Cisco Private vLAN

PC1

no ip routing
int e0/0
no shut
ip add 192.168.0.1 255.255.255.0

PC2

no ip routing
int e0/0
no shut
ip add 192.168.0.2 255.255.255.0

PC3

no ip routing
int e0/0
no shut
ip add 192.168.0.3 255.255.255.0

PC4

no ip routing
int e0/0
no shut
ip add 192.168.0.4 255.255.255.0

Server1

no ip routing
int e0/0
no shut
ip add 192.168.0.254 255.255.255.0

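The first thing to note with private VLANs is that the VTP mode must be changed (the configuration below uses transparent mode). If VTP is unfamiliar, read up on it first.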

SW1

vtp mode transparent

vlan 500
private-vlan primary
private-vlan association 501-502

vlan 501
private-vlan community

vlan 502
private-vlan isolated

interface range g0/0-1
switchport mode private-vlan host
switchport private-vlan host-association 500 501

interface range g0/2-3
switchport mode private-vlan host
switchport private-vlan host-association 500 502

interface g1/0
switchport mode private-vlan promiscuous
switchport private-vlan mapping 500 501-502

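Because PC1 and PC2 are in community VLAN 501, they can reach each other, and they can also reach Server1 on the promiscuous port.

The result is the same as for PC1.

PC3 and PC4 are in isolated VLAN 502, so they cannot connect to each other or to PC1 and PC2, but they can reach Server1 on the promiscuous port.

The result is the same as for PC3.

Server1 is on the promiscuous port in VLAN 500, so it can communicate with all of the PCs.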
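The reachability described above can be derived from the SW1 configuration itself, which is useful when auditing whether a private-VLAN change still enforces the intended isolation. The following Python is an added example, not part of the original post; the PC-to-port assignment in `HOSTS` and the function names are assumptions made for illustration.

```python
import re
from itertools import combinations

# SW1 private-VLAN lines from this page, embedded so the check runs offline.
SW1 = """vlan 500
private-vlan primary
vlan 501
private-vlan community
vlan 502
private-vlan isolated
interface range g0/0-1
switchport private-vlan host-association 500 501
interface range g0/2-3
switchport private-vlan host-association 500 502
interface g1/0
switchport private-vlan mapping 500 501-502"""
# Assumption: the page does not say which PC is cabled to which port in a range.
HOSTS = {"PC1": "g0/0", "PC2": "g0/1", "PC3": "g0/2", "PC4": "g0/3", "Server1": "g1/0"}

def expand(spec):
    """Expand 'g0/0-1' or '501-502' into its members; other names pass through."""
    m = re.fullmatch(r"(.*?)(\d+)-(\d+)", spec)
    if not m:
        return [spec]
    return [f"{m.group(1)}{i}" for i in range(int(m.group(2)), int(m.group(3)) + 1)]

def parse(config):
    """Return ({vlan: type}, {port: (role, primary, secondary VLAN set)})."""
    vlan_type, ports, scope = {}, {}, []
    for words in (line.split() for line in config.splitlines() if line.split()):
        if words[0] in ("vlan", "interface"):
            scope = expand(words[-1])
        elif words[0] == "private-vlan" and words[1] in ("primary", "community", "isolated"):
            vlan_type.update((v, words[1]) for v in scope)
        elif words[:3] == ["switchport", "private-vlan", "host-association"]:
            ports.update((p, ("host", words[3], {words[4]})) for p in scope)
        elif words[:3] == ["switchport", "private-vlan", "mapping"]:
            ports.update((p, ("promiscuous", words[3], set(expand(words[4])))) for p in scope)
    return vlan_type, ports

def allowed_pairs(config, hosts=HOSTS):
    """Host pairs that the private-VLAN forwarding rules let exchange frames."""
    vlan_type, ports = parse(config)
    def ok(a, b):
        (ra, pa, sa), (rb, pb, sb) = ports[hosts[a]], ports[hosts[b]]
        if "promiscuous" in (ra, rb):  # promiscuous port reaches only its mapped secondaries
            return pa == pb and (ra == rb or (sb <= sa if ra == "promiscuous" else sa <= sb))
        # Two host ports talk only when both sit in the same community VLAN.
        return pa == pb and sa == sb and all(vlan_type.get(v) == "community" for v in sa)
    return {pair for pair in combinations(sorted(hosts), 2) if ok(*pair)}
```

Comparing `allowed_pairs(SW1)` against the intended policy before and after a change shows whether an edit, such as moving a port into the community VLAN, has opened a path between hosts that were meant to stay isolated.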

Useful commands

show interfaces fastEthernet 0/1 switchport
show interface fa0/24 switchport
show vlan private-vlan
show vlan private-vlan type
