This article takes a look at what is required to configure private VLANs (RFC 5517) on Cisco equipment.
A private VLAN gives us the opportunity to divide a VLAN into sub-VLANs. In the case of PVLANs, a normal VLAN is mapped onto secondary VLANs. This lets us restrict devices connected to the same normal VLAN (subnet) from communicating with each other. Catalyst 3560 and higher models support PVLANs. Private VLANs were developed to provide the ability to isolate end hosts at Layer 2.
A virtual LAN is defined in the IEEE 802.1Q standard. IEEE 802.1Q defines the meaning of a VLAN with respect to the specific conceptual model underpinning bridging at the MAC layer and to the IEEE 802.1D Spanning Tree Protocol. This protocol allows individual VLANs to communicate with one another using a switch with Layer 3 capabilities, or simply a router. Virtual LANs (VLANs) can be viewed as a group of devices on different physical LAN segments which can communicate with each other as if they were all on the same physical LAN segment. VLAN stands for virtual local area network: a virtual LAN that extends its functionality beyond a single LAN. It is a technology allowing a company or an individual to extend their LAN over the WAN interface, breaching the physical limitations of regular LANs.
A private VLAN is a technique in computer networking where a VLAN contains switch ports that are restricted, such that they can only communicate with a given "uplink". The restricted ports are called "private ports". Each private VLAN typically contains many private ports and a single uplink. The uplink will typically be a port (or link aggregation group) connected to a router, firewall, server, provider network, or similar central resource.
The switch forwards all frames received on a private port out the uplink port, regardless of VLAN ID or destination MAC address. Frames received on an uplink port are forwarded in the normal way (i.e., to the port hosting the destination MAC address, or to all VLAN ports for unknown destinations or broadcast frames). "Peer-to-peer" traffic is blocked. Note that while private VLANs provide isolation at the data link layer, communication at higher layers may still be possible.
A typical application for a private VLAN is a hotel or Ethernet-to-the-home network where each room or apartment has a port for Internet access. Similar port isolation is used in Ethernet-based ADSL DSLAMs. Allowing direct data link layer communication between customer nodes would expose the local network to various security attacks, such as ARP spoofing, as well as increasing the potential for damage due to misconfiguration.
Another application of private VLANs is to simplify IP address assignment. Ports can be isolated from each other at the data link layer (for security, performance, or other reasons) while belonging to the same IP subnet. In such a case, direct communication between the IP hosts on the protected ports is only possible through the uplink connection by using MAC-forced forwarding or a similar proxy ARP based solution.
• Private VLANs allow for additional security between devices in a common subnet.
• Private edge VLANs can be configured to prevent connectivity between devices on access switches.
• Private VLANs can be configured on the Catalyst 6000 and Catalyst 4000 series products.
• Within a private VLAN, you can isolate devices to prevent connectivity between devices within the isolated VLAN.
• Within a private VLAN, communities can be created to allow connection between some devices and to prevent them from communicating with others.
• Promiscuous ports are mapped to private VLANs to allow for connectivity to VLANs outside of this network.
PVLANs provide additional protection. A primary PVLAN defines the broadcast domain with which the secondary PVLANs are associated. The secondary PVLANs may be either isolated PVLANs or community PVLANs. Hosts on isolated PVLANs communicate only with promiscuous ports, and hosts on community PVLANs communicate only among themselves and with associated promiscuous ports. This configuration provides fine-grained Layer 2 isolation control for each system.
In an Ethernet switch, a VLAN is a broadcast domain in which hosts can establish direct communication with one another at Layer 2. If untrusted devices are introduced into a VLAN, security issues may arise because trusted and untrusted devices end up sharing the same broadcast domain.
The traditional solution to this kind of problem is to assign a separate VLAN to each user concerned about Layer 2 security issues. However, the IEEE 802.1Q standard specifies that the VLAN ID field in an Ethernet frame is 12 bits wide. That allows for a theoretical maximum of 4094 VLANs in an Ethernet network (VLAN numbers 0 and 4095 are reserved). If the network administrator assigns one VLAN per user, then that equates to a maximum of 4094 users that can be supported. The private VLANs technology described in this article addresses this scalability problem by offering more granular and more flexible Layer 2 segregation, as explained in the following sections.
On the other hand, the private VLANs technology differs from the mechanism described in [RFC4562] because, instead of using a MAC-address-based 'forced forwarding' scheme, it uses a VLAN-based one.
A regular VLAN is a single broadcast domain. The private VLANs technology partitions a larger VLAN broadcast domain into smaller sub-domains. So far, two kinds of special sub-domains specific to the private VLANs technology have been defined: an 'isolated' sub-domain and a 'community' sub-domain. Each sub-domain is defined by assigning a proper designation to a group of switch ports.
Using private VLANs provides scalability and IP address management benefits for service providers and Layer 2 security for customers. Private VLANs partition a regular VLAN domain into subdomains.
A subdomain is represented by a pair of VLANs: a primary VLAN and a secondary VLAN.
A private VLAN can have multiple VLAN pairs, one pair for each subdomain.
All VLAN pairs in a private VLAN share the same primary VLAN.
The secondary VLAN ID differentiates one subdomain from another.
ISOLATED VLANS: ports within an isolated VLAN cannot communicate with each other at Layer 2.
COMMUNITY VLANS: ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at Layer 2.
PROMISCUOUS PORT: can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs. Layer 3 gateways are typically connected to the switch through a promiscuous port.
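The three port designations above define a small, fixed set of Layer 2 forwarding rules. The following Python model is an added example (not code from the article or from Cisco) that encodes those rules and computes which ports can exchange frames inside one primary VLAN. The topology is constructed to match the article's later scenario (community VLAN 101 with SRV1 and SRV2, isolated VLAN 102 with SRV3 and SRV4, gateway on a promiscuous port); the second switch "sw2", its ports SRV5 and SRV6, and all interface names are assumptions added to show that isolation and community membership behave the same across trunk-connected switches.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Port designations as the article defines them.
PROMISCUOUS = "promiscuous"
ISOLATED = "isolated"
COMMUNITY = "community"


@dataclass(frozen=True)
class Port:
    name: str
    role: str                        # PROMISCUOUS, ISOLATED or COMMUNITY
    switch: str                      # hypothetical switch name; the rules do not depend on it
    secondary: Optional[int] = None  # secondary VLAN ID for host ports, None for promiscuous ports


def can_reach(src: Port, dst: Port) -> bool:
    """Layer 2 forwarding decision inside one private VLAN domain (one primary VLAN).

    - A promiscuous port talks to every port, and every port talks to it.
    - An isolated port reaches nothing but promiscuous ports, even on another switch.
    - A community port reaches the other ports of the same community VLAN
      (across trunk-connected switches as well) and nothing else.
    """
    if src == dst:
        return False
    if PROMISCUOUS in (src.role, dst.role):
        return True
    if ISOLATED in (src.role, dst.role):
        return False
    return src.secondary == dst.secondary   # both are community ports


def reachable_from(ports: List[Port], name: str) -> List[str]:
    """Names of the ports a frame sent from `name` may be delivered to."""
    src = next(p for p in ports if p.name == name)
    return sorted(p.name for p in ports if can_reach(src, p))


def reachability_matrix(ports: List[Port]) -> Dict[str, List[str]]:
    """Who can reach whom, for every port in the domain."""
    return {p.name: reachable_from(ports, p.name) for p in ports}


# Constructed topology (assumption): two trunk-connected switches, one primary VLAN.
TOPOLOGY = [
    Port("GW", PROMISCUOUS, "sw1"),            # default gateway on Ge0/1
    Port("SRV1", COMMUNITY, "sw1", 101),
    Port("SRV2", COMMUNITY, "sw1", 101),
    Port("SRV3", ISOLATED, "sw1", 102),
    Port("SRV4", ISOLATED, "sw1", 102),
    Port("SRV5", COMMUNITY, "sw2", 101),       # same community, other switch
    Port("SRV6", ISOLATED, "sw2", 102),        # isolated, other switch
]

if __name__ == "__main__":
    for name, peers in reachability_matrix(TOPOLOGY).items():
        print(f"{name:5} -> {', '.join(peers) or '(nothing)'}")
```

Running the block prints one line per port. The `switch` field is deliberately unused by `can_reach`: an isolated host on sw2 is still unreachable from the isolated hosts on sw1, and the community hosts SRV1, SRV2 and SRV5 form one group across the trunk, which is exactly the behaviour the article describes for standard trunk ports.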
In a switched environment, you can assign an individual private VLAN and associated IP subnet to each individual or common group of end stations. The end stations need to communicate only with a default gateway to communicate outside the private VLAN.
Configure interfaces connected to default gateways and selected end stations (such as backup servers) as promiscuous ports to allow all end stations access to a default gateway.
Reduce VLAN and IP subnet consumption; you can prevent traffic between end stations even though they are in the same VLAN and IP subnet.
With a promiscuous port, you can connect a wide range of devices as access points to a PVLAN.
For example, you can connect a promiscuous port to the server port of a LocalDirector to connect an isolated VLAN or a number of community VLANs to the server.
LocalDirector can load balance the servers present in the isolated or community VLANs, or you can use a promiscuous port to monitor or back up all the PVLAN servers from an administration workstation.
PRIVATE VLANS: sets of VLAN pairs that share a common primary identifier and provide a mechanism for achieving Layer 2 separation between ports while sharing a single Layer 3 router port and IP subnet.
SECONDARY VLAN: a type of VLAN used to implement private VLANs. Secondary VLANs are associated with a primary VLAN and are used to carry traffic from hosts to other allowed hosts or to routers.
COMMUNITY PORT: a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN.
COMMUNITY VLAN: a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port gateways and to other host ports in the same community. You can configure multiple community VLANs in a private VLAN.
ISOLATED PORT: a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
ISOLATED VLAN: a private VLAN has only one isolated VLAN. An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the gateway.
PRIMARY VLAN: a private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.
PRIVATE VLAN TRUNK PORT: can carry multiple secondary (isolated only) and non-PVLANs. Packets are received and transmitted with secondary or regular VLAN tags on the PVLAN trunk ports.
Note: only IEEE 802.1Q encapsulation is supported.
PROMISCUOUS PORT: a promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports and private VLAN trunk ports that belong to the secondary VLANs associated with the primary VLAN.
PROMISCUOUS TRUNK PORT: a promiscuous trunk port can carry multiple primary and normal VLANs. Packets are received and transmitted with primary or regular VLAN tags. Other than that, the port behaves just like a promiscuous access port.
Note: only IEEE 802.1Q encapsulation is supported.
STANDARD TRUNK PORTS: as with regular VLANs, private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch. The trunk port treats the private VLAN as any other VLAN. A feature of private VLANs across multiple switches is that traffic from an isolated port on switch A does not reach an isolated port on switch B.
To maintain the security of your private VLAN configuration and to avoid other use of the VLANs configured as private VLANs, configure private VLANs on all intermediate devices, including devices that have no private VLAN ports.
Note:
Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.
You should use standard trunk ports if both switches undergoing trunking support PVLANs.
VTP does not support private VLANs; you must manually configure private VLANs on all switches in the Layer 2 network. If you do not configure the primary and secondary VLAN association on some switches in the network, the Layer 2 databases in these switches are not merged. This can result in unnecessary flooding of private VLAN traffic on those switches.
PRIVATE VLAN TRUNKS
A private VLAN isolated trunk is used when you want a private VLAN port to carry multiple secondary VLANs.
In this topology, switch 1 trunks traffic for all isolated VLANs over a private VLAN trunk to switch 2, which does not understand private VLANs. It also communicates with different routers connected to different promiscuous ports. Switch 2 is connected to multiple hosts that belong to different secondary VLANs.
Isolated trunk ports allow you to combine traffic for all secondary ports over a trunk. Promiscuous trunk ports allow you to combine the multiple promiscuous ports required in this topology into a single trunk port that carries multiple primary VLANs.
• Private VLANs and unicast, broadcast, and multicast traffic
• Private VLANs and SVIs
In a Layer 3 switch, a switch virtual interface (SVI) represents the Layer 3 interface of a VLAN. Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs. Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs. SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN.
• If you try to configure a VLAN with an active SVI as a secondary VLAN, the configuration is not allowed until you disable the SVI.
• If you try to create an SVI on a VLAN that is configured as a secondary VLAN and the secondary VLAN is already mapped at Layer 3, the SVI is not created and an error is returned. If the SVI is not mapped at Layer 3, the SVI is created, but it is automatically shut down.
When the primary VLAN is associated with and mapped to the secondary VLAN, any configuration on the primary VLAN is propagated to the secondary VLAN SVIs. For example, if you assign an IP subnet to the primary VLAN SVI, this subnet is the IP subnet address of the entire private VLAN.
Step 1: Set VTP mode to transparent.
Step 2: Create the secondary VLANs.
Step 3: Create the primary VLAN.
Step 4: Associate the secondary VLANs with the primary VLAN.
Note: only one isolated VLAN can be mapped to a primary VLAN, but more than one community VLAN can be mapped to a primary VLAN.
Step 5: Configure an interface as an isolated or community host or trunk port.
Step 6: Associate the isolated port or community port with the primary-secondary VLAN pair.
Step 7: Configure an interface as a promiscuous port.
Step 8: Map the promiscuous port to the primary-secondary VLAN pair.
Step 9: If you plan to use inter-VLAN routing, configure the primary SVI and map the secondary VLANs to the primary.
Step 10: Verify the private VLAN configuration.
To configure a PVLAN correctly, enable VTP in transparent mode. You cannot change the VTP mode to client or server for PVLANs.
Do not include VLAN 1 or VLANs 1002 through 1005 in PVLANs.
Use only PVLAN commands to assign ports to primary, isolated, or community VLANs.
Layer 2 interfaces on primary, isolated, or community VLANs are inactive in PVLANs.
Layer 2 trunk interfaces remain in the STP forwarding state.
You cannot configure Layer 3 VLAN interfaces for secondary VLANs.
Layer 3 VLAN interfaces for isolated and community (secondary) VLANs are inactive while the VLAN is configured as an isolated or community VLAN.
Do not configure private VLAN ports as EtherChannels. While a port is part of the private VLAN configuration, its associated EtherChannel configuration is inactive.
Do not apply dynamic access control entries (ACEs) to primary VLANs. Cisco IOS dynamic ACL configuration applied to a primary VLAN is inactive while the VLAN is part of the PVLAN configuration.
To prevent spanning tree loops due to misconfigurations, enable PortFast on the PVLAN trunk ports with the spanning-tree portfast trunk command.
Any VLAN ACL configured on a secondary VLAN is effective in the input direction, and any VLAN ACL configured on the primary VLAN associated with the secondary VLAN is effective in the output direction.
You can stop Layer 3 switching on an isolated or community VLAN by deleting the mapping of that VLAN to its primary VLAN.
PVLAN ports can be on different network devices as long as the devices are trunk-connected and the primary and secondary VLANs remain associated with the trunk.
Isolated ports on two different devices cannot communicate with each other, but community VLAN ports can.
Private VLANs support the following SPAN features:
– You can configure a private VLAN port as a SPAN source port.
– You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs, or use SPAN on only one VLAN to monitor egress or ingress traffic separately.
A primary VLAN can be associated with multiple community VLANs, but only one isolated VLAN.
An isolated or community VLAN can be associated with only one primary VLAN.
If you delete a VLAN used in a private VLAN configuration, the private VLAN ports associated with the VLAN become inactive.
VTP does not support private VLANs. You must configure private VLANs on each device in which you plan to use private VLAN ports.
To maintain the security of your PVLAN configuration and avoid other use of VLANs configured as PVLANs, configure PVLANs on all intermediate devices, even if the devices have no PVLAN ports.
Prune the PVLANs from trunks on devices that carry no traffic in the PVLANs.
With port ACL functionality available, you can apply Cisco IOS ACLs to secondary VLAN ports and Cisco IOS ACLs to PVLANs (VACLs).
You can apply different quality of service (QoS) configurations to primary, isolated, and community VLANs.
On a PVLAN trunk port, a secondary VLAN ACL is applied on ingress traffic and a primary VLAN ACL is applied on egress traffic.
On a promiscuous port, the primary VLAN ACL is applied on ingress traffic.
Community VLANs cannot be propagated or carried over private VLAN trunks.
ARP entries learned on Layer 3 PVLAN interfaces are termed "sticky" ARP entries.
For security reasons, PVLAN port sticky ARP entries do not age out. Connecting a device with a different MAC address but with the same IP address generates an error message, and the ARP entry is not created.
Because PVLAN port sticky ARP entries do not age out, you must manually remove the entries if you change the MAC address. To overwrite a sticky ARP entry, first delete the entry with the no arp command, then overwrite the entry with the arp command.
In a DHCP environment, if you shut down your PC, it is not possible to give your IP address to someone else. To solve this problem, the Catalyst 4500 series switch supports the no ip sticky-arp command. This command promotes IP address overwriting and reuse in a DHCP environment.
Normal VLANs can be carried on a promiscuous trunk port.
The default native VLAN for a promiscuous trunk port is VLAN 1, the management VLAN. All untagged packets are forwarded in the native VLAN. Either a primary VLAN or a regular VLAN can be configured as the native VLAN.
Promiscuous trunks cannot be configured to carry secondary VLANs. If a secondary VLAN is specified in the allowed VLAN list, the configuration is accepted but the port is not operational/forwarding in the secondary VLAN. This includes even those VLANs that are secondary but not associated with any primary VLAN on the given port.
On a promiscuous trunk port, the primary VLAN ACL and QoS are applied on ingress traffic coming in on primary VLANs.
On a promiscuous trunk port, no VLAN ACL or QoS is applied to the egress traffic. This is because, for the upstream direction, traffic in a private VLAN logically flows in the secondary VLAN. Due to VLAN translation in hardware, information about the received secondary VLANs has been lost; hence, no policies are applied. This restriction also applies to traffic bridged from other ports in the same primary VLANs.
Do not configure port security on a PVLAN promiscuous trunk port, and vice versa. If port security is enabled on a promiscuous trunk port, that port may behave in an unpredictable manner because this functionality is not supported.
Do not configure IEEE 802.1X on a PVLAN promiscuous trunk port.
It is important to note that the private VLAN feature is not compatible with the VLAN Trunking Protocol (VTP); because of this, the first thing that must be done is to configure the switch into VTP transparent mode.
Router>enable -> Enter privileged mode.
Router#configure terminal -> Enter global configuration mode.
Router(config)#vtp mode transparent -> Configure VTP transparent mode.
The next step is to configure the VLANs as specific private VLAN types.
Router(config)#vlan vlan-id -> Enter VLAN configuration mode for the secondary VLAN.
Router(config-vlan)#private-vlan {isolated | community} -> Configure the VLAN as a private secondary VLAN.
Router(config-vlan)#vlan vlan-id -> Enter VLAN configuration mode for the primary VLAN.
Router(config-vlan)#private-vlan primary -> Configure the VLAN as a primary VLAN.
Once all of the VLANs have been configured, the primary and secondary VLANs must be associated together.
Router(config-vlan)#private-vlan association [add | remove] secondary-vlan-list -> Associate the primary VLAN with the secondary VLANs.
The secondary-vlan-list parameter is typically a range (using '-') or a comma-separated list. No spaces are allowed.
The second phase involves the configuration of the physical switch ports: what type of private VLAN port they are and how they are associated with the VLANs. This article will show the configuration of the switch ports assigned to the secondary private VLANs first.
The first thing to do is to configure the switch port as a host port (this includes community and isolated switch ports).
Router(config-vlan)#interface interface-id -> Enter interface configuration mode.
Router(config-if)#switchport mode private-vlan host -> Configure the interface as a host interface.
The next thing to do is associate the switch port with the primary and secondary VLANs that were configured in the previous section.
Router(config-if)#switchport private-vlan host-association primary-vlan secondary-vlan -> Associate the interface with a primary and secondary VLAN.
The configuration of the switch ports in the primary VLAN now has to be completed.
Router(config-if)#interface interface-id -> Enter interface configuration mode.
Router(config-if)#switchport mode private-vlan promiscuous -> Configure the interface as a promiscuous interface.
This switch port then has to be mapped to all of the associated primary and secondary VLANs.
Router(config-if)#switchport private-vlan mapping primary-vlan {add | remove} secondary-vlan-list -> Associate the interface with a primary VLAN and all secondary VLANs.
The secondary-vlan-list parameter is typically a range (using '-') or a comma-separated list. No spaces are allowed.
This completes the Layer 2 configuration of private VLANs; if only Layer 2 connectivity is required then the next section is not required.
As with a normal VLAN, private VLANs will only allow communication within the configured VLANs (according to the private VLAN rules), but to speak to devices outside this VLAN structure a Layer 3 device is required. In many situations, this Layer 3 functionality is also provided by the switch (assuming this is a Layer 3 capable switch). This section shows the additional configuration that is required to have the switch provide Layer 3 functionality to the switch ports configured with the private VLAN feature.
This additional configuration is simple and just adds a single configuration command to the primary VLAN interface.
Router(config)#interface vlan primary-vlan-id -> Enter VLAN (SVI) interface configuration mode.
Router(config-if)#private-vlan mapping {add | remove} secondary-vlan-list -> Associate the secondary VLANs with the SVI.
The secondary-vlan-list parameter is typically a range (using '-') or a comma-separated list. No spaces are allowed.
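The ten steps above and the commands just listed are easy to get out of order or to violate one of the constraints given earlier (one isolated VLAN per primary, no VLAN 1 or 1002-1005, comma-separated secondary lists with no spaces, every host port in a secondary that is actually associated with the primary). The following Python generator is an added example, not a tool from the article or from Cisco: it takes a small design description, checks those constraints, and emits the IOS commands in the article's step order. The `PvlanDesign` class, its field names and the sample interface names are assumptions of this example; the design itself mirrors the article's first worked example (primary 100, isolated 201, community 202, promiscuous Fa0/1).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# VLAN IDs the article says must never be part of a private VLAN.
RESERVED_VLANS = {1, 1002, 1003, 1004, 1005}


@dataclass
class PvlanDesign:
    primary: int
    isolated: Optional[int] = None                               # at most one isolated VLAN per primary
    communities: List[int] = field(default_factory=list)
    host_ports: Dict[str, int] = field(default_factory=dict)     # interface -> its secondary VLAN
    promiscuous_ports: List[str] = field(default_factory=list)
    primary_svi: bool = False                                    # step 9: inter-VLAN routing on the primary SVI

    @property
    def secondaries(self) -> List[int]:
        return ([self.isolated] if self.isolated is not None else []) + list(self.communities)


def vlan_list(vlans) -> str:
    """secondary-vlan-list syntax: comma separated, no spaces."""
    return ",".join(str(v) for v in sorted(set(vlans)))


def validate(d: PvlanDesign) -> List[str]:
    """Return the constraint violations the article lists; an empty list means the design is usable."""
    problems = []
    for v in [d.primary] + d.secondaries:
        if v in RESERVED_VLANS or not 2 <= v <= 4094:
            problems.append(f"VLAN {v} is reserved or out of range")
    if d.primary in d.secondaries or len(set(d.secondaries)) != len(d.secondaries):
        problems.append("primary and secondary VLAN IDs must all be distinct")
    if not d.secondaries:
        problems.append("a primary VLAN needs at least one secondary VLAN")
    for intf, sec in d.host_ports.items():
        if sec not in d.secondaries:
            problems.append(f"{intf}: VLAN {sec} is not a secondary VLAN of primary {d.primary}")
    return problems


def render(d: PvlanDesign) -> List[str]:
    """Emit the IOS commands in the article's step order (steps 1 to 9)."""
    problems = validate(d)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["vtp mode transparent"]                               # step 1
    if d.isolated is not None:                                     # step 2: secondary VLANs first
        lines += [f"vlan {d.isolated}", " private-vlan isolated"]
    for c in d.communities:
        lines += [f"vlan {c}", " private-vlan community"]
    lines += [f"vlan {d.primary}", " private-vlan primary",        # steps 3 and 4
              f" private-vlan association {vlan_list(d.secondaries)}"]
    for intf, sec in d.host_ports.items():                         # steps 5 and 6
        lines += [f"interface {intf}", " switchport mode private-vlan host",
                  f" switchport private-vlan host-association {d.primary} {sec}"]
    for intf in d.promiscuous_ports:                               # steps 7 and 8
        lines += [f"interface {intf}", " switchport mode private-vlan promiscuous",
                  f" switchport private-vlan mapping {d.primary} {vlan_list(d.secondaries)}"]
    if d.primary_svi:                                              # step 9
        lines += [f"interface vlan {d.primary}",
                  f" private-vlan mapping {vlan_list(d.secondaries)}"]
    return lines


# Constructed design mirroring the article's first worked example (interface names assumed).
EXAMPLE = PvlanDesign(
    primary=100, isolated=201, communities=[202],
    host_ports={"fa0/10": 202, "fa0/11": 202, "fa0/12": 201},
    promiscuous_ports=["fa0/1"], primary_svi=True,
)

if __name__ == "__main__":
    print("\n".join(render(EXAMPLE)))
```

Because `isolated` is a single optional value rather than a list, the "only one isolated VLAN per primary" rule cannot be violated by construction; the other rules are checked in `validate`, and `render` refuses to emit anything for a design that breaks them, which is the behaviour you want before pasting commands into a switch.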
show vlan private-vlan command:
Switch#show vlan private-vlan
show interfaces status -> Displays the status of interfaces, including the VLANs to which they belong.
show vlan private-vlan [type] -> Displays the private VLAN information for the switch.
show interfaces switchport -> Displays the private VLAN configuration on interfaces.
show interfaces private-vlan mapping -> Displays information about the private VLAN mapping for VLAN SVIs.
COMMUNITY VLAN 202
ISOLATED VLAN 201
PRIMARY VLAN 100
CONFIGURE VLAN 202 AS COMMUNITY VLAN:
Switch1(config)#vlan 202
Switch1(config-vlan)#private-vlan community
CONFIGURE VLAN 201 AS ISOLATED VLAN:
Switch1(config-vlan)#vlan 201
Switch1(config-vlan)#private-vlan isolated
CONFIGURE PRIMARY VLAN AND ASSOCIATE SECONDARY VLANS:
Switch1(config-vlan)#vlan 100
Switch1(config-vlan)#private-vlan primary
Switch1(config-vlan)#private-vlan association 201,202
CONFIGURE INTERFACE FA 0/1 AS PROMISCUOUS PORT AND MAP THE SECONDARY VLANS THAT NEED TO COMMUNICATE WITH IT:
Switch1(config)#interface fa 0/1
Switch1(config-if)#switchport mode private-vlan promiscuous
Switch1(config-if)#switchport private-vlan mapping 100 201,202
CONFIGURE PORTS FOR DNS SERVERS AND ASSOCIATE TO PRIMARY VLAN:
Switch1(config)#interface range fa 0/10-11
Switch1(config-if-range)#switchport mode private-vlan host
Switch1(config-if-range)#switchport private-vlan host-association 100 202
CONFIGURE WEB AND SMTP SERVERS ON THE OTHER SWITCH (ASSUMING YOU HAVE ALREADY CREATED THE VLANS ON SWITCH2):
Switch2(config)#interface range fa 0/12-13
Switch2(config-if-range)#switchport mode private-vlan host
Switch2(config-if-range)#switchport private-vlan host-association 100 201
CONFIGURE DHCP PORT FOR VLAN 202:
Switch2(config)#interface fa 0/14
Switch2(config-if)#switchport mode private-vlan host
Switch2(config-if)#switchport private-vlan host-association 100 202
CONFIGURE ETHERCHANNEL BETWEEN THE TWO SWITCHES:
Switch(config)#interface range fa 0/4-5
Switch(config-if-range)#channel-group 2 mode active
Switch(config-if-range)#switchport mode trunk
Switch(config-if-range)#switchport trunk allowed vlan 100,201,202
Verify the result on each switch with the show commands listed above: show interfaces status, show vlan private-vlan, show interfaces switchport, and show interfaces private-vlan mapping.
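Verification is where misplaced host ports are caught, so it helps to compare what the switch reports with what was planned rather than reading the table by eye. The following Python script is an added example (not from the article or from Cisco) that parses the tabular output of show vlan private-vlan and reports deviations from an intended design: a secondary VLAN of the wrong type or under the wrong primary, a host port sitting in a secondary VLAN it was not planned for, a planned host port that is missing, and a promiscuous port not mapped to every secondary. The sample output below is constructed for this example and, as a simplification, lists the ports of both switches from the worked example as if they were on one switch; in it Fa0/13 has been deliberately placed in VLAN 202 instead of 201 so that the audit has something to find. The column layout of the sample is an assumption about the command's output format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Row:
    primary: int
    secondary: int
    kind: str            # "isolated" or "community"
    ports: Set[str]


def parse_private_vlan(output: str) -> List[Row]:
    """Parse rows of 'show vlan private-vlan'; header, separator and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\d+)\s+(isolated|community)\s*(.*)$", line)
        if not m:
            continue
        ports = {p.strip() for p in m.group(4).split(",") if p.strip()}
        rows.append(Row(int(m.group(1)), int(m.group(2)), m.group(3), ports))
    return rows


@dataclass
class Expected:
    primary: int
    kinds: Dict[int, str]      # secondary VLAN -> "isolated" | "community"
    hosts: Dict[str, int]      # host interface -> the secondary VLAN it belongs in
    promiscuous: Set[str]      # interfaces that must appear under every secondary VLAN


def audit(rows: List[Row], exp: Expected) -> List[str]:
    """Return sorted human-readable findings; an empty list means the device matches the plan."""
    findings = []
    seen = {r.secondary: r for r in rows}
    for sec, kind in exp.kinds.items():
        r = seen.get(sec)
        if r is None:
            findings.append(f"secondary VLAN {sec} missing from output")
        elif r.primary != exp.primary:
            findings.append(f"VLAN {sec} associated with primary {r.primary}, expected {exp.primary}")
        elif r.kind != kind:
            findings.append(f"VLAN {sec} is {r.kind}, expected {kind}")
    for r in rows:
        if r.secondary not in exp.kinds:
            findings.append(f"unexpected secondary VLAN {r.secondary} under primary {r.primary}")
            continue
        for port in r.ports:
            if port not in exp.promiscuous and exp.hosts.get(port) != r.secondary:
                findings.append(f"{port} appears in VLAN {r.secondary} but is not a planned host there")
        for port in exp.promiscuous - r.ports:
            findings.append(f"promiscuous {port} not mapped to secondary VLAN {r.secondary}")
    for port, sec in exp.hosts.items():
        if sec in seen and port not in seen[sec].ports:
            findings.append(f"host {port} missing from VLAN {sec}")
    return sorted(findings)


# Constructed sample output (assumed layout); Fa0/13 is deliberately in the wrong secondary VLAN.
SAMPLE_OUTPUT = """\
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     201       isolated          Fa0/1, Fa0/12
100     202       community         Fa0/1, Fa0/10, Fa0/11, Fa0/13, Fa0/14
"""

# The plan from the article's worked example: DNS servers in community 202,
# web and SMTP servers in isolated 201, DHCP server in 202, gateway on Fa0/1.
PLAN = Expected(
    primary=100,
    kinds={201: "isolated", 202: "community"},
    hosts={"Fa0/10": 202, "Fa0/11": 202, "Fa0/12": 201, "Fa0/13": 201, "Fa0/14": 202},
    promiscuous={"Fa0/1"},
)

if __name__ == "__main__":
    for finding in audit(parse_private_vlan(SAMPLE_OUTPUT), PLAN) or ["no deviations from plan"]:
        print(finding)
```

An SMTP server that lands in the community VLAN by mistake can talk to the DNS servers at Layer 2, which is precisely the separation the design was meant to enforce, so a mismatch between `hosts` and the parsed rows is worth treating as a finding rather than noise. Paste real output in place of `SAMPLE_OUTPUT` and adjust `PLAN` to the VLANs and interfaces actually in use.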
A configuration with multiple servers on a single VLAN should use PVLANs for Layer 2 separation among the servers. Routers should be on promiscuous ports and servers on an isolated PVLAN. Only servers that need to communicate directly with other servers should be on a community PVLAN. Implement VACLs on the primary PVLAN to filter traffic originated by and routed to the same segment.
In certain instances where similar systems do not need to interact directly, PVLANs provide additional attack mitigation. In voice networks this may be the case with certain proxies serving the same user set but using different protocols, or collocated call managers serving different user sets. In this latter example, collocation allows the use of the same stateless filter for the call managers, while the private VLAN keeps a compromised call manager from reaching the others directly at Layer 2.
The following example creates a PVLAN with an NTP server on a promiscuous port and two isolated servers.
Switch(config)#vlan 200
Switch(config-vlan)#name SERVERS-PRIVATE
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#private-vlan association 201
Switch(config-vlan)#exit
Switch(config)#vlan 201
Switch(config-vlan)#name SERVERS-ISOLATED
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#exit
Switch(config)#interface gigabitethernet6/1
Switch(config-if)#description SERVER 1
Switch(config-if)#switchport private-vlan host-association 200 201
Switch(config-if)#switchport mode private-vlan host
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#interface gigabitethernet6/2
Switch(config-if)#description SERVER 2
Switch(config-if)#switchport private-vlan host-association 200 201
Switch(config-if)#switchport mode private-vlan host
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#interface gigabitethernet6/6
Switch(config-if)#description NTP SERVER
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 200 201
Switch(config-if)#no shutdown
Switch(config-if)#exit
Create one community VLAN to which SRV1 and SRV2 will belong. Also create an isolated VLAN to which SRV3 and SRV4 will belong. Make Ge0/1 promiscuous and connect it to the default gateway (router).
According to this configuration, SRV1 and SRV2 can talk to each other and also with the router (default gateway). On the other hand, the servers in the isolated VLAN (SRV3 and SRV4) will not communicate with each other and also will not be able to talk with F0/0 (router, default gateway).
Before starting the PVLAN configuration, switching the VTP mode to transparent is required. If VTP works in any other mode, PVLANs will not work.
SWITCH TO TRANSPARENT MODE:
Switch(config)#vtp mode transparent -> Set the device to VTP transparent mode.
CREATE ISOLATED VLAN:
Switch(config)#vlan 102
Switch(config-vlan)#private-vlan isolated
CREATE COMMUNITY VLAN:
Switch(config)#vlan 101
Switch(config-vlan)#private-vlan community
CREATE PRIMARY VLAN AND MAP WITH SECONDARY VLANS:
Switch(config-vlan)#vlan 100
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#private-vlan association 101,102
OUR COMPLETE CONFIGURATION LOOKS LIKE THIS:
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan community
vlan 102
 private-vlan isolated
CREATE PROMISCUOUS PORT AND MAP WITH THE OTHER VLANS:
Switch(config)#interface ge0/1
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 100 101,102
ASSOCIATE PORTS GE0/2 AND GE0/3 WITH THE PRIMARY AND SECONDARY VLANS. ACCORDING TO OUR SCENARIO, GE0/2 AND GE0/3 SHOULD BE IN THE COMMUNITY VLAN.
Switch(config)#interface range ge0/2 - 3
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 100 101
ASSOCIATE PORTS GE0/4 AND GE0/5 WITH THE PRIMARY AND SECONDARY VLANS. ACCORDING TO OUR SCENARIO, GE0/4 AND GE0/5 SHOULD BE IN THE ISOLATED VLAN.
Switch(config)#interface range ge0/4 - 5
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 100 102
Within a private VLAN domain, three separate port designations exist. Each port designation has its own unique set of rules, which regulate a connected endpoint's ability to communicate with other connected endpoints within the same private VLAN domain. The three port designations are promiscuous, isolated, and community.
An endpoint connected to a promiscuous port has the ability to communicate with any endpoint within the private VLAN. Multiple promiscuous ports may be defined within a single private VLAN domain. In most networks, Layer 3 default gateways or network management stations are commonly connected to promiscuous ports.
Isolated ports are typically used for those endpoints that only require access to a limited number of outgoing interfaces on a private-VLAN-enabled device. An endpoint connected to an isolated port will only possess the ability to communicate with those endpoints connected to promiscuous ports. Endpoints connected to adjacent isolated ports cannot communicate with one another.
For example, within a web-hosting environment, isolated ports can be used to connect hosts that require access only to default gateways.
A community port is a port that is part of a private VLAN community, which is a grouping of ports connected to devices belonging to the same entity (for example, a group of hosts of the same ISP customer or a pool of servers in a data center). Within a community, endpoints can communicate with one another and can also communicate with any configured promiscuous port. Endpoints belonging to one community cannot communicate with endpoints belonging to a different community or with endpoints connected to isolated ports.
There are three different VLAN types (primary, isolated, and community) with well-defined, port-related characteristics, which are described in detail below.
Isolated ports: an isolated port cannot talk to any other port in the private VLAN domain except for promiscuous ports. If a customer device needs to have access only to a gateway router, then it should be attached to an isolated port.
Community ports: a community port, e.g., C1 or C2, is part of a group of ports. The ports within a community can have Layer 2 communications with one another and can also talk to any promiscuous port. If an ISP customer has, say, two devices that they want isolated from other customers' devices but able to communicate among themselves, then community ports should be used.
Promiscuous ports: as the name suggests, a promiscuous port (P1) can talk to all other types of ports. A promiscuous port can talk to isolated ports as well as community ports, and vice versa. Layer 3 gateways, DHCP servers, and other 'trusted' devices that need to communicate with the customer endpoints are typically connected via promiscuous ports.
Please note that isolated, community, and promiscuous ports can be either access ports or hybrid/trunk ports (according to the terminology presented in Annex D of the IEEE 802.1Q specification, up to its 2004 revision).
The goal of this article is to give an easy way to understand "Cisco PVLAN configuration". I hope this article will help every beginner who is going to start Cisco lab practice without any doubts. Thank you and best of luck.
Some topics that you might want to pursue on your own, which we did not cover in this article, are listed here. Thank you and best of luck.
This article was written by: Premakumar Thevathasan. CCNA, CCNP, CCIP, MCSE, MCSA, MCSA - MSG, CIW Security Analyst, CompTIA Certified A+.
This document carries no explicit or implied warranty, nor is there any guarantee that the information contained in this document is accurate. Every effort has been made to make all articles as complete and as accurate as possible.
It is offered in the hope of helping others, but you use it at your own risk. The author will not be liable for any special, incidental, consequential or indirect damages due to loss of data or any other reason that occur as a result of using this document. No warranty or fitness is implied. The information provided is on an "as is" basis. All use is completely at your own risk.
A private VLAN gives us the opportunity to divide a VLAN into sub-VLANs. In the case of PVLAN, a normal VLAN is mapped onto secondary VLANs. This lets us restrict devices connected in the same normal VLAN (subnet) from communicating with each other. Catalyst 3560 and higher models support PVLAN. Private VLANs were developed to provide the ability to isolate end hosts at Layer 2.
ALSO KNOW: WHAT IS A VIRTUAL LAN (VLAN)?
Virtual LAN is defined in the IEEE 802.1Q standard. IEEE 802.1Q defines the meaning of a VLAN with respect to the specific conceptual model underpinning bridging at the MAC layer and to the IEEE 802.1D Spanning Tree Protocol. This protocol allows individual VLANs to communicate with one another using a switch with Layer 3 capabilities, or simply a router. Virtual LANs (VLANs) can be viewed as a group of devices on different physical LAN segments which can communicate with each other as if they were all on the same physical LAN segment. A VLAN (virtual local area network) extends the functions of a LAN beyond a single physical LAN: it is a technology that allows a company or an individual to extend their LAN over the WAN interface, breaching the physical limitations of regular LANs.
BRIEF DETAILS OF PRIVATE VLANS
WHAT IS A PRIVATE VLAN (PVLAN):
A private VLAN is a technique in computer networking where a VLAN contains switch ports that are restricted, such that they can only communicate with a given "uplink". The restricted ports are called "private ports". Each private VLAN typically contains many private ports and a single uplink. The uplink will typically be a port (or link aggregation group) connected to a router, firewall, server, provider network, or similar central resource.
The switch forwards all frames received on a private port out the uplink port, regardless of VLAN ID or destination MAC address. Frames received on an uplink port are forwarded in the normal way (i.e., to the port hosting the destination MAC address, or to all VLAN ports for unknown destinations or broadcast frames). "Peer-to-peer" traffic is blocked. Note that while private VLANs provide isolation at the data link layer, communication at higher layers may still be possible.
A typical application for a private VLAN is a hotel or Ethernet-to-the-home network where each room or apartment has a port for Internet access. Similar port isolation is used in Ethernet-based ADSL DSLAMs. Allowing direct data link layer communication between customer nodes would expose the local network to various security attacks, such as ARP spoofing, as well as increasing the potential for damage due to misconfiguration.
Another application of private VLANs is to simplify IP address assignment. Ports can be isolated from each other at the data link layer (for security, performance, or other reasons) while belonging to the same IP subnet. In such a case, direct communication between the IP hosts on the protected ports is only possible through the uplink connection by using MAC-forced forwarding or a similar proxy ARP based solution.
PRIVATE VLANS:
• Private VLANs allow for additional security between devices in a common subnet.
• Private edge VLANs can be configured to prevent connectivity between devices on access switches.
• Private VLANs can be configured on the Catalyst 6000 and Catalyst 4000 series products.
• Within a private VLAN, you can isolate devices to prevent connectivity between devices within the isolated VLAN.
• Within a private VLAN, communities can be created to allow connection between some devices and to prevent them from communicating with others.
• Promiscuous ports are mapped to private VLANs to allow for connectivity to VLANs outside of this network.
PVLANs provide additional protection. A primary PVLAN defines the broadcast domain with which the secondary PVLANs are associated. The secondary PVLANs may be either isolated PVLANs or community PVLANs. Hosts on isolated PVLANs communicate only with promiscuous ports, and hosts on community PVLANs communicate only among themselves and with associated promiscuous ports. This configuration provides fine-grained Layer 2 isolation control for each system.
WHY WE NEED PVLANS:
In an Ethernet switch, a VLAN is a broadcast domain in which hosts can establish direct communication with one another at Layer 2. If untrusted devices are introduced into a VLAN, security issues may arise because trusted and untrusted devices end up sharing the same broadcast domain.
The traditional solution to this kind of problem is to assign a separate VLAN to each user concerned about Layer 2 security issues. However, the IEEE 802.1Q standard specifies that the VLAN ID field in an Ethernet frame is 12 bits wide. That allows for a theoretical maximum of 4094 VLANs in an Ethernet network (VLAN numbers 0 and 4095 are reserved). If the network administrator assigns one VLAN per user, that equates to a maximum of 4094 users that can be supported. The private VLAN technology described here addresses this scalability problem by offering more granular and more flexible Layer 2 segregation, as explained in the following sections.
On the other hand, the private VLAN technology differs from the mechanism described in [RFC4562] because instead of using a MAC-address-based 'forced forwarding' scheme it uses a VLAN-based one.
A regular VLAN is a single broadcast domain. The private VLAN technology partitions a larger VLAN broadcast domain into smaller sub-domains. So far, two kinds of special sub-domains specific to the private VLAN technology have been defined: an 'isolated' sub-domain and a 'community' sub-domain. Each sub-domain is defined by assigning a proper designation to a group of switch ports.
HOW PRIVATE VLANS WORK:
Using private VLANs provides scalability and IP address management benefits for service providers and Layer 2 security for customers. Private VLANs partition a regular VLAN domain into subdomains:
• A subdomain is represented by a pair of VLANs: a primary VLAN and a secondary VLAN.
• A private VLAN can have multiple VLAN pairs, one pair for each subdomain.
• All VLAN pairs in a private VLAN share the same primary VLAN.
• The secondary VLAN ID differentiates one subdomain from another.
THERE ARE TWO TYPES OF SECONDARY VLANS:
ISOLATED VLANS: Ports within an isolated VLAN cannot communicate with each other at Layer 2.
COMMUNITY VLANS: Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at Layer 2.
PROMISCUOUS PORT: Can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs. Layer 3 gateways are typically connected to the switch through a promiscuous port.
In a switched environment, you can assign an individual private VLAN and associated IP subnet to each individual or common group of end stations. The end stations need to communicate only with a default gateway to communicate outside the private VLAN.
YOU CAN USE PRIVATE VLANS TO CONTROL ACCESS TO END STATIONS IN THESE WAYS:
• Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2. For example, if the end stations are servers, this configuration prevents Layer 2 communication between the servers.
• Configure interfaces connected to default gateways and selected end stations (such as backup servers) as promiscuous ports to allow all end stations access to a default gateway.
• Reduce VLAN and IP subnet consumption: you can prevent traffic between end stations even though they are in the same VLAN and IP subnet.
With a promiscuous port, you can connect a wide range of devices as access points to a PVLAN. For example, you can connect a promiscuous port to the server port of a LocalDirector to connect an isolated VLAN or a number of community VLANs to the server. The LocalDirector can load balance the servers present in the isolated or community VLANs, or you can use a promiscuous port to monitor or back up all the PVLAN servers from an administration workstation.
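The forwarding rules above (isolated ports reach only promiscuous ports, community ports reach their own community plus promiscuous ports, promiscuous ports reach everything in the same primary VLAN) are small enough to encode and check before a design is pushed to a switch. The following is an added example, not code from the article; the port names, roles and VLAN numbers are a constructed topology in the shape of Example 1 further down the page, and the check generalizes to any number of communities and promiscuous ports.

```python
"""Layer 2 reachability model for a Cisco private VLAN domain (added example).

Encodes the isolated / community / promiscuous rules as a function and
evaluates every port pair of a constructed topology. Port names and roles
below are assumptions, not configuration taken from the article.
"""
from dataclasses import dataclass
from enum import Enum
from itertools import combinations
from typing import Dict, Iterable, List, Optional, Tuple


class Role(Enum):
    PROMISCUOUS = "promiscuous"  # member of the primary VLAN; reaches every port
    ISOLATED = "isolated"        # reaches promiscuous ports only
    COMMUNITY = "community"      # reaches its own community and promiscuous ports


@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: Role
    primary: int
    secondary: Optional[int] = None  # host ports only; promiscuous ports carry the primary


def can_forward_l2(a: PvlanPort, b: PvlanPort) -> bool:
    """True if frames from port a may reach port b at Layer 2 (rules are symmetric)."""
    if a.primary != b.primary:
        return False  # different primary VLANs are different broadcast domains
    if Role.PROMISCUOUS in (a.role, b.role):
        return True   # the primary VLAN carries traffic to and between promiscuous ports
    if a.role is Role.COMMUNITY and b.role is Role.COMMUNITY:
        return a.secondary == b.secondary  # same community VLAN only
    return False      # isolated<->isolated and isolated<->community are blocked


Pair = Tuple[str, str]


def reachability(ports: Iterable[PvlanPort]) -> Dict[Pair, bool]:
    """Evaluate every unordered port pair; keys keep the input order of the ports."""
    return {(a.name, b.name): can_forward_l2(a, b) for a, b in combinations(list(ports), 2)}


def unexpected_paths(ports: Iterable[PvlanPort], intent: Dict[Pair, bool]) -> List[Pair]:
    """Pairs whose computed reachability differs from the designer's intent.

    A pair missing from the topology is reported too, so a typo in a port
    name cannot silently pass as 'blocked'.
    """
    actual = reachability(ports)
    bad = []
    for (x, y), want in intent.items():
        got = actual.get((x, y), actual.get((y, x)))
        if got is not want:
            bad.append((x, y))
    return sorted(bad)


# Constructed topology in the shape of Example 1 (primary 100, isolated 201,
# community 202): gateway on a promiscuous port, DNS and DHCP in the community,
# web and SMTP isolated. These role assignments are the assumption under test.
EXAMPLE1 = [
    PvlanPort("gateway", Role.PROMISCUOUS, 100),
    PvlanPort("dns1", Role.COMMUNITY, 100, 202),
    PvlanPort("dns2", Role.COMMUNITY, 100, 202),
    PvlanPort("web", Role.ISOLATED, 100, 201),
    PvlanPort("smtp", Role.ISOLATED, 100, 201),
    PvlanPort("dhcp", Role.COMMUNITY, 100, 202),
]

if __name__ == "__main__":
    for (x, y), ok in reachability(EXAMPLE1).items():
        print(f"{x:8} <-> {y:8} {'allowed' if ok else 'blocked'}")
```

The `unexpected_paths` helper is the useful part for review: give it the pairs the design must block (web to smtp) and must allow (dns1 to dns2), and it reports any pair where the PVLAN rules disagree with the intent, including pairs in different primary VLANs, which never share a Layer 2 path.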
OVERVIEW OF PVLANS
PRIVATE VLANS: Sets of VLAN pairs that share a common primary identifier and provide a mechanism for achieving Layer 2 separation between ports while sharing a single Layer 3 router port and IP subnet.
SECONDARY VLAN: A type of VLAN used to implement private VLANs. Secondary VLANs are associated with a primary VLAN and are used to carry traffic from hosts to other allowed hosts or to routers.
COMMUNITY PORT: A host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all interfaces in other communities and from isolated ports within their private VLAN.
COMMUNITY VLAN: A secondary VLAN that carries upstream traffic from the community ports to the promiscuous port gateways and to other host ports in the same community. You can configure multiple community VLANs in a private VLAN.
ISOLATED PORT: A host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
ISOLATED VLAN: A private VLAN has only one isolated VLAN. An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the gateway.
PRIMARY VLAN: A private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.
PRIVATE VLAN TRUNK PORT: Can carry multiple secondary (isolated only) VLANs and non-PVLAN VLANs. Packets are received and transmitted with secondary or regular VLAN tags on the PVLAN trunk ports.
Note: Only IEEE 802.1Q encapsulation is supported.
PROMISCUOUS PORT: Belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports and the private VLAN trunk ports that belong to the secondary VLANs associated with the primary VLAN.
PROMISCUOUS TRUNK PORT: Can carry multiple primary and normal VLANs. Packets are received and transmitted with primary or regular VLAN tags. Other than that, the port behaves just like a promiscuous access port.
Note: Only IEEE 802.1Q encapsulation is supported.
STANDARD TRUNK PORTS: As with regular VLANs, private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch. The trunk port treats the private VLAN as any other VLAN. A feature of private VLANs across multiple switches is that traffic from an isolated port on switch A does not reach an isolated port on switch B.
To maintain the security of your private VLAN configuration and to avoid other use of the VLANs configured as private VLANs, configure private VLANs on all intermediate devices, including devices that have no private VLAN ports.
Note:
PRIVATE VLAN TRUNKS: A private VLAN isolated trunk is used when you want a private VLAN port to carry multiple secondary VLANs. Isolated trunk ports allow you to combine traffic for all secondary ports over a trunk. Promiscuous trunk ports allow you to combine the multiple promiscuous ports required in this topology into a single trunk port that carries multiple primary VLANs.
PRIVATE VLANS HAVE SPECIFIC INTERACTIONS WITH SOME OTHER FEATURES, DESCRIBED IN THESE SECTIONS:
• PVLANs and VLAN ACL/QoS
• Private VLANs and unicast, broadcast, and multicast traffic
• Private VLANs and SVIs
PRIVATE VLANS AND SVIS:
In a Layer 3 switch, a switch virtual interface (SVI) represents the Layer 3 interface of a VLAN. Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs. Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs; SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN.
• If you try to configure a VLAN with an active SVI as a secondary VLAN, the configuration is not allowed until you disable the SVI.
• If you try to create an SVI on a VLAN that is configured as a secondary VLAN and the secondary VLAN is already mapped at Layer 3, the SVI is not created and an error is returned. If the SVI is not mapped at Layer 3, the SVI is created, but it is automatically shut down.
When the primary VLAN is associated with and mapped to the secondary VLAN, any configuration on the primary VLAN is propagated to the secondary VLAN SVIs. For example, if you assign an IP subnet to the primary VLAN SVI, this subnet is the IP subnet address of the entire private VLAN.
TASKS AND GUIDELINES FOR CONFIGURING PRIVATE VLANS
TO CONFIGURE A PVLAN, FOLLOW THESE STEPS:
Step 1: Set VTP mode to transparent.
Step 2: Create the secondary VLANs.
Step 3: Create the primary VLAN.
Step 4: Associate the secondary VLANs with the primary VLAN.
Note: Only one isolated VLAN can be mapped to a primary VLAN, but more than one community VLAN can be mapped to a primary VLAN.
Step 5: Configure an interface as an isolated or community host or trunk port.
Step 6: Associate the isolated port or community port with the primary-secondary VLAN pair.
Step 7: Configure an interface as a promiscuous port.
Step 8: Map the promiscuous port to the primary-secondary VLAN pairs.
Step 9: If you plan to use inter-VLAN routing, configure the primary SVI and map the secondary VLANs to the primary.
Step 10: Verify the private VLAN configuration.
PVLAN CONFIGURATION GUIDELINES:
• Layer 2 interfaces on primary, isolated, or community VLANs are inactive in PVLANs.
• Layer 2 trunk interfaces remain in the STP forwarding state.
• Layer 3 VLAN interfaces for isolated and community (secondary) VLANs are inactive while the VLAN is configured as an isolated or community VLAN.
• You can configure a private VLAN port as a SPAN source port.
• You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs, or use SPAN on only one VLAN to monitor egress or ingress traffic separately.
• Both PVLAN secondary and promiscuous trunk ports support only IEEE 802.1Q encapsulation.
CONFIGURING A VLAN AS A PVLAN:
It is important to note that the private VLAN feature is not compatible with the VLAN Trunking Protocol (VTP); because of this, the first thing that must be done is to put the switch into VTP transparent mode.
Router> enable  -> Enter privileged mode.
Router# configure terminal  -> Enter global configuration mode.
Router(config)# vtp mode transparent  -> Configure VTP transparent mode.
The next step is to configure the VLANs as specific private VLAN types.
Router(config)# vlan vlan-id  -> Enter VLAN configuration mode for the secondary VLAN.
Router(config-vlan)# private-vlan {isolated | community}  -> Configure the VLAN as a private secondary VLAN.
Router(config-vlan)# vlan vlan-id  -> Enter VLAN configuration mode for the primary VLAN.
Router(config-vlan)# private-vlan primary  -> Configure the VLAN as a primary VLAN.
Once all of the VLANs have been configured, the primary and secondary VLANs must be associated together.
Router(config-vlan)# private-vlan association {add | remove} secondary-vlan-list  -> Associate the primary VLAN with the secondary VLANs.
The secondary-vlan-list parameter is typically a range (using '-') or a comma-separated list. No spaces are allowed.
SECOND PHASE: SWITCHPORT CONFIGURATION:
The second phase involves the configuration of the physical switch ports: what type of private VLAN port they are and how they are associated with the VLANs. This article shows the configuration of the switch ports assigned to the secondary private VLANs first.
The first thing to do is to configure the switch port as a host port (this includes community and isolated switch ports).
Router(config-vlan)# interface interface-id  -> Enter interface configuration mode.
Router(config-if)# switchport mode private-vlan host  -> Configure the interface as a host interface.
The next thing to do is to associate the switch port with the primary and secondary VLANs that were configured in the previous section.
Router(config-if)# switchport private-vlan host-association primary-vlan secondary-vlan  -> Associate the interface with a primary and secondary VLAN.
The configuration of the switch ports in the primary VLAN now has to be completed.
Router(config-if)# interface interface-id  -> Enter interface configuration mode.
Router(config-if)# switchport mode private-vlan promiscuous  -> Configure the interface as a promiscuous interface.
This switch port then has to be mapped to all of the associated primary and secondary VLANs.
Router(config-if)# switchport private-vlan mapping primary-vlan {add | remove} secondary-vlan-list  -> Associate the interface with a primary VLAN and all of its secondary VLANs.
The secondary-vlan-list parameter is typically a range (using '-') or a comma-separated list. No spaces are allowed.
This completes the Layer 2 configuration of private VLANs; if only Layer 2 connectivity is required, the next section is not needed.
THIRD PHASE: LAYER 3 CONNECTIVITY:
As with a normal VLAN, private VLANs only allow communication within the configured VLANs (according to the private VLAN rules); to speak to devices outside this VLAN structure, a Layer 3 device is required. In many situations this Layer 3 functionality is also provided by the switch (assuming it is a Layer 3 capable switch). This section shows the additional configuration required for the switch to provide Layer 3 functionality to the switch ports configured with the private VLAN feature.
This additional configuration is simple and just adds a single command to the primary VLAN interface.
Router(config)# interface vlan primary-vlan-id  -> Enter VLAN (SVI) interface configuration mode.
Router(config-if)# private-vlan mapping {add | remove} secondary-vlan-list  -> Associate the secondary VLANs with the SVI.
The secondary-vlan-list parameter is typically a range (using '-') or a comma-separated list. No spaces are allowed.
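The ten steps and the three-phase CLI walk-through above have a fixed order (VTP transparent first, secondaries before the primary, association before the host and promiscuous ports, the SVI mapping last) and a handful of rules that the CLI will not check for you: one isolated VLAN per primary, no spaces in a VLAN list, host ports only on associated secondaries. The following is an added example, not the article's own code, that turns a small design description into the IOS commands in that order and refuses designs that break those rules; the interface names, VLAN numbers and the SVI address are assumptions.

```python
"""Generate Cisco IOS private VLAN configuration from a small design spec.

Added example, not the article's own code. It follows the ten steps and the
CLI walk-through and rejects designs that break the stated rules: at most one
isolated VLAN per primary, comma-separated secondary lists without spaces,
host ports only on associated secondaries, and promiscuous ports mapped to
every secondary. Interface names and addresses below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PvlanDesign:
    primary: int
    isolated: Optional[int]            # a primary may have only one isolated VLAN
    communities: List[int]             # any number of community VLANs
    host_ports: Dict[str, int]         # interface -> secondary VLAN it belongs to
    promiscuous_ports: List[str]       # gateways, management stations, etc.
    svi_address: Optional[str] = None  # "ip mask" if this switch routes for the PVLAN

    def secondaries(self) -> List[int]:
        return ([self.isolated] if self.isolated is not None else []) + list(self.communities)


def vlan_list(ids: List[int]) -> str:
    """IOS expects a comma-separated list with no spaces, e.g. '201,202'."""
    return ",".join(str(i) for i in sorted(ids))


def validate(d: PvlanDesign) -> List[str]:
    """Return design problems; an empty list means the design is consistent."""
    problems: List[str] = []
    secs = d.secondaries()
    if not secs:
        problems.append("a primary VLAN needs at least one secondary VLAN")
    if d.primary in secs:
        problems.append(f"VLAN {d.primary} cannot be both primary and secondary")
    if len(set(secs)) != len(secs):
        problems.append("duplicate secondary VLAN IDs")
    for ifname, sec in d.host_ports.items():
        if sec not in secs:
            problems.append(f"{ifname}: secondary {sec} is not associated with primary {d.primary}")
    if not d.promiscuous_ports:
        problems.append("no promiscuous port: hosts would have no Layer 2 path to a gateway")
    return problems


def render(d: PvlanDesign) -> List[str]:
    """Emit IOS commands in the order steps 1-10 require."""
    problems = validate(d)
    if problems:
        raise ValueError("; ".join(problems))
    secs = vlan_list(d.secondaries())
    lines = ["vtp mode transparent"]                         # step 1
    if d.isolated is not None:                               # step 2: secondaries first
        lines += [f"vlan {d.isolated}", " private-vlan isolated"]
    for c in d.communities:
        lines += [f"vlan {c}", " private-vlan community"]
    lines += [f"vlan {d.primary}", " private-vlan primary",  # steps 3 and 4
              f" private-vlan association {secs}"]
    for ifname, sec in d.host_ports.items():                 # steps 5 and 6
        lines += [f"interface {ifname}", " switchport mode private-vlan host",
                  f" switchport private-vlan host-association {d.primary} {sec}"]
    for ifname in d.promiscuous_ports:                       # steps 7 and 8
        lines += [f"interface {ifname}", " switchport mode private-vlan promiscuous",
                  f" switchport private-vlan mapping {d.primary} {secs}"]
    if d.svi_address:                                        # step 9 (optional routing)
        lines += [f"interface vlan {d.primary}", f" ip address {d.svi_address}",
                  f" private-vlan mapping {secs}", " no shutdown"]
    return lines


# Constructed design matching Example 3 further down: community 101 on Gi0/2-3,
# isolated 102 on Gi0/4-5, gateway on promiscuous Gi0/1 (assumed interface names).
EXAMPLE3 = PvlanDesign(
    primary=100, isolated=102, communities=[101],
    host_ports={"GigabitEthernet0/2": 101, "GigabitEthernet0/3": 101,
                "GigabitEthernet0/4": 102, "GigabitEthernet0/5": 102},
    promiscuous_ports=["GigabitEthernet0/1"],
)

if __name__ == "__main__":
    print("\n".join(render(EXAMPLE3)))
```

Step 10 (verification) is deliberately left out of the generator: the `show` commands in the next section are what you run on the switch after pasting the output, and the generated text is the reference to compare them against.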
VERIFYING PRIVATE VLANS:
The show vlan private-vlan command:
Switch# show vlan private-vlan
show interfaces status  -> Displays the status of interfaces, including the VLANs to which they belong.
show vlan private-vlan [type]  -> Displays the private VLAN information for the switch.
show interfaces switchport  -> Displays the private VLAN configuration on interfaces.
show interfaces private-vlan mapping  -> Displays information about the private VLAN mapping for VLAN SVIs.
CONFIGURATION EXAMPLES FOR PVLAN
EXAMPLE 1:
STEPS FOR CONFIGURING SWITCHES IN A PVLAN:
CONFIGURE VLAN 202 AS A COMMUNITY VLAN:
Switch1(config)# vlan 202
Switch1(config-vlan)# private-vlan community
CONFIGURE VLAN 201 AS AN ISOLATED VLAN:
Switch1(config-vlan)# vlan 201
Switch1(config-vlan)# private-vlan isolated
CONFIGURE THE PRIMARY VLAN AND ASSOCIATE THE SECONDARY VLANS:
Switch1(config-vlan)# vlan 100
Switch1(config-vlan)# private-vlan primary
Switch1(config-vlan)# private-vlan association 202,201
CONFIGURE INTERFACE FA0/1 AS A PROMISCUOUS PORT AND MAP THE SECONDARY VLANS THAT NEED TO COMMUNICATE WITH IT:
Switch1(config)# interface fa0/1
Switch1(config-if)# switchport mode private-vlan promiscuous
Switch1(config-if)# switchport private-vlan mapping 100 201,202
CONFIGURE THE PORTS FOR THE DNS SERVERS AND ASSOCIATE THEM WITH THE PRIMARY VLAN:
Switch1(config)# interface range fa0/10 - 11
Switch1(config-if-range)# switchport mode private-vlan host
Switch1(config-if-range)# switchport private-vlan host-association 100 202
CONFIGURE THE WEB AND SMTP SERVERS ON THE OTHER SWITCH (THIS ASSUMES YOU HAVE ALREADY CREATED THE VLANS ON SWITCH2):
Switch2(config)# interface range fa0/12 - 13
Switch2(config-if-range)# switchport mode private-vlan host
Switch2(config-if-range)# switchport private-vlan host-association 100 201
CONFIGURE THE DHCP PORT FOR VLAN 202:
Switch2(config)# interface fa0/14
Switch2(config-if)# switchport mode private-vlan host
Switch2(config-if)# switchport private-vlan host-association 100 202
CONFIGURE AN ETHERCHANNEL BETWEEN THE TWO SWITCHES:
Switch(config)# interface range fa0/4 - 5
Switch(config-if-range)# channel-group 2 mode active
Switch(config-if-range)# switchport mode trunk
Switch(config-if-range)# switchport trunk allowed vlan 100,201,202
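Example 1 spreads one private VLAN over two switches, which is where the guideline above about configuring the private VLAN on every intermediate device and the trunk's allowed-VLAN list matters: a trunk that carries the primary but not the secondaries, a host port associated with a secondary that was never associated with the primary, or a promiscuous port that maps only some of the secondaries all pass the CLI but break the design. The following is an added example, not the article's own tooling, that audits a running-config excerpt for those mistakes; the excerpt is constructed in the shape of Switch1 from Example 1, and the interface names are assumptions.

```python
"""Audit an IOS running-config for private VLAN mistakes (added example).

Not code from the article. Checks a constructed config excerpt shaped like
Example 1 against the guidelines above: VTP transparent, every associated
secondary declared isolated or community, at most one isolated VLAN per
primary, host ports only on associated pairs, promiscuous ports mapping every
secondary, and trunks carrying the primary plus all secondaries.
"""
import re
from typing import Dict, List, Set, Tuple


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split IOS config text into (header, indented sub-lines) blocks."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def expand_vlan_list(spec: str) -> Set[int]:
    """'100,201-203' -> {100, 201, 202, 203}; IOS lists carry no spaces."""
    ids: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def audit_pvlan(config: str) -> List[str]:
    """Return findings as text; an empty list means nothing was flagged."""
    findings: List[str] = []
    blocks = parse_blocks(config)
    if ("vtp mode transparent", []) not in blocks:
        findings.append("VTP is not in transparent mode; private VLANs require it")
    assoc: Dict[int, Set[int]] = {}  # primary -> associated secondaries
    sec_type: Dict[int, str] = {}    # secondary -> 'isolated' | 'community'
    for header, body in blocks:
        m = re.fullmatch(r"vlan (\d+)", header)
        if not m:
            continue
        vid = int(m.group(1))
        for line in body:
            if line in ("private-vlan isolated", "private-vlan community"):
                sec_type[vid] = line.split()[1]
            elif line.startswith("private-vlan association "):
                assoc[vid] = expand_vlan_list(line.split()[-1])
    for p, secs in assoc.items():
        isolated = sorted(s for s in secs if sec_type.get(s) == "isolated")
        if len(isolated) > 1:
            findings.append(f"primary {p}: more than one isolated VLAN {isolated}")
        for s in sorted(secs - set(sec_type)):
            findings.append(f"primary {p}: VLAN {s} is associated but not declared isolated/community")
    pvlan_ids = set(assoc) | {s for secs in assoc.values() for s in secs}
    for header, body in blocks:
        if not header.startswith("interface "):
            continue
        name = header.split(" ", 1)[1]
        mode = next((l.split()[-1] for l in body if l.startswith("switchport mode ")), None)
        for line in body:
            w = line.split()
            if line.startswith("switchport private-vlan host-association "):
                p, s = int(w[3]), int(w[4])
                if mode != "host":
                    findings.append(f"{name}: host-association without 'switchport mode private-vlan host'")
                if s not in assoc.get(p, set()):
                    findings.append(f"{name}: secondary {s} is not associated with primary {p}")
            elif line.startswith("switchport private-vlan mapping "):
                p, mapped = int(w[3]), expand_vlan_list(w[-1])  # tolerates an 'add' keyword
                if mode != "promiscuous":
                    findings.append(f"{name}: mapping without 'switchport mode private-vlan promiscuous'")
                missing = sorted(assoc.get(p, set()) - mapped)
                if missing:
                    findings.append(f"{name}: promiscuous port does not map secondary VLANs {missing}")
            elif line.startswith("switchport trunk allowed vlan ") and w[-1][0].isdigit():
                missing = sorted(pvlan_ids - expand_vlan_list(w[-1]))
                if missing and len(missing) < len(pvlan_ids):  # trunk carries only part of the PVLAN
                    findings.append(f"{name}: trunk carries part of the private VLAN but not {missing}")
    return findings


# Constructed excerpt shaped like Switch1 in Example 1, plus its trunk to Switch2.
GOOD_CONFIG = """\
vtp mode transparent
vlan 201
 private-vlan isolated
vlan 202
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 201,202
interface FastEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 201,202
interface FastEthernet0/10
 switchport mode private-vlan host
 switchport private-vlan host-association 100 202
interface Port-channel2
 switchport mode trunk
 switchport trunk allowed vlan 100,201,202
"""

# The same excerpt with four deliberate mistakes planted for the audit to find.
BAD_CONFIG = (GOOD_CONFIG.replace("vtp mode transparent\n", "")
              .replace("mapping 100 201,202", "mapping 100 201")
              .replace("host-association 100 202", "host-association 100 203")
              .replace("allowed vlan 100,201,202", "allowed vlan 100"))

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_pvlan(cfg) or ["no findings"])
```

Run it against `show running-config` output saved from each switch in the path; the trunk check is per switch, so a device in the middle that has no private VLAN ports but allows only the primary on its trunks is reported on that device.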
EXAMPLE 2:
A configuration with multiple servers on a single VLAN should use PVLANs for Layer 2 separation among the servers. Routers should be on promiscuous ports and servers on an isolated PVLAN. Only servers that need to communicate directly with other servers should be on a community PVLAN. Implement VACLs on the primary PVLAN to filter traffic originated by and routed to the same segment.
In certain instances where similar systems do not need to interact directly, PVLANs provide additional attack mitigation. In voice networks this may be the case with certain proxies serving the same user set but using different protocols, or with collocated call managers serving different user sets. In the latter example, collocation allows the use of the same stateless filter for the call managers, while the private VLAN keeps a compromised call manager from reaching the others directly at Layer 2.
The following example creates a PVLAN with an NTP server on a promiscuous port and two isolated servers.
Switch(config)# vlan 200
Switch(config-vlan)# name SERVERS-PRIVATE
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 201
Switch(config-vlan)# exit
Switch(config)# vlan 201
Switch(config-vlan)# name SERVERS-ISOLATED
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# interface GigabitEthernet6/1
Switch(config-if)# description SERVER 1
Switch(config-if)# switchport private-vlan host-association 200 201
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# interface GigabitEthernet6/2
Switch(config-if)# description SERVER 2
Switch(config-if)# switchport private-vlan host-association 200 201
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# interface GigabitEthernet6/6
Switch(config-if)# description NTP SERVER
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 200 201
Switch(config-if)# no shutdown
Switch(config-if)# exit
EXAMPLE 3:
SCENARIO:
Create one community VLAN to which SRV1 and SRV2 will belong. Also create an isolated VLAN to which SRV3 and SRV4 will belong. Make Ge0/1 promiscuous and connect it to the default gateway (router).
According to this configuration, SRV1 and SRV2 can talk to each other and also with the router (default gateway). On the other hand, the servers in the isolated VLAN (SRV3 and SRV4) will not communicate with each other and also will not be able to talk with F0/0 (router, default gateway).
Before starting the PVLAN configuration, switching VTP mode to transparent is required. If VTP works in another mode, PVLAN will not work.
SWITCH TO TRANSPARENT MODE:
Switch(config)# vtp mode transparent  -> Set the device to VTP transparent mode.
CREATE THE ISOLATED VLAN:
Switch(config)# vlan 102
Switch(config-vlan)# private-vlan isolated
CREATE THE COMMUNITY VLAN:
Switch(config)# vlan 101
Switch(config-vlan)# private-vlan community
CREATE THE PRIMARY VLAN AND MAP IT TO THE SECONDARY VLANS:
Switch(config-vlan)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 101,102
OUR COMPLETE VLAN CONFIGURATION LOOKS LIKE THIS:
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan community
vlan 102
 private-vlan isolated
CREATE THE PROMISCUOUS PORT AND MAP IT TO THE OTHER VLANS:
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101,102
ASSOCIATE PORTS GE0/2 AND GE0/3 WITH THE PRIMARY AND SECONDARY VLANS. ACCORDING TO OUR SCENARIO, GE0/2 AND GE0/3 SHOULD BE IN THE COMMUNITY VLAN:
Switch(config)# interface range GigabitEthernet0/2 - 3
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 101
ASSOCIATE PORTS GE0/4 AND GE0/5 WITH THE PRIMARY AND SECONDARY VLANS. ACCORDING TO OUR SCENARIO, GE0/4 AND GE0/5 SHOULD BE IN THE ISOLATED VLAN:
Switch(config)# interface range GigabitEthernet0/4 - 5
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 102
PVLANS SUMMARY:
A regular VLAN is a single broadcast domain. The private VLAN technology partitions a larger VLAN broadcast domain into smaller sub-domains. So far, two kinds of special sub-domains specific to the private VLAN technology have been defined: an 'isolated' sub-domain and a 'community' sub-domain. Each sub-domain is defined by assigning a proper designation to a group of switch ports.
Within a private VLAN domain, three separate port designations exist. Each port designation has its own unique set of rules, which regulate a connected endpoint's ability to communicate with other connected endpoints within the same private VLAN domain. The three port designations are promiscuous, isolated, and community.
An endpoint connected to a promiscuous port has the ability to communicate with any endpoint within the private VLAN. Multiple promiscuous ports may be defined within a single private VLAN domain. In most networks, Layer 3 default gateways or network management stations are commonly connected to promiscuous ports.
Isolated ports are typically used for those endpoints that only require access to a limited number of outgoing interfaces on a private-VLAN-enabled device. An endpoint connected to an isolated port will only possess the ability to communicate with those endpoints connected to promiscuous ports. Endpoints connected to adjacent isolated ports cannot communicate with one another.
For example, within a web-hosting environment, isolated ports can be used to connect hosts that require access only to default gateways.
A community port is a port that is part of a private VLAN community, which is a grouping of ports connected to devices belonging to the same entity (for example, a group of hosts of the same ISP customer or a pool of servers in a data center). Within a community, endpoints can communicate with one another and can also communicate with any configured promiscuous port. Endpoints belonging to one community cannot communicate with endpoints belonging to a different community or with endpoints connected to isolated ports.
There are three different VLAN types (primary, isolated, and community) with well-defined, port-related characteristics, which are described in detail below.
Isolated ports: An isolated port cannot talk to any other port in the private VLAN domain except for promiscuous ports. If a customer device needs to have access only to a gateway router, then it should be attached to an isolated port.
Community ports: A community port, e.g., C1 or C2, is part of a group of ports. The ports within a community can have Layer 2 communications with one another and can also talk to any promiscuous port. If an ISP customer has, say, two devices that he/she wants to be isolated from other customers' devices but able to communicate among themselves, then community ports should be used.
Promiscuous ports: As the name suggests, a promiscuous port (P1) can talk to all other types of ports. A promiscuous port can talk to isolated ports as well as community ports, and vice versa. Layer 3 gateways, DHCP servers, and other 'trusted' devices that need to communicate with the customer endpoints are typically connected via promiscuous ports.
Please note that isolated, community, and promiscuous ports can be either access ports or hybrid/trunk ports (according to the terminology presented in Annex D of the IEEE 802.1Q specification, up to its 2004 revision).
CONCLUSION:
The goal of this article is to give an easy way to understand the "Cisco PVLAN configuration". Hope this article will help every beginner who is going to start Cisco lab practice without any doubts. Thank you and best of luck.
Some topics that you might want to pursue on your own that we did not cover in this article are listed here. Thank you and best of luck.
This article was written by: Premakumar Thevathasan. CCNA, CCNP, CCIP, MCSE, MCSA, MCSA - MSG, CIW Security Analyst, CompTIA Certified A+.
DISCLAIMER:
This document carries no explicit or implied warranty. Nor is there any guarantee that the information contained in this document is accurate. Every effort has been made to make all articles as complete and as accurate as possible.
It is offered in the hope of helping others, but you use it at your own risk. The author will not be liable for any special, incidental, consequential or indirect damages due to loss of data or any other reason that occur as a result of using this document. No warranty or fitness is implied. The information provided is on an "as is" basis. All use is completely at your own risk.