Cisco Private VLANs

What is a private VLAN?

A private VLAN (PVLAN) is composed as follows:

Primary VLAN: acts like the normal VLAN that we are used to; it is the VLAN the outside world (the gateway, the trunk) sees.

Secondary VLAN: defines the forwarding rules for the ports that are associated with it. The mapping between the primary VLAN and its secondary VLANs is what a PVLAN is.

Types of ports:

Promiscuous: forwards primary and secondary VLAN traffic, so it can talk to every port in the PVLAN; this is normally where the gateway or firewall sits.

Isolated: can only communicate with promiscuous ports that are mapped to its secondary VLAN. Two isolated ports cannot talk to each other even when they sit in the same isolated VLAN.

Community: can communicate with any other port in the same community VLAN, and with promiscuous ports mapped to that secondary VLAN as well.

More information at Cisco

So, taking this configuration as the baseline:

R1, R3 and R4 connected to Sw1 (Fa0/1, Fa0/3 and Fa0/4)

Let's assume that R1, R3 and R4 are just hosts in the network.

show cdp neighbors from Sw1 gives a clear picture of the topology, just in case it gets messed up:

NLISw1#show cdp neigh
Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge
S – Switch, H – Host, I – IGMP, r – Repeater, P – Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
R4 Fas 0/4 152 R S I 2811 Fas 0/0
R3 Fas 0/3 145 R S I 2811 Fas 0/0
R1 Fas 0/1 74 R S I 2811 Fas 0/0
NLISw1#

So we have basic reachability in this network, every host in the same VLAN:

R3(config)#exit
R3#ping 10.10.255.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.1, timeout is 2 seconds:

*Jun 2 10:01:46.031: %SYS-5-CONFIG_I: Configured from console by console.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R3#
R3#
R3#
R3#ping 10.10.255.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R3#

Now, what happens if you are hosting R3 and R4 for two different customers in that same addressing (a public block) and you need to provide isolation between these two devices?

Remember the addressing recommendation of one subnet per VLAN: without PVLANs you would need a new VLAN and a new subnet per customer, so in the end private VLANs also play into CIDR and NAT considerations, because many isolated customers can share a single subnet.

Something I have been digging into is the relationship between protected ports and private VLANs. Trunk ports carry traffic from regular VLANs and also from primary, isolated and community VLANs, so PVLAN isolation is kept across switches; a protected port ("NLISw1(config-if)#switchport protected") is only significant on the local switch, which I consider the difference between the two.

The cookbook from the link above:

1:
Set VTP mode to transparent
Switch(config)# vtp mode transparent

Scalability: The switch supports up to 1005 active VLANs. If a service provider assigns one VLAN per customer, this limits the numbers of customers the service provider can support.

NLISw1(config)#vlan 3000
NLISw1(config-vlan)#exit
% Failed to create VLANs 3000
Extended VLAN(s) not allowed in current VTP mode.
%Failed to commit extended VLAN(s) changes.

NLISw1(config)#
00:05:49: %SW_VLAN-4-VLAN_CREATE_FAIL: Failed to create VLANs 3000: extended VLAN(s) not allowed in current VTP mode

More about this in the documentation linked above. The reason is that extended-range VLANs (1006-4094) are not propagated by VTP versions 1 and 2, so the switch refuses to create them unless VTP is in transparent mode, and spanning tree needs the extended system ID enabled to use them.

Anyway, the switch is decent enough to tell you the same thing for private VLANs:

NLISw1(config-vlan)#private-vlan isolated
%Private VLANs can only be configured when VTP is in transparent mode.

Basic command
NLISw1(config)#vlan 20
NLISw1(config-vlan)#private-vlan ?
association Configure association between private VLANs
community Configure the VLAN as a community private VLAN
isolated Configure the VLAN as an isolated private VLAN
primary Configure the VLAN as a primary private VLAN

step 2:

Taking part of the main configuration you can find in search engines (the Cisco example, which uses the interface numbering of a different platform):

!!!Create the secondary VLANs
!!!Switch(config)# vlan 10
!!!Switch(config-vlan)# private-vlan community
!!!Switch(config-vlan)# vlan 20
!!!Switch(config-vlan)# private-vlan isolated

step 3:
!!!Create the primary VLAN and associate the secondary VLANs
!!!Switch(config)# vlan 100
!!!Switch(config-vlan)# private-vlan primary
!!!Switch(config-vlan)# private-vlan association 10,20

So the configuration on the switch:

NLISw1(config-if)#vlan 100
NLISw1(config-vlan)#priva pri
NLISw1(config-vlan)#pri as 10,20
NLISw1(config-vlan)#exit

To associate the ports, these are the configuration commands:

NLISw1(config-if)#switchport private-vlan host-association ?
<1006-4094> Primary extended range VLAN ID of the private VLAN host port
association
<2-1001> Primary normal range VLAN ID of the private VLAN port
association

NLISw1(config-if)#switchport private-vlan host-association 100 ?
<1006-4094> Secondary extended range VLAN ID of the private VLAN host port
association
<2-1001> Secondary normal range VLAN ID of the private VLAN host port
association

So the commands are (each host port also needs "switchport mode private-vlan host", which is what shows up in the running configuration further down):

NLISw1(config-if)#int f0/3
NLISw1(config-if)#switchport private-vlan host-association 100 20
NLISw1(config-if)#int f0/4
NLISw1(config-if)#switchport private-vlan host-association 100 10

!!!Configure the promiscuous port
!!!Switch(config)# interface fastethernet 2/1
!!!Switch(config-if)# switchport mode private-vlan promiscuous
!!!Switch(config-if)# switchport private-vlan mapping 100 10,20

NLISw1(config-if)#switchport private-vlan mapping ?
<1006-4094> Primary extended range VLAN ID of the private VLAN promiscuous
port mapping
<2-1001> Primary normal range VLAN ID of the private VLAN promiscuous
port mapping

NLISw1(config-if)#interface F0/1
NLISw1(config-if)#switchport private-vlan mapping 100 add 10,20

NLISw1(config-if)#do show vlan private

Primary Secondary Type Ports
——- ——— —————– ——————————————
100 10 community Fa0/1
100 20 isolated Fa0/1, Fa0/3

NLISw1(config-if)#int range f0/3 – 4
NLISw1(config-if-range)#switchport private-vlan host-association 100 10
NLISw1(config-if-range)#
rack10>4
[Resuming connection 4 to R4 … ]

R4#ping 10.10.255.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R4#
R4#ping 10.10.255.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
R4#

interface FastEthernet0/3
switchport private-vlan host-association 100 10
switchport mode private-vlan host
end

NLISw1(config-if-range)#do show run int f0/4
Building configuration…

Current configuration : 117 bytes
!
interface FastEthernet0/4
switchport private-vlan host-association 100 10
switchport mode private-vlan host
end

NLISw1(config-if-range)#do show vlan priva

Primary Secondary Type Ports
——- ——— —————– ——————————————
100 10 community Fa0/1, Fa0/3, Fa0/4
100 20 isolated Fa0/1

NLISw1(config-if-range)#

Now, move R3 (f0/3) into the isolated VLAN 20:

NLISw1(config-if)#interface FastEthernet0/3
NLISw1(config-if)# switchport private-vlan host-association 100 20
NLISw1(config-if)#do show run int f0/3
Building configuration…

Current configuration : 117 bytes
!
interface FastEthernet0/3
switchport private-vlan host-association 100 20
switchport mode private-vlan host
end

NLISw1(config-if)#do show vlan priva

Primary Secondary Type Ports
——- ——— —————– ——————————————
100 10 community Fa0/1, Fa0/4
100 20 isolated Fa0/1, Fa0/3

So from R3 now:

R3#ping 10.10.255.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R3#ping 10.10.255.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R3#ping 10.10.255.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.4, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)
R3#

So up to here VLAN 10 is a community VLAN and VLAN 20 is an isolated VLAN; f0/3 is assigned to the isolated VLAN, f0/4 to the community VLAN, and f0/1 is configured as the promiscuous port. If you want to make the comparison with a data center, think of R3 as a host from Customer A, R4 as a host from Customer B, and R1 as the gateway of that POP: both customers share the same subnet and reach the gateway, but cannot reach each other through the switch.

One caveat: this isolation is only Layer 2. If the gateway sitting on the promiscuous port is willing to route (or proxy-ARP) between the two hosts, a host can still reach its neighbour by sending the packet to the gateway's MAC address, so an ACL on the gateway is still needed to complete the isolation.
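As an added example (not part of the original post, and not IOS code), the following Python script encodes the three port-type rules from the "Types of ports" section and replays the final lab state (Fa0/1 promiscuous mapped to 10 and 20, Fa0/3 in the isolated VLAN 20, Fa0/4 in the community VLAN 10), so the expected ping results can be worked out before touching a switch. The port and VLAN numbers are the ones from the lab; the class and function names are assumptions of this example.

```python
"""Model of Cisco private-VLAN forwarding rules (added example, not IOS code).

Encodes the rules of the three PVLAN port types and replays the lab from the
post: Fa0/1 promiscuous (mapping 100 10,20), Fa0/3 host in isolated VLAN 20,
Fa0/4 host in community VLAN 10.  Names below are this example's own.
"""
from dataclasses import dataclass
from itertools import combinations

ISOLATED = "isolated"
COMMUNITY = "community"


@dataclass(frozen=True)
class HostPort:
    """A 'switchport mode private-vlan host' port, tied to one secondary VLAN."""
    name: str
    secondary: int


@dataclass(frozen=True)
class PromiscuousPort:
    """A 'switchport mode private-vlan promiscuous' port and its mapping list."""
    name: str
    mapped: frozenset  # secondary VLAN IDs from 'switchport private-vlan mapping'


class PrivateVlan:
    def __init__(self, primary: int, secondaries: dict):
        # secondaries: {vlan_id: ISOLATED | COMMUNITY}, the 'private-vlan association'
        bad = set(secondaries.values()) - {ISOLATED, COMMUNITY}
        if bad:
            raise ValueError(f"unknown secondary VLAN type(s): {bad}")
        self.primary = primary
        self.secondaries = dict(secondaries)
        self.ports = {}

    def add_host(self, name: str, secondary: int) -> None:
        # IOS rejects a host-association to a VLAN not associated with the primary
        if secondary not in self.secondaries:
            raise ValueError(f"VLAN {secondary} is not associated with primary {self.primary}")
        self.ports[name] = HostPort(name, secondary)

    def add_promiscuous(self, name: str, mapped) -> None:
        unknown = set(mapped) - set(self.secondaries)
        if unknown:
            raise ValueError(f"VLAN(s) {unknown} are not associated with primary {self.primary}")
        self.ports[name] = PromiscuousPort(name, frozenset(mapped))

    def can_talk(self, a: str, b: str) -> bool:
        """True if frames from port a reach port b through the switch (symmetric)."""
        pa, pb = self.ports[a], self.ports[b]
        if isinstance(pa, PromiscuousPort) and isinstance(pb, PromiscuousPort):
            return True  # both live in the primary VLAN
        if isinstance(pa, PromiscuousPort) or isinstance(pb, PromiscuousPort):
            prom, host = (pa, pb) if isinstance(pa, PromiscuousPort) else (pb, pa)
            # a host port only sees promiscuous ports mapped to its secondary VLAN
            return host.secondary in prom.mapped
        # two host ports: only members of the same *community* VLAN talk;
        # isolated ports never talk to each other, even in the same isolated VLAN
        return pa.secondary == pb.secondary and self.secondaries[pa.secondary] == COMMUNITY

    def matrix(self) -> dict:
        """Reachability for every unordered pair of ports."""
        return {(a, b): self.can_talk(a, b) for a, b in combinations(sorted(self.ports), 2)}


def lab() -> PrivateVlan:
    """The final state of the switch in the post."""
    pv = PrivateVlan(100, {10: COMMUNITY, 20: ISOLATED})
    pv.add_promiscuous("Fa0/1", {10, 20})  # R1, the gateway
    pv.add_host("Fa0/3", 20)               # R3, isolated customer A
    pv.add_host("Fa0/4", 10)               # R4, community customer B
    return pv


if __name__ == "__main__":
    for (a, b), ok in lab().matrix().items():
        print(f"{a} <-> {b}: {'reachable' if ok else 'blocked'}")
```

Running it reproduces the pings at the end of the post: R3 and R4 both reach R1, R3 does not reach R4. Dropping VLAN 20 from the promiscuous mapping (the "add 10,20" step) is the common mistake the model also catches: the isolated host then loses its gateway entirely.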

A Networker Blog
