Monday 25 June 2012

Private VLANs

One of the features the Catalyst 3560 has that the 3550 doesn't is support for Private VLANs. Private VLANs are a method of partitioning one broadcast domain into several by combining multiple VLANs into one.

There are three types of VLAN construct in a Private VLAN:
1) The Primary VLAN, with which the other two types are associated; the primary VLAN would typically hold the gateway router for the Private VLAN
2) Community VLANs - hosts in the same community VLAN are able to talk to each other, but to no one else except hosts on the Primary VLAN
3) Isolated VLANs - hosts in an isolated VLAN are unable to talk to anyone except hosts on the Primary VLAN, not even other hosts in the same isolated VLAN

There is actually a form of the Isolated VLAN feature supported on platforms such as the 3550, enabled with "switchport protected". However, it is local to one switch: in a multi-switch environment, your protected ports can still communicate with hosts on the same VLAN that sit on other switches.

This post will cover a multi-switch private VLAN configuration as shown in the topology diagram

Private VLANs can only be configured when the switch is in VTP transparent mode.

This exercise will be using 4 VLANs
  1. VLAN 100 - Primary
  2. VLAN 200 - Isolated
  3. VLAN 300 - Community
  4. VLAN 400 - Community
Although VLAN 300 and 400 are of the same type, since they aren't the same community they won't be able to talk to each other. This kind of flexibility is useful in hosting environments where you want to manage one IP subnet across multiple customers but still ensure separation between them, without needing unwieldy ACLs to control it.

Before we get to the PVLAN config section, let's quickly list the configs on our routers

R1
hostname R1
interface FastEthernet0/0
 ip address 10.1.100.1 255.255.255.0
 no shutdown
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!

R2
hostname R2
no ip routing
interface FastEthernet0/0
 ip address 10.1.100.2 255.255.255.0
 no shutdown
!
ip default-gateway 10.1.100.1

R3
hostname R3
no ip routing
interface FastEthernet0/0
 ip address 10.1.100.3 255.255.255.0
 no shutdown
!
ip default-gateway 10.1.100.1

R4
hostname R4
no ip routing
interface FastEthernet0/1
 ip address 10.1.100.4 255.255.255.0
 no shutdown
!
ip default-gateway 10.1.100.1

R5
hostname R5
no ip routing
interface FastEthernet0/1
 ip address 10.1.100.5 255.255.255.0
 no shutdown
!
ip default-gateway 10.1.100.1

R6
hostname R6
no ip routing
interface FastEthernet0/1
 ip address 10.1.100.6 255.255.255.0
 no shutdown
!
ip default-gateway 10.1.100.1

Our switches are in their vanilla configurations (wr erase and del vlan.dat before reloading), so we need to configure them from scratch.

Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#host SW1

Ensure that we're in VTP transparent mode

SW1(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.

Now we create the VLANs that will be used in our private-vlan and specify the type

SW1(config)#vlan 100
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#vlan 200
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#vlan 300
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#vlan 400
SW1(config-vlan)#private-vlan community

Let's check the configuration
 
SW1(config-vlan)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100               primary
        200       isolated
        300       community

VLAN 400 is not shown. In VLAN configuration mode, the configuration for the current VLAN is not applied until you leave it (either by moving on to configure another VLAN or by exiting VLAN configuration mode).

SW1(config-vlan)#exit
SW1(config)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100               primary
        200       isolated
        300       community
        400       community

Now that the private VLANs have been created, an association is required. We do this by selecting the primary VLAN and then attaching the isolated/community VLANs to it.

SW1(config)#vlan 100
SW1(config-vlan)#private-vlan association 200,300,400
SW1(config-vlan)#exit
SW1(config)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       isolated
100     300       community
100     400       community

Let's set up the trunk between SW1 and SW2 and then apply the same PVLAN config to SW2

SW1(config)#int fa1/0/19
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk

Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#host SW2
SW2(config)#int fa1/0/19
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#switchport mode trunk
SW2(config-if)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
SW2(config)#vlan 100
SW2(config-vlan)#private-vlan primary
SW2(config-vlan)#vlan 200
SW2(config-vlan)#private-vlan isolated
SW2(config-vlan)#vlan 300
SW2(config-vlan)#private-vlan community
SW2(config-vlan)#vlan 400
SW2(config-vlan)#private-vlan community
SW2(config-vlan)#vlan 100
SW2(config-vlan)#private-vlan association 200,300,400
SW2(config-vlan)#exit
SW2(config)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       isolated
100     300       community
100     400       community

Before we associate switch interfaces with private-VLAN configurations, let's validate that we have full connectivity; by default all router-facing ports are in VLAN 1.


R1
R1#ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/261/1012 ms
R1#ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/268/1056 ms
R1#ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/260/1004 ms
R1#ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/262/1016 ms
R1#ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/264/1044 ms


R2
R2#ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R2#ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/10/24 ms
R2#ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/406/1996 ms
R2#ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/5/12 ms
R2#ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/403/1988 ms
R2#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R3
R3#ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R3#ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3#ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/405/2000 ms
R3#ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/8/20 ms
R3#ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/8 ms
R3#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

R4
R4#ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R4#ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/12 ms
R4#ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R4#ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/403/1996 ms
R4#ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/7/16 ms
R4#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/12 ms

R5
R5#ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R5#ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R5#ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R5#ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/12 ms
R5#ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/406/1992 ms
R5#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R6
R6#ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R6#ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/12 ms
R6#ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R6#ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R6#ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R6#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/16 ms


Okay, so our baseline of full connectivity between hosts has been established. We can start applying the PVLAN configurations to the switchports.

SW1 Fa1/0/1 (R1) - Primary VLAN (100)
SW1 Fa1/0/2 (R2) - Isolated VLAN (200)
SW1 Fa1/0/3 (R3) - Community VLAN (300)

SW2 Fa1/0/4 (R4) - Isolated VLAN (200)
SW2 Fa1/0/5 (R5) - Community VLAN (300)
SW2 Fa1/0/6 (R6) - Community VLAN (400)

SW1(config)#int fa1/0/1

This is the promiscuous port for the private-vlan (all isolated/community VLANs of the private vlan can talk with this port)

SW1(config-if)#switchport mode private-vlan promiscuous

Attach the secondary vlans (200,300,400) to the primary vlan (100)

SW1(config-if)#switchport private-vlan mapping 100 200,300,400

Now we configure the secondary vlan interfaces

SW1(config-if)#int fa1/0/2
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 100 200

SW1(config-if)#int fa1/0/3
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 100 300

SW1(config-if)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       isolated          Fa1/0/1, Fa1/0/2
100     300       community         Fa1/0/1, Fa1/0/3
100     400       community         Fa1/0/1

On SW2 we only have secondary VLAN host ports

SW2(config)#int fa1/0/4
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#switchport private-vlan host-association 100 200
SW2(config-if)#int fa1/0/5
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#switchport private-vlan host-association 100 300
SW2(config-if)#int fa1/0/6
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#switchport private-vlan host-association 100 400
SW2(config-if)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       isolated          Fa1/0/4
100     300       community         Fa1/0/5
100     400       community         Fa1/0/6

Now to test

R1 should be able to ping R2/R3/R4/R5/R6 because it's the promiscuous port (SW1 Fa1/0/1)

R1>ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R1>ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R1>ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/8 ms
R1>ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R1>ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R2 (SW1 Fa1/0/2) should only be able to ping R1. Even though R4 (SW2 Fa1/0/4) is on the same secondary VLAN, this PVLAN type is isolated, so neither will be able to communicate with the other.

R2>ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R2>ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R2>ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2>ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2>ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2>ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3 (SW1 Fa1/0/3) should be able to ping R1 and R5 (as they are in the same community PVLAN)

R3>ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R3>ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R3>ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3>ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3>ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3>ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R4 (SW2 Fa1/0/4), like R2, should only be able to ping R1

R4>ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R4>ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R4>ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4>ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4>ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4>ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R5 (SW2 Fa1/0/5) should be able to ping R1 and R3 (as they are in the same community pvlan)

R5>ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R5>ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/12 ms
R5>ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5>ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R5>ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5>ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R6 (SW2 Fa1/0/6) will only be able to ping R1, as it is currently the only member of community PVLAN 400

R6>ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R6>ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R6>ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6>ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6>ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6>ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

So we have seen how you can use Private VLANs to partition a broadcast domain / IP subnet into multiple domains for service/security separation.

While the promiscuous port has been shown on a layer 2 interface, the same role can also be taken by a switched virtual interface (SVI).

To demonstrate, we'll first make a slight change to R1's configuration

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int fa0/0
R1(config-if)#ip add 10.100.100.1 255.255.255.0
R1(config-if)#ip route 0.0.0.0 0.0.0.0 10.100.100.100
R1(config)#end

Now we'll return SW1 Fa1/0/1 to act as a regular access port in vlan 10

SW1(config)#int fa1/0/1
SW1(config-if)#no switchport private-vlan mapping 100 200,300,400
SW1(config-if)#no switchport mode private-vlan promiscuous
SW1(config-if)#switchport access vlan 10

We'll create our SVI for vlan 10

SW1(config-if)#int vlan 10
SW1(config-if)#ip add 10.100.100.100 255.255.255.0
SW1(config-if)#exit

now we'll enable routing and add the static route to 1.1.1.1

SW1(config)#ip routing
SW1(config)#ip route 1.1.1.1 255.255.255.255 10.100.100.1
SW1(config)#do ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms

Now we need to create the SVI for vlan 100 and create the private-vlan mapping

SW1(config)#int vlan 100
SW1(config-if)#ip add 10.1.100.1 255.255.255.0
SW1(config-if)#private-vlan mapping 200,300,400

SW1(config-if)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       isolated          Fa1/0/2
100     300       community         Fa1/0/3
100     400       community

The VLAN 100 SVI doesn't show up in the Ports column here, but there is an alternate way to see the mapping

SW1(config-if)#do sh int vlan 100 private-vlan mapping
Interface Secondary VLANs
--------- --------------------------------------------------------------------
vlan100   200, 300, 400

We'll verify using R3: only hosts on VLANs 10, 100 and 300 should be reachable

R3>ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/20 ms
R3>ping 10.100.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3>ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R3>ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3>ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3>ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3>ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Using the private VLAN mapping on the SVI enables you to use the switch itself as the routing gateway for your private VLANs.
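As an added example (not code from the post), here is a small Python model of the PVLAN port rules applied to the lab's port assignments. It reproduces the ping matrix from the tests above, treats the VLAN 100 SVI mapping as another promiscuous member (an assumption of the model), and contrasts the result with the per-switch "switchport protected" behaviour mentioned at the start of the post.

```python
"""Constructed model of the private-VLAN forwarding rules from this post,
applied to the lab topology (R1..R6 on SW1/SW2). Illustration only, not
switch code; it reproduces the isolation matrix that the ping tests showed."""

PROMISCUOUS, HOST = "promiscuous", "host"

# Private-VLAN definitions used in the post: primary 100, isolated 200,
# community 300 and 400.
PRIMARY = 100
SECONDARY_TYPE = {200: "isolated", 300: "community", 400: "community"}

# Port assignments from the post: (switch, port, mode, secondary VLAN).
# Assumption: an SVI with "private-vlan mapping" behaves like a promiscuous
# member, so the SVI variant would be modelled the same way as R1 here.
PORTS = {
    "R1": ("SW1", "Fa1/0/1", PROMISCUOUS, None),
    "R2": ("SW1", "Fa1/0/2", HOST, 200),
    "R3": ("SW1", "Fa1/0/3", HOST, 300),
    "R4": ("SW2", "Fa1/0/4", HOST, 200),
    "R5": ("SW2", "Fa1/0/5", HOST, 300),
    "R6": ("SW2", "Fa1/0/6", HOST, 400),
}


def can_talk(a, b, ports=PORTS):
    """Return True if hosts a and b can exchange frames inside the PVLAN.

    Rules from the post:
      * a promiscuous port talks to every secondary VLAN mapped to the primary
      * an isolated port talks only to promiscuous ports, never to another
        isolated port, even across the trunk to the other switch
      * a community port talks to promiscuous ports and to ports in the same
        community VLAN on any switch
    """
    if a == b:
        return True
    _, _, mode_a, sec_a = ports[a]
    _, _, mode_b, sec_b = ports[b]
    if PROMISCUOUS in (mode_a, mode_b):
        return True  # the gateway side always reaches the secondary VLANs
    if sec_a != sec_b:
        return False  # different secondary VLANs never talk directly
    return SECONDARY_TYPE[sec_a] == "community"  # same community, any switch


def protected_port_can_talk(a, b, ports=PORTS):
    """The 3550-style alternative: 'switchport protected' on every host port,
    no PVLAN. Protection is local to one switch, so two protected ports on
    different switches still reach each other across the trunk."""
    if a == b:
        return True
    sw_a, _, mode_a, _ = ports[a]
    sw_b, _, mode_b, _ = ports[b]
    if PROMISCUOUS in (mode_a, mode_b):  # R1's port is left unprotected
        return True
    return sw_a != sw_b


def reachability_matrix(ports=PORTS, rule=can_talk):
    """Return {host: sorted list of other hosts it can reach} under `rule`."""
    hosts = sorted(ports)
    return {h: [p for p in hosts if p != h and rule(h, p, ports)] for h in hosts}


def expected_from_post():
    """Outcome of the ping tests in the post, for cross-checking the model."""
    return {
        "R1": ["R2", "R3", "R4", "R5", "R6"],
        "R2": ["R1"],
        "R3": ["R1", "R5"],
        "R4": ["R1"],
        "R5": ["R1", "R3"],
        "R6": ["R1"],
    }


if __name__ == "__main__":
    for name, rule in (("private-vlan", can_talk),
                       ("switchport protected", protected_port_can_talk)):
        print(f"== {name} ==")
        for host, peers in reachability_matrix(rule=rule).items():
            print(f"{host}: {', '.join(peers) or '(none)'}")
    print("PVLAN model matches post:",
          reachability_matrix() == expected_from_post())
```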

Saturday 23 June 2012

OSPF and IP Unnumbered over different types of links

This post is about using OSPF to link routers where link endpoints are on completely different IP networks.

Below is the topology used in this post to capture the main link types we'll come up against in the CCIE lab - Frame Relay, PPP and Ethernet.

We shall start with the most straightforward case: direct PPP over serial between R1 and R3. Each router uses Loopback0 as its only IP address, and Serial0/1 is bound to it with ip unnumbered.


R1
hostname R1
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip ospf 1 area 0
!
interface Serial0/1
 ip unnumbered Loopback0
 encapsulation ppp
 ip ospf 1 area 0
 clock rate 2000000
 no shutdown
!

R3
hostname R3
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
 ip ospf 1 area 0
!
interface Serial0/1
 ip unnumbered Loopback0
 encapsulation ppp
 ip ospf 1 area 0
 shutdown
!


Let's enable R3 S0/1 and verify that OSPF comes up

R3#deb ip ospf adj
OSPF adjacency events debugging is on
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#int s0/1
R3(config-if)#no shut
R3(config-if)#
*Mar  1 00:02:19.543: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
*Mar  1 00:02:20.555: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
*Mar  1 00:02:20.559: OSPF: Interface Serial0/1 going Up
*Mar  1 00:02:20.587: OSPF: 2 Way Communication to 1.1.1.1 on Serial0/1, state 2WAY
*Mar  1 00:02:20.587: OSPF: Send DBD to 1.1.1.1 on Serial0/1 seq 0x1DAE opt 0x52 flag 0x7 len 32
*Mar  1 00:02:20.587: OSPF: Rcv DBD from 1.1.1.1 on Serial0/1 seq 0x105C opt 0x52 flag 0x7 len 32  mtu 1500 state EXSTART
*Mar  1 00:02:20.587: OSPF: First DBD and we are not SLAVE
*Mar  1 00:02:20.591: OSPF: Rcv DBD from 1.1.1.1 on Serial0/1 seq 0x1DAE opt 0x52 flag 0x2 len 52  mtu 1500 state EXSTART
*Mar  1 00:02:20.591: OSPF: NBR Negotiation Done. We are the MASTER
*Mar  1 00:02:20.591: OSPF: Send DBD to 1.1.1.1 on Serial0/1 seq 0x1DAF opt 0x52 flag 0x3 len 52
*Mar  1 00:02:20.591: OSPF: Rcv DBD from 1.1.1.1 on Serial0/1 seq 0x1DAF opt 0x52 flag 0x0 len 32  mtu 1500 state EXCHANGE
*Mar  1 00:02:20.595: OSPF: Send DBD to 1.1.1.1 on Serial0/1 seq 0x1DB0 opt 0x52 flag 0x1 len 32
*Mar  1 00:02:20.595: OSPF: Send LS REQ to 1.1.1.1 length 12 LSA count 1
*Mar  1 00:02:20.599: OSPF: Rcv LS REQ from 1.1.1.1 on Serial0/1 length 36 LSA count 1
*Mar  1 00:02:20.599: OSPF: Send UPD to 1.1.1.1 on Serial0/1 length 40 LSA count 1
*Mar  1 00:02:20.599: OSPF: Rcv DBD from 1.1.1.1 on Serial0/1 seq 0x1DB0 opt 0x52 flag 0x0 len 32  mtu 1500 state EXCHANGE
*Mar  1 00:02:20.599: OSPF: Exchange Done with 1.1.1.1 on Serial0/1
*Mar  1 00:02:20.599: OSPF: Rcv LS UPD from 1.1.1.1 on Serial0/1 length 64 LSA count 1
*Mar  1 00:02:20.603: OSPF: Synchronized with 1.1.1.1 on Serial0/1, state FULL
*Mar  1 00:02:20.603: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Serial0/1 from LOADING to FULL, Loading Done
*Mar  1 00:02:21.059: OSPF: Build router LSA for area 0, router ID 3.3.3.3, seq 0x80000002, process 1
*Mar  1 00:02:21.075: OSPF: Rcv LS UPD from 1.1.1.1 on Serial0/1 length 76 LSA count 1


So no problems here; everything came up. Let's validate our IP interface and OSPF interface/neighbors

R3(config-if)#do sh ip interface Serial0/1 | i Interface|Peer
  Interface is unnumbered. Using address of Loopback0 (3.3.3.3)
  Peer address is 1.1.1.1
R3(config-if)#do sh ip ospf int brief
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Se0/1        1     0               0.0.0.0/0          64    P2P   1/1
Lo0          1     0               3.3.3.3/24         1     LOOP  0/0
R3(config-if)#do sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/  -        00:00:35    1.1.1.1         Serial0/1



R1#sh ip interface Serial0/1 | i Interface|Peer
  Interface is unnumbered. Using address of Loopback0 (1.1.1.1)
  Peer address is 3.3.3.3
R1#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           0   FULL/  -        00:00:39    3.3.3.3         Serial0/1
R1#sh ip ospf int bri
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Se0/1        1     0               0.0.0.0/0          64    P2P   1/1
Lo0          1     0               1.1.1.1/24         1     LOOP  0/0


Okay, this looks good; let's check the routing table


R1#sh ip route ospf

Hmm, we can't see anything here. We should at least have R3 Lo0's stub network in our OSPF database..

R1#sh ip ospf data router 3.3.3.3 | s Stub
    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 3.3.3.3
     (Link Data) Network Mask: 255.255.255.255
      Number of TOS metrics: 0
       TOS 0 Metrics: 1


We do but it's not being installed in the routing table, is something else already there?

R1#sh ip route 3.3.3.3
Routing entry for 3.3.3.3/32
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via Serial0/1
      Route metric is 0, traffic share count is 1


By default, PPP installs a connected host route to our peer device. That's not necessarily a bad thing, but we would prefer to see this route originated by OSPF, so let's fix that on both sides



R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#int s0/1
R3(config-if)#no peer neighbor-route
R3(config-if)#end
 

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int s0/1
R1(config-if)#no peer neighbor-route

Making these changes doesn't cause the static neighbor route to be removed, so we need to bounce the link to make that happen


R1(config-if)#shut
*Mar  1 00:16:45.727: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Serial0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 00:16:47.715: %LINK-5-CHANGED: Interface Serial0/1, changed state to administratively down
*Mar  1 00:16:48.715: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to down
R1(config-if)#no shut
*Mar  1 00:16:53.495: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
*Mar  1 00:16:54.531: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
*Mar  1 00:16:54.603: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Serial0/1 from LOADING to FULL, Loading Done
R1(config-if)#do sh ip int s0/1 | i Interface|Peer
  Interface is unnumbered. Using address of Loopback0 (1.1.1.1)
  Peer address is 3.3.3.3
 

Let's see if the route comes through from OSPF and is installed into the routing table

R1(config-if)#do sh ip route ospf
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 3.3.3.3, 00:00:00, Serial0/1


R1(config-if)#do ping 3.3.3.3 so 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms


OSPF IP Unnumbered over Frame Relay


Between R1 and R2 we have a Frame Relay link; we are going to implement PPP over Frame Relay (PPPoFR) to make IP unnumbered work here.


On R1 and R2 create the virtual-template that PPPoFR needs. Again it is an unnumbered link borrowing its address from Loopback0, with the peer neighbor route suppressed from the start.


R1
interface Virtual-Template1
 ip unnumbered Loopback0
 ip ospf 1 area 0
 no peer neighbor-route
!


R2
hostname R2
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip ospf 1 area 0
!

interface Virtual-Template1
 ip unnumbered Loopback0
 ip ospf 1 area 0
 no peer neighbor-route
!


Then we configure the serial interface for Frame Relay encapsulation and bind the virtual-template to the Frame Relay PVC.


R1
interface Serial0/0
 encapsulation frame-relay
 frame-relay interface-dlci 102 ppp Virtual-Template1
 no frame-relay inverse-arp
 no shutdown
!



R2
interface Serial0/0
 encapsulation frame-relay
 frame-relay interface-dlci 201 ppp Virtual-Template1
 no frame-relay inverse-arp
 no shutdown
!


After a short time the PVC between R1 and R2 comes up, the PPP session goes active and OSPF should then form an adjacency over the Virtual-Access interface.


R1#
*Mar  1 00:35:51.403: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar  1 00:36:02.407: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
*Mar  1 00:36:51.423: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Mar  1 00:36:53.515: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
*Mar  1 00:36:53.575: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Virtual-Access2 from LOADING to FULL, Loading Done


R1#sh ip ospf int brie
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Vi2          1     0               0.0.0.0/0          1     P2P   1/1
Vt1          1     0               0.0.0.0/0          1     DOWN  0/0
Se0/1        1     0               0.0.0.0/0          64    P2P   1/1
Lo0          1     0               1.1.1.1/24         1     LOOP  0/0

Of potential interest, the PPPoFR link (Vi2, cost 1) has a lower OSPF cost than the native PPP link (Se0/1, cost 64), so path selection will differ between the two link types.


R1#sh ip ospf nei


Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -        00:00:37    2.2.2.2         Virtual-Access2
3.3.3.3           0   FULL/  -        00:00:38    3.3.3.3         Serial0/1

R1#sh ip route ospf
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/2] via 2.2.2.2, 00:02:30, Virtual-Access2
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/65] via 3.3.3.3, 00:22:27, Serial0/1


The final link type we're working with is Ethernet between R2 and R3.

SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#int range fa1/2 - 3
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 23


R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int fa0/0
R2(config-if)#ip unnumbered lo0
Point-to-point (non-multi-access) interfaces only


Okay, that's not so good: IP unnumbered is only allowed on point-to-point interfaces, not on a multi-access Ethernet port. So we go back to our friend PPP again and use PPPoE (R2 will be our PPPoE client).


R2(config-if)#int di1
R2(config-if)#ip unnumbered lo0
R2(config-if)#encapsulation ppp
R2(config-if)#no peer neighbor-route
R2(config-if)#dialer pool 1
R2(config-if)#dialer persistent
R2(config-if)#ip ospf 1 area 0
R2(config-if)#int fa0/0
R2(config-if)#pppoe-client dial-pool-number 1
R2(config-if)#no shut

Let's set up R3 as the PPPoE server.


R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#int virtual-template 1
R3(config-if)#ip unnumbered lo0
R3(config-if)#no peer neighbor-route
R3(config-if)#ip ospf 1 area 0
R3(config-if)#int fa0/0
R3(config-if)#pppoe enable
R3(config-if)#bba-group pppoe global
R3(config-bba-group)#virtual-template 1
R3(config-bba-group)#int fa0/0
R3(config-if)#no shut


After a short time the PPPoE link comes up, but eventually we see this:


*Mar  1 00:59:06.723: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Virtual-Access2.1 from EXSTART to DOWN, Neighbor Down: Too many retransmissions


A typical cause of an adjacency stuck in EXSTART is an MTU mismatch, so let's see if that is the case here:

R3#sh ip int vi2.1 | i MTU
  MTU is 1492 bytes


Remember that PPPoE adds 8 bytes of overhead, so the server-side Virtual-Access interface has already dropped to 1492. Now the client side:

R2#sh ip int di1 | i MTU
  MTU is 1500 bytes


Okay, so that adjustment didn't happen on R2's dialer interface, which is still at 1500. Let's fix this up:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int di1
R2(config-if)#ip mtu 1492
R2(config-if)#end

We could also have fixed this with ip ospf mtu-ignore, although matching the MTUs is the cleaner fix. After a few seconds on R2 we see:

*Mar  1 01:00:35.827: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Dialer1 from LOADING to FULL, Loading Done
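As an added troubleshooting helper (not part of the original post), this Python parses %OSPF-5-ADJCHG log lines like the ones above, flags the EXSTART-to-DOWN "Too many retransmissions" signature as a likely MTU mismatch, and compares the IP MTU read from both ends' show output against the 8-byte PPPoE overhead. The log and show lines are constructed to match the page's output.

```python
import re

# Constructed sample lines, in the style of the IOS output shown on the page.
OSPF_LOG = """\
*Mar  1 00:59:06.723: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Virtual-Access2.1 from EXSTART to DOWN, Neighbor Down: Too many retransmissions
*Mar  1 01:00:35.827: %OSPF-5-ADJCHG: Process 1, Nbr 3.3.3.3 on Dialer1 from LOADING to FULL, Loading Done
"""
R3_SHOW = "  MTU is 1492 bytes"   # R3#sh ip int vi2.1 | i MTU
R2_SHOW = "  MTU is 1500 bytes"   # R2#sh ip int di1 | i MTU

ADJCHG_RE = re.compile(
    r"%OSPF-5-ADJCHG: Process (?P<pid>\d+), Nbr (?P<nbr>[\d.]+) on (?P<intf>\S+) "
    r"from (?P<old>\w+) to (?P<new>\w+), (?P<reason>.*)$")
MTU_RE = re.compile(r"MTU is (\d+) bytes")

PPPOE_OVERHEAD = 8   # 6-byte PPPoE header + 2-byte PPP protocol field

def parse_adjchg(log):
    """Return one dict (pid, nbr, intf, old, new, reason) per ADJCHG line."""
    return [m.groupdict() for line in log.splitlines()
            if (m := ADJCHG_RE.search(line))]

def suspect_mtu_mismatch(events):
    """EXSTART -> DOWN with retransmission failures is the classic MTU
    mismatch signature: the DBD exchange carries the interface MTU and
    the side with the larger MTU never completes it."""
    return [e for e in events
            if e["old"] == "EXSTART" and e["new"] == "DOWN"
            and "retransmissions" in e["reason"].lower()]

def parse_mtu(show_output):
    """Extract the IP MTU from 'show ip interface ... | i MTU' output."""
    m = MTU_RE.search(show_output)
    return int(m.group(1)) if m else None

def check_pppoe_mtu(client_mtu, server_mtu, parent_mtu=1500):
    """Compare both ends of a PPPoE session; return (ok, expected_mtu).
    expected_mtu is what the client dialer should be set to."""
    expected = parent_mtu - PPPOE_OVERHEAD
    return (client_mtu == server_mtu, expected)

if __name__ == "__main__":
    bad = suspect_mtu_mismatch(parse_adjchg(OSPF_LOG))
    for e in bad:
        print(f"Nbr {e['nbr']} on {e['intf']}: suspected MTU mismatch")
    ok, want = check_pppoe_mtu(parse_mtu(R2_SHOW), parse_mtu(R3_SHOW))
    print("MTU ok" if ok else f"MTU mismatch: set 'ip mtu {want}' on the client")
```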


So there you go: a few different ways of forming OSPF adjacencies between routers whose peer addresses sit in different subnets. Just remember that different link types carry different OSPF cost metrics, and that MTU must agree on both ends of the link.