PVLAN Configuration Example 2

The following figure shows a PVLAN configuration example for a motel.

expand icon
PVLAN Configuration Example 2
../Graphics/EX_vlan_0060.svg

The motel example in the following figure has guest rooms, a conference room, and their web proxy server on the first floor, and guest rooms on the second floor. The motel has three Summit switches. There is one on the first floor in a closet, one on the first floor in the conference room, and one on the second floor.

The PVLAN in the following figure contains the following PVLAN components:
  • A VLAN called Main that contains the web proxy server.

  • A VLAN called ConfRoom that contains the ports for the conference room connections.

  • A VLAN called ClientConnections that contains client PC connections for the guest rooms.

The goals for the motel network are as follows:
  • Provide internet access for the ConfRoom and ClientConnections VLANs through the web proxy server.

  • Prevent communications between the ConfRoom and ClientConnections VLANs.

  • Enable communications between clients on the ClientConnections VLAN only within the conference room.

  • Enable communications between devices on the ConfRoom VLAN.

  • Prevent communications between the PCs in the ClientConnections VLAN that are not in the conference room.

Notice the following in the above figure:
  • The Summit switches in the first floor closet and on the second floor contain the Main VLAN with a tag of 100. This VLAN is connected via a tagged port between the first and second floor switches.

  • The Summit in the conference room does not contain the Main VLAN and cannot be a PVLAN member.

  • All of the switches have the ClientConnections VLAN, and it uses VLAN tag 200.

  • All of the switches have the ConfRoom VLAN, and it uses VLAN tag 300.

  • The Conference Room Summit connects to the rest of the network through a tagged connection to the Summit in the first floor closet.

  • Because the Summit in the first floor closet is a PVLAN member and uses the same port to support two subscriber VLANs, a loopback port is required in all subscriber VLANs, except the first configured subscriber VLAN (this applies to all switches and Summit family switches).
    Note

    Note

    The following examples contain comments that follow the CLI comment character (#). All text that follows this character is ignored by the switch and can be omitted from the switch configuration.

The following commands configure the Summit in the first floor closet:

# Create and configure the VLANs.
create vlan Main
configure vlan Main add port 1
configure vlan Main tag 100
configure vlan Main add port 2 tagged
create vlan ClientConnections
configure vlan ClientConnections tag 200
configure vlan ClientConnections add port 5-19
configure vlan ClientConnections add port 20 tagged
create vlan ConfRoom
configure vlan ConfRoom tag 300
configure vlan ConfRoom add port 21-30
configure vlan ConfRoom add port 20 tagged
# Create and configure the PVLAN named Motel.
create private-vlan Motel
configure private-vlan Motel add network Main
configure private-vlan Motel add subscriber ClientConnections # isolated subscriber VLAN
configure private-vlan "Motel" add subscriber "ConfRoom" non-isolated loopback-port 30
configure private-vlan Motel add subscriber ConfRoom non-isolated
# If you omit the loopback-port command, the above command produces the following error message:
# Cannot add subscriber because another subscriber vlan is already present on the same port, assign a loopback port when adding the subscriber vlan to the private vlan
# show vlan "ConfRoom"
VLAN Interface with name ConfRoom created by user
Admin State:    Enabled         Tagging:        802.1Q Tag 300
Virtual router: VR-Default
IPv6:           None
STPD:           None
Protocol:       Match all unfiltered protocols
Loopback:       Disabled
NetLogin:       Disabled
QosProfile:     None configured
Egress Rate Limit Designated Port: None configured
Private-VLAN Name:              Motel
VLAN Type in Private-VLAN:      Non-Isolated Subscriber
Ports:   13.      (Number of active ports=1)
Untag:      21,     22,     23,     24,     25,     26,     27,
28,     29
Tag:        1s,     2s,     20,   *30L
Flags:    (*) Active, (!) Disabled, (g) Load Sharing port
(b) Port blocked on the vlan, (m) Mac-Based port
(a) Egress traffic allowed for NetLogin
(u) Egress traffic unallowed for NetLogin
(t) Translate VLAN tag for Private-VLAN
(s) Private-VLAN System Port, (L) Loopback port
(x) VMAN Tag Translated port
(G) Multi-switch LAG Group port
# Note that the loopback port is flagged with an "L" and listed as a tagged port, and the network VLAN ports are flagged with an "s" and listed as tagged ports.

The following commands configure the Summit on the second floor:

# create and configure the VLANs
create vlan Main
configure vlan Main tag 100
configure vlan Main add port 2 tagged
create vlan ClientConnections
configure vlan ClientConnections tag 200
configure vlan ClientConnections add port 5-20
create vlan ConfRoom
configure vlan ConfRoom tag 300
# Create and configure the PVLAN named Motel.
create private-vlan Motel
configure private-vlan Motel add network Main
configure private-vlan Motel add subscriber ClientConnections # isolated subscriber VLAN
configure private-vlan Motel add subscriber ConfRoom non-isolated

The following commands configure the Summit in the conference room:

# create and configure the VLANs
create vlan ClientConnections
configure vlan ClientConnections tag 200
configure vlan ClientConnections add port 1-19
configure vlan ClientConnections add port 20 tag
create vlan ConfRoom
configure vlan ConfRoom tag 300
configure vlan ConfRoom add port 21-30
configure vlan ConfRoom add port 20 tag
# The VLANs operate as extensions of the VLANs on the Summit in the first floor closet. There is no PVLAN configuration on this switch.