11-21
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 11 Configuring VLANs
Configuring Private VLANs on the Switch
To create a private VLAN, you assign two or more VLANs from the normal VLAN range: one VLAN is
designated as the primary VLAN, and a second VLAN is designated as an isolated, community, or two-way
community VLAN (a secondary VLAN). You can then designate additional VLANs as separate isolated,
community, or two-way community VLANs within the same private VLAN. After designating the VLANs,
you must bind each secondary VLAN to the primary VLAN and map them to the promiscuous port.
You can extend a private VLAN across multiple Ethernet switches by trunking the primary, isolated,
and any community or two-way community VLANs to the other switches, provided those switches support
private VLANs.
In an Ethernet-switched environment, you can assign an individual VLAN and its associated IP subnet to
each individual station or to each common group of stations. The servers require only the ability to
communicate with a default gateway to reach end points outside the VLAN itself. By placing these
stations, regardless of ownership, into one private VLAN, you can do the following:
• Designate the server ports as isolated to prevent any interserver communication at Layer 2.
• Designate the ports to which the default gateway(s), backup server, or LocalDirector are attached as
promiscuous so that all stations can reach these gateways.
• Reduce VLAN and subnet consumption. You need to allocate only one IP subnet to the entire group of
stations because all stations reside in one common private VLAN.
On an MSFC port or a nontrunk promiscuous port, you can map as many isolated or community VLANs as
desired. The two port types differ in what they can connect: a nontrunk promiscuous port can be mapped
to only one primary VLAN, and an MSFC port can connect only the MSFC router. With a nontrunk
promiscuous port, you can connect a wide range of devices as “access points” to a private VLAN. For
example, you can connect a nontrunk promiscuous port to the “server port” of a LocalDirector and map a
number of isolated or community VLANs to the server VLAN so that the LocalDirector can load balance the
servers that reside in those isolated or community VLANs, or you can use a nontrunk promiscuous port to
monitor and/or back up all the private VLAN servers from an administration workstation.
Note
A two-way community VLAN can be mapped only on the MSFC promiscuous port (it cannot be mapped
on nontrunk or other types of promiscuous ports).
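The procedure described above (designate the VLANs, bind the secondary VLANs to the primary, map them to the promiscuous and MSFC ports, and optionally trunk the private VLAN to another switch), worked through as a CatOS command sequence. This is an added example and not an excerpt from the configuration guide; the VLAN numbers, the host ports on module 3, the promiscuous port 3/24, the trunk port 1/1, and the MSFC port 15/1 (the MSFC on a supervisor in slot 1) are assumptions chosen for illustration.

```text
! Added example, not from the configuration guide. All VLAN and port numbers are assumptions.

! Step 1: designate the primary VLAN and the secondary VLANs.
Console> (enable) set vlan 100 pvlan-type primary
Console> (enable) set vlan 101 pvlan-type isolated
Console> (enable) set vlan 102 pvlan-type community
Console> (enable) set vlan 103 pvlan-type twoway-community

! Step 2: bind each secondary VLAN to the primary VLAN and assign host ports to it.
! Isolated server ports: no Layer 2 communication between them.
Console> (enable) set pvlan 100 101 3/1-8
! Community server ports: may talk to each other at Layer 2 and to the promiscuous ports.
Console> (enable) set pvlan 100 102 3/9-12
! Two-way community server ports.
Console> (enable) set pvlan 100 103 3/13-16

! Step 3: map the secondary VLANs to the promiscuous ports.
! Nontrunk promiscuous port (backup server / LocalDirector server port):
! one primary VLAN only, but any number of isolated or community VLANs.
Console> (enable) set pvlan mapping 100 101 3/24
Console> (enable) set pvlan mapping 100 102 3/24
! MSFC port (default gateway). Only the MSFC port may be mapped to the two-way community VLAN.
Console> (enable) set pvlan mapping 100 101 15/1
Console> (enable) set pvlan mapping 100 102 15/1
Console> (enable) set pvlan mapping 100 103 15/1

! Step 4 (optional): extend the private VLAN to a second switch over a trunk that
! carries the primary VLAN and all of its secondary VLANs, and nothing else.
Console> (enable) set trunk 1/1 on dot1q
Console> (enable) clear trunk 1/1 2-99,104-1005

! Verify the bindings and the promiscuous mappings before connecting servers.
Console> (enable) show pvlan
Console> (enable) show pvlan mapping
Console> (enable) show pvlan mapping 3/24
```

Two checks are worth making after applying such a configuration. First, `show pvlan` should list VLAN 100 as primary with 101, 102, and 103 bound to it, and `show pvlan mapping` should show 3/24 mapped only to 101 and 102 and 15/1 to all three; a two-way community VLAN mapped to a nontrunk promiscuous port is rejected by the switch, as the note above states. Second, the isolation this configuration provides is a Layer 2 property only: two isolated servers cannot exchange frames directly, but a frame addressed to the gateway's MAC address with another isolated server's IP address is routed by the MSFC back into the same subnet. If interserver traffic must be blocked rather than merely kept off the Layer 2 segment, an ACL on the MSFC interface (or a VACL) that drops traffic whose source and destination both lie in the private VLAN's subnet is required in addition to the commands shown here.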
Private VLAN Configuration Guidelines
This section describes the guidelines for configuring private VLANs:
Note
In this section, the term community VLAN is used for both the unidirectional community VLANs and
two-way community VLANs unless specifically differentiated.
Note
If VLAN port-provisioning verification is enabled, you must specify the VLAN name in addition to the
VLAN number when assigning the switch ports to the primary and secondary VLANs. For more
information, see the “Enabling or Disabling VLAN Port-Provisioning Verification” section on page 11-12.
• Designate one VLAN as the primary VLAN.
• You have the option of designating one VLAN as an isolated VLAN, but each private VLAN can contain
only one isolated VLAN.