
Private Vlan notes:

>create the PVLANS and define the type


vlan 101
private-vlan community
vlan 102
private-vlan isolated
>>associate pvlans with Primary pvlan
vlan 100
private-vlan primary
private-vlan association 101,102
>>Configure the phy interfaces to the HOSTS
switchport mode private-vlan host
switchport private-vlan host-association 100 101 <<<primary, secondary
>>Configure the SVI on the PRIMARY VLAN and map it to the secondary VLAN(s)
The SVI behaves like a promiscuous port
SW1:
interface Vlan100
ip address 10.1.1.100 255.255.255.0
private-vlan mapping 101
SW2:
interface Vlan100
ip address 10.2.2.40 255.255.255.0
private-vlan mapping 102
>>>Config a PHY int as a promiscuous port
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 100 101 <<<primary, secondary
>>Interfaces configs
SW1(config-if-range)#switchport mode private-vlan ?
  host         Set the mode to private-vlan host
  promiscuous  Set the mode to private-vlan promiscuous
SW1(config-if-range)#switchport private-vlan host-association ?
  <1006-4094>  Primary extended range VLAN ID of the private VLAN host port association
  <2-1001>     Primary normal range VLAN ID of the private VLAN port association
>>Can't change a private vlan's type once it is associated with a primary
SW1(config-vlan)#vlan 101
SW1(config-vlan)#private-vlan isolated
%Command rejected: invalid private vlan type assignment. Isolated VLAN 102 is already associated with primary VLAN 100.
>>>bouncing the association (remove it, change the type, re-add it)
SW1(config-vlan)#vlan 100
SW1(config-vlan)#no private-vlan association 101
SW1(config-vlan)#
SW1(config-vlan)#
SW1(config-vlan)#vlan 101
SW1(config-vlan)#private-vlan isolated
*Mar 2 00:29:29.049: %PV-6-PV_MSG: Purged a private vlan mapping, Primary 100, Secondary 101
*Mar 2 00:29:29.082: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to downvlanno private-vlan association 101
*Mar 2 00:29:30.038: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/14, changed state to down
*Mar 2 00:29:30.038: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to down
*Mar 2 00:29:30.047: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/22, changed stateprivate-vlan isolated
SW1(config-vlan)#
SW1(config-vlan)#
SW1(config-vlan)#vlan 100
SW1(config-vlan)#private-vlan association 101
SW1(config-vlan)#^Z
SW1#
*Mar 2 00:29:45.155: %PV-6-PV_MSG: Created a private vlan mapping, Primary 100, Secondary 101
*Mar 2 00:29:45.180: %SYS-5-CONFIG_I: Configured from console by console (CIERS WB-LAB01, SJ)
*Mar 2 00:29:45.247: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to up
*Mar 2 00:29:46.304: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/14, changed state to up
*Mar 2 00:29:46.304: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to up
*Mar 2 00:29:46.304: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/22, changed state to up
>>>private vlan ports only show the PRIMARY vlan in STP (one STP instance covers the whole private vlan)
SW1#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       isolated          Gi0/1, Gi0/14, Gi0/20, Gi0/22
        102       isolated
SW1#show spanning-tree int g0/1
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0100            Desg FWD 19        128.1    P2p
SW1#show spanning-tree int g0/14
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0100            Desg FWD 19        128.14   P2p
SW1#
However.... if you want to extend a primary vlan over a trunk port, YOU MUST also allow the secondary vlans on the trunk.
From the docs: You can extend private VLANs across multiple devices by trunking the primary, isolated, and community VLANs to other devices that support private VLANs. To maintain the security of your private-VLAN configuration and to avoid other use of the VLANs configured as private VLANs, configure private VLANs on all intermediate devices, including devices that have no private-VLAN ports.
>>>You CAN remove a secondary vlan that is associated with a PRIMARY vlan without error
SW2#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       community                                                     <<<<associated
100     102       isolated          Fa0/13, Fa0/20, Fa0/22
SW2#
SW2#
SW2#
SW2#config term
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#no vl
SW2(config)#no vlan 101
SW2(config)#^Z
SW2#config term
*Mar 2 00:43:32.959: %SYS-5-CONFIG_I: Configured from console by console (CIERS
WB-LAB01, SJ?
terminal
SW2#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     102       isolated          Fa0/13, Fa0/20, Fa0/22
It took!
>>>Only one ISOLATED vlan per primary vlan!
>first, an existing mapping where we try to change the secondary vlan type
SW1(config-vlan)#private-vlan isolated
%Command rejected: invalid private vlan type assignment. Isolated VLAN 101 is already associated with primary VLAN 100.
>second, a fresh mapping that associates two isolated vlans at once
vlan 100
private-vlan primary
end
SW1(config-vlan)#private-vlan association 101,102
SW1(config-vlan)#
*Mar 2 01:08:05.613: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to up
SW1(config-vlan)#
This looks like it took but not so fast....
*Mar 2 01:08:11.955: %PV-6-PV_MSG: Created a private vlan mapping, Primary 100, Secondary 101
vlan 100
private-vlan primary
private-vlan association 101
end
we see 102 was left in the dust: only 101 made it into the association, with no error message
!
vlan 101
private-vlan isolated
end
SW1#sh run vlan 102
Building configuration...
Current configuration:
!
vlan 102
private-vlan isolated
This could make for some good troubleshooting!
!
interface GigabitEthernet0/1
switchport private-vlan mapping 100 101-102 <<<<<102 is configured on this port
switchport mode private-vlan promiscuous
spanning-tree portfast
end
SW1#
SW1#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       isolated          Gi0/1, Gi0/14, Gi0/20, Gi0/22
        102       isolated                                                      <<<nothing shows here
SW1#sh run vlan 100
Building configuration...
Current configuration:
!
vlan 100
private-vlan primary
private-vlan association 101
end
SW1#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       isolated          Gi0/1, Gi0/14, Gi0/20, Gi0/22
100     102       community         Gi0/1                                        <<<this is healthy
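An added config audit (my own example, not from these notes or from Cisco) that catches the two pitfalls above from saved running-config text: a primary associated with more than one isolated secondary, and a port whose mapping names a secondary the primary is no longer associated with (the "102 left in the dust" case). The samples are constructed to mirror the notes; the regexes assume the IOS syntax shown on this page.

```python
import re
# Constructed samples modelled on the notes above, not captures from the author's lab:
# INTENDED is what was typed (two isolated secondaries under primary 100); ACTUAL is
# what the switch kept (only 101 associated) while Gi0/1 still maps both secondaries.
INTENDED = """vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan isolated
interface GigabitEthernet0/1
 switchport private-vlan mapping 100 101-102
"""
ACTUAL = INTENDED.replace("association 101,102", "association 101")

def expand(vlan_list):
    """Expand an IOS VLAN list such as '101-102,104' into a set of ints."""
    out = set()
    for part in vlan_list.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(config):
    """Return secondary types, primary->associated secondaries, and port mappings."""
    types, assoc, ports, ctx = {}, {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"(vlan|interface) (\S+)$", line):
            ctx = (m.group(1), m.group(2))
        elif ctx and ctx[0] == "vlan":
            if m := re.match(r"private-vlan (isolated|community)$", line):
                types[int(ctx[1])] = m.group(1)
            elif m := re.match(r"private-vlan association (?:add )?(.+)", line):
                assoc.setdefault(int(ctx[1]), set()).update(expand(m.group(1)))
        elif ctx and (m := re.match(r"switchport private-vlan (?:mapping|host-association) (\d+) (.+)", line)):
            ports.append((ctx[1], int(m.group(1)), expand(m.group(2))))
    return types, assoc, ports
def audit(config):
    """Flag >1 isolated secondary per primary, and port mappings to unassociated secondaries."""
    types, assoc, ports = parse(config)
    findings = []
    for primary, secs in assoc.items():
        isolated = sorted(v for v in secs if types.get(v) == "isolated")
        if len(isolated) > 1:
            findings.append(f"primary {primary}: {len(isolated)} isolated secondaries {isolated}")
    for port, primary, secs in ports:
        for v in sorted(secs - assoc.get(primary, set())):
            findings.append(f"{port}: secondary {v} not associated with primary {primary}")
    return findings
```

Run `audit(INTENDED)` to catch the rule violation before it is pushed, and `audit(ACTUAL)` against `show run` output afterwards to catch the silently dropped secondary.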
Doc CD verbiage:
A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it. An isolated or community VLAN can have only one primary VLAN associated with it.
Although a private VLAN contains more than one VLAN, only one Spanning Tree Protocol (STP) instance runs for the entire private VLAN. When a secondary VLAN is associated with the primary VLAN, the STP parameters of the primary VLAN are propagated to the secondary VLAN.
However:
In my topology I have achieved two isolated vlans, but across two switches
R1 > SW1 > SW2
SW1 has 102 configured as a community vlan because 101 is an isolated vlan
SW2 only has 102, and it is configured as an isolated vlan
