[c-nsp] Private VLAN

Ibrahim Abo Zaid ibrahim.abozaid at gmail.com
Mon Apr 21 10:51:50 EDT 2008


Hi All


below is a template of the configuration that can be used in this solution

Configuration guidance
vlan 100 - primary VLAN
secondary VLAN range, say 200, 210, 220 and so on

1- set VTP mode to transparent mode
vtp mode transparent

2- create primary VLAN
vlan 100
private-vlan primary

3- configure as many community VLANs as there are hosts

vlan 200
private-vlan community

vlan 210
private-vlan community

4-secondary VLAN association with primary VLAN

vlan 100
private-vlan association 200-xxx    (200 = first community VLAN, xxx = last community VLAN)


5- mapping community VLAN to primary VLAN SVI so all hosts can use the same
gateway

interface vlan 100
private-vlan mapping add 200-xxx (end community vlan)

6- interfaces configuration

a- primary vlan configuration

int fa x/x or giga x/x
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 add 200-xxx    (the add keyword goes before the secondary VLAN list)

b- associating host ports to community VLANs (for community VLAN 200) --> no
more than a single interface should be placed in each community VLAN

int fa x/x or giga x/x
switchport mode private-vlan host
switchport private-vlan host-association 100 200

for any more details about this template, kindly feed me back


best regards
--Abo Zaid
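A complete worked instance of the template above, added here as an example and not part of the original post. It assumes a Catalyst IOS switch that supports private VLANs, primary VLAN 100 with community VLANs 200 and 210 plus one isolated VLAN 300 (the option 2 layout discussed earlier in the thread), the subnet 10.10.100.0/24 with the VLAN 100 SVI as the shared gateway, and interface names Gi0/1 to Gi0/5; all of those values are my assumptions. It also adds the one check a practitioner would want on top of the template: an ACL on the SVI so the gateway does not route a packet straight back into the same subnet, because a host can otherwise defeat the L2 isolation by sending a frame to the gateway MAC with another host's IP as the destination. Traffic to the gateway address itself stays permitted, so hosts can still reach the L3 address of the primary VLAN as Manaf wanted.

```ios
! Added worked example (not from the original post). Assumed values:
! primary VLAN 100, community VLANs 200 and 210, isolated VLAN 300,
! subnet 10.10.100.0/24, SVI 10.10.100.1 as gateway, ports Gi0/1-Gi0/5.
vtp mode transparent
!
vlan 100
 private-vlan primary
 private-vlan association 200,210,300
!
vlan 200
 private-vlan community
!
vlan 210
 private-vlan community
!
vlan 300
 private-vlan isolated
!
! Stop the gateway from bouncing traffic between hosts of the same
! subnet (L3 bypass of the L2 isolation). The first line keeps the
! gateway itself reachable from every secondary VLAN.
ip access-list extended PVLAN-NO-BOUNCE
 permit ip 10.10.100.0 0.0.0.255 host 10.10.100.1
 deny   ip 10.10.100.0 0.0.0.255 10.10.100.0 0.0.0.255 log
 permit ip any any
!
! One SVI in the primary VLAN serves all secondary VLANs as gateway
interface Vlan100
 ip address 10.10.100.1 255.255.255.0
 ip access-group PVLAN-NO-BOUNCE in
 private-vlan mapping 200,210,300
!
! Promiscuous port (e.g. towards a shared server or firewall); it can
! talk to every secondary VLAN
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 200,210,300
!
! One host per community VLAN, as in the template
interface GigabitEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
!
interface GigabitEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 210
!
! Isolated VLAN: these two ports cannot reach each other at L2, only
! the promiscuous port and the SVI
interface GigabitEthernet0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 300
!
interface GigabitEthernet0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 300
```

To verify, `show vlan private-vlan` should list 100 as primary with 200/210 as community and 300 as isolated, `show interfaces private-vlan mapping` should show the SVI mapped to all three secondary VLANs, and `show interfaces GigabitEthernet0/2 switchport` should report the private-vlan host association 100 200. A ping from the Gi0/4 host to the Gi0/5 host must fail, a ping from either to 10.10.100.1 must succeed, and the deny entry of PVLAN-NO-BOUNCE should count hits if a host tries to reach a neighbour through the gateway.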


On 4/21/08, Pedro Matusse <pmatusse at tdm.mz> wrote:
>
> Thanks
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Ibrahim Abo Zaid
> Sent: Monday, April 21, 2008 4:13 PM
> To: Manaf Oqlah
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Private VLAN
>
> Hi Manaf and Pedro
>
> currently i am preparing the configuration and will feed you shortly
>
>
> best regards
> --Abo Zaid
>
>
>
> On 4/21/08, Manaf Oqlah <manafo at gmail.com> wrote:
> >
> > would you please send me the configuration in brief
> >
> > thank you
> >
> > On Mon, Apr 21, 2008 at 5:03 PM, Ibrahim Abo Zaid <
> > ibrahim.abozaid at gmail.com> wrote:
> >
> > > if the number of hosts is great , assigning a pair of private primary
> > > and isolated vlan to each host will be unscalable at all
> > >
> > > so it would be better to configure single primary VLAN serves a group
> > > of community VLANs (each for each host) and not more than 1 host is
> placed
> > > in each community VLAN . otherwise if you can group some hosts with
> matched
> > > communications requirements into a single community VLAN , it would be
> > > better
> > >
> > > i think this is the most feasible solution from my opinion , do you
> need
> > > the configuration of this setup?
> > >
> > > best regards
> > > --Abo Zaid
> > >
> > > On 4/21/08, Manaf Oqlah <manafo at gmail.com> wrote:
> > > >
> > > > Hi Abo Zaid,
> > > >
> > > > I will choose option 2 because i want to separate hosts on layer 2
> for
> > > > multiple VLANs but at the same time they should have the same
> network
> and
> > > > same gateway if it is possible.
> > > > it would be great if you can advice me with another scenario.
> > > >
> > > > Regards,
> > > > Manaf
> > > >
> > > > On Mon, Apr 21, 2008 at 4:37 PM, Ibrahim Abo Zaid <
> > > > ibrahim.abozaid at gmail.com> wrote:
> > > >
> > > > >
> > > > > Hi Manaf
> > > > >
> > > > >
> > > > > as you know primary VLAN can have one isolated VLAN only but have
> > > > > multiple community VLANs , so we have 2 options here
> > > > >
> > > > > 1- make VLANs 200 and 300 isolated VLANs and create other primary
> > > > > VLAN say 110 so VLAN 200 has VLAN 100 as primary VLAN and VLAN 300
> has VLAN
> > > > > 110 as primary
> > > > >
> > > > > 2- make either VLAN 200 or 300 isolated and the other community
> and
> > > > > both have the VLAN 100 as primary VLAN
> > > > >
> > > > > which one you will choose
> > > > >
> > > > >
> > > > > best regards
> > > > > --Abo Zaid
> > > > >
> > > > > On 4/21/08, Manaf Oqlah <manafo at gmail.com> wrote:
> > > > > >
> > > > > > yes they are on the same switch
> > > > > >
> > > > > > thanks a lot
> > > > > >
> > > > > > On Mon, Apr 21, 2008 at 3:54 PM, Ibrahim Abo Zaid <
> > > > > > ibrahim.abozaid at gmail.com> wrote:
> > > > > >
> > > > > > > Dear Manaf
> > > > > > >
> > > > > > >
> > > > > > > i assume all VLANs on the same switch , i will prepare a
> > > > > > > configuration template and send it shortly
> > > > > > >
> > > > > > >
> > > > > > > best luck :)
> > > > > > >
> > > > > > >
> > > > > > > Abo Zaid
> > > > > > >
> > > > > > >
> > > > > > > On 4/21/08, Manaf Oqlah <manafo at gmail.com> wrote:
> > > > > > > >
> > > > > > > > thank u Abo Zaid for the reply.
> > > > > > > >
> > > > > > > > what i want to do is to isolate vlans on L2 which they are
> > > > > > > > sharing the same primary VLAN, and at the same time, the
> hosts
> on these
> > > > > > > > isolated vlans can reach L3 ip address of the primary VLAN.
> > > > > > > >
> > > > > > > > it is like this
> > > > > > > >
> > > > > > > >              interface VLAN100
> > > > > > > >                          |
> > > > > > > > -------------VLAN100 (Primary)----------------
> > > > > > > >                          |
> > > > > > > > ---------------------------------------------------------
> > > > > > > >          |                                  |
> > > > > > > > VLAN200 (isolated)     VLAN300 (isolated)
> > > > > > > >
> > > > > > > >
> > > > > > > > On Mon, Apr 21, 2008 at 2:58 PM, Ibrahim Abo Zaid <
> > > > > > > > ibrahim.abozaid at gmail.com> wrote:
> > > > > > > >
> > > > > > > > > Hi Manaf
> > > > > > > > >
> > > > > > > > > what do u mean reach global vlan at L3 ? private VLAN
> > > > > > > > > provides L2 isolation and L3 should be transparent i mean
> you can keep hosts
> > > > > > > > > ip planning and routing policy should match with the L2
> topology after
> > > > > > > > > configuring private VLANs  .
> > > > > > > > >
> > > > > > > > > if you added more info about your problem or solution ,
> it'd
> > > > > > > > > be better
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > best regards
> > > > > > > > > --Abo Zaid
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >  On 4/21/08, Manaf Oqlah <manafo at gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > > I want to segregate traffic between some VLANs at layer
> 2
> > > > > > > > > > using private but
> > > > > > > > > > still can reach the global vlan at layer 3.
> > > > > > > > > >
> > > > > > > > > > _______________________________________________
> > > > > > > > > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > > > > > > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > > > > > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
>
