Thursday, November 18, 2010

Private VLAN

A private VLAN (PVLAN) is used to restrict a client so that it can only reach a specific port or a limited set of users. Each port can be configured in one of 3 ways:

1. Promiscuous mode, where the client attached to that port can reach hosts in the primary VLAN and in every secondary VLAN. Usually this mode is applied to gateway devices such as routers.

2. Isolated mode, where the client can only communicate with the primary VLAN and with devices on promiscuous ports, but not with hosts in the same secondary VLAN (same VLAN) or in a different secondary VLAN (different VLAN). Basically the client has only a one-to-one relationship with the gateway.

3. Community mode, where the client can communicate only with other hosts in the same secondary VLAN and with devices on promiscuous ports, but not with hosts in another secondary VLAN (different VLAN).


The configuration of the private VLAN is shown below:

(config)#vlan <vlan-id>
(config-vlan)#private-vlan community // it can also be set as isolated or primary
Private VLANs can only be configured when the switch is in VTP transparent mode*. Then the secondary private VLAN needs to be associated with a primary VLAN:
(config-vlan)#private-vlan association <secondary-vlan-list> // entered under the primary VLAN; note that the primary VLAN needs to be created first, it will not be created automatically

Then the port needs to be set in private-VLAN mode:
(config)#interface fastethernet <slot/port> // the port that we want to set
(config-if)#switchport mode access // make it an access port first
(config-if)#switchport mode private-vlan {host | promiscuous} // host is used when we want to define the port attached to the client, promiscuous is used when we want to define the port attached to the gateway device.
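As an added example (not code from the original post), here is a small Python audit that parses the vlan and interface sections of a Cisco IOS running-config and checks the relationships described above: that every isolated or community VLAN is associated with a primary VLAN, and that every private-VLAN port actually has a host-association or mapping pointing at an associated secondary VLAN. The sample config is constructed, and the host-association and mapping lines it expects are my assumption about the switch's syntax, not text from the post.

```python
# Constructed sample running-config (not from the original post); VLAN 103, Gi1/0/3 and Gi1/0/4 are deliberately wrong.
SAMPLE_CONFIG = """\
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
vlan 103
 private-vlan community
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet1/0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 103
interface GigabitEthernet1/0/4
 switchport mode private-vlan host
"""
def parse_pvlan(text):
    # vlans: id -> [type, associated secondary ids]; ports: name -> [mode, primary id, secondary ids]
    vlans, ports, cur = {}, {}, None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "vlan" and t[1].isdigit():
            cur = vlans[int(t[1])] = ["", set()]
        elif t[0] == "interface":
            cur = ports[t[1]] = ["", None, set()]
        elif t[:2] == ["private-vlan", "association"]:
            cur[1] = set(map(int, t[2].split(",")))
        elif t[0] == "private-vlan":            # primary | isolated | community
            cur[0] = t[1]
        elif t[:3] == ["switchport", "mode", "private-vlan"]:
            cur[0] = t[3]                       # host | promiscuous
        elif t[:2] == ["switchport", "private-vlan"]:   # host-association or mapping
            cur[1], cur[2] = int(t[3]), set(map(int, t[4].split(",")))
    return vlans, ports

def audit_pvlan(text):
    # Flag secondary VLANs nobody is associated with and PVLAN ports whose association is missing or dangling.
    vlans, ports = parse_pvlan(text)
    primaries = {v: a for v, (k, a) in vlans.items() if k == "primary"}
    findings = []
    for vid, (kind, _) in vlans.items():
        if kind in ("isolated", "community") and not any(vid in a for a in primaries.values()):
            findings.append(f"vlan {vid}: {kind} VLAN is not associated with any primary VLAN")
    for name, (mode, primary, secs) in ports.items():
        if mode and primary is None:
            findings.append(f"{name}: {mode} port has no host-association or mapping")
        elif mode and not secs <= primaries.get(primary, set()):
            findings.append(f"{name}: secondary VLAN {sorted(secs)} is not associated with primary {primary}")
    return findings
```

Run `audit_pvlan(open("running-config").read())` against a saved `show running-config` to get the list of findings; an empty list means every secondary VLAN and every PVLAN port is tied to a primary VLAN as intended.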