CCNP SWITCH: Private VLANs (PVLAN)

 

Private VLANs (PVLANs) prevent Layer 2 connectivity between hosts on a switch that are in the same VLAN/subnet. This provides isolation without having to re-address the hosts, since they all keep the same IP subnet. It is useful where hosts should not be able to talk to each other, e.g. a DMZ or an ISP web-hosting environment. In an enterprise DMZ with multiple services a server usually has no need to communicate with another server in the DMZ; a PVLAN can isolate the servers from one another whilst still permitting traffic to the upstream router/firewall, which limits how far an attacker can move laterally if one DMZ server is compromised.

Primary VLAN

Is the parent VLAN; one or more Secondary Private VLANs are associated with it
Carries traffic from promiscuous ports to isolated, community and other promiscuous ports in the same Primary Private VLAN

Secondary Private VLAN

Is a child VLAN of the Primary and can be associated with only one Primary Private VLAN
Uses the same IP subnet as the Primary Private VLAN
Comes in two types, isolated and community
The hosts are assigned to the Secondary Private VLAN; their traffic is carried upstream to the promiscuous port(s)

PVLANs have three port types:

Community: Multiple Community PVLANs are permitted per Primary. Hosts in the same Community PVLAN can communicate with each other and with promiscuous ports, but NOT with isolated ports or with hosts in other Communities.

Isolated: Isolated ports can only communicate with promiscuous port(s), NOT with other hosts in the same Isolated PVLAN or with Community PVLANs. Only one Isolated secondary VLAN is permitted per Primary (only one is needed, since isolated hosts cannot talk to each other anyway).

Promiscuous: Communicates with all ports (Promiscuous, Isolated and Community) within the Primary PVLAN. Promiscuous ports are normally used for the router or firewall. More than one promiscuous port per Primary PVLAN is permitted, e.g. for a redundant router/firewall pair.

In the configuration, isolated and community ports are both configured as "private-vlan host" ports; whether a host port behaves as isolated or community comes from the type of the secondary VLAN it is associated with.

 

Configuring Private VLANs

 

The lab scenario below replicates a simple DMZ environment with multiple servers providing services to the internet. There are three servers: SVR1 does not need to communicate with any other server in the DMZ; SVR2 and SVR3 need to communicate with each other. There are two switches and one firewall. A trunk link is configured between the two switches, and the firewall is plugged into SWI1.

  • Both switches will be configured with identical Primary and Secondary VLANs
  • A trunk link will be configured between the 2 switches
  • The interface the firewall will be plugged into will be configured as a Promiscuous port
  • The interface SVR1 is plugged into will be configured in the Isolated PVLAN
  • The interfaces SVR2 and SVR3 are plugged into will be configured in the same Community PVLAN


The following configuration needs to be configured on both switches.

Set the switch to VTP transparent mode (VTP versions 1 and 2 do not propagate private VLAN configuration, so the VLANs are defined locally on each switch)
vtp mode transparent

Configure the Primary VLAN
vlan 100
private-vlan primary

Create the Secondary VLANs
vlan 101
private-vlan isolated
vlan 102
private-vlan community

Associate the Secondary VLANs with the Primary VLAN
vlan 100
private-vlan association 101-102

Configure the trunk link between the 2 switches. A trunk carries all VLANs by default; if the allowed VLAN list is restricted it must include the primary and all of its secondary VLANs (100-102), because frames from host ports cross the trunk tagged with their secondary VLAN ID
interface gigabitethernet 0/1
switchport trunk encapsulation dot1q
switchport mode trunk

Configure the promiscuous port the firewall will be plugged into and map the Primary VLAN (100) to the Secondary VLANs (101 and 102)

interface fastethernet 0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 101-102

Configure the port for SVR1 as a host port in the Isolated PVLAN (101), associating it with Primary VLAN 100 and Secondary VLAN 101
interface fastethernet 0/2
switchport mode private-vlan host
switchport private-vlan host-association 100 101

Configure the ports for SVR2 and SVR3 as host ports in the Community PVLAN (102), associating each with Primary VLAN 100 and Secondary VLAN 102 (repeat for the second server's interface)
interface fastethernet 0/8
switchport mode private-vlan host
switchport private-vlan host-association 100 102

 

Final Configuration

 

The final configuration of Private VLANs on SWI1. Note that the interface numbering differs from the walkthrough above: on SWI1 the firewall is on the promiscuous port Fa0/8 and SVR2 and SVR3 are on the community ports Fa0/1 and Fa0/2. The isolated port for SVR1 does not appear in this configuration, which is consistent with SVR1 being attached to the other switch and reaching the firewall across the trunk.

hostname SWI1
!
vtp mode transparent
!
vlan 100
private-vlan primary
private-vlan association 101-102
!
vlan 101
private-vlan isolated
!
vlan 102
private-vlan community
!
interface FastEthernet0/1
switchport private-vlan host-association 100 102
switchport mode private-vlan host
spanning-tree portfast
!
interface FastEthernet0/2
switchport private-vlan host-association 100 102
switchport mode private-vlan host
spanning-tree portfast
!
interface FastEthernet0/8
switchport private-vlan mapping 100 101-102
switchport mode private-vlan promiscuous
spanning-tree portfast
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk

 

Testing

For testing, all three servers should be able to ping the firewall, and reachability between the servers should follow the PVLAN types:
SVR1 should be able to ping the firewall but NOT SVR2 or SVR3
SVR2 and SVR3 should be able to ping the firewall and each other but NOT SVR1

One caveat when interpreting the results: a PVLAN only blocks Layer 2 forwarding on the switch. An isolated host can still send a packet addressed to another server's IP but to the firewall's MAC address, and if the firewall routes that packet straight back out the same interface the two servers can talk through it. Check that the firewall (or router) on the promiscuous port drops or filters traffic sourced from the DMZ subnet and destined to the same subnet, rather than relying on the switch alone.
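The port-type rules and the expected ping results, as an added example that is not part of the original post: a small Python model of the PVLAN Layer 2 forwarding rules (promiscuous, isolated, community) applied to the lab hosts, from which the reachability matrix for the Testing section is derived. The host names and the proxy_device option are assumptions for illustration; proxy_device models a firewall on the promiscuous port that routes intra-subnet traffic straight back out, which defeats the isolation at Layer 3.

```python
# Added example (not from the original post): a model of Private VLAN
# Layer 2 forwarding rules, applied to the lab hosts to derive the
# reachability matrix the Testing section expects.
from itertools import product

PROMISCUOUS = "promiscuous"
ISOLATED = "isolated"
COMMUNITY = "community"

# Lab hosts (assumed names): (port type, secondary VLAN). The firewall sits
# on the promiscuous port, which is mapped to the primary VLAN rather than
# to a single secondary VLAN, hence None.
LAB_HOSTS = {
    "FW":   (PROMISCUOUS, None),
    "SVR1": (ISOLATED, 101),
    "SVR2": (COMMUNITY, 102),
    "SVR3": (COMMUNITY, 102),
}


def l2_forwarding_allowed(src, dst):
    """Return True if the switch forwards a frame between two PVLAN ports.

    src and dst are (port_type, secondary_vlan) tuples of ports within the
    same primary VLAN.
    """
    src_type, src_vlan = src
    dst_type, dst_vlan = dst
    # A promiscuous port talks to every port in the primary VLAN.
    if PROMISCUOUS in (src_type, dst_type):
        return True
    # Isolated ports talk to nothing but promiscuous ports, not even to
    # other ports in the same isolated VLAN.
    if ISOLATED in (src_type, dst_type):
        return False
    # Two community ports forward only inside the same community VLAN.
    return src_vlan == dst_vlan


def reachability(hosts, proxy_device=None):
    """Map (a, b) -> True/False for every ordered pair of distinct hosts.

    proxy_device (assumed option) names a promiscuous host that also routes
    traffic back into the same subnet. In that case a -> b is reachable at
    Layer 3 whenever a can reach the proxy and the proxy can reach b, even
    though the switch blocks a -> b at Layer 2.
    """
    matrix = {}
    for a, b in product(hosts, repeat=2):
        if a == b:
            continue
        ok = l2_forwarding_allowed(hosts[a], hosts[b])
        if not ok and proxy_device is not None and proxy_device not in (a, b):
            ok = (l2_forwarding_allowed(hosts[a], hosts[proxy_device])
                  and l2_forwarding_allowed(hosts[proxy_device], hosts[b]))
        matrix[(a, b)] = ok
    return matrix


if __name__ == "__main__":
    print("Layer 2 only:")
    for (a, b), ok in sorted(reachability(LAB_HOSTS).items()):
        print(f"  {a:>4} -> {b:<4} {'reachable' if ok else 'blocked'}")
    print("Firewall routing intra-subnet traffic back out:")
    for (a, b), ok in sorted(reachability(LAB_HOSTS, proxy_device="FW").items()):
        print(f"  {a:>4} -> {b:<4} {'reachable' if ok else 'blocked'}")
```

The second table printed by the block is the case to watch for in the lab: with the switch alone SVR1 never reaches SVR2, but once the promiscuous device is willing to route a packet back into the DMZ subnet the isolated host is reachable again, so the filter on the firewall is part of the design, not an optional extra.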

 

Show Commands

The command to show all PVLANs and interface mappings is "show vlan private-vlan". The output lists the ports associated with each secondary VLAN; notice that Fa0/8 appears under every secondary VLAN, because it is the promiscuous port and is mapped to all of them.

You can view the PVLAN information per interface using the command "show interface fastethernet 0/1 switchport". This indicates which mode the interface is configured in (host or promiscuous) and its Primary and Secondary PVLAN assignments.
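As an added example (not from the original post), a Python check that parses the table printed by "show vlan private-vlan" and compares it with the intended design, so a host port that ended up in the wrong secondary VLAN is flagged rather than discovered by a ping that unexpectedly succeeds. The show output below is constructed to resemble the IOS table for this lab, not a capture from the post; the EXPECTED mapping and the misconfigured sample are assumptions for illustration.

```python
# Added example (not from the original post): audit "show vlan private-vlan"
# output against the intended PVLAN design.
import re

# Constructed sample, modelled on the IOS table for this lab (not a capture).
SHOW_PVLAN = """\
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       isolated          Fa0/8
100     102       community         Fa0/1, Fa0/2, Fa0/8
"""

# Constructed misconfiguration: Fa0/2 was associated with the isolated VLAN.
SHOW_PVLAN_BAD = """\
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       isolated          Fa0/2, Fa0/8
100     102       community         Fa0/1, Fa0/8
"""

# Intended design (assumed, taken from the final configuration):
# port -> (type, secondary VLAN); promiscuous ports have no single secondary.
EXPECTED = {
    "Fa0/8": ("promiscuous", None),
    "Fa0/1": ("community", 102),
    "Fa0/2": ("community", 102),
}

# One table row: primary, secondary, type, optional comma-separated ports.
ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)(?:\s+(.*))?$")


def parse_pvlan(text):
    """Parse the table into rows; header, separator and prompt lines are
    skipped because they do not match ROW. Wrapped continuation lines
    holding only extra ports are not handled here."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        primary, secondary, vlan_type, ports = m.groups()
        port_list = [p.strip() for p in (ports or "").split(",") if p.strip()]
        rows.append({"primary": int(primary), "secondary": int(secondary),
                     "type": vlan_type, "ports": port_list})
    return rows


def classify_ports(rows):
    """Derive each port's role. A promiscuous port is mapped to every
    secondary VLAN of its primary, so it is listed on every row; a host
    port is listed on exactly one row. With a single secondary VLAN the two
    cases are indistinguishable in this output and the port is reported as
    a host port."""
    roles = {}
    by_primary = {}
    for r in rows:
        by_primary.setdefault(r["primary"], []).append(r)
    for prows in by_primary.values():
        secondaries = {r["secondary"] for r in prows}
        membership = {}
        for r in prows:
            for p in r["ports"]:
                membership.setdefault(p, set()).add(r["secondary"])
        for port, secs in membership.items():
            if len(secondaries) > 1 and secs == secondaries:
                roles[port] = ("promiscuous", None)
            elif len(secs) == 1:
                sec = next(iter(secs))
                vlan_type = next(r["type"] for r in prows if r["secondary"] == sec)
                roles[port] = (vlan_type, sec)
            else:
                roles[port] = ("ambiguous", tuple(sorted(secs)))
    return roles


def audit(text, expected):
    """Compare the switch's view with the intended design; return a list of
    findings (empty when the switch matches the design)."""
    rows = parse_pvlan(text)
    findings = []
    for prim in {r["primary"] for r in rows}:
        isolated = [r for r in rows if r["primary"] == prim and r["type"] == "isolated"]
        if len(isolated) > 1:
            findings.append(f"primary {prim}: {len(isolated)} isolated VLANs, only one is allowed")
    roles = classify_ports(rows)
    for port, want in expected.items():
        got = roles.get(port)
        if got is None:
            findings.append(f"{port}: not associated with any private VLAN")
        elif got != want:
            findings.append(f"{port}: expected {want}, switch shows {got}")
    return findings


if __name__ == "__main__":
    print("good config:", audit(SHOW_PVLAN, EXPECTED) or "no findings")
    for finding in audit(SHOW_PVLAN_BAD, EXPECTED):
        print("bad config:", finding)
```

Run against the good table the audit returns no findings; against the misconfigured one it reports that Fa0/2 is in the isolated VLAN 101 instead of community VLAN 102, which is exactly the mistake that would let SVR3 lose its connectivity to SVR2 while looking correct in "show running-config" at a glance.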


