PRIVATE VLANS & VLAN CONFIGURATION EXAMPLES

http://blog.router-switch.com/

Private VLANs are a method to segment devices at layer 2 that are in the same IP network. Different VLANs are used, but they share a common IP network.

The most common scenario for a private VLAN is a residential network where customers connect to a switch provisioned by the ISP. The ISP wants to provision only one subnet, but the customers should not be able to reach each other at layer 2. The reason to disallow layer 2 intercommunication is security: to prevent someone from interfering with or eavesdropping on another customer's traffic. Another scenario could be a hosting environment where servers are connected to a switch and a common VLAN is used instead of provisioning one VLAN for every new customer.

Take a look at this picture.

PCs in the grey VLAN can only communicate with each other and the router. The same goes for the PCs in the green VLAN. PCs in the blue VLAN can ONLY communicate with the router, not with each other. The picture shows only one PC, but if there was another PC it would not be able to communicate with the other PC in the same VLAN.

Let's look at some of the building blocks of private VLANs.

Types of VLAN:
Primary VLAN – The VLAN that is used for receiving traffic from the device connected to the promiscuous port.
Community VLAN – Everybody that is located in a community VLAN may communicate with others in the same community VLAN and with the primary VLAN, but not with other VLANs.
Isolated VLAN – Can only reach the device on the promiscuous port; cannot reach any other devices.

Types of ports:

Promiscuous port – A port that is connected to the primary VLAN where a promiscuous device is connected. This device will route traffic between the different VLANs. Requires a mapping between the primary VLAN and all secondary VLANs.
Host port – Hosts are connected to host ports; requires an association between the secondary VLAN in use on the port and the primary VLAN.

This picture shows the traffic flow.

When communicating in the same community VLAN the traffic forwarding is direct (layer 2), but if traffic is sent between different secondary VLANs the traffic must pass through the router, which allows us to do packet filtering at layer 3. It also means that ARP cannot be sent directly between hosts even though they are in the same IP subnet. The arrows from the PC in the blue VLAN to the PC in the black VLAN show the traffic flow with numbering. First the PC in the blue VLAN sends a packet; this
packet is always sourced with the VID of the secondary VLAN. The router receives the traffic and, if no filtering is done, it sends the packet out sourced with the primary VLAN. The PC in the black VLAN receives the packet from the primary VLAN and sends its response with its secondary VLAN. Finally the router sends the packet back to the blue VLAN with the VID of the primary VLAN.

Let's have a look at what needs to be configured, starting with the VLAN configuration. The scenario is that there are two switches connected by a trunk, and routers are connected to the switchports (INE topology).

    vlan 100
     name PRIMARY
     private-vlan primary
     private-vlan association 1000,2000,3000
    !
    vlan 1000
     name COMMUNITY_1
     private-vlan community
    !
    vlan 2000
     name COMMUNITY_2
     private-vlan community
    !
    vlan 3000
     name ISOLATED
     private-vlan isolated

We create the VLANs and configure them to be primary, community or isolated. The primary VLAN needs to know the secondary VLANs it should be associated with.

Next is the interface configuration.

    interface FastEthernet0/1
     switchport private-vlan mapping 100 1000,2000,3000
     switchport mode private-vlan promiscuous
    !
    interface FastEthernet0/3
     switchport private-vlan host-association 100 1000
     switchport mode private-vlan host
    !
    interface FastEthernet0/5
     switchport private-vlan host-association 100 2000
     switchport mode private-vlan host

One port is configured as promiscuous and the others as hosts. The host ports with secondary VLANs need to know what primary VLAN is used, and the promiscuous port needs to know what the secondary VLANs are.
"show vlan private-vlan" will show what has been configured.

    SW1#show vlan private-vlan
    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------
    100     1000      community         Fa0/1, Fa0/3
    100     2000      community         Fa0/1, Fa0/5
    100     3000      isolated          Fa0/1

We also need configuration for SW2.

    vlan 100
     name PRIMARY
     private-vlan primary
     private-vlan association 1000,2000,3000
    !
    vlan 1000
     name COMMUNITY_1
     private-vlan community
    !
    vlan 2000
     name COMMUNITY_2
     private-vlan community
    !
    vlan 3000
     name ISOLATED
     private-vlan isolated
    !
    interface FastEthernet0/2
     switchport private-vlan host-association 100 1000
     switchport mode private-vlan host
    !
    interface FastEthernet0/4
     switchport private-vlan host-association 100 2000
     switchport mode private-vlan host
    !
    interface FastEthernet0/6
     switchport private-vlan host-association 100 3000
     switchport mode private-vlan host

"show interfaces switchport" will show how the port is configured.

    SW1#show interfaces f0/1 switchport
    Name: Fa0/1
    Switchport: Enabled
    Administrative Mode: private-vlan promiscuous
    Operational Mode: private-vlan promiscuous
    Administrative Trunking Encapsulation: negotiate
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: Off
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: none
    Administrative private-vlan host-association: none
    Administrative private-vlan mapping: 100 (PRIMARY) 1000 (COMMUNITY_1) 2000 (COMMUNITY_2) 3000 (ISOLATED)
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk Native VLAN tagging: enabled
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk associations: none
    Administrative private-vlan trunk mappings: none
    Operational private-vlan: 100 (PRIMARY) 1000 (COMMUNITY_1) 2000 (COMMUNITY_2) 3000 (ISOLATED)
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled: 2-1001
    Capture Mode Disabled
    Capture VLANs Allowed: ALL
    Protected: false
    Unknown unicast blocked: disabled
    Unknown multicast blocked: disabled
    Appliance trust: none

Let's try the configuration. We will start at R1, which is on the promiscuous port, and see if it can ping R2-R6.

    R1#ping 255.255.255.255 re 1
    Type escape sequence to abort.
    Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
    Reply to request 0 from 100.0.0.5, 4 ms
    Reply to request 0 from 100.0.0.2, 4 ms
    Reply to request 0 from 100.0.0.3, 4 ms
    Reply to request 0 from 100.0.0.4, 4 ms
    Reply to request 0 from 100.0.0.6, 4 ms

As expected, we can ping all the devices. R2 should only be able to ping R3 and R1.

    R2#ping 255.255.255.255 re 1
    Type escape sequence to abort.
    Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
    Reply to request 0 from 100.0.0.3, 4 ms
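As an added example (not part of the original post), the following Python script models the private-VLAN forwarding rules that the pings above exercise: it parses the page's port configuration for SW1 and SW2 (port names prefixed with the switch name, a constructed label) and computes which ports can exchange frames directly at layer 2. Assuming router Rn sits on port Fa0/n as in the INE topology, the output matches the tests: the promiscuous port reaches every host, a community port reaches only its own community plus the promiscuous port, and the isolated port reaches only the promiscuous port. The set of isolated secondaries is taken from the page's vlan configuration rather than parsed.

```python
import re
# Constructed running-config excerpt: the page's SW1/SW2 port configuration, port names prefixed with the switch.
PVLAN_CONFIG = """\
interface SW1:Fa0/1
 switchport private-vlan mapping 100 1000,2000,3000
 switchport mode private-vlan promiscuous
!
interface SW1:Fa0/3
 switchport private-vlan host-association 100 1000
 switchport mode private-vlan host
!
interface SW2:Fa0/2
 switchport private-vlan host-association 100 1000
 switchport mode private-vlan host
!
interface SW2:Fa0/6
 switchport private-vlan host-association 100 3000
 switchport mode private-vlan host
"""
ISOLATED = {3000}  # secondaries declared "private-vlan isolated" on the page (assumed known, not parsed here)

def parse_ports(config):
    ports, cur = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ports[cur] = {"mode": None, "primary": None, "secondaries": set()}
        elif cur and line.startswith("switchport mode private-vlan "):
            ports[cur]["mode"] = line.rsplit(None, 1)[1]
        elif cur and (m := re.match(r"switchport private-vlan (?:mapping|host-association) (\d+) ([\d,]+)", line)):
            ports[cur]["primary"] = int(m.group(1))
            ports[cur]["secondaries"] = {int(v) for v in m.group(2).split(",")}
    return ports

def can_talk(a, b, isolated=ISOLATED):
    if a["primary"] != b["primary"]:  # private-VLAN rules only apply within one primary VLAN
        return False
    if "promiscuous" in (a["mode"], b["mode"]):
        prom, host = (a, b) if a["mode"] == "promiscuous" else (b, a)
        # the promiscuous port reaches a host only if the host's secondary VLAN is mapped on it
        return bool(host["secondaries"] & prom["secondaries"])
    # host <-> host: they must share a secondary VLAN that is a community, never an isolated one
    return bool((a["secondaries"] & b["secondaries"]) - isolated)

def reachable_from(config, port):
    # Ports that can exchange frames with `port` directly at layer 2, without the router
    ports = parse_ports(config)
    return sorted(p for p in ports if p != port and can_talk(ports[port], ports[p]))
```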
    Reply to request 0 from 100.0.0.1, 4 ms

Working as expected. R6 should only be able to ping R1 since it is in an isolated VLAN.

    R6#ping 255.255.255.255 re 1
    Type escape sequence to abort.
    Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
    Reply to request 0 from 100.0.0.1, 4 ms

The configuration is working. What if we want to create an SVI in one of the switches? This is the configuration.

    SW1(config)#int vlan 100
    SW1(config-if)#ip add 100.0.0.7 255.255.255.0
    SW1(config-if)#no sh

Let's try to ping.

    SW1#ping 100.0.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 100.0.0.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
    SW1#ping 100.0.0.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

Why can't we ping R2? We have no mapping to the secondary VLAN!

    SW1(config)#int vlan 100
    SW1(config-if)#private-vlan mapping 1000
    SW1(config-if)#^Z
    SW1#
    *Mar 1 01:08:47.983: %PV-6-PV_MSG: Created a private vlan mapping, Primary 100, Secondary 1000
    SW1#
    *Mar 1 01:08:49.267: %SYS-5-CONFIG_I: Configured from console by console
    SW1#ping 100.0.0.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
    SW1#sh run int vlan 100
    Building configuration...

    Current configuration : 88 bytes
    !
    interface Vlan100
     ip address 100.0.0.7 255.255.255.0
     private-vlan mapping 1000
    end

Still no success. Why?

    SW1#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    SW1(config)#ip routing
    SW1(config)#^Z
    SW1#
    *Mar 1 01:14:26.858: %SYS-5-CONFIG_I: Configured from console by console
    SW1#ping 100.0.0.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

IP routing was needed!

If you need to find the documentation, here is the path on Cisco.com: Support -> Configure -> Products -> Switches -> LAN Switches - Access -> Cisco Catalyst 3560 Series Switches -> Configuration Guides -> Catalyst 3560 Software Configuration Guide, Release 12.2(52)SE -> Configuring Private VLANs

More Private VLANs Details and Tips:
How Private VLANs Work?
How to Configure Private VLANs on Cisco 3560 Switches?
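As an added example (not the blog's own code), this Python check finds the two SVI problems hit above directly in a running-config excerpt: the SVI on the primary VLAN lacks a private-vlan mapping for a secondary VLAN, and ip routing is disabled. It goes one step further than the post by reporting every secondary VLAN associated with the primary that the SVI does not map, not only VLAN 1000. The config text is constructed from the page's SW1 configuration at the point where the mapping for 1000 has been added but ip routing has not yet been enabled.

```python
import re

# Constructed running-config excerpt modelled on the page's SW1 after the first fix:
# the SVI maps only secondary 1000 and "ip routing" is still disabled.
SW1_RUNNING_CONFIG = """\
no ip routing
!
vlan 100
 name PRIMARY
 private-vlan primary
 private-vlan association 1000,2000,3000
!
interface Vlan100
 ip address 100.0.0.7 255.255.255.0
 private-vlan mapping 1000
"""

def pvlan_svi_findings(config):
    """Explain why an SVI on a private-VLAN primary cannot route for its secondary VLANs."""
    findings, associations, svi_mappings, cur = [], {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"vlan (\d+)$", line):
            cur = ("vlan", int(m.group(1)))
        elif m := re.match(r"interface Vlan(\d+)$", line):
            cur = ("svi", int(m.group(1)))
            svi_mappings[cur[1]] = set()
        elif line == "!":
            cur = None
        elif cur and cur[0] == "vlan" and (m := re.match(r"private-vlan association ([\d,]+)", line)):
            associations[cur[1]] = {int(v) for v in m.group(1).split(",")}
        elif cur and cur[0] == "svi" and (m := re.match(r"private-vlan mapping ([\d,]+)", line)):
            svi_mappings[cur[1]] |= {int(v) for v in m.group(1).split(",")}
    # IOS shows "no ip routing" while the switch is not routing; the SVI then cannot forward between VLANs
    if "ip routing" not in (l.strip() for l in config.splitlines()):
        findings.append("ip routing is disabled: the switch cannot route between secondary VLANs")
    for vid, mapped in svi_mappings.items():
        # every secondary associated with the primary must also be mapped on the SVI
        for missing in sorted(associations.get(vid, set()) - mapped):
            findings.append(f"interface Vlan{vid}: no private-vlan mapping for secondary {missing}")
    return findings
```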
