
CHAPTER 7
Campus Network Security
Private VLANs
Private VLANs (PVLAN) enable large companies or service providers to isolate users into separate multiaccess domains.
Using a separate VLAN for each group is not scalable. For instance, the maximum number of VLANs a switch supports would
limit the number of customers an ISP can have. Each VLAN also requires its own IP subnet, which can be a further limiting factor.
PVLANs divide a VLAN into secondary VLANs, letting you isolate a set of ports from other ports within the same
VLAN. There are two types of secondary VLANs:
■ Community VLANs: Ports can communicate with other ports in the same community VLAN.
■ Isolated VLANs: Ports cannot communicate with each other.
Ports within a private VLAN can be one of three types:
■ Community: Communicates with other community ports and with promiscuous ports
■ Isolated: Communicates only with promiscuous ports
■ Promiscuous: Communicates with all ports
Table 7-3 shows the commands to configure a primary private VLAN, secondary PVLANs, and their associated ports.

Table 7-3 Configuring Private VLANs

Command                                         Description
vlan vlan-id                                    Enters VLAN configuration mode.
private-vlan {community | isolated | primary}   Configures the VLAN as a private VLAN and specifies the type. Repeat this
                                                command to configure all primary and secondary VLANs.
vlan primary-vlan-id                            Enters configuration mode for the primary VLAN.
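The port-type rules above and the Table 7-3 configuration style, worked through as an added Python example that is not from the book: it parses a constructed Catalyst-style PVLAN configuration, answers "can these two ports exchange frames?" using the community / isolated / promiscuous rules, and flags the misconfiguration that most often breaks a PVLAN design, a secondary VLAN that a port references but that is never associated with its primary. The VLAN numbers and interface names are made up; the interface-level commands (switchport mode private-vlan, host-association, mapping) and private-vlan association follow standard Catalyst IOS syntax that lies beyond the part of Table 7-3 shown on this page.

```python
"""Model private-VLAN reachability from a Catalyst-style configuration.

Added example, not code from the CCNP SWITCH Quick Reference. The rules
encoded here are the ones stated in the text: community ports talk to their
own community and to promiscuous ports, isolated ports talk only to
promiscuous ports, promiscuous ports talk to everything mapped to them.
"""
import re

# Constructed sample configuration (not from the book).
# Primary 100, community secondary 101, isolated secondary 102.
SAMPLE_CONFIG = """\
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan community
vlan 102
 private-vlan isolated
interface Gi1/0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface Gi1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface Gi1/0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
interface Gi1/0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
interface Gi1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
"""


def parse_pvlan_config(text):
    """Return (vlans, ports) parsed from the vlan and interface stanzas."""
    vlans, ports, cur = {}, {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"vlan (\d+)$", line):
            cur = vlans.setdefault(int(m[1]), {"type": None, "assoc": set()})
        elif m := re.match(r"interface (\S+)$", line):
            cur = ports.setdefault(m[1], {"mode": None, "primary": None, "secondary": set()})
        elif cur is None:
            continue
        elif m := re.match(r"private-vlan (primary|community|isolated)$", line):
            cur["type"] = m[1]
        elif m := re.match(r"private-vlan association ([\d,]+)$", line):
            cur["assoc"] = {int(v) for v in m[1].split(",")}
        elif m := re.match(r"switchport mode private-vlan (host|promiscuous)$", line):
            cur["mode"] = m[1]
        elif m := re.match(r"switchport private-vlan (?:host-association|mapping) (\d+) ([\d,]+)$", line):
            cur["primary"], cur["secondary"] = int(m[1]), {int(v) for v in m[2].split(",")}
    return vlans, ports


def port_role(vlans, port):
    """Classify a port as 'promiscuous', 'community', 'isolated' or None."""
    if port["mode"] == "promiscuous":
        return "promiscuous"
    if port["mode"] == "host" and len(port["secondary"]) == 1:
        return vlans.get(next(iter(port["secondary"])), {}).get("type")
    return None


def can_communicate(vlans, ports, a, b):
    """Apply the PVLAN port-type rules to two ports on the same switch."""
    pa, pb = ports[a], ports[b]
    ra, rb = port_role(vlans, pa), port_role(vlans, pb)
    if pa["primary"] != pb["primary"] or ra is None or rb is None:
        return False
    if ra == "promiscuous" and rb == "promiscuous":
        return True
    if ra == "promiscuous":           # host reaches promiscuous only if mapped
        return pb["secondary"] <= pa["secondary"]
    if rb == "promiscuous":
        return pa["secondary"] <= pb["secondary"]
    if ra == "community" and rb == "community":
        return pa["secondary"] == pb["secondary"]   # same community VLAN
    return False                      # isolated ports, or different secondaries


def check_config(vlans, ports):
    """Flag secondaries that ports use but the primary never associates."""
    issues = []
    primaries = {v for v, d in vlans.items() if d["type"] == "primary"}
    for vid in primaries:
        for sec in vlans[vid]["assoc"]:
            if vlans.get(sec, {}).get("type") not in ("community", "isolated"):
                issues.append(f"vlan {vid}: associated VLAN {sec} is not a secondary PVLAN")
    for name, p in ports.items():
        if p["mode"] is None:
            continue
        if p["primary"] not in primaries:
            issues.append(f"{name}: VLAN {p['primary']} is not a primary PVLAN")
            continue
        for sec in sorted(p["secondary"] - vlans[p["primary"]]["assoc"]):
            issues.append(f"{name}: secondary VLAN {sec} is not associated with primary {p['primary']}")
    return issues


if __name__ == "__main__":
    v, p = parse_pvlan_config(SAMPLE_CONFIG)
    for issue in check_config(v, p):
        print("CONFIG ISSUE:", issue)
    for a in sorted(p):
        print(a, [b for b in sorted(p) if b != a and can_communicate(v, p, a, b)])
```

Running the script prints, for each port, the other ports it can reach; dropping 102 from the association line makes check_config report every host port and the promiscuous mapping that still refer to it, which is exactly the state where the switch rejects or ignores those port assignments.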
© 2010 Pearson Education, Inc. All rights reserved. This publication is protected by copyright. Please see page 112 for more details.
CCNP SWITCH 642-813 Quick Reference by Denise Donohue