Cisco Systems WSC2960XR48FPSI Private VLANs in Networks

•Promiscuous—Apromiscuous port belongs to the primary VLAN and can communicate with all interfaces,

includingthe community and isolated host ports that belong to the secondary VLANs associated with

theprimary VLAN.

•Isolated—Anisolated port is a host port that belongs to an isolated secondary VLAN. It has complete

Layer2 separation from other ports within the same private VLAN, except for the promiscuous ports.

PrivateVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received

froman isolated port is forwarded only to promiscuous ports.

•Community—Acommunity port is a host port that belongs to a community secondary VLAN. Community

portscommunicate with other ports in the same community VLAN and with promiscuous ports. These

interfacesare isolated at Layer 2 fromall other interfaces in othercommunities and from isolated ports

withintheir private VLAN.

Trunkports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.Note

Primaryand secondary VLANs have these characteristics:

•PrimaryVLAN—A private VLAN has only one primary VLAN. Every port in a private VLAN is a

memberof the primary VLAN. The primary VLAN carries unidirectional trafficdownstream from the

promiscuousports to the (isolated and community) host ports and to other promiscuous ports.

•IsolatedVLAN —A private VLAN has only one isolated VLAN. An isolated VLAN is a secondary

VLANthat carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the

gateway.

•CommunityVLAN—A community VLAN is a secondary VLAN that carries upstream traffic from the

communityports to the promiscuous port gateways and to other host ports in the same community. You

canconfigure multiple community VLANs in a private VLAN.

Apromiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs.

Layer3 gateways are typically connected to the switch through a promiscuous port. With a promiscuous port,

youcan connect a wide range of devices as access points to a private VLAN. For example, you can use a

promiscuousport to monitor or back up all the private VLAN servers from an administration workstation.

Related Topics

Configuringa Layer 2 Interface as a Private VLAN Host Port, on page 96

Example:Configuring an Interface as a Host Port, on page 102

Configuringa Layer 2 Interface as a Private VLAN Promiscuous Port, on page 98

Example:Configuring an Interface as a Private VLAN Promiscuous Port, on page 103

Private VLANs in Networks

Ina switched environment, you can assign an individual private VLAN and associated IP subnet to each

individualor common group of end stations. The end stations need to communicate only with a default gateway

tocommunicate outside the private VLAN.

Youcan use private VLANs to control access to end stations in these ways:

Catalyst 2960-XR Switch VLAN Configuration Guide, Cisco IOS Release 15.0(2)EX1

OL-29440-01 89

Configuring Private VLANs

Private VLANs in Networks

Contents

Main www.cisco.com/go/trademarks CONTENTS Page Page Page Page Page Page Page Preface Document Conventions Page Related Documentation Obtaining Documentation and Submitting a Service Request Page CHAPTER 1 Using the Command-Line Interface Information About Using the Command-Line Interface Command Modes Page Using the Help System Understanding Abbreviated Commands No and default Forms of Commands CLI Error Messages Configuration Logging How to Use the CLI to Configure Features Configuring the Command History Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Enabling and Disabling Editing Features Editing Commands through Keystrokes Editing Command Lines That Wrap Searching and Filtering Output of show and more Commands Accessing the CLI through a Console Connection or through Telnet Page CHAPTER 2 Configuring VTP Prerequisites for VTP Information About VTP VTP VTP Domain VTP Modes VTP Advertisements VTP Version 2 VTP Version 3 VTP Pruning Page VTP and Switch Stacks VTP Configuration Guidelines Configuration Requirements VTP Settings Domain Names for Configuring VTP Passwords for the VTP Domain VTP Version Default VTP Configuration How to Configure VTP Configuring VTP Mode Page Configuring a VTP Version 3 Password Configuring a VTP Version 3 Primary Server Enabling the VTP Version Enabling VTP Pruning Page Configuring VTP on a Per-Port Basis Adding a VTP Client Switch to a VTP Domain Page Monitoring VTP Configuration Examples for VTP Example: Configuring the Switch as a VTP Server Example: Configuring a Hidden Password Example: Configuring a VTP Version 3 Primary Server Example: Configuring VTP on a Per-Port Basis Feature History and Information for VTP Page CHAPTER 3 Configuring VLANs Prerequisites for VLANs Restrictions for VLANs Information About VLANs Logical Networks Supported VLANs VLAN Port Membership Modes Normal-Range VLAN Overview Token Ring VLANs Normal-Range VLANs Configuration Process VLAN Configuration Saving Process Normal-Range VLAN Configuration Guidelines Extended-Range VLAN Configuration Guidelines Default Ethernet VLAN Configuration Default VLAN Configuration How to Configure VLANs How to Configure Normal-Range VLANs Creating or Modifying an Ethernet VLAN Page Deleting a VLAN Assigning Static-Access Ports to a VLAN Page How to Configure Extended-Range VLANs Creating an Extended-Range VLAN Page Creating an Extended-Range VLAN with an Internal VLAN ID Page Monitoring VLANs Configuration Examples Example: Creating a VLAN Name Example: Configuring a Port as Access Port Example: Creating an Extended-Range VLAN Page Feature History and Information for VLAN Page CHAPTER 4 Configuring VLAN Trunks Prerequisites for VLAN Trunks Restrictions for VLAN Trunks Information About VLAN Trunks Trunking Overview Trunking Modes Layer 2 Interface Modes Allowed VLANs on a Trunk Load Sharing on Trunk Ports Network Load Sharing Using STP Priorities Network Load Sharing Using STP Path Cost Feature Interactions Default Layer 2 Ethernet Interface VLAN Configuration How to Configure VLAN Trunks Configuring an Ethernet Interface as a Trunk Port Configuring a Trunk Port Page Defining the Allowed VLANs on a Trunk Page Changing the Pruning-Eligible List Configuring the Native VLAN for Untagged Traffic Configuring Trunk Ports for Load Sharing Configuring Load Sharing Using STP Port Priorities Page Page Page Configuring Load Sharing Using STP Path Cost Page Page Configuration Examples for VLAN Trunking Example: Configuring an IEEE 802.1Q Trunk Example: Removing a VLAN Feature History and Information for VLAN Trunks CHAPTER 5 Configuring Private VLANs Prerequisites for Private VLANs Secondary and Primary VLAN Configuration Private VLAN Port Configuration Restrictions for Private VLANs Limitations with Other Features Information About Private VLANs Private VLAN Domains Secondary VLANs Private VLANs Ports Private VLANs in Networks IP Addressing Scheme with Private VLANs Private VLANs Across Multiple Switches Private VLAN Interaction with Other Features Private VLANs and Unicast, Broadcast, and Multicast Traffic Private VLANs and SVIs Private VLANs and Switch Stacks Private VLAN Configuration Tasks Default Private VLAN Configuration How to Configure Private VLANs Configuring and Associating VLANs in a Private VLAN Page Page Configuring a Layer 2 Interface as a Private VLAN Host Port Page Configuring a Layer 2 Interface as a Private VLAN Promiscuous Port Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface Page Monitoring Private VLANs Configuration Examples for Private VLANs Example: Configuring a Primary VLAN, Isolated VLAN, and a Community of VLANs Example: Configuring an Interface as a Host Port Example: Configuring an Interface as a Private VLAN Promiscuous Port Example: Mapping Secondary VLANs to a Primary VLAN Interface Example: Monitoring Private VLANs Feature History and Information for Private VLANs Page CHAPTER 6 Configuring VMPS Prerequisites for VMPS Restrictions for VMPS Information About VMPS Dynamic VLAN Assignments Dynamic-Access Port VLAN Membership Default VMPS Client Configuration How to Configure VMPS Entering the IP Address of the VMPS Configuring Dynamic-Access Ports on VMPS Clients Page Reconfirming VLAN Memberships Changing the Reconfirmation Interval Changing the Retry Count Troubleshooting Dynamic-Access Port VLAN Membership Monitoring the VMPS Configuration Example for VMPS Example: VMPS Configuration Page Page Feature History and Information for VMPS CHAPTER 7 Configuring IEEE 802.1Q and Layer 2 Protocol Tunneling Prerequisites for Configuring Tunneling IEEE 802.1Q Tunneling and Incompatibilities Layer 2 Protocol Tunneling Page Layer 2 Tunneling for EtherChannels Information about Tunneling IEEE 802.1Q and Layer 2 Protocol Overview IEEE 802.1Q Tunneling Page Page IEEE 802.1Q Tunneling Configuration Guidelines Native VLANs System MTU Default IEEE 802.1Q Tunneling Configuration Layer 2 Protocol Tunneling Overview Page Layer 2 Protocol Tunneling on Ports Default Layer 2 Protocol Tunneling Configuration How to Configure Tunneling Configuring an IEEE 802.1Q Tunneling Port Page Configuring Layer 2 Protocol Tunneling Page Page Configuring the SP Edge Switch Page Page Configuring the Customer Switch Page Configuration Examples for IEEE 802.1Q and Layer 2 Protocol Tunneling Example: Configuring an IEEE 802.1Q Tunneling Port Example: Configuring Layer 2 Protocol Tunneling Examples: Configuring the SP Edge and Customer Switches SPedge switch2 configuration: Monitoring Tunneling Status Page Feature History and Information for Tunneling CHAPTER 8 Configuring Voice VLANs Prerequisites for Voice VLANs Restrictions for Voice VLANs Information About Voice VLAN Voice VLANs Cisco IP Phone Voice Traffic Cisco IP Phone Data Traffic Voice VLAN Configuration Guidelines Default Voice VLAN Configuration How to Configure Voice VLAN Configuring Cisco IP Phone Voice Traffic Page Configuring the Priority of Incoming Data Frames Page Monitoring Voice VLAN Configuration Examples for Voice VLANs Example: Configuring Cisco IP Phone Voice Traffic Example: Configuring a Port Connected to an IP Phone Not to Change Frame Priority Page Feature History and Information for Voice VLAN INDEX C D E F H M N P R S