1288 Views | 0 Helpful | 13 Replies

Private vlan

adamgibs7
Level 6

Dears,

I have 100 of subnets in my corporate core switch. I need users in the same VLAN not to communicate with each other; how can I control them?

Please specify a solution apart from the below:

  • Private VLANs
  • VLAN access-map

Thanks

13 Replies

Seb Rupik
VIP Alumni

Hi there,

Are these users all connected to the same switch? If so, you could configure their switchport as protected:

!
int gix/x/x
  switchport protected
!

This will prevent these ports from communicating with each other.

You may also want to go a step further and block unknown unicast and multicast traffic to these ports:

!
int gix/x/x
  switchport protected
  switchport block unicast
  switchport block multicast
!

cheers,

Seb.

Dear,

If I have 3 switches on one floor with one VLAN X, where 2 switches are in a stack and the third one is standalone, in this scenario will switchport protected work for all hosts in that VLAN X, or will users on the stack switch be able to communicate with the standalone switch even though the switchport protected command is enabled on every port of the 3 switches?

If we apply switchport block unicast and multicast, then unknown flooding will not happen on these ports, so how will the switch come to know the host when it doesn't have it in its address table?

Thanks

Hello,

In addition to Seb's post, and depending on your platform, you also might want to look at PACLs (Port ACLs); see the link below for configuration details.

That said, VACLs are specifically designed for the purpose of controlling intra-VLAN traffic, which is what you are after, so eventually they will provide the best solution...

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.pdf

Dear George,

My goal is to block intra-VLAN traffic on the VLAN; how can I manage 254 MAC addresses per VLAN to restrict them per port on the switch?

Please correct me if I'm wrong.

Thanks

Dear Expert

Please reply

thanks

Hello,

What are you trying to accomplish? Allow one MAC address per port?

I want to accomplish that within one VLAN, hosts should not communicate with each other; they should only communicate with their default gateway.

Hello,

This is the very reason private VLANs were created. Is there a reason you can't use them?

As mentioned before, you could use protected ports, but those are only locally significant to a specific switch, so once traffic leaves that switch it will no longer remember whether it came from a protected port or not.

Because of this limitation, private VLANs were created. I do not believe there is another way to accomplish this.

Hope this helps!

-Bradley Selzer
CCIE# 60833

Dears

Let's assume I am going with Private VLAN; then for each VLAN's 254 hosts I have to create an isolated VLAN.

Hi there,

For each primary VLAN (eg: 100) you associate one isolated VLAN (eg: 101). That VLAN ID would be used for all 254 hosts.

 !
 vlan 100
  name PRIMARY_100
   private-vlan primary
   private-vlan association 101
 !
 vlan 101
  name PVLAN_101
   private-vlan isolated
 !

cheers,

Seb.

Will the private VLAN 101 be for each host or for each VLAN? I mean to say:

There are 254 hosts in one subnet, so for all hosts I have to create isolated VLANs from 101 to 354 and then associate VLANs 101-354 to primary VLAN 100.

Please correct me if I'm wrong.

thanks

You just need to create VLANs 100 and 101, so you would have something like:

!
interface gigabitEthernet0/1
    switchport mode private-vlan host
    switchport private-vlan host-association 100 101
!
interface gigabitEthernet0/2
    switchport mode private-vlan host
    switchport private-vlan host-association 100 101
!
interface gigabitEthernet0/3
    switchport mode private-vlan host
    switchport private-vlan host-association 100 101
!

cheers,

Seb.

thanks for your reply,

I have a query related to the promiscuous port: in my scenario I don't have a router; instead I have an ASA service module, and the private VLAN primary and secondary are forwarded to the ASA-SM. So if I have an ASA-SM module setup, then what procedure has to be followed?

Also the end user access port contains a voice VLAN, so I get the below error when applying the switchport mode command:

Switch(config-if)#int  gigabitEthernet 1/0/35
Switch(config-if)#switchport mode private-vlan host
Command rejected: Gi1/0/35 is configured with a voice Vlan.

 

Regards
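To tie the pieces of this thread together, here is a complete private VLAN configuration as an added example (not any poster's own config): primary VLAN 100 with isolated VLAN 101 from Seb's posts, host ports on an assumed Gi1/0/1-47, and an assumed physical uplink Gi1/0/48 toward the default gateway acting as the promiscuous port. It does not cover the ASA-SM or voice VLAN questions raised above; the SVI address 10.100.0.1 is a constructed sample.

```cisco
! Added example, not from this thread. Private VLANs require VTP transparent
! mode (or VTP version 3) on IOS switches before "private-vlan" is accepted.
vtp mode transparent
!
vlan 100
 name PRIMARY_100
 private-vlan primary
 private-vlan association 101
!
vlan 101
 name ISOLATED_101
 private-vlan isolated
!
! Host ports: all 254 hosts share the single isolated VLAN 101.
! One isolated VLAN per primary VLAN, not one per host.
interface range gigabitEthernet1/0/1 - 47
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Promiscuous port toward the default gateway (assumed on Gi1/0/48).
! Hosts in 101 can reach only this port; they cannot reach each other,
! and because the isolation is carried in the VLAN tag it also holds
! across an 802.1Q trunk that carries 100 and 101 to another PVLAN-aware
! switch, unlike "switchport protected", which is local to one switch.
interface gigabitEthernet1/0/48
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! If the switch itself is the gateway, map the secondary VLAN to the SVI
! instead of using a physical promiscuous port (constructed sample address):
! interface vlan 100
!  ip address 10.100.0.1 255.255.255.0
!  private-vlan mapping 101
!
! Verification:
! show vlan private-vlan
! show interfaces gigabitEthernet1/0/48 switchport
```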