PRIVATE VLANS & VLAN CONFIGURATION EXAMPLES

Private VLANs are a method to segment devices at layer 2 that are in the same IP
network. Different VLANs are used, but they share a common IP network.

The most common scenario for a private VLAN is a residential network where
customers connect to a switch provisioned by the ISP. The ISP wants to provision
only one subnet, but the customers should not be able to reach each other at layer 2.

The reason to disallow layer 2 intercommunication is security: to prevent
someone from interfering with or eavesdropping on another customer's traffic. Another
scenario could be a hosting environment where servers are connected to a switch
and a common VLAN is used instead of provisioning one VLAN for every new
customer.

Take a look at this picture.




PCs in the grey VLAN can only communicate with each other and the router. The
same goes for the PCs in the green VLAN. PCs in the blue VLAN can ONLY
communicate with the router, not with each other. The picture shows only one PC, but
if there were another PC it would not be able to communicate with the other PC in the
same VLAN.

Let’s look at some of the building blocks of private VLANs.
http://blog.router-switch.com/
Types of VLAN:
Primary VLAN – The VLAN that is used for receiving traffic from the device connected
to the promiscuous port.
Community VLAN – Everybody that is located in a community VLAN may
communicate with others in the same community VLAN and with the primary VLAN,
but not with other VLANs.
Isolated VLAN – Can only reach the device on the promiscuous port, cannot reach
any other devices.

Types of ports:
Promiscuous port – A port that is connected to the primary VLAN where a
promiscuous device is connected. This device will route traffic between the different
VLANs. Requires a mapping between the primary VLAN and all secondary VLANs.
Host port – Hosts are connected to host ports. Requires an association between the
secondary VLAN in use on the port and the primary VLAN.

This picture shows the traffic flow.




When communicating in the same community VLAN the traffic forwarding is direct
(layer 2), but if traffic is sent between different secondary VLANs it must pass
through the router, which allows us to do packet filtering at layer 3. It also means
that ARP cannot be sent directly between hosts even though they are in the same IP
subnet. The arrows from the PC in the blue VLAN to the PC in the black VLAN show
the traffic flow with numbering. First the PC in the blue VLAN sends a packet; this
packet is always sourced with the VID of the secondary VLAN. The router receives
the traffic and, if no filtering is done, sends the packet out sourced with the primary
VLAN. The PC in the black VLAN receives the packet from the primary VLAN and
sends its response with its secondary VLAN. Finally the router sends the packet back
to the blue VLAN with the VID of the primary VLAN.

Let's have a look at what needs to be configured, starting with the VLAN
configuration. The scenario is that there are two switches connected by a trunk and
routers are connected to the switchports (INE topology).
vlan 100
 name PRIMARY
 private-vlan primary
 private-vlan association 1000,2000,3000
!
vlan 1000
 name COMMUNITY_1
 private-vlan community
!
vlan 2000
 name COMMUNITY_2
 private-vlan community
!
vlan 3000
 name ISOLATED
 private-vlan isolated

We create the VLANs and configure them to be primary, community or isolated. The
primary VLAN needs to know the secondary VLANs it should be associated with.
Next is the interface configuration.
interface FastEthernet0/1
 switchport private-vlan mapping 100 1000,2000,3000
 switchport mode private-vlan promiscuous
!
interface FastEthernet0/3
 switchport private-vlan host-association 100 1000
 switchport mode private-vlan host
!
interface FastEthernet0/5
 switchport private-vlan host-association 100 2000
 switchport mode private-vlan host

One port is configured as promiscuous and the others as hosts. The host ports with
secondary VLANs need to know what primary VLAN is used, and the promiscuous port
needs to know what the secondary VLANs are.

The command show vlan private-vlan shows what has been configured.
SW1#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     1000      community         Fa0/1, Fa0/3
100     2000      community         Fa0/1, Fa0/5
100     3000      isolated          Fa0/1

We also need configuration for SW2.
vlan 100
 name PRIMARY
 private-vlan primary
 private-vlan association 1000,2000,3000
!
vlan 1000
 name COMMUNITY_1
 private-vlan community
!
vlan 2000
 name COMMUNITY_2
 private-vlan community
!
vlan 3000
 name ISOLATED
 private-vlan isolated
!
interface FastEthernet0/2
 switchport private-vlan host-association 100 1000
 switchport mode private-vlan host
!
interface FastEthernet0/4
 switchport private-vlan host-association 100 2000
 switchport mode private-vlan host
!
interface FastEthernet0/6
 switchport private-vlan host-association 100 3000
 switchport mode private-vlan host

The command show interfaces switchport shows how the port is configured.
SW1#show interfaces f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: private-vlan promiscuous
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 100 (PRIMARY) 1000 (COMMUNITY_1) 2000 (COMMUNITY_2) 3000 (ISOLATED)
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan:
  100 (PRIMARY) 1000 (COMMUNITY_1) 2000 (COMMUNITY_2) 3000 (ISOLATED)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Let's try the configuration. We will start at R1, which is on the promiscuous port, and
see if it can ping R2-R6.
R1#ping 255.255.255.255 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 100.0.0.5, 4 ms
Reply to request 0 from 100.0.0.2, 4 ms
Reply to request 0 from 100.0.0.3, 4 ms
Reply to request 0 from 100.0.0.4, 4 ms
Reply to request 0 from 100.0.0.6, 4 ms

As expected, we can ping all the devices. R2 should only be able to ping R3 and R1.
R2#ping 255.255.255.255 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 100.0.0.3, 4 ms
Reply to request 0 from 100.0.0.1, 4 ms

Working as expected. R6 should only be able to ping R1 since it is in an isolated
VLAN.
R6#ping 255.255.255.255 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 100.0.0.1, 4 ms
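
As an added example that is not part of the original article, here is a small Python
model of the layer 2 forwarding rules the pings above confirm. The endpoint names
(R1 to R6), the VLAN numbers and the port roles are taken from the SW1/SW2
configuration on this page; the SVI entry models the interface Vlan100 with the
private-vlan mapping added further down; audit() is a constructed check for the
kind of mistake that leaves a host port dark (a secondary VLAN never associated
with its primary).

```python
# Added example, not from the page: a model of private VLAN forwarding.
# Both switches share one PVLAN domain over the trunk, so ports are merged here.

VLAN_TYPE = {100: "primary", 1000: "community", 2000: "community", 3000: "isolated"}
ASSOCIATION = {100: {1000, 2000, 3000}}      # private-vlan association on VLAN 100

# endpoint -> (port role, primary VLAN, secondary VLAN or mapped secondaries)
PORTS = {
    "R1":  ("promiscuous", 100, {1000, 2000, 3000}),  # SW1 Fa0/1, private-vlan mapping
    "R2":  ("host", 100, 1000),                       # SW2 Fa0/2, COMMUNITY_1
    "R3":  ("host", 100, 1000),                       # SW1 Fa0/3, COMMUNITY_1
    "R4":  ("host", 100, 2000),                       # SW2 Fa0/4, COMMUNITY_2
    "R5":  ("host", 100, 2000),                       # SW1 Fa0/5, COMMUNITY_2
    "R6":  ("host", 100, 3000),                       # SW2 Fa0/6, ISOLATED
    "SVI": ("promiscuous", 100, {1000}),              # interface Vlan100, mapping 1000
}

def audit(ports=PORTS, vlans=VLAN_TYPE, assoc=ASSOCIATION):
    """Return configuration problems that would leave a port without connectivity."""
    problems = []
    for name, (role, pri, sec) in ports.items():
        if vlans.get(pri) != "primary":
            problems.append(f"{name}: {pri} is not a primary VLAN")
        secs = sec if role == "promiscuous" else {sec}
        for s in secs:
            if s not in assoc.get(pri, set()):
                problems.append(f"{name}: secondary {s} not associated with primary {pri}")
            elif vlans.get(s) not in ("community", "isolated"):
                problems.append(f"{name}: {s} is not a secondary VLAN")
    return problems

def can_reach(a, b, ports=PORTS, vlans=VLAN_TYPE):
    """Layer 2 reachability between two endpoints under private VLAN rules."""
    ra, pa, sa = ports[a]
    rb, pb, sb = ports[b]
    if pa != pb:
        return False                      # different primary VLAN: no common domain
    if ra == "promiscuous" and rb == "promiscuous":
        return True                       # both forward in the primary VLAN itself
    if ra == "promiscuous":
        return sb in sa                   # only secondaries mapped on the promiscuous port
    if rb == "promiscuous":
        return sa in sb
    # host to host: same community only; isolated hosts never reach each other
    return sa == sb and vlans[sa] == "community"

def reachable_from(a, ports=PORTS):
    """Sorted list of endpoints that a can reach at layer 2."""
    return sorted(b for b in ports if b != a and can_reach(a, b, ports))
```

The model is layer 2 only: on the page, pinging R2 from the SVI also required ip routing on the switch.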

The configuration is working. What if we want to create an SVI in one of the switches?
This is the configuration.
SW1(config)#int vlan 100
SW1(config-if)#ip add 100.0.0.7 255.255.255.0
SW1(config-if)#no sh

Let’s try to ping.
SW1#ping 100.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
SW1#ping 100.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Why can’t we ping R2? We have no mapping to the secondary VLAN!
SW1(config)#int vlan 100
SW1(config-if)#private-vlan mapping 1000
SW1(config-if)#^Z
SW1#
*Mar 1 01:08:47.983: %PV-6-PV_MSG: Created a private vlan mapping, Primary 100, Secondary 1000
SW1#
*Mar 1 01:08:49.267: %SYS-5-CONFIG_I: Configured from console by console
SW1#ping 100.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW1#sh run int vlan 100
Building configuration...
Current configuration : 88 bytes
!
interface Vlan100
 ip address 100.0.0.7 255.255.255.0
 private-vlan mapping 1000
end

Still no success, why?
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#ip routing
SW1(config)#^Z
SW1#
*Mar 1 01:14:26.858: %SYS-5-CONFIG_I: Configured from console by console
SW1#ping 100.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

IP routing was needed! To find the documentation on Cisco.com, navigate:
Support -> Configure -> Products -> Switches -> LAN Switches -> Access ->
Cisco Catalyst 3560 Series Switches -> Configuration Guides -> Catalyst 3560
Software Configuration Guide, Release 12.2(52)SE -> Configuring Private
VLANs

More Private VLANs Details and Tips:
How Private VLANs Work?
How to Configure Private VLANs on Cisco 3560 Switches?



