Figure 1. PVLAN Configuration Example
As shown in Figure 1, all employees in an enterprise network are authorized to access the enterprise server. However, only some employees should be able to communicate with each other, while others must be isolated from each other.
To achieve this, the PVLAN feature can be deployed on the switch that connects the terminals and the enterprise server. PVLAN meets the isolation requirement, alleviates the shortage of VLAN IDs (the hosts share one primary VLAN and subnet), and is easy for the network administrator to maintain.
Complete the following configurations on the Switch:
- To isolate Host A from Host B, configure the VLAN of Host A and Host B (VLAN 2) as the Isolated VLAN. To allow Host C and Host D to communicate with each other, configure the VLAN of Host C and Host D (VLAN 3) as the Community VLAN.
- Configure the VLAN of the server (VLAN 5) as the Primary VLAN.
- Configure the access ports of Host A, Host B, Host C, and Host D as PVLAN host ports.
- Add the access ports of Host A and Host B (ge-1/1/1 and ge-1/1/2) to the Isolated VLAN (VLAN 2). Add the access ports of Host C and Host D (ge-1/1/3 and ge-1/1/4) to the Community VLAN (VLAN 3).
- Configure the port connected to the server as the promiscuous port and add it to the Primary VLAN (VLAN 5).
Step 1 Create the secondary VLANs (the Isolated VLAN and the Community VLAN).
Step 2 Create the primary VLAN.
Step 3 Associate the secondary VLANs with the primary VLAN.
Step 4 Configure the ports connected to the hosts as PVLAN host ports.
Step 5 Configure the port connected to the server as the promiscuous port.
Step 6 Add each host port to its secondary VLAN and set the native VLAN of the host port to that secondary VLAN ID.
Step 7 Add the promiscuous port to the primary VLAN and set the native VLAN of the promiscuous port to the primary VLAN ID.
Step 8 Commit the configuration.
Verify the Configuration
- Use the run show vlans private-vlan command to view the PVLAN configuration.
- Use the run show vlans private-vlan type command to view the PVLAN type of each VLAN.
- Check the connectivity between the devices. With the configuration above, the expected results are:
The Server, Host A, Host B, Host C and Host D are on the same subnet.
Host A, Host B, Host C and Host D can communicate with the Server.
Host A and Host B cannot communicate with each other at Layer 2.
Host C and Host D can communicate with each other at Layer 2.
Host A and Host B cannot communicate with Host C and Host D at Layer 2.
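The following is an added example, not the switch's own code or configuration: a small Python model of the PVLAN forwarding rules that encodes the port roles and VLAN membership from Steps 4 to 7 and derives the Layer 2 reachability expected in the verification list above. The server's port name (ge-1/1/5) is assumed, since the page does not give it.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed topology following the page's example: one primary VLAN (5),
# an isolated secondary VLAN (2) and a community secondary VLAN (3).
PRIMARY_VLAN = 5
SECONDARY_VLANS = {2: "isolated", 3: "community"}   # secondary VLAN -> type


@dataclass(frozen=True)
class Port:
    name: str
    role: str    # "promiscuous" or "host"
    vlan: int    # native VLAN: primary for the promiscuous port, secondary for host ports


def can_talk(a: Port, b: Port) -> bool:
    """Layer 2 reachability between two ports under the PVLAN rules."""
    if "promiscuous" in (a.role, b.role):
        # A promiscuous port reaches every port in the primary VLAN and every
        # host port whose secondary VLAN is associated with that primary VLAN.
        prom, other = (a, b) if a.role == "promiscuous" else (b, a)
        if prom.vlan != PRIMARY_VLAN:
            return False
        return other.vlan == PRIMARY_VLAN or other.vlan in SECONDARY_VLANS
    # Both are host ports: only members of the same community VLAN may talk;
    # an isolated port never reaches another host port, even in its own VLAN.
    if a.vlan != b.vlan:
        return False
    return SECONDARY_VLANS.get(a.vlan) == "community"


# Steps 4 to 7 expressed as data: host ports in VLAN 2 (isolated), host ports
# in VLAN 3 (community), promiscuous port in VLAN 5 (primary).
PORTS = {
    "Host A": Port("ge-1/1/1", "host", 2),
    "Host B": Port("ge-1/1/2", "host", 2),
    "Host C": Port("ge-1/1/3", "host", 3),
    "Host D": Port("ge-1/1/4", "host", 3),
    "Server": Port("ge-1/1/5", "promiscuous", PRIMARY_VLAN),  # port name assumed
}


def reachability(ports=PORTS) -> dict:
    """Return {(x, y): bool} for every unordered pair of attached devices."""
    return {(x, y): can_talk(ports[x], ports[y]) for x, y in combinations(ports, 2)}


if __name__ == "__main__":
    for (x, y), ok in reachability().items():
        print(f"{x} <-> {y}: {'allowed' if ok else 'blocked'}")
```

Changing a host port's VLAN to one that is not associated with the primary VLAN, or moving the promiscuous port out of VLAN 5, makes the model report the loss of server reachability, which is the same symptom a misconfiguration shows in the real verification step.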