
Implementing VLANs in Campus Networks


mikkel




Presentation Transcript


  1. Configuring PVLANs
     Implementing VLANs in Campus Networks

  2. Access Switch: Protected Port
     • Protected ports can communicate only with unprotected ports.
     • Protected ports are useful for access switches.
     • Configures a protected or unprotected port.

  3. About PVLANs
     • A primary VLAN is divided into secondary VLANs.
     • These secondary VLANs are either isolated or community VLANs.
     • A host on an isolated VLAN can communicate only with promiscuous ports.
     • Hosts on a community VLAN can also communicate with each other within the same community.
     • PVLANs are not supported on Catalyst 2960 switches.

  4. PVLAN Port Types
     • Isolated
       • Communicates with promiscuous ports only
     • Promiscuous
       • Communicates with all other ports
     • Community
       • Communicates with the other members of its community and with all promiscuous ports

  5. Isolated PVLAN Configuration
     • Set VTP to transparent mode.
     • Create the secondary VLANs.
     • Create a primary VLAN.
     • Associate the secondary and primary VLANs.
     • Configure each port as host or promiscuous.
     • Configure the private VLAN association on the ports.
     • Configure the VLAN mapping on the internal IP interface for the VLAN.

  6. Isolated PVLAN Configuration (1)
     Configure the private VLANs and the VLAN association.

       sw1(config)# vtp transparent
       sw1(config)# vlan 201
       sw1(config-vlan)# private-vlan isolated
       sw1(config)# vlan 100
       sw1(config-vlan)# private-vlan primary
       sw1(config-vlan)# private-vlan association add 201

       sw2(config)# vtp transparent
       sw2(config)# vlan 201
       sw2(config-vlan)# private-vlan isolated
       sw2(config)# vlan 100
       sw2(config-vlan)# private-vlan primary
       sw2(config-vlan)# private-vlan association add 201

  7. Isolated PVLAN Configuration (2)
     Configure the PVLAN host port.

       sw2(config)# interface range fastethernet 0/1 - 2
       sw2(config-if)# switchport mode private-vlan host
       sw2(config-if)# switchport private-vlan host-association 100 201

       sw2# show interfaces fastethernet 0/1 switchport
       Name: Fa0/1
       Switchport: Enabled
       Administrative Mode: private-vlan host
       Operational Mode: down
       Administrative Trunking Encapsulation: negotiate
       Negotiation of Trunking: On
       Access Mode VLAN: 1 (default)
       Trunking Native Mode VLAN: 1 (default)
       Administrative private-vlan host-association: 201 (VLAN0201)
       Administrative private-vlan mapping: none
       Operational private-vlan: none
       Trunking VLANs Enabled: ALL

  8. Isolated PVLAN Configuration (3)
     Configure the private VLAN promiscuous port.

       sw2(config)# interface fastethernet 0/12
       sw2(config-if)# switchport mode private-vlan promiscuous
       sw2(config-if)# switchport private-vlan mapping 100 201

       sw2# show interfaces fastethernet 0/12 switchport
       Name: Fa0/12
       Switchport: Enabled
       Administrative Mode: private-vlan promiscuous
       Operational Mode: down
       Administrative Trunking Encapsulation: negotiate
       Negotiation of Trunking: On
       Access Mode VLAN: 1 (default)
       Trunking Native Mode VLAN: 1 (default)
       Administrative private-vlan host-association: none ((Inactive))
       Administrative private-vlan mapping: 100 (VLAN0100) 201 (VLAN0201)
       Operational private-vlan: none
       Trunking VLANs Enabled: ALL

  9. Isolated PVLAN Verification
     Display the configured private VLANs, VLAN types, and mappings.

       sw# show vlan private-vlan
       Primary Secondary Type              Ports
       ------- --------- ----------------- ---------------------------
       100     201       isolated          fa0/1,fa0/2

       sw# show vlan private-vlan type
       Vlan Type
       ---- -----------------
       100  primary
       201  isolated

  10. Community PVLAN Configuration
     • Set VTP to transparent mode.
     • Create the secondary VLANs.
     • Create a primary VLAN.
     • Associate the secondary and primary VLANs.
     • Configure each port as host or promiscuous.
     • Configure the private VLAN association on the ports.
     • Configure a VLAN mapping on the internal IP interface for the VLAN.

  11. Community PVLAN Configuration (1)
     Configure the private VLANs and the VLAN association.

       sw1(config)# vtp transparent
       sw1(config)# vlan 202
       sw1(config-vlan)# private-vlan community
       sw1(config)# vlan 100
       sw1(config-vlan)# private-vlan primary
       sw1(config-vlan)# private-vlan association add 202

       sw2(config)# vtp transparent
       sw2(config)# vlan 202
       sw2(config-vlan)# private-vlan community
       sw2(config)# vlan 100
       sw2(config-vlan)# private-vlan primary
       sw2(config-vlan)# private-vlan association add 202

  12. Community PVLAN Configuration (2)
     Configure a private VLAN host port.

       sw2(config)# interface range fastethernet 0/1 - 2
       sw2(config-if)# switchport mode private-vlan host
       sw2(config-if)# switchport private-vlan host-association 100 202

       sw2# show interfaces fastethernet 0/1 switchport
       Name: Fa0/1
       Switchport: Enabled
       Administrative Mode: private-vlan host
       Operational Mode: down
       Administrative Trunking Encapsulation: negotiate
       Negotiation of Trunking: On
       Access Mode VLAN: 1 (default)
       Trunking Native Mode VLAN: 1 (default)
       Administrative private-vlan host-association: 202 (VLAN0202)
       Administrative private-vlan mapping: none
       Operational private-vlan: none
       Trunking VLANs Enabled: ALL

  13. Community PVLAN Configuration (3)
     Configure a private VLAN promiscuous port.

       sw2(config)# interface fastethernet 0/12
       sw2(config-if)# switchport mode private-vlan promiscuous
       sw2(config-if)# switchport private-vlan mapping 100 202

       sw2# show interfaces fastethernet 0/12 switchport
       Name: Fa0/12
       Switchport: Enabled
       Administrative Mode: private-vlan promiscuous
       Operational Mode: down
       Administrative Trunking Encapsulation: negotiate
       Negotiation of Trunking: On
       Access Mode VLAN: 1 (default)
       Trunking Native Mode VLAN: 1 (default)
       Administrative private-vlan host-association: none ((Inactive))
       Administrative private-vlan mapping: 100 (VLAN0100) 202 (VLAN0202)
       Operational private-vlan: none
       Trunking VLANs Enabled: ALL

  14. Community PVLAN Verification
     Display the configured private VLANs, VLAN types, and mappings.

       sw2# show vlan private-vlan
       Primary Secondary Type              Ports
       ------- --------- ----------------- ---------------------------
       100     202       community         fa0/1,fa0/2

       sw# show vlan private-vlan type
       Vlan Type
       ---- -----------------
       100  primary
       202  community

  15. PVLAN Example
     • DNS, web, and SMTP servers are in the DMZ and in the same subnet.
     • The DNS servers can communicate with each other and with the router.
     • The web and SMTP servers can communicate only with the router.

  16. PVLAN Example (Cont.)

       sw(config)# vtp transparent
       ! Isolated secondary VLAN for the web and SMTP servers
       sw(config)# vlan 201
       sw(config-vlan)# private-vlan isolated
       ! Community secondary VLAN for the DNS servers
       sw(config)# vlan 202
       sw(config-vlan)# private-vlan community
       sw(config)# vlan 100
       sw(config-vlan)# private-vlan primary
       sw(config-vlan)# private-vlan association 201,202
       ! Promiscuous port toward the router, mapped to both secondaries
       sw(config)# interface fastethernet 0/24
       sw(config-if)# switchport mode private-vlan promiscuous
       sw(config-if)# switchport private-vlan mapping 100 201,202
       ! DNS server ports: community VLAN 202
       sw(config)# interface range fastethernet 0/1 - 2
       sw(config-if)# switchport mode private-vlan host
       sw(config-if)# switchport private-vlan host-association 100 202
       ! Web and SMTP server ports: isolated VLAN 201
       sw(config)# interface range fastethernet 0/3 - 4
       sw(config-if)# switchport mode private-vlan host
       sw(config-if)# switchport private-vlan host-association 100 201
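The DMZ policy of slides 15 and 16, as an added example that is not part of the presentation: a Python model of the port-type forwarding rules from slide 4 applied to the configuration above, so the intended isolation can be verified (and a misplaced host-association caught) before it reaches a switch. The host role labels (router, dns1, dns2, web1, smtp1) are assumed from the slide's description; the slide itself gives only port numbers.

```python
# Added example (not from the presentation): a model of the PVLAN forwarding
# rules from the "PVLAN Port Types" slide, applied to the DMZ configuration on
# the "PVLAN Example" slide, to check the intended isolation before deployment.
ISOLATED, COMMUNITY, PROMISCUOUS, HOST = "isolated", "community", "promiscuous", "host"

# vlan 201 private-vlan isolated / vlan 202 private-vlan community
SECONDARY_TYPE = {201: ISOLATED, 202: COMMUNITY}

# Port table taken from the slide's interface commands: Fa0/24 promiscuous with
# mapping 100 -> {201, 202}; Fa0/1-2 host ports in 100/202; Fa0/3-4 in 100/201.
# The role labels (router, dns1, ...) are assumed; the slide gives port numbers only.
DMZ_PORTS = {
    "Fa0/24": ("router", PROMISCUOUS, 100, {201, 202}),
    "Fa0/1":  ("dns1",   HOST, 100, {202}),
    "Fa0/2":  ("dns2",   HOST, 100, {202}),
    "Fa0/3":  ("web1",   HOST, 100, {201}),
    "Fa0/4":  ("smtp1",  HOST, 100, {201}),
}

def can_talk(ports, a, b):
    """True if frames between ports a and b are forwarded under the PVLAN rules."""
    _, mode_a, prim_a, sec_a = ports[a]
    _, mode_b, prim_b, sec_b = ports[b]
    if prim_a != prim_b:
        return False                       # different primary VLANs: no path
    if mode_a == PROMISCUOUS and mode_b == PROMISCUOUS:
        return True                        # promiscuous ports reach everything
    if PROMISCUOUS in (mode_a, mode_b):
        return bool(sec_a & sec_b)         # host's secondary must be in the mapping
    (sa,), (sb,) = sec_a, sec_b            # a host port carries exactly one secondary
    return sa == sb and SECONDARY_TYPE[sa] == COMMUNITY   # isolated hosts never peer

def reachability(ports):
    """Map every port to the set of other ports it can reach."""
    return {p: {q for q in ports if q != p and can_talk(ports, p, q)} for p in ports}

def policy_violations(ports, expected):
    """Compare computed reachability with the intended policy. Returns the ports
    whose reachable set differs, each with its unexpected or missing peers."""
    actual = reachability(ports)
    return {p: actual[p] ^ expected[p] for p in ports if actual[p] != expected[p]}

# Intended DMZ policy from the slide: DNS servers reach each other and the
# router; web and SMTP servers reach only the router. Empty result = as intended.
DMZ_POLICY = {
    "Fa0/24": {"Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"},
    "Fa0/1": {"Fa0/2", "Fa0/24"}, "Fa0/2": {"Fa0/1", "Fa0/24"},
    "Fa0/3": {"Fa0/24"}, "Fa0/4": {"Fa0/24"},
}
```

Running `policy_violations(DMZ_PORTS, DMZ_POLICY)` returns an empty dict for the slide's configuration; moving Fa0/3 into community 202 (a typical copy-and-paste slip) makes it report the DNS ports that the web server could then reach.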

  17. PVLANs Across Multiple Switches
     • PVLANs can be carried over regular 802.1Q trunks.
     • PVLAN trunks can also be created explicitly, in isolated mode (when the downstream switch does not support PVLANs) or in promiscuous mode (when the upstream switch does not support PVLANs).

  18. Summary
     • Device-to-device communication within a single VLAN can be blocked with the protected port feature.
     • Device communication within the same VLAN can be fine-tuned using PVLANs.
     • A PVLAN is associated with a primary VLAN and then is mapped to one or several ports.
     • A primary VLAN can map to one isolated and several community VLANs.
     • A typical use of PVLANs is device isolation in a DMZ environment.
     • PVLANs can span several switches using regular 802.1Q trunks or PVLAN trunks.
