PVLAN Configuration Example 1

The following figure shows a PVLAN configuration example for a medical research lab.

[Figure: PVLAN Configuration Example 1]

The medical research lab hosts many visiting clients. Each client has their own room, and the lab wants to grant them access to the internet through a local web proxy server while preventing them from accessing other visiting clients. The building also contains a lab where many research workstations are located. Workstations within the lab require access to other lab workstations, the internet, and file servers that are connected to a switch in another building. Visiting clients should not have access to the Research VLAN devices or the file servers on the remote switch.

The PVLAN in the figure contains the following components:
  • Network VLAN named Main, which provides internet access through the proxy web server and access to file servers on the remote switch.

  • Isolated subscriber VLAN named ClientConnections, which provides internet access for visiting clients and isolation from other visiting clients, the Research VLAN devices, and the remote file servers.

  • Non-isolated subscriber VLAN named Research, which provides internet access and enables communications between Research VLAN devices and the remote file servers.

  1. The first configuration step is to create and configure the VLANs on the local switch:
    create vlan Main
    configure vlan Main add port 1:*
    configure vlan Main tag 100
    create vlan ClientConnections
    configure vlan ClientConnections add port 2:*
    configure vlan ClientConnections tag 200
    create vlan Research
    configure vlan Research add port 3:*
    configure vlan Research tag 300
    
  2. The remote switch VLAN is configured as follows:
    create vlan Main
    configure vlan Main add port 1:*
    configure vlan Main tag 100
    
  3. The next step is to create the PVLAN on the local switch and configure each of the component VLANs for the proper role:
    create private-vlan MedPrivate
    configure private-vlan "MedPrivate" add network "Main"
    configure private-vlan "MedPrivate" add subscriber "ClientConnections"
    configure private-vlan "MedPrivate" add subscriber "Research" non-isolated
    
  4. The final step is to configure VLAN translation on the local switch so that Research VLAN workstations can connect to the file servers on the remote switch:
    configure Main add ports 1:1 private-vlan translated
    
  5. To view the completed configuration, enter the show private-vlan command as follows:
    show private-vlan
    --------------------------------------------------------------------------------------
    Name            VID  Protocol Addr        Flags                Proto  Ports  Virtual
                                                                          Active router
                                                                          /Total
    --------------------------------------------------------------------------------------
    MedPrivate                                                                  VR-Default
    Network VLAN:
    -main          100  -------------------------------------    ANY    2 /48  VR-Default
    Non-Isolated Subscriber VLAN:
    -Research      300  -------------------------------------    ANY    2 /96  VR-Default
    Isolated Subscriber VLAN:
    -ClientConnections 200  ---------------------------------    ANY    2 /52  VR-Default
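The isolation in this example depends on which subscriber VLANs carry the non-isolated keyword in step 3, so that part of the configuration is worth checking before it is applied. The following Python sketch is an added example, not vendor code: it parses only the create vlan and private-vlan command forms shown in steps 1 and 3 (port membership and translation lines are left out), and the `must_isolate` policy list and function names are assumptions made for illustration.

```python
# Added example: static check of the PVLAN commands shown above (not vendor code).
LOCAL_CONFIG = '''
create vlan Main
configure vlan Main tag 100
create vlan ClientConnections
configure vlan ClientConnections tag 200
create vlan Research
configure vlan Research tag 300
create private-vlan MedPrivate
configure private-vlan "MedPrivate" add network "Main"
configure private-vlan "MedPrivate" add subscriber "ClientConnections"
configure private-vlan "MedPrivate" add subscriber "Research" non-isolated
'''

def parse(config):
    """Return (vlans, pvlans) built from the command forms used on this page."""
    vlans, pvlans = set(), {}
    for line in config.splitlines():
        t = line.replace('"', "").split()
        if t[:2] == ["create", "vlan"] and len(t) > 2:
            vlans.add(t[2])
        elif t[:2] == ["create", "private-vlan"] and len(t) > 2:
            pvlans.setdefault(t[2], {"network": None, "subscribers": {}})
        elif t[:2] == ["configure", "private-vlan"] and t[3:4] == ["add"] and len(t) > 5:
            pv = pvlans.setdefault(t[2], {"network": None, "subscribers": {}})
            if t[4] == "network":
                pv["network"] = t[5]
            elif t[4] == "subscriber":
                # A subscriber is isolated unless the non-isolated keyword is given.
                pv["subscribers"][t[5]] = "non-isolated" not in t[6:]
    return vlans, pvlans

def audit(config, must_isolate):
    """must_isolate: VLAN names the site policy requires to be isolated (assumed input)."""
    vlans, pvlans = parse(config)
    findings, isolated = [], {}
    for name, pv in pvlans.items():
        if pv["network"] is None:
            findings.append(f"{name}: no network VLAN")
        for v in [pv["network"], *pv["subscribers"]]:
            if v is not None and v not in vlans:
                findings.append(f"{name}: VLAN {v} is never created")
        isolated.update(pv["subscribers"])
    for v in must_isolate:
        if v not in isolated:
            findings.append(f"{v}: not a PVLAN subscriber")
        elif not isolated[v]:
            findings.append(f"{v}: subscriber is non-isolated")
    return findings
```

Calling `audit(LOCAL_CONFIG, ["ClientConnections"])` returns an empty list for the configuration on this page; adding non-isolated to the ClientConnections subscriber line produces a finding.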