142
Configuring the private VLAN
VLAN technology provides a method for isolating traffic from customers. At the access layer of a
network, customer traffic must be isolated for security or accounting purposes. If VLANs are
assigned on a per-user basis, a large number of VLANs will be required.
The private VLAN feature saves VLAN resources. It uses a two-tier VLAN structure as follows:
•
Primary
VLAN
—Used for upstream data exchange. A primary VLAN can be associated with
multiple secondary VLANs. The upstream device identifies only the primary VLAN.
•
Secondary
VLANs
—Used for connecting users. Secondary VLANs are isolated at Layer 2. To
implement Layer 3 communication between secondary VLANs associated with the primary
VLAN, enable local proxy ARP or ND on the upstream device (for example, L3 Device A
in
As shown in
, the private VLAN feature is enabled on L2 Device B. VLAN 10 is the primary
VLAN. VLANs 2, 5, and 8 are secondary VLANs that are associated with VLAN 10. L3 Device A is
only aware of VLAN 10.
Figure 44 Private VLAN example
If the private VLAN feature is configured on a Layer 3 device, use one of the following methods on
the Layer 3 device to enable Layer 3 communication. Layer 3 communication might be required
between secondary VLANs that are associated with the same primary VLAN, or between secondary
VLANs and other networks.
•
Method 1:
a.
Create VLAN interfaces for the secondary VLANs.
b.
Assign IP addresses to the secondary VLAN interfaces.
•
Method 2:
c.
Enable Layer 3 communication between the secondary VLANs that are associated with the
primary VLAN.
d.
Create the VLAN interface for the primary VLAN and assign an IP address to it. (Do not
create secondary VLAN interfaces if you use this method.)
e.
Enable local proxy ARP or ND on the primary VLAN interface.
The private VLAN feature cannot be used with IP multicast.
Configuration task list
To configure the private VLAN feature, perform the following tasks:
1.
Configure the primary VLAN.
Содержание H3C S7500E-X
Страница 70: ...57 ...