In this article we will take a look at what is
required to configure private VLANs on Cisco equipment. But
firstly we need to be clear about what VLAN and private VLAN are.
A Virtual Local Area Network, or VLAN, provides
the ability to logically separate a LAN the same way that would be possible
with multiple physical switches. For example, if an engineer had four different
physical switches, each of the switches could be connected to separate
departments within a company. Without an interconnection or a routing device,
the devices within each department would not be able to send traffic to each
other and would typically be put into different subnets. A VLAN takes this
ability to separate devices, but does it logically instead of physically; a
separate VLAN can be created for each department and the physical ports that
connect these devices can be configured into the correct VLAN. It is important
to keep in mind however that the same rules apply to VLANs as physical LANs;
that is in order to communicate between them a routing device is required and
separate subnets should be assigned to the devices in each VLAN.
The private VLAN feature provides the
ability to extend the capabilities of a “standard” VLAN. It does this by
introducing some additional concepts: Primary VLAN, Community VLAN and Isolated
VLAN. The Primary VLAN should be considered the Master in the master/slave
relationship with the other two sub-types. Switch ports assigned within the
primary VLAN are able to see traffic from all devices within the primary VLAN
and all sub-types (also referred to as secondary VLANs).
Both Community and Isolated VLANs should be
considered slaves in the master/slave relationship with the primary VLAN.
Switchports assigned to a Community VLAN can see traffic from all other devices
in the same Community VLAN and can send traffic back and forth with devices in
the primary VLAN. Switchports assigned to an Isolated VLAN can send traffic
back and forth with devices in the primary VLAN, but CANNOT see traffic from
other devices in the same Isolated VLAN.
It is important to understand that
regardless of the VLAN assignment of the switchport, all of the devices will
share the same IP subnet; the private VLAN feature just sets up rules as to
which devices are able to speak to each other.
Configuration Basics
The first thing that needs to be reviewed
is how the concepts of primary, community and isolated VLANs translate to a
physical implementation of private VLANs. Switchports that are
going to be used by the private VLAN feature are separated
into three different categories: Promiscuous, Community, and Isolated. A promiscuous
switchport is able to see the traffic from all other promiscuous
switchports as well as all secondary switchport types (community and isolated).
If the reader has just come from the private VLANs concepts article, the
switchports assigned as promiscuous exist within the primary VLAN and map to
the secondary VLANs.
VLAN Configuration
The first phase in private VLAN
configuration is to set up the VLANs that will be used and assign them to a
specific type. It is important to note that one caveat to using the private VLAN
feature is it is not compatible with the Virtual Trunking Protocol (VTP); due to this the first thing that
must be done is to configure the switch into VTP transparent mode.
|
Enter privileged mode.
|
router>enable
|
|
Enter global configuration mode
|
router#configure terminal
|
|
Configure VTP Transparent Mode.
|
router(config)#vtp mode transparent
|
The next step is to configure the VLANs as
specific private VLAN types.
|
Enter VLAN configuration mode for the
secondary VLAN.
|
router(config)#vlan vlan-id
|
|
Configure the VLAN as a private secondary
VLAN.
|
router(config-vlan)#private-vlan [isolated |community]
|
|
Enter VLAN configuration mode for the
primary VLAN.
|
router(config-vlan)#vlan vlan-id
|
|
Configure the VLAN as a primary VLAN.
|
router(config-vlan)#private-vlan
primary
|
Once all of the VLANs have been configured,
the primary and secondary VLANs must be associated together.
|
Associate the primary VLAN with secondary
VLANs.
The secondary-vlan-list parameter
is typically a range (using ‘-‘) or a comma separated list. No spaces are
allowed.
|
router(config-vlan)#private-vlan
association [add |remove] secondary-vlan-list
|
Switchport Configuration
The second phase involves the configuration
of the physical switchports, what type of privateVLAN they are and
how they are associated with the VLANs. This article will show the
configuration of the switchports assigned to the secondary private VLANs
first.
The first thing to do is to configure the
switchport as a host (this includes community and isolated
switchports).
|
Enter interface configuration mode.
|
router(config-vlan)#interface interface-id
|
|
Configure the interface as a host
interface.
|
router(config-if)#switchport mode
private-vlan host
|
The next thing to do is associate the
switchport with the primary and secondary VLANs that were configured in the
previous section.
|
Associate the interface with a primary
and secondary VLAN
|
router(config-if)#switchport
private-vlan host-association primary-vlan secondary-vlan
|
The configuration of the switchports in the
primary VLAN now has to be completed.
|
Enter interface configuration mode.
|
router(config-if)#interface interface-id
|
|
Configure the interface as a
promiscuous interface
|
router(config-if)#switchport mode
private-vlan promiscuous
|
This switchport then has to be mapped to
all of the associated primary and secondary VLANs.
|
Associate the interface with a primary
VLAN and all secondary VLANs
The secondary-vlan-list parameter
is typically a range (using ‘-‘) or a comma separated list. No spaces are
allowed.
|
router(config-if)#switchport
private-mode mappingprimary-vlan {add | remove} secondary-vlan-list
|
This completes the layer-2 configuration
of private VLANs; if only layer-2 connectivity is required
then the next section is not required.
Layer-3 Connectivity
As with a normal VLAN, private VLANs
will only allow communications within the configured VLANs (according to
the private VLAN rules), but to speak to devices outside this
VLAN structure a layer-3 device is required. In many situations, this layer-3
functionality is also provided by the switch (assuming this is a layer-3
capable switch). This section shows the additional configuration that is
required to have the switch provide layer-3 functionality to the switchports
configured with theprivate VLAN feature.
This additional configuration is simple and
just adds a single configuration command to the primary VLAN interface.
|
Enter VLAN (SVI) interface configuration
mode.
|
router(config)#interface vlan primary-vlan-id
|
|
Associate the secondary VLANs with the
SVI.
The secondary-vlan-list parameter
is typically a range (using ‘-‘) or a comma separated list. No spaces are
allowed.
|
router(config-if)#private-vlan
mapping {add | remove}secondary-vlan-list
|
Once an engineer has a firm understanding
of private VLAN concepts it is rather simple to translate this
understanding to the configuration portion of private VLANs.
There are a number of different applications for the private VLAN
feature that an engineer can take advantage of, and hopefully these two
articles will make it easier to understand how they can be put to use.
More
Network and Cisco Tips:
