Secondary and Private VLAN

The secondary VLAN configuration on an IP interface provides the ability to associate multiple L2 VLANs with one L3 IP interface. The secondary VLAN feature supports the configuration of private VLANs by configuring ports on the secondary VLAN as private members. A secondary VLAN port is configured as a private VLAN member by restricting the ports to which it can egress, using the set vlan egress command. Members of the private VLAN are connected hosts that share the IP interface of the primary VLAN while being restricted from communicating directly with each other. Hosts on the primary VLAN, also referred to as the community VLAN, can communicate directly with hosts on both the primary and private VLANs.

When configuring members of the private VLAN, set the constraint of both the secondary and the primary VLAN to shared, using the same constraint set ID. This setting ensures that the primary and secondary VLAN use the same FID. VLAN constraint is set using the set vlan constraint command.

Add the ports of the primary VLAN to the egress list of both the primary and the secondary VLAN. Add the private member ports of the secondary VLAN to the egress list of the primary VLAN only, so that frames received on the secondary VLAN can egress only to primary VLAN ports. Use the set vlan egress command to set ports as members of a VLAN's egress list.

The secondary VLAN is not configured as an independent routing interface; it is configured within the primary VLAN. Only set an IP address for the primary VLAN interface. Do not set an IP address for the secondary VLAN.
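The three steps above (shared constraint, asymmetric egress lists, IP address on the primary VLAN only) can be checked before they are typed into a switch. The following model is an added example, not part of this guide and not the switch's own software: it derives the egress lists the text prescribes, simulates which port pairs can exchange frames given those lists, and reports any pair that violates the intended policy (private members isolated from each other, everyone else reachable). The VLAN IDs, constraint set ID and ge.x.y port names are constructed sample values, and the argument order rendered for the set vlan constraint and set vlan egress commands is an assumption to be verified against the CLI reference for the platform in use.

```python
"""Model of the primary/secondary (private) VLAN egress rules.

Added example, not taken from the configuration guide. The CLI text emitted by
render_commands() assumes the forms
    set vlan constraint <vlan-list> <constraint-id> shared
    set vlan egress <vlan> <port> untagged
which must be confirmed against the platform's command reference.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class PrivateVlanDesign:
    primary_vlan: int               # community VLAN; carries the IP interface
    secondary_vlan: int             # private VLAN; gets no IP address of its own
    constraint_id: int              # shared constraint set -> one FID for both VLANs
    primary_ports: tuple[str, ...]  # hosts that may talk to everyone
    private_ports: tuple[str, ...]  # hosts that may talk to primary hosts only


def egress_lists(d: PrivateVlanDesign) -> dict[int, frozenset[str]]:
    """Egress list per VLAN as the guide prescribes.

    Primary ports egress on both VLANs; private ports egress on the primary
    VLAN only. A frame classified to the secondary VLAN therefore can never be
    forwarded or flooded to another private port.
    """
    return {
        d.primary_vlan: frozenset(d.primary_ports) | frozenset(d.private_ports),
        d.secondary_vlan: frozenset(d.primary_ports),
    }


def ingress_vlan(d: PrivateVlanDesign, port: str) -> int:
    """An untagged frame is classified to the VLAN its ingress port belongs to."""
    if port in d.primary_ports:
        return d.primary_vlan
    if port in d.private_ports:
        return d.secondary_vlan
    raise ValueError(f"port {port} is not part of the design")


def can_reach(d: PrivateVlanDesign, src: str, dst: str,
              egress: dict[int, frozenset[str]] | None = None) -> bool:
    """True if a frame entering on src may leave on dst.

    With a shared FID the MAC table is common to both VLANs, so the egress
    list of the ingress VLAN alone decides. `egress` may override the derived
    lists to evaluate a candidate (possibly wrong) configuration.
    """
    if src == dst:
        return False
    lists = egress if egress is not None else egress_lists(d)
    return dst in lists[ingress_vlan(d, src)]


def isolation_violations(d: PrivateVlanDesign,
                         egress: dict[int, frozenset[str]] | None = None
                         ) -> list[tuple[str, str]]:
    """Port pairs that break the policy: private<->private must be blocked,
    every other ordered pair must be reachable."""
    violations = []
    all_ports = d.primary_ports + d.private_ports
    for src, dst in product(all_ports, repeat=2):
        if src == dst:
            continue
        both_private = src in d.private_ports and dst in d.private_ports
        # reachable and both private, or unreachable and not both private
        if can_reach(d, src, dst, egress) == both_private:
            violations.append((src, dst))
    return violations


def render_commands(d: PrivateVlanDesign) -> list[str]:
    """Render the constraint and egress steps (assumed syntax, see module doc).
    The IP address on the primary VLAN interface is configured separately."""
    cmds = [f"set vlan constraint {d.primary_vlan},{d.secondary_vlan} "
            f"{d.constraint_id} shared"]
    for vlan, ports in sorted(egress_lists(d).items()):
        for port in sorted(ports):
            cmds.append(f"set vlan egress {vlan} {port} untagged")
    return cmds


if __name__ == "__main__":
    # Constructed sample: two community hosts, three isolated subscriber ports.
    design = PrivateVlanDesign(100, 200, 5, ("ge.1.1", "ge.1.2"),
                               ("ge.1.3", "ge.1.4", "ge.1.5"))
    print("\n".join(render_commands(design)))
    print("violations:", isolation_violations(design))
```

Feeding the model a deliberately wrong egress table (for instance, private ports also present in the secondary VLAN's egress list) makes isolation_violations() list every private-to-private pair, which is the symptom to look for when a "private" VLAN unexpectedly lets subscribers see each other.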

See VLAN Configuration for VLAN configuration details.

This feature could be used in an internet service provider network where clients should not communicate directly with other clients on the same network unless permitted to do so. These restricted clients would be assigned to the secondary VLAN.