Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private-VLAN ports are access ports of one of the following types:
- Promiscuous: A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN.
- Isolated: An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from the other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports, and traffic received from an isolated port is forwarded only to promiscuous ports.
- Community: A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. They are isolated at Layer 2 from all interfaces in other communities and from isolated ports within their private VLAN.
Configuration Scenario
Below is a configuration scenario that will help in understanding the concept of private VLANs and how to configure them.
The router is connected on interface Fa0/1 of the Catalyst switch, and we have different servers, i.e. Webservers 1 and 2 (Fa0/2, Fa0/3) and Mail servers 1 and 2 (Fa0/4, Fa0/5), which have different communication requirements. From the above diagram, the private VLAN arrangement is as follows:
- VLAN 100 is the primary VLAN. The router is connected to port Fa0/1 in promiscuous mode.
- VLAN 101 is the community VLAN. Interfaces Fa0/2 and Fa0/3 are for Webserver 1 and Webserver 2 respectively and are part of the community VLAN, since they need to communicate with each other as well as with the router.
- VLAN 102 is the isolated VLAN. Interfaces Fa0/4 and Fa0/5 are for Mail server 1 and Mail server 2 respectively and are part of the isolated VLAN, since they only need to communicate with the router and must not be able to talk to each other.
Private VLAN Configuration
The configuration is performed as below:
Step 1
Here the private VLANs are created and typed as primary or secondary (community or isolated), and the secondaries are associated with the primary. Note that on switches running VTP version 1 or 2 the switch must be in VTP transparent mode before private VLANs can be configured.
vlan 100
private-vlan primary
!
vlan 101
private-vlan community
!
vlan 102
private-vlan isolated
!
vlan 100
private-vlan association 101,102
Step 2
In this section the private VLAN association is applied to the respective interfaces: the host ports are bound to their primary/secondary pair, and the promiscuous port is mapped to every secondary VLAN it must serve.
interface Fa0/2
switchport mode private-vlan host
switchport private-vlan host-association 100 101
!
interface Fa0/3
switchport mode private-vlan host
switchport private-vlan host-association 100 101
!
interface Fa0/4
switchport mode private-vlan host
switchport private-vlan host-association 100 102
!
interface Fa0/5
switchport mode private-vlan host
switchport private-vlan host-association 100 102
!
interface Fa0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 add 101,102
Step 3
Once the configuration is done, we validate it with the commands below:
SWITCH#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ---------------------
100     101       community         Fa0/1, Fa0/2, Fa0/3
100     102       isolated          Fa0/1, Fa0/4, Fa0/5

SWITCH#sh vlan private-vlan type
Vlan Type
---- -----------------
100  primary
101  community
102  isolated
We can see that the router's port appears in both the community and the isolated VLAN, so it is able to communicate with every end host.
We have full communication between the two Webservers, while the two Mail servers can only communicate with the router. Keep in mind that this isolation is purely Layer 2: a host on an isolated port can still reach the other isolated host by sending the frame to the router's MAC address with the peer's IP as the destination, because the router will route it straight back out the promiscuous port. Cisco's guidance for this case is an ACL on the router interface (or a VACL on the primary VLAN) that drops traffic whose source and destination are both in the local subnet.
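A common way this design fails in practice is a paste error: a host port is bound to the wrong secondary VLAN, and a server that was meant to be isolated silently lands in the community VLAN with Layer 2 reach to its neighbours. The `show vlan private-vlan` output above is the manual check; the script below is an added example (not code from the original article or from Cisco) that performs the same consistency checks against a saved running-config. It parses the text the way IOS prints it, verifies that every associated secondary is declared, that every host-association references an associated secondary, and that the promiscuous mapping covers all secondaries, and then applies a policy assumption of this example: a list of ports (`must_be_isolated`) that the design says must sit in an isolated-type VLAN. The sample configurations embedded in the script are constructed from the article's config; `BAD_CONFIG` adds the deliberate mistake of putting Mail server 2 into VLAN 101.

```python
"""Audit a Catalyst running-config for private-VLAN (PVLAN) consistency.

Added example, not part of the original article. The `must_be_isolated`
policy list is an assumption of this example: ports that the design says
must not be able to reach each other at Layer 2.
"""
import re
from collections import defaultdict

# Constructed sample: the article's switch configuration, in the order IOS
# prints it (VLAN database first, then interfaces).
GOOD_CONFIG = """\
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
vlan 101
 private-vlan community
!
vlan 102
 private-vlan isolated
!
interface FastEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 add 101,102
!
interface FastEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface FastEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface FastEthernet0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
interface FastEthernet0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
"""

# Constructed variant of a common mistake: Mail server 2 was pasted into the
# web servers' community VLAN, so it now has Layer 2 reach to both web servers.
BAD_CONFIG = GOOD_CONFIG.replace(
    "interface FastEthernet0/5\n switchport mode private-vlan host\n"
    " switchport private-vlan host-association 100 102",
    "interface FastEthernet0/5\n switchport mode private-vlan host\n"
    " switchport private-vlan host-association 100 101")


def _vlan_list(text):
    """'101,102' or '101-103' -> {101, 102, 103}."""
    out = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_pvlan(config):
    """Return (vlan_type, associations, host_ports, promiscuous_ports)."""
    vlan_type = {}            # vlan id -> primary | community | isolated
    assoc = defaultdict(set)  # primary vlan -> set of secondary vlans
    host_ports = {}           # port -> (primary, secondary)
    promisc = {}              # port -> (primary, set of mapped secondaries)
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            section = ("vlan", int(m.group(1)))
        elif m := re.fullmatch(r"interface (\S+)", line):
            section = ("if", m.group(1))
        elif section and section[0] == "vlan":
            if m := re.fullmatch(r"private-vlan (primary|community|isolated)", line):
                vlan_type[section[1]] = m.group(1)
            elif m := re.fullmatch(r"private-vlan association (?:add )?([\d,\- ]+)", line):
                assoc[section[1]] |= _vlan_list(m.group(1))
        elif section and section[0] == "if":
            if m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line):
                host_ports[section[1]] = (int(m.group(1)), int(m.group(2)))
            elif m := re.fullmatch(r"switchport private-vlan mapping (\d+) (?:add )?([\d,\- ]+)", line):
                promisc[section[1]] = (int(m.group(1)), _vlan_list(m.group(2)))
    return vlan_type, dict(assoc), host_ports, promisc


def audit(config, must_be_isolated=()):
    """Return a list of human-readable findings; an empty list means consistent."""
    vlan_type, assoc, host_ports, promisc = parse_pvlan(config)
    findings = []
    for prim, secs in assoc.items():
        if vlan_type.get(prim) != "primary":
            findings.append(f"vlan {prim} has associations but is not 'private-vlan primary'")
        for sec in sorted(secs):
            if vlan_type.get(sec) not in ("community", "isolated"):
                findings.append(f"vlan {sec} associated to {prim} but not declared community/isolated")
    for port, (prim, sec) in host_ports.items():
        if sec not in assoc.get(prim, ()):
            findings.append(f"{port}: secondary {sec} is not associated with primary {prim}")
    for port, (prim, mapped) in promisc.items():
        missing = assoc.get(prim, set()) - mapped
        if missing:  # hosts in an unmapped secondary would have no path to the router
            findings.append(f"{port}: promiscuous mapping omits secondaries {sorted(missing)}")
    # Policy (assumed): ports that must not reach each other have to sit in an
    # isolated-type secondary; a community VLAN would give them Layer 2 reach.
    for port in must_be_isolated:
        prim_sec = host_ports.get(port)
        actual = vlan_type.get(prim_sec[1]) if prim_sec else None
        if actual != "isolated":
            findings.append(f"{port}: expected in an isolated VLAN, found {actual}")
    return findings


if __name__ == "__main__":
    mail = ["FastEthernet0/4", "FastEthernet0/5"]
    print("good:", audit(GOOD_CONFIG, mail))  # good: []
    print("bad: ", audit(BAD_CONFIG, mail))   # one finding for FastEthernet0/5
```

Run it against `show running-config` output saved to a file and pass the interfaces of every host that your design treats as isolated; any finding other than an empty list means the switch does not enforce the isolation the diagram promises.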