6 configuring private vlans – PLANET SGSD-1022 User Manual

User’s Manual of SGSD-1022 / SGSD-1022P

SGSW-2840 / SGSW-2840P

5.21.6 Configuring Private VLANs

Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This switch supports two

types of private VLANs: primary/ secondary associated groups, and stand-alone isolated VLANs. A primary VLAN contains

promiscuous ports that can communicate with all other ports in the private VLAN group, while a secondary (or community)

VLAN contains community ports that can only communicate with other hosts within the secondary VLAN and with any of the

promiscuous ports in the associated primary VLAN. Isolated VLANs, on the other hand, consist a single stand-alone VLAN that

contains one promiscuous port and one or more isolated (or host) ports. In all cases, the promiscuous ports are designed to

provide open access to an external network such as the Internet, while the community or isolated ports provide restricted

access to local users.

Multiple primary VLANs can be configured on this switch, and multiple community VLANs can be associated with each primary

VLAN. One or more isolated VLANs can also be configured. (Note that private VLANs and normal VLANs can exist

simultaneously within the same switch.)

This section describes commands used to configure private VLANs.

Command

Function

Mode

Edit Private VLAN Groups

private-vlan

Adds or deletes primary, community, or isolated VLANs

VC

private-vlan association

Associates a community VLAN with a primary VLAN

VC

Configure Private VLAN Interfaces

switchport modeprivate-vlan

Sets an interface to host mode or promiscuous mode

IC

switchport private-vlan

host-association

Associates an interface with a secondary VLAN

IC

switchport private-vlan isolated Associates an interface with an isolated VLAN

IC

switchport private-vlan mapping Maps an interface to a primary VLAN

IC

Display Private VLAN Information

show private-vlan

Shows private VLAN information

NE, PE

Table 5-72 Private VLAN Commands

To configure primary/secondary associated groups, follow these steps:

1. Use

the

private-vlan command to designate one or more community VLANs and the primary VLAN that will channel traffic

outside of the community groups.

2. Use

the

private-vlan association command to map the community VLAN(s) to the primary VLAN.

3. Use

the

switchport mode private-vlan command to configure ports as promiscuous (i.e., having access to all ports in the

primary VLAN) or host (i.e., community port).

4. Use

the switchport private-vlan host-association command to assign a port to a secondary VLAN.

5. Use

the

switchport private-vlan mapping command to assign a port to a primary VLAN.

6. Use

the

show private-vlan command to verify your configuration settings.

585