
Jul 14

Private VLANs Revisited

63 Comments | Posted by Petr Lapukhov, 4xCCIE/CCDE in Advanced Security, Security, Switching

Because interest in the earlier post about Private VLANs has not faded, I decided to write another, more detailed one, including a diagram and verification techniques.

Introduction

To begin with, recall that a VLAN is essentially a broadcast domain. Private VLANs (PVLANs) allow splitting that domain into multiple isolated broadcast “subdomains”, introducing sub-VLANs inside a VLAN. As we know, Ethernet VLANs cannot communicate directly with each other; they require an L3 device to forward packets between separate broadcast domains. The same restriction applies to PVLANs: since the subdomains are isolated at Layer 2, they need to communicate through an upper-level (L3/packet forwarding) device, such as a router.

In reality, different VLANs normally map to different IP subnets. When we split a VLAN using PVLANs, hosts in different PVLANs still belong to the same IP subnet, yet now they need to use a router (L3 device) to talk to each other (for example, by using Local Proxy ARP). In turn, the router may either permit or forbid communication between sub-VLANs using access-lists. Commonly, these configurations arise in “shared” environments, say ISP co-location, where it is beneficial to put multiple customers into the same IP subnet, yet provide a good level of isolation between them.

Private VLANs Terminology

Private VLANs Revisited | CCIE Blog http://blog.internetworkexpert.com/2008/07/14/private-vlans-revisited/

1 of 14 9/30/2011 12:44 PM


The following is the reference diagram that we are going to use to illustrate Private VLAN concepts and functionality.

For our sample configuration, we take VLAN 1000 and divide it into three PVLANs: sub-VLAN 1012 (R1 and R2), sub-VLAN 1034 (R3 and R4) and sub-VLAN 1055 (router R5 only). Router R6 will be used as the layer 3 device, to resolve the layer 3 communication issue. We name VLAN 1000 the “Primary” VLAN and classify the ports assigned to this VLAN based on their types:

- Promiscuous (“P”) port: Usually connects to a router. This port type is allowed to send and receive L2 frames from any other port on the VLAN.
- Isolated (“I”) port: This type of port is only allowed to communicate with “P”-ports, i.e., it is a “stub” port. You commonly see these ports connecting to hosts.
- Community (“C”) port: Community ports are allowed to talk to their buddies sharing the same community (group) and to “P”-ports.

In order to implement sub-VLAN behavior, we need to define how packets are forwarded between different types of ports. We group the VLANs into “Primary” and “Secondary”.

- Primary VLAN (VLAN 1000 in our example). This VLAN is used to forward frames downstream from “P”-ports to all other port types (“I” and “C” ports) in the system. Essentially, the Primary VLAN embraces all ports in the domain, but only transports frames from the router to hosts (from “P” to “I” and “C”).
- Secondary Isolated VLAN: forwards frames from “I” ports to “P” ports. Since Isolated ports do not exchange frames with each other, we can use just ONE isolated VLAN to connect all I-ports to the P-port.
- Secondary Community VLANs: transport frames between community ports (C-ports) within the same group (community) and forward frames upstream to the P-ports of the primary VLAN.

How Private VLANs Work

Here are the key aspects of Private VLAN functioning:

- The Primary VLAN delivers frames downstream from the router (promiscuous port) to all mapped hosts.
- The Isolated VLAN transports frames from the stub hosts upstream to the router.
- The Community VLANs allow bi-directional frame exchange within a single group, in addition to forwarding frames upstream towards “P”-ports.
- Ethernet MAC address learning and forwarding procedures remain the same, as does the broadcast/multicast flooding procedure, within the boundaries of the primary/secondary VLANs.

Private VLANs can be trunked. The secondary VLAN numbers are used to tag frames, just as with regular VLANs, and the primary VLAN traffic is trunked as well. However, you need to configure Private VLAN specific settings (bindings, mappings) on every participating switch, as it is not possible to use VTPv2 to disseminate that information. This is because VTPv2 has no TLVs to carry private VLAN information. VTPv3 was designed to overcome this limitation, among others.

Configuring Private VLANs

We have primary VLAN 1000, Isolated VLAN 1055 (R5), Community VLAN 1012 (R1, R2) and Community VLAN 1034 (R3, R4).

Step 1:

First, disable VTP, i.e. enable VTP transparent mode. After disabling VTP, create the Primary and Secondary VLANs and bind them into a PVLAN domain:

SW1:
vtp mode transparent
!
! Creating primary VLAN, which is shared among secondary’s
!
vlan 1000
 private-vlan primary
!
! Community VLAN for R1 and R2: allows a “subVLAN” within a Primary VLAN
!
vlan 1012
 private-vlan community
!
! Community VLAN for R3 and R4
!
vlan 1034
 private-vlan community
!
! Isolated VLAN: Connects all stub hosts to router.
! Remember - only one isolated vlan per primary VLAN.
! In our case, isolates R5 only.
!
vlan 1055
 private-vlan isolated
!
! Associating the primary with secondary’s
!
vlan 1000
 private-vlan association 1012,1034,1055

This step is needed to group the PVLANs into a shared domain and establish a formal association (for syntax checking and VLAN type verification). Repeat the same operations on SW2, since VTP has been disabled.

Step 2:

Configure the host ports and bind them to their respective secondary (isolated or community) PVLANs. Note that a host port belongs to two VLANs at the same time: the downstream primary and the upstream secondary. Also, enable trunking between the switches, to allow private VLAN traffic to pass between them.

SW1:
!
! Community port (links R1 to R2 and “P”-ports)
!
interface FastEthernet0/1
 description == R1
 switchport private-vlan host-association 1000 1012
 switchport mode private-vlan host
 spanning-tree portfast
!
! Community port (links R3 to R4 and “P”-ports)
!
interface FastEthernet0/3
 description == R3
 switchport private-vlan host-association 1000 1034
 switchport mode private-vlan host
 spanning-tree portfast
!
! Isolated port (uses isolated VLAN to talk to “P”-ports)
!
interface FastEthernet0/5
 description == R5
 switchport private-vlan host-association 1000 1055
 switchport mode private-vlan host
 spanning-tree portfast
!
! Trunk port
!
interface FastEthernet 0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk

SW2:
interface FastEthernet0/2
 description == R2
 switchport private-vlan host-association 1000 1012
 switchport mode private-vlan host
 spanning-tree portfast
!
interface FastEthernet0/4
 description == R4
 switchport private-vlan host-association 1000 1034
 switchport mode private-vlan host
 spanning-tree portfast
!
! Trunk port
!
interface FastEthernet 0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk

Next, verify the configuration on SW1:

Rack1SW1#show vlan id 1012

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1012 VLAN1012                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1012 enet  101012     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1012      community         Fa0/1

Rack1SW1#show vlan id 1034

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1034 VLAN1034                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1034 enet  101034     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1034      community         Fa0/3

Rack1SW1#show vlan id 1055

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1055 VLAN1055                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1055 enet  101055     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1055      isolated          Fa0/5

Rack1SW1#show interfaces fastEthernet 0/13 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1,1000,1012,1034,1055

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      1,1000,1012,1034,1055

Verify on SW2:

Rack1SW2#show vlan id 1000

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1000 VLAN1000                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1000 enet  101000     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1012      community         Fa0/2, Fa0/6
1000    1034      community         Fa0/4, Fa0/6
1000    1055      isolated          Fa0/6

Rack1SW2#show vlan id 1012

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1012 VLAN1012                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1012 enet  101012     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1012      community         Fa0/2, Fa0/6

Rack1SW2#show vlan id 1034

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1034 VLAN1034                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1034 enet  101034     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1034      community         Fa0/4, Fa0/6

Rack1SW2#show vlan id 1055

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1055 VLAN1055                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1055 enet  101055     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1055      isolated          Fa0/6

Rack1SW2#show interface fastEthernet 0/13 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1,1000,1012,1034,1055

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      1,1000,1012,1034,1055

Step 3:

Create a promiscuous port and configure the downstream mappings. Here we add the secondary VLANs whose traffic is received by this particular “P”-port. The Primary VLAN is used to send traffic downstream to all “C” and “I” ports according to their associations.

SW2:
!
! Promiscuous port, mapped to all secondary VLANs
!
interface FastEthernet0/6
 description == R6
 switchport private-vlan mapping 1000 1012,1034,1055
 switchport mode private-vlan promiscuous
 spanning-tree portfast

Verify the promiscuous port configuration:

Rack1SW2#show int fa 0/6 switch | beg private
Administrative Mode: private-vlan promiscuous
Operational Mode: private-vlan promiscuous
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping:
  1000 (VLAN1000) 1012 (VLAN1012) 1034 (VLAN1034) 1055 (VLAN1055)
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan:
  1000 (VLAN1000) 1012 (VLAN1012) 1034 (VLAN1034) 1055 (VLAN1055)

If you need to configure an SVI on a switch to communicate with private VLAN members, you should add an interface corresponding to the Primary VLAN only. Obviously that is because all secondary VLANs are “subordinates” of the primary. After the SVI has been created, you have to map the required secondary VLANs to the SVI (just as with a promiscuous port) in order to make communication possible. You may exclude some mappings from the SVI and limit it to communicating only with certain secondary VLANs.

SW1:
!
! SW1 SVI is mapped to all secondary VLANs
!
interface Vlan 1000
 ip address 10.0.0.7 255.255.255.0
 private-vlan mapping 1012,1034,1055

SW2:
!
! SW2 SVI is mapped to 1012/1034 only, so it can’t communicate with R5
!
interface Vlan1000
 ip address 10.0.0.8 255.255.255.0
 private-vlan mapping 1012,1034

Now, to verify the configuration, configure the R1-R6 interfaces in subnet “10.0.0.0/24” and ping the broadcast address.

Rack1R1#ping 10.0.0.255 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

Reply to request 0 from 10.0.0.7, 4 ms
Reply to request 0 from 10.0.0.2, 4 ms
Reply to request 0 from 10.0.0.6, 4 ms
Reply to request 0 from 10.0.0.8, 4 ms

Rack1R3#ping 10.0.0.255 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

Reply to request 0 from 10.0.0.7, 4 ms
Reply to request 0 from 10.0.0.4, 4 ms
Reply to request 0 from 10.0.0.6, 4 ms
Reply to request 0 from 10.0.0.8, 4 ms

Rack1R5#ping 10.0.0.255 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

Reply to request 0 from 10.0.0.7, 1 ms
Reply to request 0 from 10.0.0.6, 1 ms

Rack1R6#ping 10.0.0.255 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

Reply to request 0 from 10.0.0.1, 4 ms
Reply to request 0 from 10.0.0.7, 4 ms
Reply to request 0 from 10.0.0.2, 4 ms
Reply to request 0 from 10.0.0.5, 4 ms
Reply to request 0 from 10.0.0.3, 4 ms
Reply to request 0 from 10.0.0.4, 4 ms
Reply to request 0 from 10.0.0.8, 4 ms
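The forwarding rules listed under “How Private VLANs Work”, and the broadcast-ping results just shown, can be reproduced with a small reachability model. This is an added example written for this page, not code from the original post; the port names, VLAN numbers and 10.0.0.x addresses are the ones used above, and the rule that a promiscuous port or SVI only exchanges frames with the secondary VLANs it is mapped to is taken from the SVI discussion.

```python
"""Layer-2 reachability model for the Private VLAN topology on this page.

Added example (not the post's own code). Rules encoded, as stated in the post:
  primary VLAN   : "P"-port -> hosts of the secondaries it is mapped to
  isolated VLAN  : "I"-port -> "P"-ports only, never another host
  community VLAN : "C"-port -> same community, plus upstream to "P"-ports
A "P"-port (or SVI) only talks to the secondary VLANs in its mapping list.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Port:
    name: str
    ip: str
    kind: str                                  # "promiscuous", "isolated", "community"
    secondary: Optional[int] = None            # secondary VLAN of a host port
    mappings: FrozenSet[int] = frozenset()     # secondaries a "P"-port maps to


def can_forward(src: Port, dst: Port) -> bool:
    """Can a frame sent by src be delivered to dst inside one primary VLAN?"""
    if src is dst:
        return False
    if src.kind == "promiscuous":
        # Downstream on the primary VLAN: other P-ports always, hosts only if
        # their secondary VLAN is in this P-port's mapping list.
        return dst.kind == "promiscuous" or dst.secondary in src.mappings
    if src.kind == "isolated":
        # Upstream on the isolated VLAN: mapped P-ports only, never another host.
        return dst.kind == "promiscuous" and src.secondary in dst.mappings
    # Community port: upstream to mapped P-ports, sideways within its community.
    if dst.kind == "promiscuous":
        return src.secondary in dst.mappings
    return dst.kind == "community" and dst.secondary == src.secondary


def broadcast_repliers(src: Port, ports) -> list:
    """IPs that would answer a ping to the subnet broadcast sent from src.
    A reply needs both directions to be permitted."""
    return sorted(p.ip for p in ports
                  if can_forward(src, p) and can_forward(p, src))


def host_pairs_that_can_talk(ports) -> set:
    """Audit helper: unordered pairs of host ports with L2 reachability.
    In a correct PVLAN design only community buddies should appear here."""
    hosts = [p for p in ports if p.kind != "promiscuous"]
    return {frozenset((a.name, b.name)) for a in hosts for b in hosts
            if a.name < b.name and can_forward(a, b)}


# Topology from the post: VLAN 1000 primary, 1012/1034 community, 1055 isolated.
ALL = frozenset({1012, 1034, 1055})
TOPOLOGY = [
    Port("R1", "10.0.0.1", "community", 1012),
    Port("R2", "10.0.0.2", "community", 1012),
    Port("R3", "10.0.0.3", "community", 1034),
    Port("R4", "10.0.0.4", "community", 1034),
    Port("R5", "10.0.0.5", "isolated", 1055),
    Port("R6", "10.0.0.6", "promiscuous", mappings=ALL),
    Port("SW1-SVI", "10.0.0.7", "promiscuous", mappings=ALL),
    Port("SW2-SVI", "10.0.0.8", "promiscuous", mappings=frozenset({1012, 1034})),
]
BY_NAME = {p.name: p for p in TOPOLOGY}

if __name__ == "__main__":
    for name in ("R1", "R3", "R5", "R6"):
        print(name, "broadcast answered by:", broadcast_repliers(BY_NAME[name], TOPOLOGY))
    print("host pairs with L2 reachability:", host_pairs_that_can_talk(TOPOLOGY))
```

Running the file prints the same reply sets as the ping outputs above (SW2's SVI is absent from R5's list because it is not mapped to 1055), and host_pairs_that_can_talk() is a quick audit that only the intended community pairs have layer-2 reachability.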

Lastly, there is another feature, called protected port or “Private VLAN edge”. The feature is pretty basic and is available even on low-end Cisco switches. It allows isolating ports in the same VLAN. Specifically, all ports in a VLAN that are marked as protected are prohibited from sending frames to each other (but are still allowed to send frames to other, non-protected, ports within the same VLAN). Usually, ports configured as protected are also configured not to receive unknown unicast (frames with a destination MAC address not in the switch’s MAC table) and multicast flooding, for added security.

Example:

interface range FastEthernet 0/1 - 2
 switchport mode access
 switchport protected
 switchport block unicast
 switchport block multicast

Tags: 3560, arp, ccie, community, isolated, level2, private-vlan, promiscuous, vlan


About Petr Lapukhov, 4xCCIE/CCDE:

Petr Lapukhov's career in IT began in 1988 with a focus on computer programming, and progressed into networking with his first exposure to Novell NetWare in 1991. Initially involved with Kazan State University's campus network support and UNIX system administration, he went through the path of becoming a networking consultant, taking part in many network deployment projects. Petr currently has over 12 years of experience working in the Cisco networking field, and is the only person in the world to have obtained four CCIEs in under two years, passing each on his first attempt. Petr is an exceptional case in that he has been working with all of the technologies covered in his four CCIE tracks (R&S, Security, SP, and Voice) on a daily basis for many years. When not actively teaching classes, developing self-paced products, studying for the CCDE Practical & the CCIE Storage Lab Exam, and completing his PhD in Applied Mathematics.


63 Responses to “Private VLANs Revisited”


Fadi Ashour says: October 28, 2010 at 9:12 pm

Great article. I am having an issue understanding why hosts in different community/isolated vlans cannot reach each other even though there is mapping for all of them on the promiscuous port. Am I missing something?? I thought they can reach each other if they go through L3 device.


Ian Finlayson says: December 1, 2010 at 9:37 am

Great article as always Petr!!!

Is it possible so to define a promisc port that is only visible to certain communities and Isolated VLANs, i.e. only add in the relevant mapping on the promiscuous port for certain secondary VLANs???

On another note before I forget about it. I am in about week 6 of your 48 week program – any more updates coming for this at all as its great??

Cheers,
Ian.


Recurso de INE en "CCIE en castellano" says: December 8, 2010 at 3:37 pm


[...] Understanding Private VLANs [...]


Sean says: December 9, 2010 at 12:45 pm

So when you make a sub-vlan of 1034 are you no longer allowed to use vlan 1034 since the way you configure it is the same… I was thinking for a second that I could use this technology to use this to merge two vlans (like bridge groups). I want vlan 700 and vlan 10 in my situation to be the same vlan on a switch (i am doing some vmware stuff and don’t have 100% control of this association)


CiscoCertified says: December 10, 2010 at 11:22 pm

Great man. you are the one

I was having issue with PVLAN & VACL, now I have issue only with VACL. These 2 topics are badly documented in Cisco.com

is there any plan for similar articles about VACL??

Thanks again


david aladetan says: January 8, 2011 at 1:25 am

this guy (Petr Lapukhov, 4xCCIE/CCDE) is just too much. very impressed with your depth of knowledge and excellent explanations of difficult subject


Jamshed Khan Afridi says: January 24, 2011 at 10:03 pm

Really great article for understanding Private VLANS.


Gabriel Bryson says: January 27, 2011 at 3:08 am

Hi Petr
In the example you gave why was it necessary to create a SVI on both switches, would creating a SVI on only one of the switches be enough as a subnet gateway as all the secondary vlans span both switches within the trunk.
Thanks
Gabriel Bryson


Zaheer says: September 20, 2011 at 10:28 am

Peter,

Thanks very much for the explanation by example and mentioning it’s link in Vol2.

Zaheer


© 2010 Internetwork Expert, Inc., All Rights Reserved
