There are three types of Private-VLAN VLAN constructs
1) The Primary VLAN of which the other two are associated with, the primary VLAN would typically be associated with the Gateway router for the Private-VLAN
2) Community VLANs - hosts associated with the same community VLAN are able to talk with each other but with no one else except for hosts on the Primary VLAN
3) Isolated VLANs - hosts even on the same isolated VLAN are unable to talk with anyone except hosts on the Primary VLAN
Actually there is a form of the Isolated VLAN feature which is supported on platforms such as the 3550 which is enabled using "switchport protected" however this is local to one switch - this means in a multi-switch environment, your switchport protected ports can communicate with hosts that are on the same VLAN on other switches
This post will cover a multi-switch private VLAN configuration as shown in the topology diagram
Private-VLANs can only work when the Switch is set to VTP transparent mode.
This exercise will be using 4 VLANs
- VLAN 100 - Primary
- VLAN 200 - Isolated
- VLAN 300 - Community
- VLAN 400 - Community
Before we get to the PVLAN config section, lets quickly list the configs on our routers
R1
hostname R1
interface FastEthernet0/0
ip address 10.1.100.1 255.255.255.0
no shutdown
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
R2
hostname R2
no ip routing
interface FastEthernet0/0
ip address 10.1.100.2 255.255.255.0
no shutdown
!
ip default-gateway 10.1.100.1
R3
hostname R3
no ip routing
interface FastEthernet0/0
ip address 10.1.100.3 255.255.255.0
no shutdown
!
ip default-gateway 10.1.100.1
R4
hostname R4
no ip routing
interface FastEthernet0/1
ip address 10.1.100.4 255.255.255.0
no shutdown
!
ip default-gateway 10.1.100.1
R5
hostname R5
no ip routing
interface FastEthernet0/1
ip address 10.1.100.5 255.255.255.0
no shutdown
!
ip default-gateway 10.1.100.1
R6
hostname R6
no ip routing
interface FastEthernet0/1
ip address 10.1.100.6 255.255.255.0
no shutdown
!
ip default-gateway 10.1.100.1
Our Switches are in their vanilla configurations (wr erase and del vlan.dat before reloading) so we we need to configure them from scratch.
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#host SW1
Ensure that we're in vtp transparent mode
SW1(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
Now we create the VLANs that will be used in our private-vlan and specify the type
SW1(config)#vlan 100
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#vlan 200
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#vlan 300
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#vlan 400
SW1(config-vlan)#private-vlan community
Let's check the configuration
SW1(config-vlan)#do sh vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 primary
200 isolated
300 community
VLAN 400 is not shown - whenever vlan configuration is used, the current vlan configuration is not applied until you exit it (either by configuring another VLAN or exiting VLAN config mode)
SW1(config-vlan)#exit
SW1(config)#do sh vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 primary
200 isolated
300 community
400 community
Now that the Private VLANs have been created, an association is required - we do this by selecting the primary vlan and then attaching the isolated/community VLANs to it
SW1(config-vlan)#private-vlan association 200,300,400
SW1(config-vlan)#exit
SW1(config)#do sh vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 200 isolated
100 300 community
100 400 community
Let's set up the trunk between SW1 and SW2 and then apply the same PVLAN config to SW2
SW1(config)#int fa1/0/19
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#host SW2
SW2(config)#int fa1/0/19
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#switchport mode trunk
SW2(config-vlan)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
SW2(config)#vlan 100
SW2(config-vlan)#private-vlan primary
SW2(config-vlan)#vlan 200
SW2(config-vlan)#private-vlan isolated
SW2(config-vlan)#vlan 300
SW2(config-vlan)#private-vlan community
SW2(config-vlan)#vlan 400
SW2(config-vlan)#private-vlan community
SW2(config-vlan)#vlan 100
SW2(config-vlan)#private-vlan association 200,300,400
SW2(config-vlan)#exit
SW2(config)#do sh vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 200 isolated
100 300 community
100 400 community
Before we associate switch interfaces with private-vlan configurations, by default all router facing ports will be in vlan 1, let's validate we have full connectivity.
R1
R1#ping 10.1.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/261/1012 ms
R1#ping 10.1.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/268/1056 ms
R1#ping 10.1.100.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/260/1004 ms
R1#ping 10.1.100.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/262/1016 ms
R1#ping 10.1.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/264/1044 ms
R2
R2#ping 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R2#ping 10.1.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/10/24 ms
R2#ping 10.1.100.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/406/1996 ms
R2#ping 10.1.100.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/5/12 ms
R2#ping 10.1.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/403/1988 ms
R2#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3
R3#ping 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R3#ping 10.1.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3#ping 10.1.100.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/405/2000 ms
R3#ping 10.1.100.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/8/20 ms
R3#ping 10.1.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/8 ms
R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R4
R4#ping 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R4#ping 10.1.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/12 ms
R4#ping 10.1.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R4#ping 10.1.100.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/403/1996 ms
R4#ping 10.1.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/7/16 ms
R4#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/12 ms
R5
R5#ping 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R5#ping 10.1.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R5#ping 10.1.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R5#ping 10.1.100.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/12 ms
R5#ping 10.1.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/406/1992 ms
R5#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R6
R6#ping 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R6#ping 10.1.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/12 ms
R6#ping 10.1.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R6#ping 10.1.100.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R6#ping 10.1.100.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R6#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/16 ms
Okay, so our baseline of full connectivity between hosts has been established, we can start applying the pvlan configurations to switchports.
SW1 Fa1/0/1 (R1) - Primary VLAN (100)
SW1 Fa1/0/2 (R2) - Isolated VLAN (200)
SW1 Fa1/0/3 (R3) - Community VLAN (300)
SW2 Fa1/0/4 (R4) - Isolated VLAN (200)
SW2 Fa1/0/5 (R5) - Community VLAN (300)
SW2 Fa1/0/6 (R6) - Community VLAN (400)
SW1(config)#int fa1/0/1
This is the promiscuous port for the private-vlan (all isolated/community VLANs of the private vlan can talk with this port)
SW1(config-if)#switchport mode private-vlan promiscuous
Attach the secondary vlans (200,300,400) to the primary vlan (100)
SW1(config-if)#switchport private-vlan association mapping 100 200,300,400
Now we configure the secondary vlan interfaces
SW1(config-if)#int fa1/0/2
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan association host 100 200
SW1(config-if)#int fa1/0/3
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan association host 100 300SW1(config-if)#switchport mode private-vlan host
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 200 isolated Fa1/0/1, Fa1/0/2
100 300 community Fa1/0/1, Fa1/0/3
100 400 community Fa1/0/1
On SW2 we only have secondary vlan interfaces
SW2(config)#int fa1/0/4
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#switchport private-vlan association host 100 200
SW2(config-if)#int fa1/0/5
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#switchport private-vlan association host 100 300
SW2(config-if)#int fa1/0/6
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#switchport private-vlan association host 100 400
SW2(config-if)#do sh vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 200 isolated Fa1/0/4
100 300 community Fa1/0/5
100 400 community Fa1/0/6
Now to test
R1 should be able to ping R2/R3/R4/R5/R6 because it's the promiscuous port (SW1 Fa1/0/1)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R1>ping 10.1.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R1>ping 10.1.100.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/8 ms
R1>ping 10.1.100.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R1>ping 10.1.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2 (SW1 Fa1/0/2) should only be able to ping R1 even though R4 (SW2 Fa1/0/4) is on the same secondary VLAN as this pvlan type is isolated neither will be able to communicate with each other
R2>ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R2>ping 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R2>ping 10.1.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2>ping 10.1.100.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2>ping 10.1.100.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2>ping 10.1.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3 (SW1 Fa1/0/3) should be able to ping R1 and R5 (as they are in the same community pvlan)
R3>ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R3>ping 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R3>ping 10.1.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3>ping 10.1.100.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3>ping 10.1.100.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3>ping 10.1.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4 (SW2 Fa1/0/4) like R2 should only be able to ping R1
R4>ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R4>ping 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R4>ping 10.1.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4>ping 10.1.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4>ping 10.1.100.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4>ping 10.1.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5 (SW2 Fa1/0/5) should be able to ping R1 and R3 (as they are in the same community pvlan)
R5>ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R5>ping 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/12 ms
R5>ping 10.1.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5>ping 10.1.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R5>ping 10.1.100.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5>ping 10.1.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6 (SW2 Fa1/0/6) will only be able to ping R1 currently it is the only community pvlan (400) member
R6>ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R6>ping 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R6>ping 10.1.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6>ping 10.1.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6>ping 10.1.100.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6>ping 10.1.100.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
So we have seen how you can use Private VLANs to partition a broadcast domain / IP subnet into multiple domains for service/security separation.
While the promiscuous port has been shown to occur on a layer 2 interface, it is also able to happen on a switched virtual interface.
to demonstrate we'll first make a slight change to R1's configuration
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int fa0/0
R1(config-if)#ip add 10.100.100.1 255.255.255.0
R1(config-if)#ip route 0.0.0.0 0.0.0.0 10.100.100.100
R1(config)#end
Now we'll return SW1 Fa1/0/1 to act as a regular access port in vlan 10
SW1(config)#int fa1/0/1
SW1(config-if)#no switchport private-vlan mapping 100 200,300,400
SW1(config-if)#no switchport mode private-vlan promiscuous
SW1(config-if)#switchport access vlan 10
SW1(config-if)#no switchport private-vlan mapping 100 200,300,400
SW1(config-if)#no switchport mode private-vlan promiscuous
SW1(config-if)#switchport access vlan 10
We'll create our SVI for vlan 10
SW1(config-if)#ip add 10.100.100.100 255.255.255.0
SW1(config-if)#exit
now we'll enable routing and add the static route to 1.1.1.1
SW1(config)#ip routing
SW1(config)#ip route 1.1.1.1 255.255.255.255 10.100.100.1SW1(config)#do ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
Now we need to create the SVI for vlan 100 and create the private-vlan mapping
SW1(config)#int vlan 100
SW1(config-if)#ip add 10.1.100.1 255.255.255.0
SW1(config-if)#private-vlan mapping 200,300,400
SW1(config-if)#ip add 10.1.100.1 255.255.255.0
SW1(config-if)#private-vlan mapping 200,300,400
SW1(config-if)#do sh vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 200 isolated Fa1/0/2
100 300 community Fa1/0/3
100 400 community
We cant see any reference to VLAN 100 here but there is an alternate way to see the mapping
SW1(config-if)#do sh int vlan 100 private-vlan mapping
Interface Secondary VLANs
--------- --------------------------------------------------------------------
vlan100 200, 300, 400
We'll do a verification using R3 (Only hosts on VLAN 10, 100 and 300) should be reachable
R3>ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/20 ms
R3>ping 10.100.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3>ping 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
R3>ping 10.1.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3>ping 10.1.100.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3>ping 10.1.100.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R3>ping 10.1.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Using the Private VLAN on the SVI enables you to to use your switch as a routing gateway for your private vlans.
No comments:
Post a Comment