Sunday, February 15, 2015

Private VLANs



Private VLANs were developed to provide the ability to isolate end hosts at layer two.


Types of PVLAN:

  •     Primary
  •     Secondary (sub-vlans)

Secondary VLAN Types:

  •     Isolated
  •     Community

Port Types:

  •     Promiscuous
  •     Isolated
  •     Community


Note: A promiscuous port is the port connected to the router (gateway), so that hosts in the sub-vlans can reach the Internet; it is associated with the primary vlan and communicates with every other port.
An isolated port cannot communicate with any other host port (only with the promiscuous port); it is associated with the isolated vlan.
A community port can communicate only with other ports in the same community vlan, and it is associated with that community sub-vlan.

Configuration plan:

  • Create the sub-vlans and put them in the desired mode (Isolated, Community)
  • Create the primary vlan and associate the secondary (sub-vlans) vlans with it
  • Configure the port toward the gateway (promiscuous port)
  • Add a port or port range to the desired vlan

Before you start configuring private VLANs, make sure VTP has been turned off, in other words set it to transparent mode.



! If you try to configure a PVLAN without turning VTP off, this is the message you get on the
! console, so to enable private VLANs it is explicitly required to turn off VTP.
SW_SEC_LAB(config)#vlan 100

SW_SEC_LAB(config-vlan)#private-vlan primary
%Private VLANs can only be configured when VTP is in transparent mode.


SW_SEC_LAB(config)#vtp mode transparent

Setting device to VTP TRANSPARENT mode.



! If you did not create the sub-vlan you want to associate with the primary vlan, you will get this error:

SW_SEC_LAB(config-vlan)#private-vlan association 110
%Command rejected: invalid private vlan association between vlan100 and vlan110. VLAN 110 data is not available.

! Let's start by creating the Community secondary vlans (sub-vlans).
SW_SEC_LAB(config)#vlan 120
SW_SEC_LAB(config-vlan)#private-vlan community 
SW_SEC_LAB(config-vlan)#vlan 130
SW_SEC_LAB(config-vlan)#private-vlan community


! Now create the Isolated sub-vlan; we are going to need only one Isolated vlan.
SW_SEC_LAB(config)#vlan 110
SW_SEC_LAB(config-vlan)#private-vlan isolated


! Create the Primary VLAN, and under the primary vlan configuration associate the secondary vlans
! (the Isolated vlan and the Community vlans) with this Primary vlan.
SW_SEC_LAB(config)#vlan 100
SW_SEC_LAB(config-vlan)#private-vlan primary
SW_SEC_LAB(config-vlan)#private-vlan association 110,120,130


! Let's go to interface configuration mode and configure which interface goes into which vlan.
! First configure the promiscuous port. I'm going to use Fa 1/0/2, and specify the primary vlan followed by the sub-vlans.
SW_SEC_LAB(config)#interface fastEthernet 1/0/2
SW_SEC_LAB(config-if)#switchport mode private-vlan promiscuous
SW_SEC_LAB(config-if)#switchport private-vlan mapping 100 110,120,130


! Next put some interfaces into the Isolated sub-vlan. Those ports will not have any access to each
! other or to any interface in the Community vlans, except the promiscuous port Fa 1/0/2
! where the default gateway is.
! (The range Fa 1/0/14 - 23 is the one listed under vlan 110 in the show vlan private-vlan output below.)
SW_SEC_LAB(config)#interface range FastEthernet 1/0/14 - 23
SW_SEC_LAB(config-if-range)#switchport mode private-vlan host
SW_SEC_LAB(config-if-range)#switchport private-vlan host-association 100 110


! Add another port range or a single port into a Community vlan; we have Community vlans 120 and
! 130.
SW_SEC_LAB(config)#interface range FastEthernet 1/0/25 - 36
SW_SEC_LAB(config-if-range)#switchport mode private-vlan host
SW_SEC_LAB(config-if-range)#switchport private-vlan host-association 100 120


! And for Community vlan 130…
SW_SEC_LAB(config)#interface range fastEthernet 1/0/37 - 38
SW_SEC_LAB(config-if-range)#switchport mode private-vlan host
SW_SEC_LAB(config-if-range)#switchport private-vlan host-association 100 130


! Verify the private vlan configuration using the following command…
SW_SEC_LAB#show vlan private-vlan


Primary Secondary Type              Ports
------- --------- ----------------- ---------------------------------------------
100     110       isolated          Fa1/0/2, Fa1/0/14, Fa1/0/15, Fa1/0/16
                                    Fa1/0/17, Fa1/0/18, Fa1/0/19, Fa1/0/20
                                    Fa1/0/21, Fa1/0/22, Fa1/0/23
100     120       community         Fa1/0/2, Fa1/0/25, Fa1/0/26, Fa1/0/27
                                    Fa1/0/28, Fa1/0/29, Fa1/0/30, Fa1/0/31
                                    Fa1/0/32, Fa1/0/33, Fa1/0/34, Fa1/0/35
                                    Fa1/0/36
100     130       community         Fa1/0/2, Fa1/0/37, Fa1/0/38
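The show output above tells you which ports sit in which secondary vlan, but not directly which ports can exchange frames. The script below is an added example, not part of the original post or of Cisco IOS: it parses a constructed copy of the `show vlan private-vlan` output (the same ports as in this lab) and derives the layer-2 reachability that the PVLAN rules imply, so you can confirm that isolated hosts reach only the gateway port and that the two communities cannot see each other. It assumes that the promiscuous port is the one listed under every secondary vlan of a primary (true here, because Fa1/0/2 is mapped to 110, 120 and 130); the helper names are my own.

```python
"""Derive PVLAN layer-2 reachability from `show vlan private-vlan` output.

Added example (not from the post). Rules applied:
  - a promiscuous port talks to every port of its primary vlan
  - a community port talks to its own community and to promiscuous ports
  - an isolated port talks only to promiscuous ports
"""
import re
from collections import defaultdict

# Constructed sample output, mirroring the lab in the post.
SHOW_OUTPUT = """\
Primary Secondary Type              Ports
------- --------- ----------------- ---------------------------------------------
100     110       isolated          Fa1/0/2, Fa1/0/14, Fa1/0/15, Fa1/0/16
                                    Fa1/0/17, Fa1/0/18, Fa1/0/19, Fa1/0/20
                                    Fa1/0/21, Fa1/0/22, Fa1/0/23
100     120       community         Fa1/0/2, Fa1/0/25, Fa1/0/26, Fa1/0/27
                                    Fa1/0/28, Fa1/0/29, Fa1/0/30, Fa1/0/31
                                    Fa1/0/32, Fa1/0/33, Fa1/0/34, Fa1/0/35
                                    Fa1/0/36
100     130       community         Fa1/0/2, Fa1/0/37, Fa1/0/38
"""

ROW_RE = re.compile(r"^(\d+)\s+(\d+)\s+(isolated|community)\s+(.*)$")
PORT_RE = re.compile(r"[A-Za-z]+\d+(?:/\d+)+")


def port_key(port):
    """Natural sort key so Fa1/0/2 sorts before Fa1/0/14."""
    return [int(x) if x.isdigit() else x for x in re.split(r"(\d+)", port)]


def parse_show_pvlan(text):
    """Return {(primary, secondary, type): set(ports)}.
    Indented continuation lines attach to the row above them."""
    table, current = {}, None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            current = (int(m.group(1)), int(m.group(2)), m.group(3))
            table[current] = set(PORT_RE.findall(m.group(4)))
        elif current is not None and line[:1].isspace():
            table[current].update(PORT_RE.findall(line))
    return table


def classify_ports(table):
    """Return (promiscuous: {port: primary}, hosts: {port: (primary, secondary, type)}).
    Assumption: a port present under every secondary of a primary is promiscuous."""
    by_primary = defaultdict(dict)
    for (primary, secondary, kind), ports in table.items():
        by_primary[primary][(secondary, kind)] = ports
    promiscuous, hosts = {}, {}
    for primary, secs in by_primary.items():
        membership = defaultdict(set)
        for (secondary, kind), ports in secs.items():
            for p in ports:
                membership[p].add((secondary, kind))
        for p, s in membership.items():
            if len(s) == len(secs):
                promiscuous[p] = primary
            else:
                secondary, kind = next(iter(s))
                hosts[p] = (primary, secondary, kind)
    return promiscuous, hosts


def primary_of(port, promiscuous, hosts):
    return promiscuous.get(port, hosts.get(port, (None,))[0])


def can_talk(a, b, promiscuous, hosts):
    """True if ports a and b may exchange layer-2 frames under PVLAN rules."""
    if a == b:
        return True
    if primary_of(a, promiscuous, hosts) != primary_of(b, promiscuous, hosts):
        return False
    if a in promiscuous or b in promiscuous:
        return True
    _, sec_a, kind_a = hosts[a]
    _, sec_b, kind_b = hosts[b]
    if "isolated" in (kind_a, kind_b):
        return False
    return sec_a == sec_b  # same community vlan


def reachable_peers(port, promiscuous, hosts):
    every = set(promiscuous) | set(hosts)
    return sorted((p for p in every if p != port and can_talk(port, p, promiscuous, hosts)),
                  key=port_key)


if __name__ == "__main__":
    table = parse_show_pvlan(SHOW_OUTPUT)
    prom, hosts = classify_ports(table)
    for port in sorted(set(prom) | set(hosts), key=port_key):
        role = "promiscuous" if port in prom else hosts[port][2]
        peers = ", ".join(reachable_peers(port, prom, hosts)) or "(none)"
        print(f"{port:10} {role:12} -> {peers}")
```

Run it after pasting real `show vlan private-vlan` output into SHOW_OUTPUT: any isolated port whose peer list contains something other than the promiscuous port, or a community port that reaches the other community, means the host-association or mapping on the switch does not match the plan above.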