A primary VLAN must be associated with its secondary VLANs through an association statement. The primary VLAN can communicate with the secondary VLANs. Secondary VLANs can communicate with the primary VLAN, but not with other secondary VLANs unless they are in the same "community." Secondary VLANs can be one of these two types:
- Isolated - isolated from everything except the primary VLAN. CANNOT communicate with any other secondary VLAN, not even with other hosts in the same isolated VLAN.
- Community - secondary community hosts can communicate with each other, but not with any other secondary VLANs. They can also communicate with the primary VLAN, i.e. the normal VLAN.
Ports in a private VLAN are set to one of these two modes:
- Promiscuous - use this for routers/firewalls/gateways. Ports in promiscuous mode bypass the rules of private VLANs and can communicate with any secondary or primary VLAN of any type (isolated or community).
- Host - connected to a regular host... must abide by the private VLAN rulesets.
(config-vlan)private-vlan [isolated | primary | community] - set the VLAN type
(config-vlan)private-vlan association [add | remove] [secondary vlan list] - use this on the primary VLAN to associate the secondary VLANs ***
(config-if)switchport mode private-vlan [host | promiscuous] - set the port mode
(config-if)switchport private-vlan host-association [primary vlan id] [secondary vlan id] - if in host mode
(config-if)switchport private-vlan mapping [primary vlan id] [add | remove] [secondary vlan list] - this is for promiscuous mode; the equivalent private-vlan mapping command is used to apply mappings to SVIs as well.
Look familiar? :) It basically replaces these:
(config-if)switchport mode access
(config-if)switchport access vlan [vlan-id]
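A complete configuration that ties the commands above together, added here as an example and not part of the original note. VLAN IDs 100/101/102, the interface names, the IOS platform and the SVI address are all assumed values.

```cisco
! Added example, not from the original note. Assumptions: primary VLAN 100,
! isolated VLAN 101, community VLAN 102, Gi1/0/1 is the uplink to the firewall,
! Gi1/0/2-3 are isolated hosts, Gi1/0/4-5 are community hosts.
! Private VLANs require VTP transparent mode when VTP version 1 or 2 is in use.
vtp mode transparent
!
! Define the secondary VLANs first, then the primary with its association.
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Promiscuous port towards the firewall: reachable from every secondary VLAN.
interface GigabitEthernet1/0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Isolated hosts: each one can reach only the firewall, never its neighbours.
interface range GigabitEthernet1/0/2 - 3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community hosts: can reach each other and the firewall, but not VLAN 101.
interface range GigabitEthernet1/0/4 - 5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Layer-3 gateway on the primary VLAN; the SVI needs its own mapping so that
! traffic from both secondary VLANs can be routed.
interface Vlan100
 ip address 10.0.100.1 255.255.255.0
 private-vlan mapping 101,102
!
! Verify the result with:
!   show vlan private-vlan
!   show interfaces GigabitEthernet1/0/2 switchport
```

`show vlan private-vlan` should list 100 as primary with 101 (isolated) and 102 (community) attached to it, and the switchport output for a host port should show the 100/101 or 100/102 association.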