PRIVATE VLANS
www.netprotocolxpert.in
• To begin with, recall that a VLAN is essentially a broadcast domain.
• Private VLANs (PVLANs) allow splitting that domain into multiple isolated broadcast “subdomains”, introducing sub-VLANs inside a VLAN. As we know, Ethernet VLANs cannot communicate directly with each other: they require an L3 device to forward packets between separate broadcast domains.
• The same restriction applies to PVLANs: since the subdomains are isolated at Layer 2, they need an upper-layer (L3/packet forwarding) device, such as a router, to communicate.
• In reality, different VLANs normally map to different IP subnets. When we split a VLAN using PVLANs, hosts in different PVLANs still belong to the same IP subnet, yet now they need to use a router (L3 device) to talk to each other (for example, by using Local Proxy ARP).
• In turn, the router may either permit or forbid communication between sub-VLANs using access-lists. Commonly, these configurations arise in “shared” environments, say ISP co-location, where it’s beneficial to put multiple customers into the same IP subnet, yet provide a good level of isolation between them.
VLAN Terminology
• For our sample configuration, we take VLAN 1000 and divide it into three PVLANs: sub-VLAN 1012 (R1 and R2), sub-VLAN 1034 (R3 and R4) and sub-VLAN 1055 (router R5 only). Router R6 will be used as the layer 3 device, to resolve the layer 3 communication issue. We name VLAN 1000 the “Primary” and classify the ports assigned to this VLAN based on their types:
• Promiscuous (“P”) port: Usually connects to a router. This port type is allowed to send and receive L2 frames from any other port on the VLAN.
• Isolated (“I”) port: This type of port is only allowed to communicate with “P”-ports, i.e., they are “stub” ports. You commonly see these ports connecting to hosts.
• Community (“C”) port: Community ports are allowed to talk to their buddies sharing the same community (group) and to “P”-ports.
• In order to implement sub-VLAN behaviour, we need to define how packets are forwarded between the different types of ports. We group the VLANs into “Primary” and “Secondary”.
• Primary VLAN (VLAN 1000 in our example). This VLAN is used to forward frames downstream from “P”-ports to all other port types (“I” and “C” ports) in the system. Essentially, the Primary VLAN embraces all ports in the domain, but only transports frames from the router to the hosts (from “P” to “I” and “C”).
• Secondary Isolated VLAN: forwards frames from “I” ports to “P” ports. Since Isolated ports do not exchange frames with each other, we can use just ONE isolated VLAN to connect all I-ports to the P-ports.
• Secondary Community VLANs: Transport frames between community ports (C-ports) within the same group (community) and forward frames upstream to the P-ports of the primary VLAN.
How Private VLANs Work
Here are the key aspects of Private VLAN functioning:
• The Primary VLAN delivers frames downstream from the router (promiscuous port) to all mapped hosts.
• The Isolated VLAN transports frames from the stub hosts upstream to the router.
• The Community VLANs allow bi-directional frame exchange within a single group, in addition to forwarding frames upstream towards “P”-ports.
• Ethernet MAC address learning and the forwarding procedure remain the same, as does the broadcast/multicast flooding procedure within the boundaries of the primary/secondary VLANs.
• Private VLANs can be trunked. The secondary VLAN numbers are used to tag frames, just as with regular VLANs, and the primary VLAN traffic is trunked as well.
• However, you need to configure the Private VLAN specific settings (bindings, mappings) on every participating switch, as it is not possible to use VTPv2 to disseminate that information.
• This is due to the fact that VTPv2 has no TLVs to carry private VLAN information. VTPv3 was designed to overcome this limitation, among others.
Configuring Private VLANs
We have primary VLAN 1000, Isolated VLAN 1055 (R5), Community VLAN 1012 (R1, R2) and Community VLAN 1034 (R3, R4).
Step 1:
First, disable VTP, i.e. enable VTP transparent mode. After disabling VTP, create the primary and secondary VLANs and bind them into a PVLAN domain:
SW1:
vtp mode transparent
!
! Creating the primary VLAN, which is shared among the secondaries
!
vlan 1000
 private-vlan primary
!
! Community VLAN for R1 and R2: allows a “sub-VLAN” within a primary VLAN
!
vlan 1012
 private-vlan community
!
! Community VLAN for R3 and R4
!
vlan 1034
 private-vlan community
!
! Isolated VLAN: connects all stub hosts to the router.
! Remember - only one isolated VLAN per primary VLAN.
! In our case, isolates R5 only.
!
vlan 1055
 private-vlan isolated
!
! Associating the primary with the secondaries
!
vlan 1000
 private-vlan association 1012,1034,1055
This step groups the PVLANs into a shared domain and establishes a formal association (for syntax checking and VLAN type verification). Repeat the same operations on SW2, since VTP has been disabled.
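The association step above, and the warning elsewhere on these slides that VTPv2 cannot carry private-VLAN definitions, both amount to a consistency check that is easy to get wrong when the same commands are retyped on a second switch. The Python script below is an added example and not part of the page or of any Cisco tooling: it parses the subset of IOS syntax used in these slides and reports secondaries that are bound or mapped but never associated, more than one isolated VLAN under a primary, and definitions that differ between switches. The two sample configurations inside it are constructed (SW1 mirrors the slides; SW2 deliberately omits 1055 from the association while its promiscuous port still maps it), and the function names are this example's own.

```python
"""Consistency audit for the private-VLAN definitions shown on the page.
Added example, not the page's or Cisco's code: it parses the subset of IOS
syntax used in these slides and flags the mistakes the text warns about."""
import re
from collections import defaultdict


def parse_pvlan_config(text):
    """Extract VLAN types, associations, host bindings and P-port/SVI mappings."""
    vlan_types, associations = {}, defaultdict(set)
    host_assoc, mappings = {}, {}
    cur_vlan = cur_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"vlan (\d+)$", line):
            cur_vlan, cur_if = int(m.group(1)), None
        elif m := re.match(r"interface (.+)$", line):
            # "FastEthernet 0/13" and "FastEthernet0/13" name the same port
            cur_if, cur_vlan = m.group(1).replace(" ", ""), None
        elif cur_vlan is not None:
            if m := re.match(r"private-vlan association ([\d,]+)$", line):
                associations[cur_vlan] |= {int(v) for v in m.group(1).split(",")}
            elif m := re.match(r"private-vlan (primary|community|isolated)$", line):
                vlan_types[cur_vlan] = m.group(1)
        elif cur_if is not None:
            if m := re.match(r"switchport private-vlan host-association (\d+) (\d+)$", line):
                host_assoc[cur_if] = (int(m.group(1)), int(m.group(2)))
            elif m := re.match(r"switchport private-vlan mapping (\d+) ([\d,]+)$", line):
                mappings[cur_if] = (int(m.group(1)), {int(v) for v in m.group(2).split(",")})
            elif (m := re.match(r"private-vlan mapping ([\d,]+)$", line)) and cur_if.startswith("Vlan"):
                # On an SVI the primary is the SVI's own VLAN number.
                mappings[cur_if] = (int(cur_if[4:]), {int(v) for v in m.group(1).split(",")})
    return {"types": vlan_types, "assoc": associations, "hosts": host_assoc, "maps": mappings}


def audit(configs):
    """Return human-readable findings for one or more switch configurations."""
    parsed = {sw: parse_pvlan_config(cfg) for sw, cfg in configs.items()}
    findings = []
    for sw, p in parsed.items():
        for primary, secs in p["assoc"].items():
            if p["types"].get(primary) != "primary":
                findings.append(f"{sw}: vlan {primary} has an association but is not 'private-vlan primary'")
            for s in sorted(secs):
                if p["types"].get(s) not in ("community", "isolated"):
                    findings.append(f"{sw}: secondary {s} under {primary} is not defined as community or isolated")
            if sum(p["types"].get(s) == "isolated" for s in secs) > 1:
                findings.append(f"{sw}: primary {primary} has more than one isolated VLAN")
        for iface, (primary, sec) in p["hosts"].items():
            if sec not in p["assoc"].get(primary, set()):
                findings.append(f"{sw}: {iface} binds secondary {sec} that is not associated with primary {primary}")
        for iface, (primary, secs) in p["maps"].items():
            for s in sorted(secs - p["assoc"].get(primary, set())):
                findings.append(f"{sw}: {iface} maps secondary {s} that is not associated with primary {primary}")
    # VTPv2 carries no private-VLAN TLVs, so every switch must hold identical definitions.
    names = sorted(parsed)
    for a, b in zip(names, names[1:]):
        if (parsed[a]["types"], dict(parsed[a]["assoc"])) != (parsed[b]["types"], dict(parsed[b]["assoc"])):
            findings.append(f"{a}/{b}: private-vlan definitions differ; VTPv2 will not sync them, fix manually")
    return findings


# Constructed samples: SW1 mirrors the slides, SW2 deliberately drops 1055
# from the association while Fa0/6 still maps it.
SW1_CONFIG = """
vtp mode transparent
vlan 1000
 private-vlan primary
vlan 1012
 private-vlan community
vlan 1034
 private-vlan community
vlan 1055
 private-vlan isolated
vlan 1000
 private-vlan association 1012,1034,1055
interface FastEthernet0/1
 switchport private-vlan host-association 1000 1012
interface Vlan1000
 ip address 10.0.0.7 255.255.255.0
 private-vlan mapping 1012,1034,1055
"""
SW2_DRIFTED_CONFIG = """
vlan 1000
 private-vlan primary
vlan 1012
 private-vlan community
vlan 1034
 private-vlan community
vlan 1055
 private-vlan isolated
vlan 1000
 private-vlan association 1012,1034
interface FastEthernet0/6
 switchport private-vlan mapping 1000 1012,1034,1055
"""

if __name__ == "__main__":
    for finding in audit({"SW1": SW1_CONFIG, "SW2": SW2_DRIFTED_CONFIG}):
        print(finding)
```

Feed it the `show running-config` text of each switch in the domain; an empty list means the definitions are consistent, and any drift finding points at exactly the kind of per-switch omission that VTPv2 would otherwise have hidden until a host silently lost connectivity.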
Step 2:
Configure the host ports and bind them to their respective secondary PVLANs. Note that a host port belongs to two VLANs at the same time: the downstream primary and the upstream secondary. Also, enable trunking between the switches, to allow private VLAN traffic to pass between them.
SW1:
!
! Community port (links R1 to R2 and “P”-ports)
!
interface FastEthernet0/1
 description == R1
 switchport private-vlan host-association 1000 1012
 switchport mode private-vlan host
 spanning-tree portfast
!
! Community port (links R3 to R4 and “P”-ports)
!
interface FastEthernet0/3
 description == R3
 switchport private-vlan host-association 1000 1034
 switchport mode private-vlan host
 spanning-tree portfast
!
! Isolated port (uses the isolated VLAN to talk to “P”-ports)
!
interface FastEthernet0/5
 description == R5
 switchport private-vlan host-association 1000 1055
 switchport mode private-vlan host
 spanning-tree portfast
!
! Trunk port
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
SW2:
!
interface FastEthernet0/2
 description == R2
 switchport private-vlan host-association 1000 1012
 switchport mode private-vlan host
 spanning-tree portfast
!
interface FastEthernet0/4
 description == R4
 switchport private-vlan host-association 1000 1034
 switchport mode private-vlan host
 spanning-tree portfast
!
! Trunk port
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
Next, verify the configuration on SW1:
SW1#show vlan id 1012

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1012 VLAN1012                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1012 enet  101012     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1012      community         Fa0/1

SW1#show vlan id 1034

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1034 VLAN1034                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1034 enet  101034     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1034      community         Fa0/3

SW1#show vlan id 1055

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1055 VLAN1055                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1055 enet  101055     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1055      isolated          Fa0/5

SW1#show interfaces fastEthernet 0/13 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1,1000,1012,1034,1055

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      1,1000,1012,1034,1055
Verify on SW2:
SW2#show vlan id 1000

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1000 VLAN1000                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1000 enet  101000     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1012      community         Fa0/2, Fa0/6
1000    1034      community         Fa0/4, Fa0/6
1000    1055      isolated          Fa0/6

SW2#show vlan id 1012

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1012 VLAN1012                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1012 enet  101012     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1012      community         Fa0/2, Fa0/6

SW2#show vlan id 1034

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1034 VLAN1034                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1034 enet  101034     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1034      community         Fa0/4, Fa0/6

SW2#show vlan id 1055

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1055 VLAN1055                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1055 enet  101055     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1055      isolated          Fa0/6

SW2#show interface fastEthernet 0/13 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1,1000,1012,1034,1055

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      1,1000,1012,1034,1055
Step 3:
Create a promiscuous port and configure its downstream mappings. The mapping lists the secondary VLANs whose traffic this particular “P”-port receives. The primary VLAN is used to send traffic downstream to all “C” and “I” ports per their associations.
SW2:
!
! Promiscuous port, mapped to all secondary VLANs
!
interface FastEthernet0/6
 description == R6
 switchport private-vlan mapping 1000 1012,1034,1055
 switchport mode private-vlan promiscuous
 spanning-tree portfast
Verify the promiscuous port configuration:
SW2#show int fa 0/6 switch | beg private
Administrative Mode: private-vlan promiscuous
Operational Mode: private-vlan promiscuous
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 1000 (VLAN1000) 1012 (VLAN1012) 1034 (VLAN1034) 1055 (VLAN1055)
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan:
  1000 (VLAN1000) 1012 (VLAN1012) 1034 (VLAN1034) 1055 (VLAN1055)
If you need to configure an SVI on a switch to communicate with private VLAN members, you should add an interface corresponding to the Primary VLAN only. Obviously that’s because all secondary VLANs are “subordinates” of the primary. After the SVI has been created, you have to map the required secondary VLANs to the SVI (just like with a promiscuous port) in order to make communication possible. You may exclude some mappings from the SVI and so limit it to communicating only with certain secondary VLANs.
SW1:
!
! SW1 SVI is mapped to all secondary VLANs
!
interface Vlan1000
 ip address 10.0.0.7 255.255.255.0
 private-vlan mapping 1012,1034,1055
SW2:
!
! SW2 SVI is mapped to 1012/1034 only, so it cannot communicate with R5
!
interface Vlan1000
 ip address 10.0.0.8 255.255.255.0
 private-vlan mapping 1012,1034
Now, to verify the configuration, configure the R1-R6 interfaces in subnet 10.0.0.0/24 and ping the broadcast address.
R1#ping 10.0.0.255 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

Reply to request 0 from 10.0.0.7, 4 ms
Reply to request 0 from 10.0.0.2, 4 ms
Reply to request 0 from 10.0.0.6, 4 ms
Reply to request 0 from 10.0.0.8, 4 ms

R3#ping 10.0.0.255 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

Reply to request 0 from 10.0.0.7, 4 ms
Reply to request 0 from 10.0.0.4, 4 ms
Reply to request 0 from 10.0.0.6, 4 ms
Reply to request 0 from 10.0.0.8, 4 ms

R5#ping 10.0.0.255 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

Reply to request 0 from 10.0.0.7, 1 ms
Reply to request 0 from 10.0.0.6, 1 ms

R6#ping 10.0.0.255 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

Reply to request 0 from 10.0.0.1, 4 ms
Reply to request 0 from 10.0.0.7, 4 ms
Reply to request 0 from 10.0.0.2, 4 ms
Reply to request 0 from 10.0.0.5, 4 ms
Reply to request 0 from 10.0.0.3, 4 ms
Reply to request 0 from 10.0.0.4, 4 ms
Reply to request 0 from 10.0.0.8, 4 ms
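The broadcast-ping results above follow directly from the forwarding rules stated under “How Private VLANs Work” together with the SVI mappings: R1 only hears from its own community, R6 and both SVIs, and R5 never hears from SW2's SVI because that SVI is not mapped to 1055. The Python model below is an added example, not code from the page or from Cisco: it encodes those rules for the page's topology (R1-R6 and the two SVIs at 10.0.0.7 and 10.0.0.8) and recomputes which addresses answer each broadcast. The port and helper names are this example's own, and it treats a pair of ports as reachable only when frames can flow in both directions, which is what a ping reply demonstrates.

```python
"""Reachability model for the private-VLAN topology on the page.
Added example, not code from the page or from Cisco: it encodes the three
forwarding rules from the text and replays the broadcast-ping checks."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

PRIMARY = 1000  # primary VLAN used throughout the page


@dataclass(frozen=True)
class Port:
    name: str
    ip: str
    kind: str                               # "P" promiscuous port or SVI, "I" isolated, "C" community
    secondary: Optional[int] = None         # secondary VLAN of an "I" or "C" host port
    mappings: FrozenSet[int] = frozenset()  # secondaries a "P" port / SVI is mapped to


def frame_allowed(src: Port, dst: Port) -> bool:
    """One-way rule: may a frame sent by src be delivered to dst?"""
    if src.kind == "P":
        # The primary VLAN floods downstream from a "P" port to every port in the domain.
        return True
    if src.kind == "I":
        # The isolated VLAN only carries frames upstream to "P" ports mapped to it.
        return dst.kind == "P" and src.secondary in dst.mappings
    if src.kind == "C":
        # A community VLAN reaches its own group and the "P" ports mapped to it.
        if dst.kind == "C":
            return dst.secondary == src.secondary
        return dst.kind == "P" and src.secondary in dst.mappings
    raise ValueError(f"unknown port kind {src.kind!r}")


def can_exchange(a: Port, b: Port) -> bool:
    """A ping only succeeds when frames flow both ways."""
    return frame_allowed(a, b) and frame_allowed(b, a)


# Topology from the page: three secondaries under primary 1000, R6 promiscuous,
# SW1's SVI mapped to all three secondaries, SW2's SVI mapped to 1012/1034 only.
ALL_SECONDARIES = frozenset({1012, 1034, 1055})
DOMAIN = [
    Port("R1", "10.0.0.1", "C", secondary=1012),
    Port("R2", "10.0.0.2", "C", secondary=1012),
    Port("R3", "10.0.0.3", "C", secondary=1034),
    Port("R4", "10.0.0.4", "C", secondary=1034),
    Port("R5", "10.0.0.5", "I", secondary=1055),
    Port("R6", "10.0.0.6", "P", mappings=ALL_SECONDARIES),
    Port("SW1-SVI", "10.0.0.7", "P", mappings=ALL_SECONDARIES),
    Port("SW2-SVI", "10.0.0.8", "P", mappings=frozenset({1012, 1034})),
]


def broadcast_replies(src_name: str) -> List[str]:
    """Addresses that answer a directed broadcast sent from src_name."""
    src = next(p for p in DOMAIN if p.name == src_name)
    return sorted(p.ip for p in DOMAIN if p is not src and can_exchange(src, p))


if __name__ == "__main__":
    for name in ("R1", "R3", "R5", "R6"):
        print(name, "->", ", ".join(broadcast_replies(name)))
```

Changing a single mapping in `DOMAIN` (for example adding 1055 to the SW2 SVI) and re-running shows which extra replies appear, which is a quick way to reason about an intended isolation boundary before touching the switches.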
Lastly, there is another feature, called protected port or “Private VLAN edge”. The feature is pretty basic and is available even on low-end Cisco switches. It allows isolating ports in the same VLAN. Specifically, all ports in a VLAN marked as protected are prohibited from sending frames to each other (but are still allowed to send frames to other, non-protected, ports within the same VLAN). Usually, ports configured as protected are also configured not to receive unknown unicast (frames with a destination MAC address not in the switch’s MAC table) and multicast flooding, for added security.
Example:
interface range FastEthernet 0/1 - 2
 switchport mode access
 switchport protected
 switchport block unicast
 switchport block multicast
