Wednesday, March 14, 2012

Cisco Private VLAN Configuration

There are three kinds of ports in a private VLAN:
isolated, community, and promiscuous.
There are three kinds of private VLANs:
primary VLAN, isolated VLAN, and community VLAN.
The commands to configure each are:
vlan 901
private-vlan isolated
vlan 902
private-vlan community
vlan 900
private-vlan primary

The primary VLAN can communicate with both the isolated VLAN and the community VLAN associated with it.
Isolated VLANs and community VLANs are both secondary VLANs. The difference between them: hosts in the same isolated VLAN cannot communicate with each other, while hosts in the same community VLAN can. Both kinds can communicate with the associated primary VLAN.

The commands to associate a primary VLAN with its secondary VLANs are:
vlan 900
private-vlan primary
private-vlan association 901,902
Note that a primary VLAN can be associated with only one isolated VLAN plus any number of community VLANs.

The commands to put a port into an isolated VLAN or a community VLAN are:
interface GigabitEthernet4/11
switchport
switchport private-vlan host-association 900 901
switchport mode private-vlan host
//because 901 is an isolated VLAN, g4/11 is now an isolated port

interface GigabitEthernet4/12
switchport
switchport private-vlan host-association 900 902
switchport mode private-vlan host
//because 902 is a community VLAN, g4/12 is now a community port

Note that inside a private VLAN the line switchport access vlan xxx no longer has any effect.
What takes effect is switchport private-vlan host-association 900 902, which puts the port into primary VLAN 900 and secondary VLAN 902.

The commands to put a port into the primary VLAN are:
interface GigabitEthernet4/14
switchport
switchport private-vlan mapping 900 901,902
switchport mode private-vlan promiscuous
//g4/14 is now a promiscuous port
Likewise, switchport access vlan xxx no longer has any effect;
what takes effect is switchport private-vlan mapping 900 901,902, which puts the port into primary VLAN 900 and secondary VLANs 901 and 902.
Note that a promiscuous port can belong to several secondary VLANs but to only one primary VLAN, just as an ordinary access port can belong to only one VLAN.
A Layer 3 address for the VLAN can only be configured on the primary VLAN. This also shows that in some respects the primary VLAN works like an ordinary VLAN, while secondary VLANs are more special.

Below are two ways to let 4/11 and 4/12 communicate with 4/14 while 4/11 and 4/12 cannot communicate with each other.
Method one, using an isolated VLAN:

vlan 901
private-vlan isolated

vlan 900
private-vlan primary
private-vlan association 901

interface GigabitEthernet4/11
switchport
switchport private-vlan host-association 900 901
switchport mode private-vlan host

interface GigabitEthernet4/12
switchport
switchport private-vlan host-association 900 901
switchport mode private-vlan host

interface GigabitEthernet4/14
switchport
switchport private-vlan mapping 900 901
switchport mode private-vlan promiscuous
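To check the rules above against a concrete configuration, here is an added Python example (not from the original post and not a Cisco tool) that parses an IOS-style private VLAN snippet, validates the constraints the post states (one isolated VLAN per primary, host ports carrying exactly one secondary VLAN that is associated with their primary), and applies the forwarding rules to a pair of ports. The configuration is constructed for the example: it takes method one above and adds hypothetical community ports GigabitEthernet4/13 and GigabitEthernet4/15 in community VLAN 902 so that both the isolated and the community behaviour can be exercised.

```python
import re

# Constructed IOS-style configuration for this example (not from the post).
# Method one from the text (g4/11, g4/12 isolated in 901, g4/14 promiscuous)
# plus hypothetical community ports g4/13 and g4/15 in VLAN 902.
SAMPLE_CONFIG = """
vlan 901
 private-vlan isolated
vlan 902
 private-vlan community
vlan 900
 private-vlan primary
 private-vlan association 901,902
interface GigabitEthernet4/11
 switchport
 switchport private-vlan host-association 900 901
 switchport mode private-vlan host
interface GigabitEthernet4/12
 switchport
 switchport private-vlan host-association 900 901
 switchport mode private-vlan host
interface GigabitEthernet4/13
 switchport
 switchport private-vlan host-association 900 902
 switchport mode private-vlan host
interface GigabitEthernet4/15
 switchport
 switchport private-vlan host-association 900 902
 switchport mode private-vlan host
interface GigabitEthernet4/14
 switchport
 switchport private-vlan mapping 900 901,902
 switchport mode private-vlan promiscuous
"""


def vlan_list(text):
    """Turn '901,902' into [901, 902]."""
    return [int(v) for v in text.split(",")]


def parse_pvlan(config):
    """Return (vlan_types, associations, ports) from an IOS-style config.

    vlan_types:   {901: 'isolated', 902: 'community', 900: 'primary'}
    associations: {900: {901, 902}}            primary -> its secondary VLANs
    ports:        {name: {'mode': 'host'|'promiscuous', 'primary': 900, 'secondaries': {...}}}
    """
    vlan_types, associations, ports = {}, {}, {}
    cur_vlan = cur_if = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"vlan (\d+)$", line):
            cur_vlan, cur_if = int(m.group(1)), None
        elif m := re.match(r"interface (\S+)$", line):
            cur_if, cur_vlan = m.group(1), None
            ports[cur_if] = {"mode": None, "primary": None, "secondaries": set()}
        elif cur_vlan is not None:
            if m := re.match(r"private-vlan (isolated|community|primary)$", line):
                vlan_types[cur_vlan] = m.group(1)
            elif m := re.match(r"private-vlan association ([\d,]+)$", line):
                associations.setdefault(cur_vlan, set()).update(vlan_list(m.group(1)))
        elif cur_if is not None:
            if m := re.match(r"switchport mode private-vlan (host|promiscuous)$", line):
                ports[cur_if]["mode"] = m.group(1)
            elif m := re.match(r"switchport private-vlan (?:host-association|mapping) (\d+) ([\d,]+)$", line):
                ports[cur_if]["primary"] = int(m.group(1))
                ports[cur_if]["secondaries"] = set(vlan_list(m.group(2)))
    return vlan_types, associations, ports


def validate_pvlan(vlan_types, associations, ports):
    """Check the constraints stated in the text; return a list of problem strings."""
    problems = []
    for primary, secs in associations.items():
        if vlan_types.get(primary) != "primary":
            problems.append(f"vlan {primary} has an association but is not a primary VLAN")
        isolated = sorted(s for s in secs if vlan_types.get(s) == "isolated")
        if len(isolated) > 1:  # only one isolated VLAN per primary
            problems.append(f"primary {primary} associates more than one isolated VLAN: {isolated}")
        for s in secs:
            if vlan_types.get(s) not in ("isolated", "community"):
                problems.append(f"vlan {s} associated with {primary} is not a secondary VLAN")
    for name, p in ports.items():
        if p["mode"] is None or p["primary"] is None:
            problems.append(f"{name}: incomplete private-vlan configuration")
            continue
        if p["mode"] == "host" and len(p["secondaries"]) != 1:
            problems.append(f"{name}: a host port must carry exactly one secondary VLAN")
        for s in p["secondaries"] - associations.get(p["primary"], set()):
            problems.append(f"{name}: secondary {s} is not associated with primary {p['primary']}")
    return problems


def can_communicate(ports, vlan_types, a, b):
    """Apply the forwarding rules from the text to two port names."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False  # different primary VLANs: no path at all
    modes = {pa["mode"], pb["mode"]}
    if modes == {"promiscuous"}:
        return True  # two promiscuous ports share the primary VLAN
    if "promiscuous" in modes:
        host, prom = (pa, pb) if pb["mode"] == "promiscuous" else (pb, pa)
        return bool(host["secondaries"] & prom["secondaries"])  # secondary must be mapped
    shared = pa["secondaries"] & pb["secondaries"]
    # two host ports: only a shared community VLAN forwards; isolated never does
    return any(vlan_types.get(v) == "community" for v in shared)
```

Running `validate_pvlan` on the parsed sample returns no problems, `can_communicate` reports that GigabitEthernet4/11 and 4/12 cannot reach each other while both reach 4/14, and appending a second isolated VLAN to the association of VLAN 900 produces a "more than one isolated VLAN" finding.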


Method two, using community VLANs

vlan 901
private-vlan community

vlan 902
private-vlan community

vlan 900
private-vlan primary
private-vlan association 901,902
