations as isolated ports to prevent any communication. For example, if the end stations are servers, this configuration prevents communication between the servers.

•Configure interfaces connected to default gateways and selected end stations (for example, backup servers) as promiscuous ports to allow all end stations access to a default gateway.

Guidelines and Limitations for Private VLANs

When configuring PVLANs, follow these guidelines:

•You must have already created the VLAN before you can assign the specified VLAN as a private VLAN.

•You must enable PVLANs before the switch can apply the PVLAN functionality.

•You cannot disable PVLANs if the switch has any operational ports in a PVLAN mode.

•Enter the private-vlan synchronize command from within the Multiple Spanning Tree (MST) region definition to map the secondary VLANs to the same MST instance as the primary VLAN.

Configuring a Private VLAN

Enabling Private VLANs

You must enable PVLANs on the switch to use the PVLAN functionality.

Note The PVLAN commands do not appear until you enable the PVLAN feature.

Procedure

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters configuration mode.
Step 2	switch(config)# feature private-vlan	Enables the PVLAN feature on the switch.
Step 3	switch(config)# no feature	(Optional)
	private-vlan	Disables the PVLAN feature on the switch.
		Note	You cannot disable PVLANs if there are
			operational ports on the switch that are in
			PVLAN mode.

This example shows how to enable the PVLAN feature on the switch:

switch# configure terminal switch(config)# feature private-vlan

	Cisco Nexus 3000 NX-OS Layer 2 Switching Configuration Guide, Release 5.0(3)U3(1)
42	OL-26590-01

Image 56

Cisco Systems N3KC3048TP1GE manual Guidelines and Limitations for Private VLANs, Configuring a Private Vlan, Private-vlan

Contents

Americas Headquarters First Published February 29 Last Modified March 22Page N T E N T S Configuring VLANs Configuring Private VLANs Configuring Rapid PVST+ Configuring Multiple Spanning Tree Configuring the Port Priority Configuring Lldp Configuring Igmp Snooping Preface AudienceDocument Conventions Convention Description Italic screen font Installation and Upgrade Guides Configuration GuidesError and System Messages Release Notes Obtaining Documentation and Submitting a Service Request Feature Description Added or Switching mode. There are two switchingNew and Changed Information for this Release Changed Release OL-26590-01 Layer 2 Ethernet Switching Overview OverviewVLANs This chapter contains the following sections STP Overview Private VLANsSpanning Tree Rapid PVST+ STP Extensions Overview STP Extensions Information About Ethernet Interfaces Configuring Ethernet InterfacesAbout the Interface Command About the Unidirectional Link Detection Parameter Default Udld Configuration Following table shows the default Udld configurationFeature Udld Aggressive and Nonaggressive Modes About the Error-Disabled State Default CDP ConfigurationFollowing table shows the default CDP configuration About Interface Speed Configuring Ethernet Interfaces About the Debounce Timer ParametersAbout MTU Configuration About Port Profiles Configuring the Udld Mode Command or Action Purpose StepSwitch# configure terminal Aggressive Changing an Interface Port Mode Command or ActionRunning-config bootflash Running-config startup-config Transceiver inserted into it Configuring Interface SpeedSlot /port Command or Action Purpose Disabling Link Negotiation Configuring the CDP Characteristics Advertise v1Device-id mac-address Serial-number system-name Enabling or Disabling CDP Seconds Enabling the Error-Disabled Detection Example Enabling the Error-Disabled Recovery Configuring the Error-Disabled Recovery IntervalConfig t Enters configuration mode Copy running-config startup-config Configuring the Debounce Timer Configuring the Description ParameterErrdisable recovery interval interval Show interface status err-disabled Disabling and Restarting Ethernet Interfaces Switchconfig-if# shutdown Disables the interfaceDisplaying Interface Information Command Purpose Following example shows how to display the CDP neighbors Displaying Input Packet Discard Information Default Physical Ethernet Settings Parameter Default SettingPage OL-26590-01 Understanding VLANs Configuring VLANsInformation About VLANs Vlan Ranges VLANs as Logically Defined Networks Creating, Deleting, and Modifying VLANs VLANs Numbers Range Usage Configuring a Vlan About the Vlan Trunking ProtocolCreating and Deleting a Vlan Guidelines and Limitations for VTP Vlan vlan-id vlan-range Configuring a VlanVlan-id vlan-range Active suspend Switchconfig# interface ethernetAdding Ports to a Vlan Configuring a Vlan as a Routed SVI Switchconfig-if# switchport access vlanConfigure terminal Enters global configuration mode Feature interface-vlan Enables the creation of SVIs You can configure routing protocols on this interface Configuring a Vlan as a Management SVIConfiguring VTP Vtp password Show vtp passwordCopy running-config Startup-config Verifying Vlan Configuration Switch# show running-config vlan vlanid vlanrangeSwitch# show vlan brief id vlanid vlanrange name name Summary Configuring Private VLANs Information About Private VLANs Three types of Pvlan ports are as follows Primary and Secondary VLANs in Private VLANsPrivate Vlan Ports Primary, Isolated, and Community Private VLANs Associating Primary and Secondary VLANs Private Vlan Traffic Flows Private Vlan Promiscuous Trunks Private Vlan Isolated TrunksBroadcast Traffic in Private VLANs Private Vlan Port Isolation Configuring a Private Vlan Switchconfig# feature private-vlanGuidelines and Limitations for Private VLANs Enabling Private VLANs Community isolated primary Configuring a Vlan as a Private VlanAssociating Secondary VLANs with a Primary Private Vlan Association Association add secondary-vlan-listRemove secondary-vlan-list Configuring an Interface as a Private Vlan Host Port Configuring an Interface as a Private Vlan Promiscuous Port Configuring the Allowed VLANs for Pvlan Trunking Ports Configuring a Promiscuous Trunk PortConfiguring an Isolated Trunk Port Verifying the Private Vlan Configuration Configuring Native 802.1Q VLANs on Private VLANsSwitch# show feature Switch# show interface switchport OL-26590-01 Understanding Access and Trunk Interfaces Configuring Access and Trunk InterfacesInformation About Access and Trunk Interfaces Understanding Ieee 802.1Q Encapsulation Devices in a Trunking Environment Understanding Access VLANs Header without and with 802.1Q Tag Included Understanding Native 802.1Q VLANs Understanding the Native Vlan ID for Trunk PortsUnderstanding Allowed VLANs Configuring Access and Trunk Interfaces Configuring a LAN Interface as an Ethernet Access Port Configuring Access Host Ports Configuring Trunk PortsSwitchconfig-if# switchport host On bpdu filtering and bpdu guard Configuring the Native Vlan for 802.1Q Trunking Ports Configuring the Allowed VLANs for Trunking PortsSpecified trunk, use the switchport trunk allowed vlan Port-channel number Configuring Native 802.1Q VLANs Switch# configure terminal Enters configuration mode Verifying Interface Configuration Switchconfig# no vlan dot1q tagSwitch# show vlan dot1q tag native Switch# show interface OL-26590-01 Configuring Switching Modes Information About Switching ModesCut-Through Switching Mode Store-and-Forward Switching Mode Guidelines and Limitations for Switching Modes Licensing Requirements for Switching ModesCut-Through Switching Mode Guidelines and Limitations Store-and-Forward Switching Mode Guidelines and Limitations Default Settings for Switching Modes Configuring Switching ModesEnabling Store-and-Forward Switching Reenabling Cut-Through Switching Feature History for Switching Modes Saves the change persistently through rebootsThis example shows how to reenable cut-through switching Feature Name Releases Information Configuring Rapid PVST+ Information About Rapid PVST+Understanding STP STP Overview Understanding How a Topology is Created Understanding the Bridge ID Bit extended system ID field is part of the bridge ID Bridge Priority ValueBit 8192 4096 2048 1024 512 256 128 Understanding BPDUs Election of the Root Bridge Creating the Spanning Tree Topology Understanding Rapid PVST+ Rapid PVST+ Overview Rapid PVST+ BPDUs Rapid PVST+ Flag Byte in Bpdu Proposal and Agreement Handshake Proposal and Agreement Handshaking for Rapid Convergence Variable Description Protocol TimersPort Roles Port States Rapid PVST+ Port State Overview Blocking State Enabled Blocking Learning Yes Forwarding Disabled Synchronization of Port RolesOperational Status Port State Topology? Processing Superior Bpdu Information Spanning-Tree Dispute Mechanism Port Cost Rapid PVST+ and Ieee 802.1Q Trunks Rapid PVST+ Interoperation with Legacy 802.1D STPPort Priority Bandwidth Enabling Rapid PVST+ Configuring Rapid PVST+Rapid PVST+ Interoperation with 802.1s MST Mode rapid-pvst Switch# configureEnabling Rapid PVST+ per Vlan Terminal Configuring the Root Bridge ID Configuring a Secondary Root Bridge Spanning-tree mst max-ageconfiguration commands Configuring the Rapid PVST+ Port Priority Vlan vlan-list port-priority priority Configuring the Rapid PVST+ Pathcost Method and Port Cost Configuring the Rapid PVST+ Bridge Priority of a VlanPathcost method long short Vlan vlan-id cost value auto Vlan-range hello-time hello-time Configuring the Rapid PVST+ Hello Time for a VlanSwitchconfig# spanning-tree vlan Configuring the Rapid PVST+ Forward Delay Time for a Vlan Configuring the Rapid PVST+ Maximum Age Time for a VlanSpecifying the Link Type Vlan-range forward-time forward-time Verifying Rapid PVST+ Configurations Switch# clear spanning-tree detected-protocolSwitch# show running-config spanning-tree all Restarting the Protocol This example shows how to display spanning tree status Switch# show spanning-tree optionsSpanning tree configuration OL-26590-01 MST Overview Configuring Multiple Spanning TreeInformation About MST MST Regions MST BPDUs IST, CIST, and CST Overview MST Configuration InformationIST, CIST, and CST Spanning Tree Operation Within an MST Region Spanning Tree Operations Between MST Regions MST Terminology MST Regions, Cist Regional Roots, and CST Root Hop Count Boundary Ports Spanning-Tree Dispute Mechanism MST Boundary Ports Port Cost and Port Priority Interoperability with Ieee 802.1D Configuring MST MST Configuration GuidelinesYou must enable MST Rapid PVST+ is the default Enabling MST Entering MST Configuration Mode Switchconfig# spanning-tree mode mstSwitchconfig# no spanning-tree mode mst Mst configuration Spanning-tree mst Switchconfig# spanning-tree mstSpecifying the MST Name Instance-id vlan vlan-range Specifying the MST Configuration Revision NumberSpecifying the Configuration on an MST Region Name Version Mapping and Unmapping VLANs to MST Instances Default MSTI, which is the CistThis example shows how to map Vlan 200 to Msti Configuring the Root Bridge SynchronizeSame Msti and their associated primary Vlan For all private VLANs 104 Mst instance-id root Configuring the Port PrioritySwitchconfig# no spanning-tree Optional Configuring the Port Cost Configuring the Switch Priority Hello-time seconds Configuring the Hello TimeConfigures the hello time for all MST instances. The hello Switch is alive. For seconds, the range is from 1 to 10, Configuring the Forwarding-Delay TimeConfiguring the Maximum-Aging Time Configuring the Maximum-Hop Count Configuring Pvst Simulation GloballyMst max-age seconds Max-hops hop-count Configuring Pvst Simulation Per Port Switchconfig-if#spanning-tree mst simulate pvst disable Verifying MST Configurations Restarts MST on entire switch orCommand Specified interfaces Configuring STP Extensions About STP ExtensionsInformation About STP Extensions Understanding STP Port Types Understanding Bridge Assurance Understanding Bpdu Guard Is disabled Default Enable Disable Enabled/DisabledUnderstanding Bpdu Filtering Port returns to Understanding Loop Guard Understanding Root Guard Configuring Spanning Tree Port Types Globally Configuring STP ExtensionsSTP Extensions Configuration Guidelines Port type edge default Port type network default Switchconfig# interface type Switchconfig-if# spanning-treePort type edge Edge ports. Edge ports immediately transition to Port type network Ports. If you enable Bridge Assurance, it automaticallyEnabling Bpdu Guard Globally Enabling Bpdu Guard on Specified Interfaces Switchconfig-if# no spanning-tree bpduguard Enables Bpdu Filtering by default on allEdge bpdufilter default Filtering is disabled by default Bpdufilter Bpdufilter enable disableEnabling Bpdu Filtering on Specified Interfaces Loopguard default Normal and network ports. By default, global LoopGuard is disabled Enabling Loop Guard Globally Verifying STP Extension Configuration Guard loop root none 126 Configuring Lldp Configuring Global Lldp Commands Optionalswitch# show lldp Displays Lldp configurations Ensure that the Lldp feature is enabled on the switchHoldtime reinit timer Configuring Interface Lldp Commands Transmit This example shows how to display Lldp timer information This example shows how to display Lldp counters Configuring the MAC Address Table Configuring MAC AddressesConfiguring a Static MAC Address Information About MAC Addresses Configuring the Aging Time for the MAC Table Switchconfig-# no mac-address-table staticSwitch# configure terminal Enters global configuration mode Macaddress vlan vlan-id Verifying the MAC Address Configuration Switchconfig# clear mac-address-table dynamicSwitch# show mac-address-table aging-time Defined in the switch This example shows how to display the MAC address table This example shows how to display the current aging time Configuring Igmp Snooping Information About Igmp Snooping Igmp Snooping Switch IGMPv1 and IGMPv2 Igmp Forwarding IGMPv3Igmp Snooping Querier Configuring Igmp Snooping Parameters Parameter Description Snooping No ip igmp snooping mrouter vpc-peer-linkNo ip igmp snooping mrouter Snooping explicit-tracking Snooping fast-leaveLast-member-query-interval Snooping querier IP-address Verifying Igmp Snooping Configuration 141 142 Configuring Traffic Storm Control Information About Traffic Storm Control Traffic Storm Guidelines and Limitations Broadcast Suppression Configuring Traffic Storm Control Switchconfig-if# storm-control broadcastConfigures traffic storm control for traffic On the interface. The default state is Traffic Storm Control Example Configuration Default Traffic Storm SettingsVerifying Traffic Storm Control Configuration Parameters Default D E Mstp Cist root 93 CIST, described 91 CST 91 Rstp 68, 71, 75, 89 active topology 71 Bpdu Adding ports to Private Configuring VLANs