Introduction to Private Vlans
A normal VLAN is essentially a broadcast domain: all the devices in it, if addressed on the same subnet, can communicate with each other. In shared hosting environments, to save on IP address space and VLANs, it would be great if you could isolate devices within the same VLAN and prevent them from communicating with each other. If a server from company A was compromised you would not want it to be able to talk to a server from company B within the same VLAN.
One solution to this problem is protected ports, but that only works within a single switch. If you require device isolation within a VLAN across multiple switches you are going to need to use a Private VLAN.
Private Vlans Explained
For the rest of this post I will be using the topology below.
PRIVATE VLAN TERMS
There are three types of ports within private VLANs: Promiscuous, Community and Isolated.
- PROMISCUOUS – A promiscuous port is normally the way out of the network (typically the gateway), and all ports within the private VLAN can talk to the promiscuous port at Layer 2.
- COMMUNITY – A community port can talk to other community ports in the same community VLAN and to the promiscuous port, but not to an isolated port.
- ISOLATED – An isolated port cannot talk to anything except the promiscuous port, not even another isolated port.
Two types of VLAN are then used to carry traffic between the different private VLAN port types: a primary VLAN and one or more secondary VLANs.
- PRIMARY VLAN – This is the main VLAN used to provide communication from the promiscuous port to the community and isolated ports.
- SECONDARY VLAN ISOLATED – This VLAN carries the traffic from the isolated ports to the promiscuous port. You only need one.
- SECONDARY VLAN COMMUNITY – This VLAN carries the traffic from the community ports to the promiscuous port. You can have multiple community VLANs.
Private Vlan Configuration
Now that you have an understanding of the basic terminology, we are going to configure the private VLANs defined in the diagram above.
We need to ensure the VLANs used for the private VLAN are configured on both switches.
We will make VLAN 500 the primary (promiscuous) VLAN, VLAN 600 the community VLAN and VLAN 999 the isolated VLAN.
First you need to ensure the switch is running in VTP transparent mode.
SW1(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
SW1(config)#
SW2(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
SW2(config)#
Next we need to define the VLANs. As the switches are running in transparent mode we have to do this on both of them (we could have configured the VLANs first while the switches were still running VTP). You just need to ensure that the VLANs you are using for private VLANs exist on both switches and also on any switches that may be in the transit path.
SW1(config)#vlan 500,600,999
SW1(config-vlan)#
SW2(config)#vlan 500,600,999
SW2(config-vlan)#
We now need to make VLAN 500 the primary VLAN. You can see from the ? the options available for configuring private VLANs; we will be using all of these.
SW1(config-vlan)#private-vlan ?
  association  Configure association between private VLANs
  community    Configure the VLAN as a community private VLAN
  isolated     Configure the VLAN as an isolated private VLAN
  primary      Configure the VLAN as a primary private VLAN
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#
Next we will make VLAN 600 a community VLAN and VLAN 999 an isolated VLAN.
SW1(config)#vlan 600
SW1(config-vlan)#pri
SW1(config-vlan)#private-vlan com
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#vlan 999
SW1(config-vlan)#pri
SW1(config-vlan)#private-vlan is
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#
We now need to associate the primary and secondary VLANs together. This needs to be done on both switches.
SW1(config)#vlan 500
SW1(config-vlan)#pri
SW1(config-vlan)#private-vlan ass
SW1(config-vlan)#private-vlan association 600,999
SW1(config-vlan)#
SW2(config)#vlan 500
SW2(config-vlan)#pri
SW2(config-vlan)#private-vlan ass
SW2(config-vlan)#private-vlan association 600,999
SW2(config-vlan)#
Defining the host ports
Now that the VLAN configuration has been done we need to define the host ports with a switchport private-vlan host association. Port Fa0/1 on SW1 connects to R1 and Fa0/1 on SW2 connects to R2; these are going to be associated with the primary VLAN and the community VLAN. Each port is also set to private-vlan host mode.
SW1(config)#int fa0/1
SW1(config-if)#description to R1
SW1(config-if)#switchport priv
SW1(config-if)#switchport private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 600
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#spanning-tree portfast
The same needs to be done on SW2.
SW2(config)#int fa0/1
SW2(config-if)#description to R2
SW2(config-if)#switchport priv
SW2(config-if)#switchport private-vlan host
SW2(config-if)#switchport private-vlan host-association 500 600
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#spanning-tree portfa
Finally we need to do the same for R3 and R4. These routers, however, are going to be associated with the isolated VLAN, which means they will not be able to talk to each other, only to the promiscuous port.
SW1(config)#int fa0/3
SW1(config-if)#description to R3
SW1(config-if)#switchport private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 999
SW1(config-if)#spanning-tree portfast
The same again on SW2 for R4.
SW2(config)#int fa0/4
SW2(config-if)#description to R4
SW2(config-if)#switchport private-vlan host
SW2(config-if)#switchport private-vlan host-association 500 999
SW2(config-if)#spanning-tree portfast
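The steps above, collected into one consolidated configuration for both switches. This is an added example, not the configuration from the original post. It assumes a hypothetical 802.1Q trunk on Gi0/1 between SW1 and SW2 and a hypothetical promiscuous port on Fa0/24 of SW1 facing the gateway, neither of which appears in the post; it also applies switchport mode private-vlan host to every host port (the post's session shows that command only for Fa0/1) and configures the promiscuous port that the post describes but does not show.

```cisco
! Added example: consolidated private VLAN configuration for SW1 and SW2.
! Assumed/hypothetical: trunk Gi0/1 between the switches and promiscuous port Fa0/24 on SW1.
!
! --- On BOTH switches: VTP transparent, VLAN definitions and the primary/secondary association ---
vtp mode transparent
!
vlan 500
 private-vlan primary
 private-vlan association 600,999
!
vlan 600
 private-vlan community
!
vlan 999
 private-vlan isolated
!
! --- On BOTH switches: the interswitch trunk must carry the primary and both secondary VLANs ---
interface GigabitEthernet0/1
 description trunk SW1 <-> SW2 (assumed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 500,600,999
!
! --- SW1 host ports ---
interface FastEthernet0/1
 description to R1 (community)
 switchport mode private-vlan host
 switchport private-vlan host-association 500 600
 spanning-tree portfast
!
interface FastEthernet0/3
 description to R3 (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 500 999
 spanning-tree portfast
!
! --- SW1 promiscuous port (assumed): maps the primary VLAN to both secondary VLANs ---
interface FastEthernet0/24
 description to gateway (assumed promiscuous port)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 500 600,999
!
! --- SW2 host ports ---
interface FastEthernet0/1
 description to R2 (community)
 switchport mode private-vlan host
 switchport private-vlan host-association 500 600
 spanning-tree portfast
!
interface FastEthernet0/4
 description to R4 (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 500 999
 spanning-tree portfast
```

Two points a practitioner should check. First, the port-level commands only take effect once the VLAN-level association exists on the same switch, so apply the vlan section on both switches before the interface sections, and confirm with show vlan private-vlan on each switch and show interfaces FastEthernet0/1 switchport, which reports the administrative mode and the host association. Second, private VLANs isolate traffic at Layer 2 only: the gateway on the promiscuous port can still route or proxy-ARP between two hosts on the same subnet, so if isolation must hold at Layer 3 as well, filter that traffic on the gateway. Restricting the trunk's allowed VLANs to 500,600,999 is a deliberate least-privilege choice for this example; a real trunk would also carry whatever management VLANs the site uses.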
Verify the Private Vlan Configuration
To verify your work you can run the show vlan private-vlan command and show vlan private-vlan type.
SW1#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
500     600       community         Fa0/1
500     999       isolated          Fa0/3
SW1#sh vlan private-vlan type
Vlan Type
---- -----------------
500  primary
600  community
999  isolated
For the complete information on private vlan configuration the full Cisco Documentation for the 3560 switch which is what I was working on can be found here: www.cisco.com/…configuration/guide/swpvlan.html