Wednesday 29 October 2014

Virtual LAN - VLAN

A VLAN can either be active, which is the default state, or it can be suspended.

Modifying the operational state of VLANs
In VLAN configuration mode:
 #state suspend
 #state active
In a VTP domain, the "shutdown" command in VLAN configuration mode can be used to shut the VLAN down locally without affecting other switches.

Private VLANs allow a switch to separate ports as if they were on different VLANs, while consuming only a single subnet.

Conceptually, a Private VLAN is a mechanism that partitions a given VLAN into an arbitrary number of nonoverlapping sub-VLANs, or secondary VLANs. The outside world continues to see only the original VLAN, in this case called the primary VLAN.

Secondary VLANs can be of two types: community VLANs and isolated VLANs. Ports assigned to the same community VLAN can communicate with each other directly, but they are not allowed to communicate with ports in any other VLAN. This behavior is similar to ordinary VLANs.
Ports assigned to an isolated VLAN can neither communicate with each other nor with ports in any other VLAN.

A single primary VLAN can be associated with zero or more community VLANs and with at most one isolated VLAN. A secondary VLAN, either a community or an isolated VLAN, must be associated with exactly one primary VLAN.
Both community and isolated ports behave as normal access ports—they technically belong to a single VLAN and they do not tag frames.

A promiscuous port is not associated with any particular secondary VLAN. Instead, it is associated with the corresponding primary VLAN itself. A device connected to a promiscuous port can communicate with devices in all secondary VLANs associated with this primary VLAN and vice versa.

A frame received on a promiscuous, community, or isolated port can always be forwarded through a trunk port.

A frame received on a community or isolated port will be tagged with the ID of the corresponding secondary VLAN when forwarded out a trunk.

A frame received on a promiscuous port will be tagged with the ID of the corresponding primary VLAN when forwarded out a trunk.

A Primary VLAN can be seen as a VLAN carrying “downstream” traffic from promiscuous ports to other promiscuous ports and hosts in all associated secondary VLANs.  

Secondary VLANs do not exist “inside” their primary VLAN; rather, they are only associated with it.

Promiscuous PVLAN Trunk - Whenever a frame from a secondary VLAN is going to be sent out such a trunk, its VLAN tag will be rewritten with the appropriate primary VLAN ID. This rewrite is necessary when a trunk carrying a set of VLANs including Private VLANs is to be connected to an external device that does not support Private VLANs, yet which shall be reachable from the Private VLANs as if connected to a promiscuous port.

In essence, a Promiscuous PVLAN Trunk port rewrites the secondary VLAN ID into the primary PVLAN ID upon sending a frame. When a frame is received, no tag manipulation is performed. Also, no tag manipulation is performed for frames in ordinary VLANs.

Isolated PVLAN Trunk - translates a primary VLAN ID into the ID of the isolated VLAN that is associated with the primary VLAN. This is used to extend the isolated VLAN over a trunk carrying multiple VLANs to a switch that does not support Private VLANs but is capable of isolating its own ports.

In essence, an Isolated PVLAN Trunk port rewrites the primary VLAN ID into the isolated secondary VLAN ID upon sending a frame. When a frame is received, no tag manipulation is performed. Also, no tag manipulation is performed for frames in ordinary VLANs.

Configuration 

//If not running VTPv3, a switch must be put into VTP Transparent mode before configuring Private VLANs

 #vlan 199
 #name Isolated
 #private-vlan isolated
 #vlan 101
 #name Community1
 #private-vlan community
 #vlan 102
 #name Community2
 #private-vlan community
 #vlan 103
 #name Community3
 #private-vlan community
 #vlan 100
 #name Primary1
 #private-vlan primary
 #private-vlan association 101-103,199

 #int range f0/1 - 3
 #switchport mode private-vlan host
 #switchport private-vlan host-association 100 101
 #int f0/13
 #switchport mode private-vlan promiscuous
 #switchport private-vlan mapping 100 101-103,199

 If an SVI is used as the gateway for devices associated with primary VLAN 100, it must also be configured as promiscuous:
 #interface vlan100
 #private-vlan mapping 101-103,199
 #ip address 192.168.100.254 255.255.255.0

show vlan private-vlan
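As an added example (not part of the original post), the following Python models the PVLAN forwarding rules and the trunk tag rewriting described above, and applies them to the configuration shown. The extra host ports f0/4 to f0/6, the trunk port names and the mode labels are constructed assumptions used to exercise the isolation rules.

```python
from dataclasses import dataclass

# Constructed model of the PVLAN domain configured in the post:
# primary VLAN 100, community VLANs 101-103, isolated VLAN 199.
PRIMARY, COMMUNITY, ISOLATED = 100, {101, 102, 103}, 199

@dataclass(frozen=True)
class Port:
    name: str
    mode: str  # "host", "promiscuous", "trunk", "prom_trunk" or "iso_trunk"
    vlan: int  # secondary VLAN for host ports, primary VLAN for promiscuous ports, 0 for trunks

def vlan_kind(vlan: int) -> str:
    """Classify a VLAN ID relative to this PVLAN domain."""
    if vlan == PRIMARY:
        return "primary"
    return "community" if vlan in COMMUNITY else "isolated" if vlan == ISOLATED else "ordinary"

def can_forward(src: Port, dst: Port) -> bool:
    """May a frame received on src be delivered out dst? Rules as stated in the post."""
    if src is dst:
        return False
    if dst.mode.endswith("trunk"):  # any PVLAN port may forward out a trunk
        return True
    if "promiscuous" in (src.mode, dst.mode):  # promiscuous reaches every secondary VLAN
        return True
    # host to host: only within one community; isolated ports never reach each other
    return vlan_kind(src.vlan) == "community" and src.vlan == dst.vlan

def egress_tag(src: Port, trunk: Port) -> int:
    """802.1Q VLAN ID a frame received on host/promiscuous port src carries out of trunk."""
    tag = src.vlan  # secondary ID from a host port, primary ID from a promiscuous port
    if trunk.mode == "prom_trunk" and vlan_kind(tag) in ("community", "isolated"):
        tag = PRIMARY  # Promiscuous PVLAN Trunk: secondary ID rewritten to the primary ID
    elif trunk.mode == "iso_trunk" and tag == PRIMARY:
        tag = ISOLATED  # Isolated PVLAN Trunk: primary ID rewritten to the isolated ID
    return tag  # ordinary VLANs and all other cases pass through unchanged

# Ports from the post (f0/1-3 in community 101, f0/13 promiscuous) plus constructed hosts
# f0/4 and f0/5 in isolated VLAN 199 and f0/6 in community 102 to exercise the isolation rules.
PORTS = {
    "f0/1": Port("f0/1", "host", 101), "f0/2": Port("f0/2", "host", 101),
    "f0/3": Port("f0/3", "host", 101), "f0/4": Port("f0/4", "host", 199),
    "f0/5": Port("f0/5", "host", 199), "f0/6": Port("f0/6", "host", 102),
    "f0/13": Port("f0/13", "promiscuous", 100),
}

def reachability() -> dict:
    """Map (src, dst) port names to whether the PVLAN lets a frame from src reach dst."""
    return {(a, b): can_forward(PORTS[a], PORTS[b]) for a in PORTS for b in PORTS if a != b}
```

Comparing the reachability map against the intended segmentation is a quick way to confirm that isolated hosts cannot reach each other and that only the promiscuous port (or SVI) spans all secondary VLANs.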
