Ethan
Cisco Employee
Original document:
https://majornetwork.net/2012/06/private-vlans-on-nexus-5000-series/
Background on PVLANs:

    PVLAN VLAN types:
    Primary VLAN: the primary VLAN carries traffic from the promiscuous ports to the host ports (both isolated and community) and to other promiscuous ports.
    Secondary VLAN: secondary VLANs come in two types:
    Isolated VLAN: carries traffic from isolated ports to a promiscuous port. A port in an isolated VLAN cannot communicate at Layer 2 with any other port in the PVLAN (neither a port in a community VLAN nor another port in the same isolated VLAN). To reach any other port, its traffic must pass through the promiscuous port.
    Community VLAN: carries traffic between the community ports of the same community VLAN and to the promiscuous port. Ports in a community VLAN can communicate with each other at Layer 2 (only within that community VLAN), but not with ports in other community VLANs or in the isolated VLAN. To reach those ports, traffic must pass through the promiscuous port.
    PVLAN port types:
    Promiscuous port: belongs to the primary VLAN. A promiscuous port can communicate with all interfaces, including the isolated and community ports in the PVLAN, and can be configured as an access port or as a trunk port. It is the path by which community and isolated hosts reach the rest of the network (typically the default gateway); two hosts that the PVLAN separates at Layer 2 can only talk to each other if a device on the promiscuous port routes between them.
    Host port: belongs to a secondary VLAN. Because secondary VLANs come in two types, host ports are likewise of two kinds:
    Isolated port: separated from every other port in the PVLAN except the promiscuous port, with which it can communicate. Apart from traffic from the promiscuous port, the PVLAN blocks all traffic to an isolated port, and traffic received from an isolated port is forwarded only to promiscuous ports. An isolated VLAN can contain multiple isolated ports; each is completely isolated from every other port in that isolated VLAN.
    Community port: a host port in a community secondary VLAN. A community port can communicate with the other ports in the same community VLAN; logically it groups the ports of one community together with the promiscuous port, and traffic can flow among them.
    PVLAN traffic flow diagram: [figure not reproduced]
    With a Nexus 2000 (FEX) attached to a Nexus 5000:
    A host on an isolated VLAN can communicate only with the associated promiscuous port in its primary VLAN. Hosts on community VLAN can communicate among themselves and with their associated promiscuous port but not with ports in other community VLANs.
    In a PVLAN domain, isolated trunks are part of a secondary VLAN. Isolated trunk ports can carry multiple isolated VLANs. Configuring an isolated trunk port involves two steps. First, you define the port as an isolated trunk port and then you configure the association between the isolated and primary VLANs. Multiple isolated VLANs can be enabled by configuring multiple associations.
    An isolated trunk can carry traffic for several isolated VLANs, but that does not let those isolated VLANs communicate with each other directly.
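    To make the forwarding rules above concrete, here is an added example in Python (not part of the original post or of Cisco's documentation) that models Layer 2 reachability between PVLAN endpoints. The topology is constructed for the example: primary VLAN 5 with community VLAN 100 and isolated VLAN 200, a promiscuous port to the gateway, two community hosts, two isolated hosts, and an isolated trunk carrying isolated VLAN 200 (primary 5) and isolated VLAN 201 (primary 6) to a downstream host-switch. The model treats each isolated VLAN carried on an isolated trunk as one more isolated endpoint, which is exactly the point of the paragraph above; MAC learning, the mapping limits and Layer 3 routing behind the promiscuous port are outside the model.

```python
from itertools import combinations

PROMISCUOUS, COMMUNITY, ISOLATED = "promiscuous", "community", "isolated"

# Constructed topology (made up for this example, not from the post):
# name -> (port type, primary VLAN, secondary VLAN of a host port, or the set
# of secondary VLANs mapped to a promiscuous port).
ENDPOINTS = {
    "gateway":   (PROMISCUOUS, 5, {100, 200}),  # router behind the promiscuous port
    "web1":      (COMMUNITY,   5, 100),
    "web2":      (COMMUNITY,   5, 100),
    "srv1":      (ISOLATED,    5, 200),
    "srv2":      (ISOLATED,    5, 200),
    # An isolated trunk carrying isolated VLAN 200 (primary 5) and isolated
    # VLAN 201 (primary 6) to a host-switch: per carried VLAN it behaves like
    # one more isolated endpoint, so it never bridges those VLANs together.
    "trunk:200": (ISOLATED,    5, 200),
    "trunk:201": (ISOLATED,    6, 201),
}


def can_talk(endpoints, a, b):
    """Layer 2 reachability between two endpoints under the PVLAN rules.

    A promiscuous port reaches other promiscuous ports of its primary VLAN and
    every host in a secondary VLAN mapped to it. Two host ports reach each other
    only if both are community ports in the same community VLAN; isolated ports
    reach nothing but the promiscuous port, even inside the same isolated VLAN."""
    type_a, primary_a, sec_a = endpoints[a]
    type_b, primary_b, sec_b = endpoints[b]
    if primary_a != primary_b:
        return False                       # different PVLAN domains are never bridged
    if type_a == PROMISCUOUS and type_b == PROMISCUOUS:
        return True
    if type_a == PROMISCUOUS:
        return sec_b in sec_a
    if type_b == PROMISCUOUS:
        return sec_a in sec_b
    return type_a == type_b == COMMUNITY and sec_a == sec_b


def reachable_pairs(endpoints):
    """All unordered endpoint pairs that can exchange frames at Layer 2."""
    return sorted(pair for pair in combinations(sorted(endpoints), 2)
                  if can_talk(endpoints, *pair))


def host_to_host_leaks(endpoints):
    """Host-to-host pairs that bypass the promiscuous port. In a correct PVLAN
    design these are exactly the same-community pairs and nothing else."""
    return [(a, b) for a, b in reachable_pairs(endpoints)
            if PROMISCUOUS not in (endpoints[a][0], endpoints[b][0])]


if __name__ == "__main__":
    for a, b in reachable_pairs(ENDPOINTS):
        print(f"{a:10} <-> {b}")
```

    Running the block prints the six reachable pairs: every host to the gateway (including the isolated trunk's VLAN 200 leg) and web1 to web2. The two isolated servers, the isolated trunk legs and the isolated-to-community pairs never appear, and trunk:201 reaches nothing because no promiscuous port maps primary VLAN 6.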
    Configuration notes:
    When configuring PVLANs, follow these guidelines:
    ・ You must create a VLAN before you can assign the specified VLAN as a private VLAN.
    ・ You must enable PVLANs before the switch can apply the PVLAN functionality.
    ・ You cannot disable PVLANs if the switch has any operational ports in a PVLAN mode.
    ・ Enter the private-vlan synchronize command from within the Multiple Spanning Tree (MST) region definition to map the secondary VLANs to the same MST instance as the primary VLAN.
    ・ You must disable all the FEX isolated trunk ports before configuring FEX trunk ports.
    ・ The number of mappings on a PVLAN trunk port is limited to 128.
    ・ You cannot connect a second switch to a promiscuous or isolated PVLAN trunk. The promiscuous or isolated PVLAN trunk is supported only on host-switch.
    ・ You cannot configure promiscuous ports and promiscuous trunk ports on the FEX interfaces (HIF) ports.
    ・ If you configure a private-vlan association under a VLAN, but do not configure the private-vlan type as primary, this association will reappear in the running configuration under the same VLAN when the VLAN is deleted and re-created. Note that this earlier association cannot be removed by using the no private-vlan association command. It can be removed only by performing either of the following tasks:
      - Disable the PVLAN feature, or
      - Configure the private-vlan type as primary, configure the same private-vlan association under that VLAN, and then remove the association using the no private-vlan association command.
    Limitations with Other Features
    Consider the following configuration limitations with other features when configuring private VLANs:

    • IGMP snooping runs only on the primary VLAN and uses the configuration of the primary VLAN for all secondary VLANs.
    Any IGMP snooping join request in the secondary VLAN is treated as if it is received in the primary VLAN.

    Official documentation link:


    Private Vlan domain

    [Figure: Private VLAN domain]

    1. A private VLAN domain has exactly one primary VLAN. Every port in the PVLAN domain is a member of the primary VLAN; the primary VLAN is the whole PVLAN domain.

    2. Secondary VLANs provide the isolation between ports within the PVLAN domain. The secondary VLANs under a primary VLAN are of two kinds:
    Isolated VLAN: ports in an isolated VLAN cannot communicate with any other port at Layer 2 (apart from the promiscuous port);
    Community VLAN: ports in a community VLAN can communicate with other ports in the same community, but not with ports in other community VLANs or in any isolated VLAN.

    Notes on associating secondary VLANs with a primary VLAN:
    When you associate secondary VLANs with a primary VLAN, follow these guidelines:

    • The secondary-vlan-list parameter cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single secondary VLAN ID or a hyphenated range of secondary VLAN IDs.
    • The secondary-vlan-list parameter can contain multiple community VLAN IDs and one isolated VLAN ID.
    • Enter a secondary-vlan-list or use the add keyword with a secondary-vlan-list to associate secondary VLANs with a primary VLAN.
    • Use the remove keyword with a secondary-vlan-list to clear the association between secondary VLANs and a primary VLAN.
    • You can change the association between a secondary and primary VLAN by removing the existing association, and then adding the desired association.
    If you delete either the primary or secondary VLAN, the VLAN becomes inactive on the port where the association is configured. When you enter the no private-vlan command, the VLAN returns to the normal VLAN mode. All primary and secondary associations on that VLAN are suspended, but the interfaces remain in PVLAN mode. If you convert the specified VLAN to PVLAN mode again, the original associations are reinstated.
    If you enter the no vlan command for the primary VLAN, all the PVLAN associations with that VLAN are lost. However, if you enter the no vlan command for a secondary VLAN, the PVLAN associations with that VLAN are suspended and are reinstated when you recreate the specified VLAN and configure it as the previous secondary VLAN.

    Example: associate community VLANs 100 to 110 and isolated VLAN 200 with primary VLAN 5 (note that the secondary-vlan-list is written without spaces):
    switch# configure terminal
    switch(config)# vlan 5
    switch(config-vlan)# private-vlan association 100-110,200
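    The following added example (mine, not from the post or from Cisco) turns the association guidelines above into a small Python validator. It parses a secondary-vlan-list the way the guidelines describe it (comma-separated items, single IDs or hyphenated ranges, no spaces) and keeps the association state of one primary VLAN, rejecting a second isolated VLAN or a secondary VLAN that has not first been created as a community or isolated VLAN. The VLAN table is constructed for the example, and treating the bare private-vlan association form as replacing the existing list is an assumption of the example.

```python
import re

# Constructed VLAN table (hypothetical, not from the post): the type each VLAN
# was given with 'private-vlan {primary | community | isolated}'.
VLAN_TYPES = {5: "primary", **{v: "community" for v in range(100, 111)},
              200: "isolated", 201: "isolated"}

_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_secondary_vlan_list(text):
    """Parse an NX-OS secondary-vlan-list: comma-separated items, each a single
    VLAN ID or a hyphenated range, with no spaces allowed."""
    if not text or " " in text:
        raise ValueError("secondary-vlan-list must be non-empty and contain no spaces")
    ids = set()
    for item in text.split(","):
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"malformed item {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range {item!r} is out of order or outside 1-4094")
        ids.update(range(lo, hi + 1))
    return ids


class PrimaryVlan:
    """Tracks the secondary VLANs associated with one primary VLAN and enforces
    the guidelines: secondaries must already exist as community or isolated
    VLANs, and at most one isolated VLAN may be associated."""

    def __init__(self, vlan_id, vlan_types):
        if vlan_types.get(vlan_id) != "primary":
            raise ValueError(f"VLAN {vlan_id} is not a primary PVLAN")
        self.vlan_id, self.types, self.secondaries = vlan_id, vlan_types, set()

    def _check(self, candidate):
        for v in sorted(candidate):
            if self.types.get(v) not in ("community", "isolated"):
                raise ValueError(f"VLAN {v} must be created as a community or isolated VLAN first")
        isolated = sorted(v for v in candidate if self.types[v] == "isolated")
        if len(isolated) > 1:
            raise ValueError(f"only one isolated VLAN is allowed per primary VLAN, got {isolated}")
        return candidate

    def associate(self, vlan_list, keyword=None):
        """Model 'private-vlan association [add | remove] secondary-vlan-list'.
        The bare form is taken to replace the current list (assumption)."""
        ids = parse_secondary_vlan_list(vlan_list)
        if keyword == "add":
            self.secondaries = self._check(self.secondaries | ids)
        elif keyword == "remove":
            self.secondaries -= ids
        elif keyword is None:
            self.secondaries = self._check(ids)
        else:
            raise ValueError(f"unknown keyword {keyword!r}")
        return self.secondaries
```

    The validator accepts the corrected form of the example above, "100-110,200", and rejects the spaced form "100-110, 200"; adding isolated VLAN 201 while 200 is still associated is refused until 200 is removed with the remove keyword.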
    Private VLAN Promiscuous Trunks

    A promiscuous trunk port can carry traffic for multiple primary VLANs; the secondary VLANs under each of those primary VLANs can be mapped to the port. Traffic on a promiscuous trunk is received and forwarded with the primary VLAN tag.

    Private VLAN Isolated Trunks
    An isolated trunk port can carry traffic for multiple isolated PVLANs; community VLAN traffic is not carried on an isolated trunk port. Traffic on an isolated trunk is received and forwarded with the isolated VLAN tag.
    To support isolated PVLAN ports on a Cisco Nexus Fabric Extender, the Cisco Nexus device must prevent communication between isolated ports on the FEX; all forwarding is performed on the parent switch.

    Private VLAN Port Isolation

    You can use PVLANs to control access to end stations, as follows:

    Configure the selected interfaces connected to end stations as isolated ports to prevent any communication between those stations. For example, if the end stations are servers, this configuration prevents the servers from communicating with each other.

    Configure the interfaces connected to the default gateway and to selected end stations (for example, a backup server) as promiscuous ports, so that every end station can reach the default gateway.

    Configuration:
    Enable private VLANs
    switch# configure terminal
    switch(config)# feature private-vlan

    Configure a VLAN as a private VLAN

    Step 1: switch# configure terminal
        Enters global configuration mode.
    Step 2: switch(config)# vlan {vlan-id | vlan-range}
        Enters VLAN configuration submode.
    Step 3: switch(config-vlan)# private-vlan {community | isolated | primary}
        Configures the VLAN as either a community, isolated, or primary PVLAN. In a PVLAN, you must have one primary VLAN. You can have multiple community and isolated VLANs.
    Step 4 (optional): switch(config-vlan)# no private-vlan {community | isolated | primary}
        Removes the PVLAN configuration from the specified VLAN(s) and returns it to normal VLAN mode. If you delete either the primary or secondary VLAN, the ports that are associated with the VLAN become inactive.

    Examples:
    The following example shows how to assign VLAN 5 to a PVLAN as the primary VLAN:
    switch# configure terminal
    switch(config)# vlan 5
    switch(config-vlan)# private-vlan primary
    The following example shows how to assign VLAN 100 to a PVLAN as a community VLAN:
    switch# configure terminal
    switch(config)# vlan 100
    switch(config-vlan)# private-vlan community
    The following example shows how to assign VLAN 200 to a PVLAN as an isolated VLAN:
    switch# configure terminal
    switch(config)# vlan 200
    switch(config-vlan)# private-vlan isolated

    Configure a port as a private VLAN host port
    In a PVLAN, a host port is part of a secondary VLAN, which can be either a community VLAN or an isolated VLAN.

    Configuring a PVLAN host port takes two steps: first define the port as a PVLAN host port, then configure the host association between the primary VLAN and the secondary VLAN.
    We recommend that you enable BPDU Guard on all interfaces configured as host ports.

    Step 1: switch# configure terminal
        Enters global configuration mode.
    Step 2: switch(config)# interface type [chassis/]slot/port
        Selects the port to configure as a PVLAN host port. This port can be on a FEX (identified by the chassis option).
    Step 3: switch(config-if)# switchport
        Configures the interface as a Layer 2 interface and deletes any configuration specific to Layer 3 on this interface.
    Step 4: switch(config-if)# switchport mode private-vlan host
        Configures the port as a host port for a PVLAN.
    Step 5: switch(config-if)# switchport private-vlan host-association {primary-vlan-id} {secondary-vlan-id}
        Associates the port with the primary and secondary VLANs of a PVLAN. The secondary VLAN can be either an isolated or community VLAN.
    Step 6 (optional): switch(config-if)# no switchport private-vlan host-association
        Removes the PVLAN association from the port.

    Example:
    This example shows how to configure Ethernet port 1/12 as a host port for a PVLAN and associate it to primary VLAN 5 and secondary VLAN 101:
    switch# configure terminal
    switch(config)# interface ethernet 1/12
    switch(config-if)# switchport
    switch(config-if)# switchport mode private-vlan host
    switch(config-if)# switchport private-vlan host-association 5 101

    Configure a port as a private VLAN promiscuous port

    Step 1: switch# configure terminal
        Enters global configuration mode.
    Step 2: switch(config)# interface type slot/port
        Selects the port to configure as a PVLAN promiscuous port. A base-board interface is required. This port cannot be on a FEX interface (HIF interface).
        Note: If this is a QSFP+ GEM or a breakout port, the port syntax is QSFP-module/port.
    Step 3: switch(config-if)# switchport
        Configures the interface as a Layer 2 interface and deletes any configuration specific to Layer 3 on this interface.
    Step 4: switch(config-if)# switchport mode private-vlan promiscuous
        Configures the port as a promiscuous port for a PVLAN. You can enable promiscuous ports and promiscuous trunk ports only on base-board ports (base-board ports are the ports on the switch). You cannot configure promiscuous ports on FEX (HIF) ports.
        Note: If you try to configure promiscuous ports on FEX (HIF) ports, the device will display an error.
    Step 5: switch(config-if)# switchport private-vlan mapping {primary-vlan-id} {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
        Configures the port as a promiscuous port and associates the specified port with a primary VLAN and a selected list of secondary VLANs. The secondary VLAN can be either an isolated or community VLAN.
    Step 6 (optional): switch(config-if)# no switchport private-vlan mapping
        Clears the mapping from the PVLAN.

    Example:
    The following example shows how to configure Ethernet interface 1/4 as a promiscuous port associated with primary VLAN 5 and secondary VLAN 200:
    switch# configure terminal
    switch(config)# interface ethernet 1/4
    switch(config-if)# switchport
    switch(config-if)# switchport mode private-vlan promiscuous
    switch(config-if)# switchport private-vlan mapping 5 200

    Configure a promiscuous trunk port
    In a PVLAN domain, a promiscuous trunk port is part of the primary VLAN. A promiscuous trunk port can carry multiple primary VLANs, and multiple secondary VLANs under each primary VLAN can be mapped to the promiscuous trunk port.

    Step 1: switch# configure terminal
        Enters global configuration mode.
    Step 2: switch(config)# interface type slot/port
        Selects the port to configure as a PVLAN promiscuous trunk port. A base-board interface is required. This port cannot be on a FEX interface (HIF interface).
        Note: If this is a QSFP+ GEM or a breakout port, the port syntax is QSFP-module/port.
    Step 3: switch(config-if)# switchport
        Configures the interface as a Layer 2 interface and deletes any configuration specific to Layer 3 on this interface.
    Step 4: switch(config-if)# switchport mode private-vlan trunk promiscuous
        Configures the port as a promiscuous trunk port for a PVLAN. You can enable promiscuous trunk ports only on base-board ports (base-board ports are the ports on the switch). You cannot configure promiscuous trunk ports on FEX (HIF) ports.
        Note: If you try to configure promiscuous trunk ports on FEX (HIF) ports, the device will display an error.
    Step 5: switch(config-if)# switchport private-vlan mapping trunk {primary-vlan-id} {secondary-vlan-id}
        Maps the trunk port with the primary and secondary VLANs of a PVLAN. The secondary VLAN can be either an isolated or community VLAN.
    Step 6 (optional): switch(config-if)# no switchport private-vlan mapping trunk [primary-vlan-id]
        Removes the PVLAN mapping from the port. If the primary-vlan-id is not supplied, all PVLAN mappings are removed from the port.

    The following example shows how to configure Ethernet interface 1/1 as a promiscuous trunk port for a PVLAN and then map the secondary VLANs to the primary VLAN:
    switch# configure terminal
    switch(config)# interface ethernet 1/1
    switch(config-if)# switchport
    switch(config-if)# switchport mode private-vlan trunk promiscuous
    switch(config-if)# switchport private-vlan mapping trunk 5 100
    switch(config-if)# switchport private-vlan mapping trunk 5 200
    switch(config-if)# switchport private-vlan mapping trunk 6 300

    Configure an isolated trunk port
    An isolated trunk port is part of a secondary VLAN and can carry traffic for multiple isolated VLANs.

    Step 1: switch# configure terminal
        Enters global configuration mode.
    Step 2: switch(config)# interface type [chassis/]slot/port
        Selects the port to configure as a PVLAN isolated trunk port. This port can be on a FEX (identified by the chassis option). The PVLAN isolated trunk port can be configured on an Ethernet port and on a FEX port.
        Note: If this is a QSFP+ GEM or a breakout port, the port syntax is QSFP-module/port.
    Step 3: switch(config-if)# switchport
        Configures the interface as a Layer 2 interface and deletes any configuration specific to Layer 3 on this interface.
    Step 4: switch(config-if)# switchport mode private-vlan trunk [secondary]
        Configures the port as a secondary trunk port for a PVLAN.
        Note: The secondary keyword is assumed if it is not present.
    Step 5: switch(config-if)# switchport private-vlan association trunk {primary-vlan-id} {secondary-vlan-id}
        Associates the isolated trunk port with the primary and secondary VLANs of a PVLAN. The secondary VLAN should be an isolated VLAN. Only one isolated VLAN can be mapped under a given primary VLAN.
    Step 6 (optional): switch(config-if)# no switchport private-vlan association trunk [primary-vlan-id]
        Removes the PVLAN association from the port. If the primary-vlan-id is not supplied, all PVLAN associations are removed from the port.

    The following example shows how to configure Ethernet interface 1/1 as an isolated trunk port for a PVLAN and then associate the secondary VLANs to the primary VLAN:
    switch# configure terminal
    switch(config)# interface ethernet 1/1
    switch(config-if)# switchport
    switch(config-if)# switchport mode private-vlan trunk secondary
    switch(config-if)# switchport private-vlan association trunk 5 100
    switch(config-if)# switchport private-vlan association trunk 6 200

    Configure the VLANs allowed on a PVLAN trunk port

    Isolated trunk ports and promiscuous trunk ports can carry traffic from regular VLANs as well as from PVLANs.

    Step 1: switch# configure terminal
        Enters global configuration mode.
    Step 2: switch(config)# interface type [chassis/]slot/port
        Selects the PVLAN trunk port (isolated or promiscuous trunk) to configure. The port can be on a FEX (identified by the chassis option) only in the isolated trunk case; promiscuous trunks are restricted to base-board ports.
    Step 3: switch(config-if)# switchport
        Configures the interface as a Layer 2 interface and deletes any configuration specific to Layer 3 on this interface.
    Step 4: switch(config-if)# switchport private-vlan trunk allowed vlan {vlan-list | all | none [add | except | none | remove {vlan-list}]}
        Sets the allowed VLANs for the private trunk interface. The default is to allow only mapped/associated VLANs on the PVLAN trunk interface.
        Note: The primary VLANs do not need to be explicitly added to the allowed VLAN list. They are added automatically once there is a mapping between primary and secondary VLANs.

    The following example shows how to add VLANs to the list of allowed VLANs on an Ethernet PVLAN trunk port:
    switch# configure terminal
    switch(config)# interface ethernet 1/3
    switch(config-if)# switchport
    switch(config-if)# switchport private-vlan trunk allowed vlan 15-20
    Configuring Native 802.1Q VLANs on Private VLANs

    Typically, you configure 802.1Q trunks with a native VLAN ID, which strips tagging from all packets on that VLAN. This configuration allows untagged traffic and control traffic to transit the switch. Secondary VLANs cannot be configured with a native VLAN ID on promiscuous trunk ports. Primary VLANs cannot be configured with a native VLAN ID on isolated trunk ports.

    Step 1: switch# configure terminal
        Enters global configuration mode.
    Step 2: switch(config)# interface type [chassis/]slot/port
        Selects the PVLAN trunk port to configure. This port can be on a FEX (identified by the chassis option) if it is an isolated trunk.
    Step 3: switch(config-if)# switchport
        Configures the interface as a Layer 2 interface and deletes any configuration specific to Layer 3 on this interface.
    Step 4: switch(config-if)# switchport private-vlan trunk native {vlan vlan-id}
        Sets the native VLAN ID for the PVLAN trunk. The default is VLAN 1.
    Step 5 (optional): switch(config-if)# no switchport private-vlan trunk native {vlan vlan-id}
        Removes the native VLAN ID from the PVLAN trunk.
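    Putting the procedures above together, here is an added example (not from the post or from Cisco) that audits an NX-OS running-config excerpt against the PVLAN guidelines collected on this page: the feature must be enabled; a VLAN that carries a private-vlan association must be typed primary and its secondaries must already exist as community or isolated VLANs, with at most one isolated VLAN; host ports should carry BPDU Guard; promiscuous ports and promiscuous trunks are not allowed on FEX (HIF) interfaces; a primary VLAN may not be the native VLAN of an isolated trunk and a secondary VLAN may not be the native VLAN of a promiscuous trunk. The running-config below is constructed for the example and deliberately contains three findings. The line-oriented parser, the treatment of the bare private-vlan association form as replacing the list, and the FEX HIF detection (a third slash-separated component in the interface name, as in Ethernet101/1/5) are assumptions of the example, not statements about NX-OS internals.

```python
# Constructed NX-OS running-config excerpt (made up for this example, not from
# the post). Planted findings: Ethernet1/13 has no BPDU Guard, Ethernet1/1 uses
# primary VLAN 5 as native VLAN on an isolated trunk, and Ethernet101/1/5 is a
# promiscuous port on a FEX (HIF) interface.
RUNNING_CONFIG = """\
feature private-vlan
vlan 5
  private-vlan primary
  private-vlan association 100,200
vlan 100
  private-vlan community
vlan 200
  private-vlan isolated
interface Ethernet1/4
  switchport mode private-vlan promiscuous
  switchport private-vlan mapping 5 100,200
interface Ethernet1/12
  switchport mode private-vlan host
  switchport private-vlan host-association 5 200
  spanning-tree bpduguard enable
interface Ethernet1/13
  switchport mode private-vlan host
  switchport private-vlan host-association 5 200
interface Ethernet1/1
  switchport mode private-vlan trunk secondary
  switchport private-vlan association trunk 5 200
  switchport private-vlan trunk native vlan 5
interface Ethernet101/1/5
  switchport mode private-vlan promiscuous
  switchport private-vlan mapping 5 100
"""


def expand(vlist):
    """Expand an NX-OS VLAN list such as '100,200-202' into a set of IDs."""
    ids = set()
    for item in vlist.split(","):
        lo, _, hi = item.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_config(text):
    """Pick the PVLAN-relevant lines out of an indented NX-OS config (simplified parser)."""
    features, vlans, ifaces = set(), {}, {}
    kind, sec = None, None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if not raw[0].isspace():                      # unindented line: section header
            kind = w[0]
            if kind == "feature":
                features.add(w[1])
            elif kind == "vlan":
                sec = vlans.setdefault(int(w[1]), {"type": None, "assoc": set()})
            elif kind == "interface":
                sec = ifaces.setdefault(w[1], {"mode": None, "native": None, "bpduguard": False})
            continue
        if kind == "vlan" and w[0] == "private-vlan":
            if w[1] == "association":                 # bare list replaces; add/remove adjust (assumption)
                ids = expand(w[-1])
                sec["assoc"] = (sec["assoc"] | ids if w[2] == "add" else
                                sec["assoc"] - ids if w[2] == "remove" else ids)
            else:
                sec["type"] = w[1]                    # primary | community | isolated
        elif kind == "interface":
            if w[:3] == ["switchport", "mode", "private-vlan"]:
                mode = " ".join(w[3:])
                sec["mode"] = "trunk secondary" if mode == "trunk" else mode  # 'secondary' is assumed
            elif w[:5] == ["switchport", "private-vlan", "trunk", "native", "vlan"]:
                sec["native"] = int(w[5])
            elif w == ["spanning-tree", "bpduguard", "enable"]:
                sec["bpduguard"] = True
    return features, vlans, ifaces


def audit(text):
    """Return 'ERROR: ...' / 'WARN: ...' findings for the PVLAN guidelines on this page."""
    features, vlans, ifaces = parse_config(text)
    out = []
    if "private-vlan" not in features:
        out.append("ERROR: 'feature private-vlan' is not enabled")
    primaries = {v for v, d in vlans.items() if d["type"] == "primary"}
    secondaries = {v: d["type"] for v, d in vlans.items() if d["type"] in ("community", "isolated")}
    for vid, d in vlans.items():
        if d["assoc"] and d["type"] != "primary":
            out.append(f"ERROR: vlan {vid} has a private-vlan association but is not type primary")
        if sum(secondaries.get(s) == "isolated" for s in d["assoc"]) > 1:
            out.append(f"ERROR: vlan {vid} associates more than one isolated VLAN")
        out += [f"ERROR: vlan {vid} associates VLAN {s}, which is not a community/isolated VLAN"
                for s in sorted(d["assoc"]) if s not in secondaries]
    for name, d in sorted(ifaces.items()):
        mode = d["mode"]
        if mode is None:
            continue
        on_fex = name.count("/") == 2                 # Ethernet<chassis>/<slot>/<port> (assumption)
        if "promiscuous" in mode and on_fex:
            out.append(f"ERROR: {name}: promiscuous ports/trunks are not supported on FEX (HIF) interfaces")
        if mode == "host" and not d["bpduguard"]:
            out.append(f"WARN: {name}: PVLAN host port without BPDU Guard")
        if mode == "trunk secondary" and d["native"] in primaries:
            out.append(f"ERROR: {name}: primary VLAN {d['native']} cannot be native on an isolated trunk")
        if mode == "trunk promiscuous" and d["native"] in secondaries:
            out.append(f"ERROR: {name}: secondary VLAN {d['native']} cannot be native on a promiscuous trunk")
    return out
```

    Calling audit(RUNNING_CONFIG) returns exactly the three planted findings; feeding it a copy of the config with the feature line removed adds the missing-feature error first. In practice you would run it over the output of show running-config before the change window closes, since the switch itself only rejects some of these conditions (the FEX promiscuous port) and merely recommends others (BPDU Guard).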



Comments
fortune
VIP Alumni
Thanks for sharing, learned something!