Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 47 Configuring Private VLANs
About Private VLANs
In a switched environment, you can assign an individual PVLAN and associated IP subnet to each individual end station or to a common group of end stations. The end stations need to communicate only with a default gateway to communicate outside the PVLAN.

You can use PVLANs to control access to end stations in these ways:

• Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2. For example, if the end stations are servers, this configuration prevents Layer 2 communication between the servers.

• Configure interfaces connected to default gateways and selected end stations (such as backup servers) as promiscuous ports to allow all end stations access to a default gateway.

• Reduce VLAN and IP subnet consumption; you can prevent traffic between end stations even though they are in the same VLAN and IP subnet.

With a promiscuous port, you can connect a wide range of devices as access points to a PVLAN. For example, you can connect a promiscuous port to the server port of a LocalDirector to connect an isolated VLAN or a number of community (or two-way community) VLANs to the server. LocalDirector can load balance the servers present in the isolated, community, or two-way community VLANs, or you can use a promiscuous port to monitor or back up all the PVLAN servers from an administration workstation.
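The following configuration is an added example, not text from the Cisco guide, showing the three port roles described above on a Catalyst 4500: two isolated server ports that cannot reach each other at Layer 2, a community port, and one promiscuous port facing the default gateway. The VLAN numbers (100, 101, 102), interface names, descriptions and the SVI address 192.0.2.1 are constructed for illustration; adjust them to your own numbering.

```cisco
! Added example (not from the Cisco guide). VLAN numbers, interface names and
! the SVI address below are constructed for illustration.
!
! PVLANs on the Catalyst 4500 require VTP transparent mode (VTP versions 1 and 2).
vtp mode transparent
!
! Primary VLAN 100 carries downstream traffic from the promiscuous port
! toward every associated secondary VLAN.
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Secondary VLANs: 101 is isolated (every host cut off from every other host),
! 102 is a community (members reach each other and the promiscuous port only).
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
! Isolated host ports: server-a and server-b share the subnet but cannot
! exchange Layer 2 frames with each other, only with the promiscuous port.
interface GigabitEthernet1/1
 description server-a (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet1/2
 description server-b (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community host port: talks to other members of VLAN 102 and to the gateway,
! but not to the isolated servers.
interface GigabitEthernet1/3
 description backup-client (community)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port toward the default gateway (or a backup server): it reaches
! every secondary VLAN listed in its mapping.
interface GigabitEthernet1/5
 description default-gateway (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Optional: if the switch itself routes for the PVLAN, one SVI on the primary
! VLAN serves all secondary VLANs; the mapping makes their traffic reach it.
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 101,102
!
! Verification after applying the configuration:
! show vlan private-vlan
! show interfaces GigabitEthernet1/1 switchport
```

The check worth running after every change is `show vlan private-vlan`: a host port whose secondary VLAN is missing from the primary's association list, or a promiscuous port whose mapping omits a secondary VLAN, silently loses the isolation or reachability the design intended.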
PVLAN Terminology
The following terms are used in this chapter:

PVLANs
    PVLANs are sets of VLAN pairs that share a common primary identifier and provide a mechanism for achieving Layer 2 separation between ports while sharing a single Layer 3 router port and IP subnet.

Secondary VLAN
    A type of VLAN used to implement PVLANs. Secondary VLANs are associated with a primary VLAN, and are used to carry traffic from hosts to other allowed hosts or to routers.

Community Port
    A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their PVLAN.

Community VLAN
    A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port gateways and to other host ports in the same community. You can configure multiple community VLANs in a PVLAN.