Private VLAN: Concept and Cisco IOS/F10 configuration

  • Why we need private VLANs:
    • All hosts in a single VLAN can communicate with each other at L2. There are situations where hosts in the same VLAN should not be able to talk to each other.
    • Example: a hotel. The ports going to each room are in the same VLAN, yet a guest in one room should not see packets from guests in other rooms.
    • A service provider hosting many customers' servers in its server farm. Each customer should be isolated even though they are connected to the same VLAN.
    • One solution for the above examples would be to put each interface in a different L3 VLAN. This is not ideal: IP address space is wasted on per-customer subnets, and the 4094 usable VLAN IDs (1-4094) may be exhausted.
  • Ports in a private VLAN can be:
    • Promiscuous: can communicate with all ports in the private VLAN. This port is typically connected to the L3 router/gateway or firewall. Note that the isolation is L2 only: the router behind the promiscuous port will still route between two isolated hosts' IP addresses unless it is configured (e.g. with ACLs) not to.
    • Isolated: cannot communicate with any other port in the private VLAN except promiscuous ports.
    • Community: can communicate with other ports in the same community and with promiscuous ports, but not with isolated ports or ports in other communities.
    • Inter-switch link port: a trunk port which carries the primary and secondary VLAN IDs and is used to extend the private VLAN behaviour to other switches.
  • Terminology:
    • Primary VLAN:
      • Carries traffic from promiscuous port to isolated/community ports and to other promiscuous ports in the same primary VLAN.
    • Secondary VLAN:
      • Isolated VLAN:
        • Carries traffic from isolated ports to promiscuous ports.
      • Community VLAN:
        • Carries traffic from one community port to other ports in same community vlan and to promiscuous ports.
  • There can be more than one promiscuous port in a primary VLAN.
  • A promiscuous port can serve only one primary VLAN.
  • A primary VLAN can have only one isolated VLAN, but one or many community VLANs, associated with it.
  • A community or isolated VLAN can be mapped to only one primary VLAN.
  • VLAN tag behaviour in a private VLAN:
    • An isolated port accepts a packet from the inter-switch link port only if it is tagged with the primary VLAN (e.g. a packet from a promiscuous port on another switch).
    • A community port accepts a packet from the inter-switch link port if it is tagged with the primary VLAN (a packet from a promiscuous port on another switch) or with its own community (secondary) VLAN ID (a packet from a member of the same community on another switch).
    • A packet from a community port is sent out of the trunk (inter-switch link) port tagged with the secondary VLAN ID (the community VLAN ID).
    • A packet from an isolated port is sent out of the trunk (inter-switch link) port tagged with the secondary VLAN ID (the isolated VLAN ID).
    • A packet from a promiscuous port is sent out of the trunk port tagged with the primary VLAN ID.

Sample configuration: Cisco IOS

<VLAN 5 is the primary VLAN. VLAN 10 is the isolated VLAN. VLAN 15 is the community VLAN. Port 2/22 is the promiscuous port, 2/23 is the isolated port, and 2/24 and 2/25 are community ports.>

!
vlan 5
 private-vlan primary
 private-vlan association 10,15
!
vlan 10
 private-vlan isolated
!
vlan 15
 private-vlan community
!
interface GigabitEthernet2/22
 description promiscuous-port
 switchport
 switchport private-vlan mapping 5 10,15
 switchport mode private-vlan promiscuous
!
interface GigabitEthernet2/23
 description isolated-port-vlan-10
 switchport
 switchport private-vlan host-association 5 10
 switchport mode private-vlan host
!
interface GigabitEthernet2/24
 description community-port-vlan-15
 switchport
 switchport private-vlan host-association 5 15
 switchport mode private-vlan host
!
interface GigabitEthernet2/25
 description community-port-vlan-15
 switchport
 switchport private-vlan host-association 5 15
 switchport mode private-vlan host
!

#show run int vlan 5
interface Vlan5
 description l3-primary-vlan
 ip address 1.1.1.1 255.255.255.0
 private-vlan mapping 10,15
end

#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
5       10        isolated          Gi2/22, Gi2/23
5       15        community         Gi2/22, Gi2/24, Gi2/25
#

With the above configuration the error message below is displayed because of the "12/24-port restriction" on some Catalyst 6500 line cards: a promiscuous port cannot share a 12-port (or, on some modules, 24-port) set with isolated or community ports, and the host ports in the same set are put into the inactive state. The sets are consecutive groups of ports (1-12, 13-24, ...), so here 2/23 and 2/24 share a set with the promiscuous port 2/22 while 2/25 does not. The fix is to move the promiscuous port (or the host ports) to a different port set or module; the Catalyst 6500 private VLAN configuration guide listed in the references gives the affected modules.

"%PM-SP-3-ERR_INCOMP_PORT: 2/23 is set to inactive because 2/22 is a promiscuous port"
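The following script is an added example, not code from the original post or from Cisco. It parses a Cisco IOS private VLAN configuration (a constructed copy of the sample above is embedded as `SAMPLE_CONFIG`), computes which ports can exchange frames from the promiscuous/isolated/community rules, works out the tag each port's traffic carries on the inter-switch link and which tagged frames a port accepts from it, and flags host ports that share a port set with a promiscuous port. The port-set check assumes sets of 12 consecutive ports numbered from 1; the function names and the `(slot, set)` grouping are the example's own.

```python
# Added example (not from the original post or from Cisco): audit a Cisco IOS
# private-VLAN config against the isolation rules described above.
# SAMPLE_CONFIG is a constructed copy of the post's sample; the port-set check
# assumes sets of 12 consecutive ports numbered from 1 (1-12, 13-24, ...).
import re
from itertools import combinations

SAMPLE_CONFIG = """\
vlan 5
 private-vlan primary
 private-vlan association 10,15
vlan 10
 private-vlan isolated
vlan 15
 private-vlan community
interface GigabitEthernet2/22
 switchport private-vlan mapping 5 10,15
 switchport mode private-vlan promiscuous
interface GigabitEthernet2/23
 switchport private-vlan host-association 5 10
 switchport mode private-vlan host
interface GigabitEthernet2/24
 switchport private-vlan host-association 5 15
 switchport mode private-vlan host
interface GigabitEthernet2/25
 switchport private-vlan host-association 5 15
 switchport mode private-vlan host
!
"""

def parse_pvlan(text):
    """Return (vlans, ports): vlan id -> {type, assoc}; port name -> {mode, primary, secondaries}."""
    vlans, ports, ctx = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            ctx = None                    # '!' ends the current vlan/interface block
        elif m := re.fullmatch(r"vlan (\d+)", line):
            ctx = vlans.setdefault(int(m[1]), {"type": None, "assoc": set()})
        elif m := re.fullmatch(r"interface (\S+)", line):
            ctx = ports.setdefault(m[1], {"mode": None, "primary": None, "secondaries": set()})
        elif ctx is None:
            continue
        elif m := re.fullmatch(r"private-vlan (primary|isolated|community)", line):
            ctx["type"] = m[1]
        elif m := re.fullmatch(r"private-vlan association (\S+)", line):
            ctx["assoc"] = {int(v) for v in m[1].split(",")}
        elif m := re.fullmatch(r"switchport private-vlan (?:mapping|host-association) (\d+) (\S+)", line):
            ctx["primary"], ctx["secondaries"] = int(m[1]), {int(v) for v in m[2].split(",")}
        elif m := re.fullmatch(r"switchport mode private-vlan (promiscuous|host)", line):
            ctx["mode"] = m[1]
    return vlans, ports

def can_talk(vlans, ports, a, b):
    """L2 reachability between two private-VLAN ports on the same switch."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False                      # different private VLANs never mix
    modes = {pa["mode"], pb["mode"]}
    if modes == {"promiscuous"}:
        return True                       # promiscuous <-> promiscuous
    if "promiscuous" in modes:
        prom, host = (pa, pb) if pa["mode"] == "promiscuous" else (pb, pa)
        return host["secondaries"] <= prom["secondaries"]   # host's secondary must be mapped
    shared = pa["secondaries"] & pb["secondaries"]
    return any(vlans[v]["type"] == "community" for v in shared)  # isolated never reaches a host port

def reachability(vlans, ports):
    """All unordered port pairs that can exchange frames."""
    return [(a, b) for a, b in combinations(sorted(ports), 2) if can_talk(vlans, ports, a, b)]

def trunk_egress_tag(ports, port):
    """VLAN ID a frame from `port` carries when sent out the inter-switch link."""
    p = ports[port]
    return p["primary"] if p["mode"] == "promiscuous" else min(p["secondaries"])

def accepts_from_trunk(vlans, ports, port, vid):
    """Is a frame tagged `vid` arriving on the inter-switch link delivered to `port`?"""
    p = ports[port]
    if p["mode"] == "promiscuous":
        return vid == p["primary"] or vid in p["secondaries"]
    if vid == p["primary"]:
        return True                       # from a promiscuous port on another switch
    return vid in p["secondaries"] and vlans[vid]["type"] == "community"

def port_group(name, size=12):
    """(slot, port-set index) under the 12-consecutive-ports assumption."""
    slot, num = map(int, re.search(r"(\d+)/(\d+)$", name).groups())
    return slot, (num - 1) // size

def port_group_conflicts(ports, size=12):
    """Host ports sharing a port set with a promiscuous port (they would be set inactive)."""
    proms = [n for n, p in ports.items() if p["mode"] == "promiscuous"]
    return sorted((h, pr) for h, p in ports.items() if p["mode"] == "host"
                  for pr in proms if port_group(h, size) == port_group(pr, size))

if __name__ == "__main__":
    vl, po = parse_pvlan(SAMPLE_CONFIG)
    print("reachable pairs:", reachability(vl, po))
    print("port-set conflicts:", port_group_conflicts(po))
```

Run against the sample, the reachable pairs are exactly the promiscuous port with each host port plus the two community ports with each other, and both 2/23 and 2/24 are reported as conflicting with 2/22. To audit a real switch, feed the output of `show running-config` into `parse_pvlan` instead of `SAMPLE_CONFIG`; the port-set size is a parameter because it is module-specific.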

Sample configuration: Force10

<VLAN 10 is the primary VLAN. VLAN 20 is the community VLAN. VLAN 30 is the isolated VLAN. Port 0/23 is the promiscuous port, 0/24 is a community port, 0/25 is an isolated port and 0/26 is the trunk port.>

F10(conf-if-vl-10)#sho conf
!
interface Vlan 10
 private-vlan mode primary
 private-vlan mapping secondary-vlan 20,30
 no ip address
 tagged GigabitEthernet 0/23,26
 no shutdown

F10(conf-if-gi-0/23)#sho conf
!
interface GigabitEthernet 0/23
 no ip address
 switchport
 switchport mode private-vlan promiscuous
 no shutdown

F10(conf-if-gi-0/26)#sho conf
!
interface GigabitEthernet 0/26
 no ip address
 switchport
 switchport mode private-vlan trunk
 no shutdown

F10(conf-if-vl-20)#sho conf
!
interface Vlan 20
 private-vlan mode community
 no ip address
 tagged GigabitEthernet 0/24
 no shutdown

F10(conf-if-gi-0/24)#sho conf
!
interface GigabitEthernet 0/24
 no ip address
 switchport
 switchport mode private-vlan host
 no shutdown

F10(conf-if-vl-30)#sho conf
!
interface Vlan 30
 private-vlan mode isolated
 no ip address
 tagged GigabitEthernet 0/25
 no shutdown

F10(conf-if-gi-0/25)#sho conf
!
interface GigabitEthernet 0/25
 no ip address
 switchport
 switchport mode private-vlan host
 no shutdown
!

References:

RFC 5517, Cisco Systems' Private VLANs: Scalable Security in a Multi-Client Environment: http://tools.ietf.org/html/rfc5517

Catalyst 6500 IOS 12.1E configuration guide, Configuring Private VLANs: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/pvlans.html

3 Responses to Private VLAN: Concept and Cisco IOS/F10 configuration

  1. Jamie says:

    Nice breakdown. Could have sifted through sample configs for hours before I got as much useful info as I found in this post. Thanks.


  2. Pingback: L2 Security « Internet Protocols

  3. venkee says:

    This seems to give a clear picture of what a private VLAN does, in contrast to a normal VLAN. Thanks for this....
