System information
Cisco Cat3K ST 6 June 2012
54
TOE SFRs How the SFR is Met
upstream from the hosts toward the promiscuous ports and the gateway.
• Community VLAN—A community VLAN is a secondary VLAN that
carries upstream traffic from the community ports to the promiscuous
port gateways and to other host ports in the same community. Multiple
community VLANs can be configured in a PVLAN.
A promiscuous port can serve only one primary VLAN, one isolated VLAN,
and multiple community VLANs.
PVLANs can be used to control access to end stations in these ways:
• Configure selected interfaces connected to end stations as isolated ports
to prevent any communication at Layer 2. For example, if the end
stations are servers, this configuration prevents Layer 2 communication
between the servers.
• Configure interfaces connected to default gateways and selected end
stations (for example, backup servers) as promiscuous ports to allow all
end stations access to a default gateway.
• Extend PVLANs across multiple devices by trunking [1] the primary, isolated, and community VLANs to other devices that support PVLANs. To maintain the security of the PVLAN configuration and to avoid other use of the VLANs configured as PVLANs, configure PVLANs on all intermediate devices, including devices that have no PVLAN ports.
The following example shows how to configure and associate VLANs in a PVLAN. Begin in privileged EXEC mode and follow the steps below. Note that the private-vlan commands do not take effect until VLAN configuration mode is exited.
Step 1. Command: configure terminal. Purpose: Enter global configuration mode.
Step 2. Command: vtp mode transparent. Purpose: Set VTP mode to transparent (disable VTP).
Step 3. Command: vlan vlan-id. Purpose: Enter VLAN configuration mode and designate or create a VLAN that will be the primary VLAN. The VLAN ID range is 2 to 1001 and 1006 to 4094.
Step 4. Command: private-vlan. Purpose: Designate the VLAN as the primary
[1] Use of VLAN trunking (within the constraints described in section 1.8, "Excluded Functionality") is permitted in the evaluated configuration, and does not interfere with the TOE's inspection of VLAN tag information in frame headers, and proper forwarding or blocking based on that header inspection.