Private Vlans Explained

Introduction to Private Vlans

A normal Vlan is essentially a broadcast domain and all the devices if addressed on the same subnet can communicate with each other. In shared hosting environments, to save on IP address space and Vlans it would be great if you could isolate devices within the same vlan and prevent them from communicating with each other. If a server from company A was compromised you would not want it being able to talk to a server from company B within the same Vlan.

One solution to this problem is protected ports but this only works across a single switch, if you require device isolation within a vlan across multiple switches you are going to need to use a Private Vlan.

Private Vlans Explained

For the rest of this post I will be using the topology below.

PRIVATE VLAN TERMS

There are three types of ports within private vlans, Promiscuous, Community and Isolated.

• PROMISCUOUS – A promiscuous port is normally the way out of the network and all ports within the private vlan can talk to the promiscuous port on Layer 2.
• COMMUNITY – A community port can talk to other community ports, the promiscuous port but not to an isolated port.
• ISOLATED – An isolated port cannot talk to anything except the promiscuous port.

There are then two types of Vlan used to enable communication between the different private vlan types, a primary vlan and secondary vlan.

• PRIMARY VLAN – This is the main vlan used to provide communication to the promiscuous port and to the isolated port
• SECONDARY VLAN ISOLATED – This vlan carries the traffic from the Isolated ports to the promiscuous port – you only need one.
• SECONDARY VLAN COMMUNITY – This vlan carries the traffic from the community Vlan to the promiscuous port, you can have multiple community vlans.

Private Vlan Configuration

Now you have an understanding of the basic terminology we are going to configure the private vlans defined in the diagram above.

We need to ensure there are two vlans configured on both switches.

We will make the promiscuous vlan 500, the community vlan 600 and the isolated vlan 999

First you need to ensure the switch is running in vtp transparent mode

Next we need to define the vlan, as the switch is running in transparent mode we have to do this on both switches, we could have configured the vlans first while the switches were running vtp. You just need to ensure that the vlans you are using for private vlans exist on both switches and also any switches that may be in the transit path.

We now need to make vlan 500 the primary vlan – you can see from the ? the options available for configuring private vlans we will be exploring all of these.

Next we will make vlan 600 a community vlan and vlan 999 and isolated vlan

We now need to associate the primary and secondary vlans together, this needs to be done on both switches.

Defining the host ports

Now the vlan configuration has been done we need to define the host ports with a switchport private vlan host association. Port Fa0/1 on SW1 connects to R1 and  Fa0/1 on SW2 connects to R2 these are going to be associated with the community vlan and the primary. The port will also be defined as a private-vlan host.

The same needs to be done on SW2

Finally we need to do the same for R3 and R4 however for these routers they are going to associated with the Isolated Vlan which means they will not be able to talk to each other but only with the promiscuous port.

The same again on SW2 for R4

Verify the Private Vlan Configuration

To verify your work you can run the show vlan private-vlan command and show vlan private-vlan type.

For the complete information on private vlan configuration the full Cisco Documentation for the 3560 switch which is what I was working on can be found here: www.cisco.com/…configuration/guide/swpvlan.html