Friday, June 12, 2009

Cisco Switch Private VLAN (PVLAN) Configuration

PVLAN Background:
PVLANs provide Layer 2 isolation between ports that belong to the same broadcast domain. They can be configured on a Layer 2 or Layer 3 switch.

Please check Cisco's Private VLAN Catalyst Switch Support Matrix to see if your switch supports PVLANs.

PVLANs use three types of ports:
Promiscuous ports - can communicate with every other port in the private VLAN (isolated, community, and other promiscuous ports).
Isolated ports - have complete Layer 2 separation from all other ports within the same PVLAN. Isolated ports can communicate only with promiscuous ports.
Community ports - communicate among themselves (within the same community VLAN) and with their promiscuous ports.

Private VLAN ports are associated with a set of supporting VLANs that are used to create the private VLAN structure.
A private VLAN is built from three kinds of VLANs:

Primary VLAN - carries traffic from promiscuous ports to isolated, community, and other promiscuous ports.
Isolated VLAN - carries traffic from isolated ports to promiscuous ports.
Community VLAN - carries traffic between community ports and to promiscuous ports. You can configure multiple community VLANs in a private VLAN.

With the configuration below, the ports in each of the following groups can communicate with each other, and no other pairs can:
These three ports can communicate with each other: Gig2/2 (community 100), Gig2/3 (community 100), Gig2/1 (promiscuous)
These three ports can communicate with each other: Gig2/4 (community 200), Gig2/5 (community 200), Gig2/1 (promiscuous)
These two ports can communicate with each other: Gig2/6 (isolated), Gig2/1 (promiscuous)
These two ports can communicate with each other: Gig2/7 (isolated), Gig2/1 (promiscuous)

Switch(config)#vlan 100
Switch(config-vlan)#private-vlan community
Switch(config)#vlan 200
Switch(config-vlan)#private-vlan community
Switch(config)#vlan 86
Switch(config-vlan)#private-vlan isolated
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#private-vlan association 100,200,86

Switch(config)#interface gig2/1
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 10 100,200,86

Switch(config)#interface range Gig2/2 - 3
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 100

Switch(config)#interface range Gig2/4 - 5
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 200

Switch(config)#interface range Gig2/6 - 7
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 86
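To confirm that the configuration above produces exactly the reachability groups listed earlier, here is an added Python model of the PVLAN forwarding rules (not a Cisco tool and not part of the original post); the VLAN numbers and port table are copied from the configuration, and the port role names are assumptions of the model.

```python
from itertools import combinations

# Constructed from the configuration above: primary VLAN 10 with two
# community secondaries (100, 200) and one isolated secondary (86).
PRIMARY = 10
SECONDARY_TYPE = {100: "community", 200: "community", 86: "isolated"}
ASSOCIATED = {100, 200, 86}  # private-vlan association on VLAN 10

# Promiscuous ports carry the set of secondaries they map; host ports
# carry the single secondary VLAN from their host-association.
PORTS = {
    "Gig2/1": ("promiscuous", {100, 200, 86}),
    "Gig2/2": ("host", 100), "Gig2/3": ("host", 100),
    "Gig2/4": ("host", 200), "Gig2/5": ("host", 200),
    "Gig2/6": ("host", 86),  "Gig2/7": ("host", 86),
}

def config_errors():
    """Report secondary VLANs used by a port but not associated with the primary."""
    errors = []
    for name, (role, sec) in PORTS.items():
        used = sec if role == "promiscuous" else {sec}
        for vlan in sorted(used - ASSOCIATED):
            errors.append(f"{name}: VLAN {vlan} not associated with primary {PRIMARY}")
    return errors

def can_talk(a, b):
    """Apply the PVLAN rules to two ports of the same primary VLAN."""
    role_a, sec_a = PORTS[a]
    role_b, sec_b = PORTS[b]
    if role_a == "promiscuous" and role_b == "promiscuous":
        return True                    # promiscuous ports always reach each other
    if role_a == "promiscuous":
        return sec_b in sec_a          # host reaches promiscuous via its mapped secondary
    if role_b == "promiscuous":
        return sec_a in sec_b
    # Two host ports: only members of the same community VLAN may talk;
    # isolated ports never reach each other, even on the same isolated VLAN.
    return sec_a == sec_b and SECONDARY_TYPE[sec_a] == "community"

def peers(port):
    """Ports that can exchange Layer 2 traffic with the given port."""
    return sorted(p for p in PORTS if p != port and can_talk(port, p))

def allowed_pairs():
    return sorted(tuple(sorted(pair)) for pair in combinations(PORTS, 2) if can_talk(*pair))

if __name__ == "__main__":
    for err in config_errors():
        print("config:", err)
    for port in PORTS:
        print(port, "->", ", ".join(peers(port)) or "(none)")
```

Running it prints one line per port listing its reachable peers, which should match the four groups listed above; any `config:` line flags a secondary VLAN that was never associated with the primary.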

