Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
554
Views
0
Helpful
3
Replies

Private VLANs simple config help

Andy White
Level 3
Level 3

‎03-16-2013 01:21 AM - edited ‎03-07-2019 12:16 PM

Hi,

Have you ever had an area of network that doesn't 'click' with you, well PVLANs just isnt with me.  It seems we have a site that is on one VLAN that has hosts that shouldn't be able to communicate with each other, but need to talk to an on-site server in the same VLAN and remote servers via the router, how can I do this?  I'm wondering if someone can help with the config and it may make sense on a LAN I understand.

Or can VACLs do this?

pvlan.JPG

Thanks

Labels:
0 Helpful
3 Replies 3

blau grana
Level 7
Level 7

‎03-16-2013 03:43 AM

Hello Andy,

This config should do it:

hostname switch1

vlan 100

private-vlan primary

private-vlan association 10

vlan 10

private-vlan isolated

int xyz

description to host

switchport private-vlan host

switchport mode private-vlan host-association 100 10

hostname switch2

vlan 100

private-vlan primary

private-vlan association 10

vlan 10

private-vlan isolated

int xyz

description to host

switchport mode private-vlan host

switchport private-vlan host-association 100 10

hostname switch-empty

vlan 100

private-vlan primary

private-vlan association 10

vlan 10

private-vlan isolated

int xyz

description to server

switchport mode private-vlan promiscuous

switchport mode private-vlan mapping 100 10

int xyz

description to router

switchport mode private-vlan promiscuous

switchport mode private-vlan mapping 100 10

Each switch has to be manually configured with vlans (VTP do not support private vlans) and mappings.

Trunks between switch must allow both vlans.

Check this for details:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions
0 Helpful

Andrew White
Level 2
Level 2
In response to blau grana

‎03-16-2013 06:53 AM

So I am trying to understand this, you created a new VLAN (100) and put the router and server into it and associated VLAN 10 with 100 and isolated the host ports so they can't communicate with each other and set the server and router to promiscuous mode as they need to contact everything?

0 Helpful

blau grana
Level 7
Level 7
In response to Andrew White

‎03-16-2013 07:04 AM

yes.

primary vlan 100 is associated with isolated vlan 10.

isolated vlan - hosts associated with this vlan can reach only primary vlan, not any other secondary vlan(isolated, community) also host associated with this vlan cannot communicate with each other, they can communicate only with primary vlan.

host vs promiscuous

host - switchport connected to regular host, port communicate only with promiscuous ports or ports on same community vlan, not with same ports in isolated vlan.

promiscuous - switchport connected to router (some gateway), this type of port can communicate with any ports associated with primary or secondary vlans.

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions
0 Helpful
Customers Also Viewed These Support Documents