Monday, 25 June 2012

Private VLANs

One of the features the Catalyst 3560 has that the 3550 lacks is support for Private VLANs. A Private VLAN partitions one broadcast domain (and therefore one IP subnet) into several smaller domains by combining multiple VLANs into a single construct.

There are three types of VLAN within a Private-VLAN construct:
1) The Primary VLAN, with which the other two types are associated; the primary VLAN is typically where the gateway router for the Private VLAN sits
2) Community VLANs - hosts in the same community VLAN can talk to each other and to hosts on the Primary VLAN, but to no one else
3) Isolated VLANs - hosts on an isolated VLAN cannot talk to anyone except hosts on the Primary VLAN, not even to other hosts on the same isolated VLAN

There is a limited form of the isolated behaviour on platforms such as the 3550, enabled with "switchport protected", but it is local to a single switch. In a multi-switch environment, protected ports can still communicate with hosts on the same VLAN that sit on other switches.

This post covers a multi-switch Private VLAN configuration, as shown in the topology diagram.

Private VLANs can only be configured when the switch is in VTP transparent mode.

This exercise uses 4 VLANs:
  1. VLAN 100 - Primary
  2. VLAN 200 - Isolated
  3. VLAN 300 - Community
  4. VLAN 400 - Community
Although VLAN 300 and VLAN 400 are of the same type, they are different communities, so their hosts won't be able to talk to each other. This kind of flexibility is useful in hosting environments where you want to share one IP subnet across multiple customers while still keeping them separated from each other, without needing unwieldy ACLs to enforce it.

Before we get to the PVLAN config section, let's quickly list the configs on our routers.

R1
hostname R1
interface FastEthernet0/0
 ip address 10.1.100.1 255.255.255.0
 no shutdown
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!

R2
hostname R2
no ip routing
interface FastEthernet0/0
 ip address 10.1.100.2 255.255.255.0
 no shutdown
!
ip default-gateway 10.1.100.1

R3
hostname R3
no ip routing
interface FastEthernet0/0
 ip address 10.1.100.3 255.255.255.0
 no shutdown
!
ip default-gateway 10.1.100.1

R4
hostname R4
no ip routing
interface FastEthernet0/1
 ip address 10.1.100.4 255.255.255.0
 no shutdown
!
ip default-gateway 10.1.100.1

R5
hostname R5
no ip routing
interface FastEthernet0/1
 ip address 10.1.100.5 255.255.255.0
 no shutdown
!
ip default-gateway 10.1.100.1

R6
hostname R6
no ip routing
interface FastEthernet0/1
 ip address 10.1.100.6 255.255.255.0
 no shutdown
!
ip default-gateway 10.1.100.1

Our switches are in their vanilla configurations (wr erase and del vlan.dat before reloading), so we need to configure them from scratch.

Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#host SW1

Ensure that we're in VTP transparent mode:

SW1(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.

Now we create the VLANs that will be used in our Private VLAN and specify the type of each:

SW1(config)#vlan 100
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#vlan 200
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#vlan 300
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#vlan 400
SW1(config-vlan)#private-vlan community

Let's check the configuration:

SW1(config-vlan)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100               primary
        200       isolated
        300       community

VLAN 400 is not shown: in VLAN configuration mode, the configuration of the current VLAN is not applied until you leave it, either by moving on to another VLAN or by exiting VLAN config mode.

SW1(config-vlan)#exit
SW1(config)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100               primary
        200       isolated
        300       community
        400       community

Now that the Private VLANs have been created, they must be associated: we select the primary VLAN and attach the isolated/community VLANs to it.

SW1(config)#vlan 100
SW1(config-vlan)#private-vlan association 200,300,400
SW1(config-vlan)#exit
SW1(config)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       isolated
100     300       community
100     400       community

Let's set up the trunk between SW1 and SW2 and then apply the same PVLAN config to SW2.

SW1(config)#int fa1/0/19
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk

Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#host SW2
SW2(config)#int fa1/0/19
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#switchport mode trunk
SW2(config-if)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
SW2(config)#vlan 100
SW2(config-vlan)#private-vlan primary
SW2(config-vlan)#vlan 200
SW2(config-vlan)#private-vlan isolated
SW2(config-vlan)#vlan 300
SW2(config-vlan)#private-vlan community
SW2(config-vlan)#vlan 400
SW2(config-vlan)#private-vlan community
SW2(config-vlan)#vlan 100
SW2(config-vlan)#private-vlan association 200,300,400
SW2(config-vlan)#exit
SW2(config)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       isolated
100     300       community
100     400       community

Before we associate switch interfaces with private-VLAN configurations, all router-facing ports are in VLAN 1 by default, so let's validate that we have full connectivity.

R1
R1#ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/261/1012 ms
R1#ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/268/1056 ms
R1#ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/260/1004 ms
R1#ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/262/1016 ms
R1#ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/264/1044 ms


R2
R2#ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R2#ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/10/24 ms
R2#ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/406/1996 ms
R2#ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/5/12 ms
R2#ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/403/1988 ms
R2#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R3
R3#ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R3#ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3#ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/405/2000 ms
R3#ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/8/20 ms
R3#ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/8 ms
R3#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

R4
R4#ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R4#ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/12 ms
R4#ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R4#ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/403/1996 ms
R4#ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/7/16 ms
R4#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/12 ms

R5
R5#ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R5#ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R5#ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R5#ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/12 ms
R5#ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/406/1992 ms
R5#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R6
R6#ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R6#ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/12 ms
R6#ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R6#ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R6#ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R6#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/16 ms


Okay, so our baseline of full connectivity between hosts has been established; we can start applying the PVLAN configurations to the switchports:

SW1 Fa1/0/1 (R1) - Primary VLAN (100)
SW1 Fa1/0/2 (R2) - Isolated VLAN (200)
SW1 Fa1/0/3 (R3) - Community VLAN (300)

SW2 Fa1/0/4 (R4) - Isolated VLAN (200)
SW2 Fa1/0/5 (R5) - Community VLAN (300)
SW2 Fa1/0/6 (R6) - Community VLAN (400)

SW1(config)#int fa1/0/1

This is the promiscuous port for the Private VLAN (all isolated/community VLANs of the Private VLAN can talk to this port):

SW1(config-if)#switchport mode private-vlan promiscuous

Map the secondary VLANs (200, 300, 400) to the primary VLAN (100) on this port:

SW1(config-if)#switchport private-vlan association mapping 100 200,300,400

Now we configure the host ports for the secondary VLANs:

SW1(config-if)#int fa1/0/2
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan association host 100 200

SW1(config-if)#int fa1/0/3
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan association host 100 300

SW1(config-if)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       isolated          Fa1/0/1, Fa1/0/2
100     300       community         Fa1/0/1, Fa1/0/3
100     400       community         Fa1/0/1

On SW2 we only have host ports in secondary VLANs; there is no promiscuous port on this switch.

SW2(config)#int fa1/0/4
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#switchport private-vlan association host 100 200
SW2(config-if)#int fa1/0/5
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#switchport private-vlan association host 100 300
SW2(config-if)#int fa1/0/6
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#switchport private-vlan association host 100 400
SW2(config-if)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       isolated          Fa1/0/4
100     300       community         Fa1/0/5
100     400       community         Fa1/0/6

Now to test.

R1 should be able to ping R2/R3/R4/R5/R6 because it sits on the promiscuous port (SW1 Fa1/0/1).

R1>ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R1>ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R1>ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/8 ms
R1>ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R1>ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R2 (SW1 Fa1/0/2) should only be able to ping R1. Even though R4 (SW2 Fa1/0/4) is on the same secondary VLAN, that VLAN is isolated, so neither will be able to communicate with the other.

R2>ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R2>ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R2>ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2>ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2>ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2>ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R3 (SW1 Fa1/0/3) should be able to ping R1 and R5 (R3 and R5 are in the same community PVLAN).
R3>ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R3>ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R3>ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3>ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3>ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3>ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R4 (SW2 Fa1/0/4), like R2, should only be able to ping R1.

R4>ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R4>ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R4>ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4>ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4>ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4>ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R5 (SW2 Fa1/0/5) should be able to ping R1 and R3 (R5 and R3 are in the same community PVLAN).

R5>ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R5>ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/12 ms
R5>ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5>ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R5>ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5>ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R6 (SW2 Fa1/0/6) will only be able to ping R1, since it is currently the only member of community PVLAN 400.

R6>ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R6>ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R6>ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6>ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6>ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6>ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

So we have seen how Private VLANs can partition a broadcast domain / IP subnet into multiple domains for service and security separation.
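To make the rules behind the ping matrix above explicit, here is a small reachability model. It is an added illustration and not code from the post: the port table mirrors the switchport modes and associations applied to SW1/SW2, the OBSERVED table is the ping outcome recorded above, and the SW1-Vlan100 entry is a constructed name for the SVI variant described next (the switch's Vlan100 interface acting as the promiscuous side, with R1 moved out of the Private VLAN).

```python
"""Private-VLAN layer-2 reachability model (added illustration, not the post's code)."""
from typing import Dict, NamedTuple, Set


class PvlanPort(NamedTuple):
    switch: str
    interface: str
    mode: str              # "promiscuous" or "host"
    primary: int
    secondaries: Set[int]  # a host port carries exactly one secondary VLAN


# Secondary VLAN types as created on SW1 and SW2 in the post.
VLAN_TYPES: Dict[int, str] = {200: "isolated", 300: "community", 400: "community"}

# Port assignments from the post (host name -> the switchport it is attached to).
PORTS: Dict[str, PvlanPort] = {
    "R1": PvlanPort("SW1", "Fa1/0/1", "promiscuous", 100, {200, 300, 400}),
    "R2": PvlanPort("SW1", "Fa1/0/2", "host", 100, {200}),
    "R3": PvlanPort("SW1", "Fa1/0/3", "host", 100, {300}),
    "R4": PvlanPort("SW2", "Fa1/0/4", "host", 100, {200}),
    "R5": PvlanPort("SW2", "Fa1/0/5", "host", 100, {300}),
    "R6": PvlanPort("SW2", "Fa1/0/6", "host", 100, {400}),
}


def can_talk(a: PvlanPort, b: PvlanPort, vlan_types: Dict[int, str] = VLAN_TYPES) -> bool:
    """Layer-2 reachability between two ports of one private VLAN.

    The rules are symmetric and do not depend on which switch a port is on: a
    host port on SW2 is treated exactly like one on SW1 (unlike 'switchport
    protected', which is local to a single switch).
    """
    if a.primary != b.primary:
        return False  # different private VLANs never mix at layer 2
    if a.mode == "promiscuous" and b.mode == "promiscuous":
        return True   # both sit in the primary VLAN
    if a.mode == "promiscuous" or b.mode == "promiscuous":
        # a promiscuous port reaches every secondary VLAN it is mapped to,
        # isolated ones included; an unmapped secondary stays unreachable
        return bool(a.secondaries & b.secondaries)
    # two host ports: only members of the same *community* VLAN may talk
    (sa,) = a.secondaries
    (sb,) = b.secondaries
    return sa == sb and vlan_types[sa] == "community"


def reachability(ports: Dict[str, PvlanPort]) -> Dict[str, Set[str]]:
    """Expected layer-2 peers of every host (self excluded)."""
    return {h: {o for o in ports if o != h and can_talk(ports[h], ports[o])} for h in ports}


# Ping results recorded in the post after the PVLAN port configuration.
OBSERVED: Dict[str, Set[str]] = {
    "R1": {"R2", "R3", "R4", "R5", "R6"},
    "R2": {"R1"},
    "R3": {"R1", "R5"},
    "R4": {"R1"},
    "R5": {"R1", "R3"},
    "R6": {"R1"},
}


def mismatches(expected: Dict[str, Set[str]], observed: Dict[str, Set[str]]):
    """Hosts whose observed reachability differs from the model.

    An empty result means the switches behave exactly as the model predicts; a
    non-empty one points at a port whose mode or association is not what you
    think it is.
    """
    return {h: (sorted(expected[h]), sorted(observed.get(h, set())))
            for h in expected if expected[h] != observed.get(h, set())}


# SVI variant from the end of the post: the switch's Vlan100 interface is the
# promiscuous side ('private-vlan mapping 200,300,400') and R1 has moved to a
# plain access port in VLAN 10, outside the private VLAN. "SW1-Vlan100" is a
# constructed label for that SVI.
PORTS_SVI: Dict[str, PvlanPort] = {h: p for h, p in PORTS.items() if h != "R1"}
PORTS_SVI["SW1-Vlan100"] = PvlanPort("SW1", "Vlan100", "promiscuous", 100, {200, 300, 400})


if __name__ == "__main__":
    for host, peers in sorted(reachability(PORTS).items()):
        print(f"{host}: {sorted(peers)}")
    print("mismatches against observed pings:", mismatches(reachability(PORTS), OBSERVED))
```

The model only describes frame forwarding inside the switches. Anything the gateway on the promiscuous side chooses to route between two secondary VLANs at layer 3 is outside it, which is why the gateway's own policy still matters when Private VLANs are used for customer separation.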

While the promiscuous port has been shown on a layer 2 interface, it can also be configured on a switched virtual interface (SVI).

To demonstrate, we'll first make a slight change to R1's configuration:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int fa0/0
R1(config-if)#ip add 10.100.100.1 255.255.255.0
R1(config-if)#ip route 0.0.0.0 0.0.0.0 10.100.100.100
R1(config)#end

Now we'll return SW1 Fa1/0/1 to being a regular access port, in VLAN 10:

SW1(config)#int fa1/0/1
SW1(config-if)#no switchport private-vlan mapping 100 200,300,400
SW1(config-if)#no switchport mode private-vlan promiscuous
SW1(config-if)#switchport access vlan 10

We'll create our SVI for VLAN 10:

SW1(config-if)#int vlan 10
SW1(config-if)#ip add 10.100.100.100 255.255.255.0
SW1(config-if)#exit

Now we'll enable routing and add the static route to 1.1.1.1:

SW1(config)#ip routing
SW1(config)#ip route 1.1.1.1 255.255.255.255 10.100.100.1
SW1(config)#do ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms

Now we need to create the SVI for VLAN 100 and add the private-VLAN mapping on it:

SW1(config)#int vlan 100
SW1(config-if)#ip add 10.1.100.1 255.255.255.0
SW1(config-if)#private-vlan mapping 200,300,400

SW1(config-if)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       isolated          Fa1/0/2
100     300       community         Fa1/0/3
100     400       community

We can't see any reference to VLAN 100 in the Ports column here, but there is an alternate way to see the mapping:

SW1(config-if)#do sh int vlan 100 private-vlan mapping
Interface Secondary VLANs
--------- --------------------------------------------------------------------
vlan100   200, 300, 400

We'll verify using R3: only hosts on VLAN 10, 100 and 300 should be reachable.

R3>ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/20 ms
R3>ping 10.100.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3>ping 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R3>ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3>ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3>ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3>ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Using the Private VLAN mapping on the SVI lets you use the switch itself as the routing gateway for your Private VLANs.
