communities, or in isolated ports within their PVLAN.

Note: Because trunks can support the VLANs carrying traffic between isolated, community, and promiscuous ports, isolated and community port traffic might enter or leave the switch through a trunk interface.

PVLAN ports are associated with a set of supporting VLANs that are used to create the PVLAN structure. A PVLAN uses VLANs in three ways:

- As a primary VLAN: Carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same primary VLAN.
- As an isolated VLAN: Carries traffic from isolated ports to a promiscuous port.
- As a community VLAN: Carries traffic between community ports and to promiscuous ports. You can configure multiple community VLANs in a PVLAN.

Isolated and community VLANs are called secondary VLANs. You can extend PVLANs across multiple devices by trunking the primary, isolated, and community VLANs to other devices that support PVLANs.

Note: A promiscuous port can service only one primary VLAN. A promiscuous port can service one isolated or many community VLANs.

With a promiscuous port, you can connect a wide range of devices as access points to a PVLAN. For example, you can connect a promiscuous port to the server port to connect an isolated VLAN or a number of community VLANs to the server. A load balancer may be used to load-balance the servers present in the isolated or community VLANs, or you can use a promiscuous port to monitor or back up all the PVLAN servers from an administration workstation.
8.2 Protecting Against VLAN Attacks
8.2.6 Configuring PVLANs

To configure a PVLAN on an IOS-based Catalyst 3560, 3750, 4500, or 6500, follow these steps:

Step 1 Set VTP mode to transparent.
Step 2 Create the secondary VLANs. Note: Isolated and community VLANs are secondary VLANs.
Step 3 Create the primary VLAN.
Step 4 Associate the secondary VLAN with the primary VLAN. Only one isolated VLAN can be mapped to a primary VLAN, but more than one community VLAN can be mapped to a primary VLAN.
Step 5 Configure an interface as an isolated or community port.
Step 6 Associate the isolated port or community port with the primary-secondary VLAN pair.
Step 7 Configure an interface as a promiscuous port.
Step 8 Map the promiscuous port to the primary-secondary VLAN pair.

Use these commands to configure a VLAN as a PVLAN:

Switch(config)#vlan vlan_ID
Switch(config-vlan)#[no] private-vlan {isolated | primary}

The following example shows how to configure VLAN 202 as a primary VLAN and verify the configuration:

Switch#configure terminal
Switch(config)#vlan 202
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#end
Switch#show vlan private-vlan type
Primary Secondary Type              Interfaces
------- --------- ----------------- ------------
202               primary

This example shows how to configure VLAN 200 as an isolated VLAN and verify the configuration:

Switch#configure terminal
Switch(config)#vlan 200
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#end
Switch#show vlan private-vlan type
Primary Secondary Type              Interfaces
------- --------- ----------------- ------------
202               primary
        200       isolated

To associate secondary VLANs with a primary VLAN, perform this procedure:

Switch(config)#vlan primary_vlan_ID
Switch(config-vlan)#[no] private-vlan association {secondary_vlan_list | add secondary_vlan_list | remove secondary_vlan_list}

When you associate secondary VLANs with a primary VLAN, note the following:

- The secondary_vlan_list parameter contains only one isolated VLAN ID.
- Use the remove keyword with the secondary_vlan_list parameter to clear the association between the secondary and primary VLANs. The list can contain only one VLAN.
- Use the no keyword to clear all associations with the primary VLAN.
- The command does not take effect until you exit VLAN configuration mode.
To configure a Layer 2 interface as a PVLAN promiscuous port, perform this procedure:

Switch(config)#interface {fastethernet | gigabitethernet} slot/port
Switch(config-if)#switchport mode private-vlan {host | promiscuous}
Switch(config-if)#[no] switchport private-vlan mapping primary_vlan_ID {secondary_vlan_list | add secondary_vlan_list | remove secondary_vlan_list}

When you configure a Layer 2 interface as a PVLAN promiscuous port, note the following:

- The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single PVLAN ID or a hyphenated range of PVLAN IDs.
- Enter a secondary_vlan_list or use the add keyword with a secondary_vlan_list to map the secondary VLANs to the PVLAN promiscuous port.
- Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and the PVLAN promiscuous port.
- Use the no keyword to clear all mappings with the PVLAN promiscuous port.
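The eight configuration steps and the secondary_vlan_list rules above are easy to get wrong on a large switch, and a bad association or mapping quietly gives hosts that were meant to be isolated a path to each other. The following Python script is an added example, not Cisco code and not part of this course page. It models a PVLAN built by those steps, parses secondary_vlan_list strings under the stated rules (no spaces, comma-separated IDs, hyphenated ranges), checks the constraints the text states (one isolated VLAN per primary; a host port's secondary and a promiscuous port's mapped VLANs must be associated with the primary), and reports which ports can exchange frames under the primary/isolated/community forwarding rules described at the start of this section. Primary VLAN 202, isolated VLAN 440 and interfaces Fa5/1 and Fa5/2 are taken from the page's examples; community VLAN 450 and interfaces Fa5/3 through Fa5/5 are constructed for the example, and all function and class names are the example's own.

```python
# Added example (not Cisco code): model the PVLAN built by Steps 1-8 and check it.
from __future__ import annotations

import re
from dataclasses import dataclass, field

_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_secondary_vlan_list(text: str) -> list[int]:
    """Expand "440,450-452" into VLAN IDs: no spaces, comma-separated IDs or hyphenated ranges."""
    if " " in text:
        raise ValueError("secondary_vlan_list must not contain spaces")
    vlans: list[int] = []
    for item in text.split(","):
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"bad secondary_vlan_list item {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if lo > hi:
            raise ValueError(f"descending range {item!r}")
        vlans.extend(range(lo, hi + 1))
    return vlans


@dataclass
class PrimaryVlan:
    """A primary VLAN and the secondary VLANs associated with it (Step 4)."""
    vlan_id: int
    isolated: int | None = None
    communities: set[int] = field(default_factory=set)

    def associate(self, secondary: int, kind: str) -> None:
        if kind == "isolated":
            if self.isolated not in (None, secondary):  # only one isolated VLAN per primary
                raise ValueError(f"primary {self.vlan_id} already has isolated VLAN {self.isolated}")
            self.isolated = secondary
        elif kind == "community":
            self.communities.add(secondary)
        else:
            raise ValueError(f"unknown secondary VLAN type {kind!r}")

    def secondaries(self) -> set[int]:
        return ({self.isolated} if self.isolated is not None else set()) | self.communities


@dataclass
class Port:
    """A PVLAN port: host (Steps 5-6) or promiscuous (Steps 7-8)."""
    name: str
    mode: str              # "host" or "promiscuous"
    primary: int
    secondaries: set[int]  # host port: its single secondary VLAN; promiscuous: its mapped list


def validate(primaries: dict[int, PrimaryVlan], ports: list[Port]) -> list[str]:
    """Return constraint violations in a configuration; an empty list means it is clean."""
    errors = []
    for p in ports:
        pv = primaries.get(p.primary)
        if pv is None:
            errors.append(f"{p.name}: VLAN {p.primary} is not a PVLAN primary")
            continue
        if p.mode == "host" and len(p.secondaries) != 1:
            errors.append(f"{p.name}: a host port needs exactly one secondary VLAN")
        for s in sorted(p.secondaries - pv.secondaries()):
            errors.append(f"{p.name}: VLAN {s} is not associated with primary {p.primary}")
    return errors


def can_forward(src: Port, dst: Port, primaries: dict[int, PrimaryVlan]) -> bool:
    """Can a frame entering src be delivered out dst under the PVLAN forwarding rules?"""
    if src is dst or src.primary != dst.primary:
        return False
    if src.mode == "promiscuous":
        # Primary VLAN: promiscuous -> other promiscuous ports and hosts whose secondary it maps.
        return dst.mode == "promiscuous" or bool(dst.secondaries & src.secondaries)
    (sec,) = src.secondaries
    if dst.mode == "promiscuous":
        # Isolated/community VLAN: host -> a promiscuous port mapped to that secondary.
        return sec in dst.secondaries
    # Host -> host only inside one community VLAN; isolated hosts never reach each other.
    return sec in primaries[src.primary].communities and dst.secondaries == {sec}


def example_config() -> tuple[dict[int, PrimaryVlan], list[Port]]:
    """Constructed topology: primary 202 and isolated 440 from the page, community 450 made up."""
    pv = PrimaryVlan(202)
    pv.associate(440, "isolated")
    pv.associate(450, "community")
    ports = [
        Port("Fa5/2", "promiscuous", 202, set(parse_secondary_vlan_list("440,450"))),
        Port("Fa5/1", "host", 202, {440}),  # the page's host-association 202 440
        Port("Fa5/3", "host", 202, {440}),  # constructed: a second isolated host
        Port("Fa5/4", "host", 202, {450}),  # constructed: two community hosts
        Port("Fa5/5", "host", 202, {450}),
    ]
    return {202: pv}, ports


if __name__ == "__main__":
    primaries, ports = example_config()
    print("violations:", validate(primaries, ports) or "none")
    for a in ports:
        for b in ports:
            if a is not b:
                print(f"{a.name} -> {b.name}: {'allowed' if can_forward(a, b, primaries) else 'blocked'}")
```

Run as a script, the matrix shows the property the section is describing: the two isolated hosts Fa5/1 and Fa5/3 each reach the promiscuous port Fa5/2 and nothing else, the community hosts Fa5/4 and Fa5/5 reach each other and Fa5/2, and Fa5/2 reaches every host it is mapped to. The checker is deliberately strict about the page's one-isolated-VLAN rule and about mapping only associated secondaries, because those are the two mistakes that turn a PVLAN back into a flat broadcast domain.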
This example shows how to configure interface FastEthernet 5/2 as a PVLAN promiscuous port, map it to a PVLAN, and verify the configuration:

Switch#configure terminal
Switch(config)#interface fastethernet 5/2
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 202 440
Switch(config-if)#end
Switch#show interfaces fastethernet 5/2 switchport
Name: Fa5/2
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative private-vlan host-association: none ((Inactive))
Administrative private-vlan mapping: 202 (VLAN0202) 440 (VLAN0440)
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled

To configure a Layer 2 interface as a PVLAN host port, perform this procedure:

Switch(config)#interface {fastethernet | gigabitethernet} slot/port
Switch(config-if)#switchport mode private-vlan {host | promiscuous}
Switch(config-if)#[no] switchport private-vlan host-association primary_vlan_ID secondary_vlan_ID

This example shows how to configure interface FastEthernet 5/1 as a PVLAN host port and verify the configuration:

Switch#configure terminal
Switch(config)#interface fastethernet 5/1
Switch(config-if)#switchport mode private-vlan host
Switch(config-if)#switchport private-vlan host-association 202 440
Switch(config-if)#end
Switch#show interfaces fastethernet 5/1 switchport
Name: Fa5/1
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative private-vlan host-association: 202 (VLAN0202)
Administrative private-vlan mapping: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled

To permit routing of secondary VLAN ingress traffic, perform this procedure:

Switch(config)#interface vlan primary_vlan_ID
Switch(config-if)#[no] private-vlan mapping primary_vlan_ID {secondary_vlan_list | add secondary_vlan_list | remove secondary_vlan_list}

When you permit routing on the