{"id":684,"date":"2017-04-19T18:11:00","date_gmt":"2017-04-19T18:11:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=684"},"modified":"2024-11-17T18:29:17","modified_gmt":"2024-11-17T18:29:17","slug":"private-vlan-concept-implementation","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/private-vlan-concept-implementation\/","title":{"rendered":"Private VLAN Concept\/Implementation"},"content":{"rendered":"

Private VLANs are basically VLANs within a VLAN, they partition a regular VLAN domain into sub-domains. A sub-domain is represented by a\u00a0\u201cPrimary\u201d\u00a0<\/em>VLAN and a\u00a0\u201c<\/em>Secondary\u201d\u00a0<\/em>VLAN, this is called a \u201cVLAN pair\u201d.<\/p>\n

You can have multiple VLAN pairs for example one VLAN pair for each sub-domain. All VLAN pairs share the same primary VLAN. The secondary VLAN ID differentiates one sub-domain from another<\/p>\n

The Primary VLAN<\/strong><\/p>\n

A private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the\u00a0primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the host ports (isolated and community) and to other promiscuous ports.<\/p>\n

Secondary VLAN types<\/strong><\/p>\n

Isolated VLAN<\/strong>\u00a0\u2013 A private VLAN has only one isolated VLAN. An\u00a0isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the gateway. Ports within an isolated VLAN cannot communicate with each other at layer 2<\/p>\n

Community VLAN\u00a0<\/strong>\u2013 A\u00a0community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port gateways and to other host ports in the same community, but cannot communicate with other communities at layer 2. You can configure multiple community VLANs.<\/p>\n

Private-VLAN port Types\u00a0<\/strong>(access ports)<\/p>\n

Promiscuous port<\/strong>\u00a0\u2013 A promiscuous port belongs to the primary VLAN and can communicate with all ports, including the community and isolated host ports that belong to the secondary VLANs<\/p>\n

Isolated port<\/strong>\u00a0\u2013 An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports.<\/p>\n

Community port<\/strong>\u00a0\u2013 A community port is a host port that belongs to a community secondary VLAN. Community ports can communicate with other ports in the same community VLAN and with promiscuous ports. These ports are isolated at Layer 2 from all other ports in other communities and from isolated ports.<\/p>\n

All members in the private VLAN share a common address space, which is allocated to the primary VLAN. Hosts are connected to secondary VLANs, and the DHCP server assigns IP addresses from the block of addresses allocated to the primary VLAN<\/p>\n

As with regular VLANs,\u00a0private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighbouring switch. The trunk port treats the private VLAN as any other VLAN.<\/p>\n

For example \u2013 If we are trunking an Isolated VLAN across multiple switches the feature of private VLANs will not allow the traffic from \u201cSwitch-A\u201d to reach an isolated port on \u201cSwitch B\u201d. However if a community VLAN is stretched the traffic will traverse to switch B<\/p>\n

<\/p>\n

Because VTP versions 1 & 2 do not support private VLANs, you must turn off VTP and manually configure private VLANs on all switches. It is also recommended by Cisco to use the default Switch SDM template to balance system resources between unicast routes and Layer 2 entries.<\/p>\n

In a Layer 3 switch, an SVI represents the Layer 3 interface of a VLAN. Layer 3 devices communicate with a\u00a0private VLAN only through the primary VLAN and not through secondary VLANs. You would only configure Layer 3 VLAN interfaces only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs. SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN.<\/p>\n

Configuration Example:<\/strong><\/p>\n

In this step by step guide we will configure Private VLANs to demonstrate how they behave, the topology below was setup using GNS3, and all the devices are IOU devices that are acting as the roles specified. In order to carry out this lab in GNS3, the L2 IOU image must be at least\u00a0\u201ci86bi-linux-l2-adventerprisek9-15.2d.bin\u201d\u00a0otherwise Private VLAN port types won\u2019t be recognised.<\/p>\n

Basic network connectivity has been setup using the\u00a0\u201c192.168.100.0\/24\u201d\u00a0Subnet<\/p>\n

<\/p>\n

Lets get started!<\/strong><\/p>\n

Step 1.<\/strong>\u00a0Check the current state of private VLANs to ensure nothing is present, we can see from the output below that private VLANs currently do not exist on this device.<\/p>\n

#show vlan private-vlan<\/p>\n

<\/p>\n

Step 2.\u00a0<\/strong>On the switch disable VTP and setup the\u00a0\u201cCommunity\u201d\u00a0and\u00a0\u201cIsolated\u201d\u00a0VLANs, these will all be\u00a0\u201cSecondary\u201d\u00a0VLANs<\/p>\n

#conf t<\/p>\n

#vtp mode transparent<\/p>\n

#vlan 400<\/p>\n

#private-vlan community<\/p>\n

#vlan 300<\/p>\n

#private-vlan community<\/p>\n

#Vlan 200<\/p>\n

#private-vlan isolated<\/p>\n

<\/p>\n

Step 3.<\/strong>\u00a0Configure the\u00a0\u201cPrimary\u201d\u00a0VLAN and associate all the\u00a0\u201cSecondary\u201d\u00a0VLANs to the\u00a0\u201cPrimary\u201d<\/p>\n

#conf t<\/p>\n

#vlan 100<\/p>\n

#private-vlan primary<\/p>\n

#private-vlan association 200,300,400<\/p>\n

<\/p>\n

Step 4.<\/strong>\u00a0looking at the configuration, we can see that the switch now knows which VLAN is the\u00a0\u201cPrimary\u201d\u00a0and which VLANs are\u00a0\u201cSecondary\u201d, the switch also knows whether the ports are going to act as a\u00a0\u201cCommunity\u201d\u00a0or an\u00a0\u201cIsolated\u201d\u00a0port.<\/p>\n

#show vlan private-vlan<\/p>\n

<\/p>\n

Step 5.<\/strong>\u00a0Create the\u00a0\u201cPromiscuous port\u201d\u00a0and assign it to interface\u00a0\u201ce3\/3\u201d, we also need to create the mappings of the\u00a0\u201cPrimary\u201d\u00a0and\u00a0\u201cSecondary\u201d\u00a0VLANs so that the promiscuous port can allow the traffic through.<\/p>\n

#conf t<\/p>\n

#int e3\/3<\/p>\n

#switchport mode private-vlan promiscuous<\/p>\n

#switchport private-vlan mapping 100 200,300,400<\/p>\n

#no shut<\/p>\n

<\/p>\n

Step 6.<\/strong>\u00a0Now we need to create the association for the \u201cSecondary\u201d\u00a0VLANs to the\u00a0\u201cPrimary\u201d\u00a0VLAN on each individual interfaces.<\/p>\n

\u201cint e0\/0\u201d\u00a0is going to be used for the\u00a0\u201cSecondary\u201d\u00a0VLAN 200 (this will be an Isolated port)<\/p>\n

#conf t<\/p>\n

#int e0\/0<\/p>\n

#switchport mode private-vlan host<\/p>\n

#switchport private-vlan host-association 100 200<\/p>\n

<\/p>\n

\u201cint e0\/1\u201d\u00a0and\u00a0\u201cinte0\/2\u201d\u00a0are going to be used for the\u00a0\u201cSecondary\u201d\u00a0VLAN 300 (these will both be a Community port for Community A)<\/p>\n

#int e0\/1<\/p>\n

#switchport mode private-vlan host<\/p>\n

#switchport private-vlan host-association 100 300<\/p>\n

#int e0\/2<\/p>\n

#switchport mode private-vlan host<\/p>\n

#switchport private-vlan host-association 100 300<\/p>\n

<\/p>\n

\u201cint e0\/3\u201d\u00a0is going to be used for the\u00a0\u201cSecondary\u201d\u00a0VLAN 300 (this will be Community port for Community B)<\/p>\n

#int e0\/3<\/p>\n

#switchport mode private-vlan host<\/p>\n

#switchport private-vlan host-association 100 400<\/p>\n

<\/p>\n

Step 7.<\/strong>\u00a0Verify the configuration, we should now see the ports assigned to the relevant\u00a0\u201cSecondary\u201d\u00a0VLANs and port types.<\/p>\n

#show vlan private-vlan<\/p>\n

<\/p>\n

If we test the connectivity using ping we can validate our configuration is working correctly, From\u00a0\u201cDNS1\u201d\u00a0ping everything in the topology and see how it behaves.\u00a0\u201cDNS1\u201d\u00a0is in the\u00a0\u201cIsolated\u201d\u00a0VLAN 200 so it should only be able to communicate with the\u00a0\u201cPromiscuous\u201d\u00a0port and nothing else.<\/p>\n

From the output below we can see the following \u2013<\/p>\n

We can reach .1 which is the GW out the\u00a0\u201cPromiscuous\u201d\u00a0port, we can also ping our self which is .2, but we cannot ping any devices in\u00a0\u201cCommunity A (VLAN 300)\u201d\u00a0or\u00a0\u201cCommunity B (VLAN 400)\u201d<\/p>\n

<\/p>\n

From\u00a0\u201cSERVER1\u201d\u00a0repeat the above and ping everything in the topology, from this device we should only be able to reach the\u00a0\u201cPromiscuous\u201d\u00a0port and\u00a0\u201cSERVER2\u201d\u00a0which is in the same\u00a0\u201cCommunity\u201d\u00a0as\u00a0\u201cSERVER1\u201d<\/p>\n

As we can see below, we can\u2019t reach\u00a0\u201cDNS1\u201dwhich is located on the\u00a0\u201cIsolated\u201d\u00a0VLAN200 or\u00a0\u201cSERVER3\u201d\u00a0on\u00a0\u201cCommunity B\u201d\u00a0inside the\u00a0\u201cSecondary\u201d\u00a0VLAN 400<\/p>\n

<\/p>\n

From\u00a0\u201cSERVER2\u201d\u00a0repeat the above and ping everything in the topology, from this device we should only be able to reach the\u00a0\u201cPromiscuous\u201d\u00a0port\u00a0\u201cSERVER1\u201d\u00a0which is in the same\u00a0\u201cCommunity\u201d\u00a0as\u00a0\u201cSERVER2\u201d<\/p>\n

As we can see below, we can\u2019t reach\u00a0\u201cDNS1\u201dwhich is located on the\u00a0\u201cIsolated\u201d\u00a0VLAN200 or\u00a0\u201cSERVER3\u201d\u00a0on\u00a0\u201cCommunity B\u201d\u00a0inside the\u00a0\u201cSecondary\u201d\u00a0VLAN 400<\/p>\n

<\/p>\n

From\u00a0\u201cSERVER3\u201d\u00a0repeat the above and ping everything in the topology, from this device we should only be able to reach the\u00a0\u201cPromiscuous\u201d\u00a0port<\/p>\n

As we can see below, we can\u2019t reach\u00a0\u201cDNS1\u201dwhich is located on the\u00a0\u201cIsolated\u201d\u00a0VLAN200 or\u00a0\u201cSERVER1\/2\u201d\u00a0on\u00a0\u201cCommunity A\u201d\u00a0inside the\u00a0\u201cSecondary\u201d\u00a0VLAN 300.<\/p>\n

<\/p>\n

From\u00a0\u201cPromiscuous\u201d\u00a0port (GW) repeat the above and ping everything in the topology, from this device we should be able to reach all the devices<\/p>\n

<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Private VLANs are basically VLANs within a VLAN, they partition a regular VLAN domain into sub-domains. A sub-domain is represented by a\u00a0\u201cPrimary\u201d\u00a0VLAN and a\u00a0\u201cSecondary\u201d\u00a0VLAN, this<\/p>\n","protected":false},"author":1,"featured_media":685,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,6,9],"tags":[79,78,77,80,81],"class_list":["post-684","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-network","category-security","category-switching","tag-isolation","tag-primary-vlan","tag-private-vlans","tag-pvlans","tag-vlan"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/684","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=684"}],"version-history":[{"count":2,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/684\/revisions"}],"predecessor-version":[{"id":747,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/684\/revisions\/747"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/685"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=684"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=684"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=684"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}