11-14
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
78-13315-02
Chapter 11 Configuring VLANs
Configuring Private VLANs
Understanding How Private VLANs Work
Private VLANs provide Layer 2 isolation between ports within the same private VLAN on the Catalyst 6000 family switches. Ports belonging to a private VLAN are associated with a common set of supporting VLANs that are used to create the private VLAN structure.
There are three types of private VLAN ports: promiscuous, isolated, and community.
• A promiscuous port communicates with all other private VLAN ports and is the port you use to communicate with routers, LocalDirector, backup servers, and administrative workstations.
• An isolated port has complete Layer 2 separation from other ports within the same private VLAN, with the exception of the promiscuous port.
• Community ports communicate among themselves and with their promiscuous ports. These ports are isolated at Layer 2 from all other ports in other communities or isolated ports within their private VLAN.
Privacy is granted at the Layer 2 level by blocking outgoing traffic to all isolated ports. All isolated ports
are assigned to an isolated VLAN where this hardware function occurs. Traffic received from an isolated
port is forwarded to all promiscuous ports only.
Within a private VLAN are four distinct classifications of VLANs: a single primary VLAN, a single
isolated VLAN, and a series of community or two-way community VLANs.
You must define each supporting VLAN within a private VLAN structure before you can configure the
private VLAN:
• Primary VLAN—Conveys incoming traffic from the promiscuous port to all other promiscuous, isolated, community, and two-way community ports.
• Isolated VLAN—Used by isolated ports to communicate to the promiscuous ports. The traffic from an isolated port is blocked on all adjacent ports within its PVLAN and can only be received by its promiscuous ports.
• Community VLAN—Unidirectional VLAN used by a group of community ports to communicate among themselves and transmit traffic to outside the PVLAN through the designated promiscuous port.
• Two-way community VLAN—Bidirectional VLAN used by a group of community ports to communicate among themselves and to and from community ports from and to the Multilayer Switch Feature Card (MSFC).
Note
With software release 6.2(1) and later releases, you can use two-way community VLANs to perform an inverse mapping from the primary VLAN to the secondary VLAN when the traffic crosses the boundary of a private VLAN through an MSFC promiscuous port. Both outbound and inbound traffic can be carried on the same VLAN, allowing VLAN-based features such as VACLs to be applied in both directions on a per-community (per customer) basis.
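The port-type rules above decide which ports can exchange frames and which supporting VLAN carries each port's traffic. The following model, an added example that is not part of the Cisco guide and not the switch's implementation, encodes those rules so that a private VLAN design can be checked for unintended reachability before it is deployed; the port names and VLAN numbers (100 primary, 101 isolated, 102 and 103 community) are constructed sample values.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

PROMISCUOUS, ISOLATED, COMMUNITY, TWOWAY = "promiscuous", "isolated", "community", "twoway-community"


@dataclass(frozen=True)
class Port:
    name: str
    kind: str                              # one of the four port types above
    secondary_vlan: Optional[int] = None   # isolated/community VLAN; None for promiscuous


def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame from src may be delivered to dst at Layer 2 within the private VLAN.

    Promiscuous ports reach everything; isolated ports reach promiscuous ports only;
    community and two-way community ports reach their own community plus the promiscuous
    ports.  Two isolated ports share one isolated VLAN yet are still blocked from each
    other, so isolation is decided by port type, not by VLAN membership.
    """
    if src is dst:
        return False
    if PROMISCUOUS in (src.kind, dst.kind):
        return True
    if ISOLATED in (src.kind, dst.kind):
        return False
    return src.secondary_vlan == dst.secondary_vlan   # both community: same community VLAN


def carrying_vlan(src: Port, primary_vlan: int) -> int:
    """VLAN on which src's traffic is carried: the primary VLAN for promiscuous ports,
    the port's own isolated or community VLAN for every other port type."""
    return primary_vlan if src.kind == PROMISCUOUS else src.secondary_vlan


def reachability(ports):
    """Sorted (src, dst) name pairs that can exchange frames; compare this list against
    the tenants' intended communication to catch an unintended path in the design."""
    return sorted((a.name, b.name) for a, b in product(ports, repeat=2) if can_forward(a, b))


# Constructed sample design: one gateway uplink, two isolated hosts, two communities.
PRIMARY = 100
PORTS = [
    Port("gw", PROMISCUOUS),                                   # router / backup server
    Port("iso1", ISOLATED, 101), Port("iso2", ISOLATED, 101),
    Port("custA1", COMMUNITY, 102), Port("custA2", COMMUNITY, 102),
    Port("custB1", TWOWAY, 103),
]

if __name__ == "__main__":
    for src, dst in reachability(PORTS):
        print(f"{src:>7} -> {dst}")
```

The model treats a two-way community port like a community port for port-to-port reachability; the difference the note describes (the return traffic from the MSFC riding the community VLAN instead of the primary VLAN) is not modelled.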
To create a private VLAN, you assign two or more normal VLANs in the normal VLAN range: one
VLAN is designated as a primary VLAN, and a second VLAN is designated as either an isolated,
community, or two-way community VLAN. If you choose, you can then designate additional VLANs as
separate isolated, community, or two-way community VLANs in this private VLAN. After designating
the VLANs, you must bind them together and associate them to the promiscuous port.
You can extend private VLANs across multiple Ethernet switches by trunking the primary, isolated, and
any community or two-way community VLANs to other switches that support private VLANs.