A private VLAN is used to restrict a client so that it can only access a specific port or limited users. Each port can be configured in 3 ways:
1. Promiscuous mode where the client attached to that port can access primary and secondary VLAN clients. Usually, this mode is applied to gateway devices such as routers
2. Isolated mode where the client can only communicate with the primary VLAN and with devices in promiscuous ports., but not to the host in the same secondary VLAN (Same VLAN) or different secondary VLAN (different VLAN). Basically the client can communicate only a one-on-one relationship with the gateway.
3. Community mode where the client can communicate only with other host in the same secondary VLAN, and with devices in promiscuous ports, but not to other host in secondary VLAN (different VLAN)
The configuration of the private VLAN is shown below:
(config)#vlan
(config-vlan)#private-vlan community // it can also be set as isolated or primary
Private VLAN need to be set only on VTP transparent mode*. Then the private VLAN needs to be associated to a primary VLAN.
(config-vlan)#private association
Then the port needs to be set in private mode:
(config)#interface fast
(config)#switchport mode access // make it an access port first
(config)#switchport mode private-vlan
1. Promiscuous mode where the client attached to that port can access primary and secondary VLAN clients. Usually, this mode is applied to gateway devices such as routers
2. Isolated mode where the client can only communicate with the primary VLAN and with devices in promiscuous ports., but not to the host in the same secondary VLAN (Same VLAN) or different secondary VLAN (different VLAN). Basically the client can communicate only a one-on-one relationship with the gateway.
3. Community mode where the client can communicate only with other host in the same secondary VLAN, and with devices in promiscuous ports, but not to other host in secondary VLAN (different VLAN)
The configuration of the private VLAN is shown below:
(config)#vlan
(config-vlan)#private-vlan community // it can also be set as isolated or primary
Private VLAN need to be set only on VTP transparent mode*. Then the private VLAN needs to be associated to a primary VLAN.
(config-vlan)#private association
Then the port needs to be set in private mode:
(config)#interface fast
(config)#switchport mode access // make it an access port first
(config)#switchport mode private-vlan
No comments:
Post a Comment