Tuesday, August 26, 2008

Private VLANs (PVLANs)

Until now, I thought PVLANs were a bit difficult to understand and to implement. When studying for the CCNP it took me a while to digest, and I had some doubts about it, till today! Man... how simple it is, and there's not much "magic" in it (like our friend Scott Morris usually says)! Pretty straightforward and no big deal! The Security Video from IPExpert is AWESOME. It's short, informative, to the point, and solved MANY questions I've had for a while in minutes! Man! What a nice way to do it!

So, let's get into it:

There are three types of Private VLAN ports:

  • Promiscuous (P) - talk to everyone (usually connected to the exit Router, DNS, DHCP Server, NTP Server);
  • Isolated (I) - only talk to Promiscuous ports;
  • Community (C) - talk to others in the same Community & Promiscuous ports.

To configure PVLANs the switch MUST be in VTP transparent mode; otherwise it will not work.

Just keep in mind that when you put your switch in VTP transparent mode, you do not lose the VLANs you've learned so far; you're just not going to receive any new changes from now on!

Hosts in different PVLANs are all in the same IP subnet, BUT they're not able to talk to hosts in other community or isolated VLANs! That's the main goal of a PVLAN: to split one VLAN (one broadcast domain) into multiple isolated broadcast sub-domains. But what if one community VLAN needs to talk to another community VLAN?! Well... that can be done through a router or L3 switch. Also, you can apply access-lists and other security features there to permit only the traffic you want to pass through!

The best way to explain this is with an example, so check our topology; we'll concentrate on the PVLAN ports:

[Figure: PVLAN topology diagram]

There are three community VLANs (there can be more if you want), so you put every customer inside its own community VLAN, preventing one customer from talking to another. That means Customer A could have a web server and some other application server inside its own community VLAN, and that equipment will be able to talk to each other, but it will NOT be able to talk to equipment in other community or isolated VLANs.

But, wait a minute, we've created one community VLAN for each customer, and only one isolated VLAN?! What if we have more customers needing isolated ports?! Should we create more isolated VLANs?! The answer is NO. Isolated ports only talk to the promiscuous ports and not to each other. So each customer on an isolated port will be confined to that port plus the promiscuous port.

First, let's go ahead and create our VLANs:

SW1 and SW2:

vlan 10
private-vlan primary
exit
!
vlan 101
private-vlan isolated
exit
!
vlan 102
private-vlan community
exit
!
vlan 103
private-vlan community
exit
!
vlan 104
private-vlan community
exit
!
vlan 10
private-vlan association add 101-104
exit

So, VLAN 10 is our primary (promiscuous) VLAN, and it's associated with ALL the other (secondary) VLANs: 101, 102, 103 and 104.

Now, we'll associate each port with its VLAN, check it out:

SW1:

interface fa0/3
switchport mode private-vlan host
switchport private-vlan host-association 10 104
!
interface fa0/4
switchport mode private-vlan host
switchport private-vlan host-association 10 104
!
interface fa0/7
switchport mode private-vlan host
switchport private-vlan host-association 10 102
!
interface fa0/8
switchport mode private-vlan host
switchport private-vlan host-association 10 102

SW2:

interface fa0/3
switchport mode private-vlan host
switchport private-vlan host-association 10 101
!
interface fa0/4
switchport mode private-vlan host
switchport private-vlan host-association 10 103
!
interface fa0/5
switchport mode private-vlan host
switchport private-vlan host-association 10 103
!
interface fa0/2
switchport mode private-vlan promiscuous
switchport private-vlan mapping 10 add 101-104

Every port MUST be associated with the primary (promiscuous) VLAN, in our case VLAN 10! Beyond that, each host port is associated with its secondary VLAN (the isolated or community VLAN) in order to specify how that port will behave! That's why ALL ports are associated with VLAN 10 plus their own VLAN.
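To check that the configuration above really gives the three behaviours listed at the start of the post (promiscuous talks to everyone, isolated only to promiscuous, community to its own community plus promiscuous), here is an added Python model, not from the post or from IPExpert/Cisco, that parses the relevant PVLAN lines and answers whether two ports can talk. The SW1-/SW2- port prefixes, the extra isolated port SW1 fa0/9 and the reduced VLAN set are constructed for this demo; the mapping check is the one the promiscuous port's `mapping 10 add` line implies.

```python
import re

# Constructed sample: the VLAN types and a subset of the port associations
# from the post, with SW1 and SW2 merged (they are trunked, so one PVLAN
# spans both). SW1 fa0/9 is an extra isolated port added for this demo.
CONFIG = """
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 103
 private-vlan community
interface SW1-fa0/7
 switchport private-vlan host-association 10 102
interface SW1-fa0/9
 switchport private-vlan host-association 10 101
interface SW2-fa0/3
 switchport private-vlan host-association 10 101
interface SW2-fa0/4
 switchport private-vlan host-association 10 103
interface SW2-fa0/5
 switchport private-vlan host-association 10 103
interface SW2-fa0/2
 switchport private-vlan mapping 10 add 101-103
"""

def parse(config):
    """Return ({secondary_id: 'isolated'|'community'}, {port: (mode, vlan_set)})."""
    vtype, ports, cur = {}, {}, None
    for line in (ln.strip() for ln in config.splitlines()):
        if m := re.match(r"(?:vlan|interface) (\S+)$", line):
            cur = m.group(1)                      # remember which vlan/interface block we are in
        elif m := re.match(r"private-vlan (isolated|community)$", line):
            vtype[int(cur)] = m.group(1)
        elif m := re.match(r"switchport private-vlan host-association \d+ (\d+)$", line):
            ports[cur] = ("host", {int(m.group(1))})          # host port: one secondary VLAN
        elif m := re.match(r"switchport private-vlan mapping \d+ add (\d+)-(\d+)$", line):
            ports[cur] = ("promisc", set(range(int(m.group(1)), int(m.group(2)) + 1)))
    return vtype, ports

def can_talk(a, b, vtype, ports):
    """Apply the post's three port rules, plus the promiscuous mapping check."""
    (ma, va), (mb, vb) = ports[a], ports[b]
    if "promisc" in (ma, mb):
        return bool(va & vb)                 # promiscuous reaches only the secondaries it maps
    if va != vb:
        return False                         # different secondary VLANs never talk directly
    return vtype[next(iter(va))] == "community"   # same community: yes; two isolated: no
```

A host whose secondary VLAN is missing from the promiscuous port's mapping gets no answer from the gateway at all, which is the first thing to check when a "working" PVLAN host cannot reach anything.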

So, what can be connected to the promiscuous VLAN?! Normally the devices that are common to everybody and need to talk to all VLANs, like routers, DNS servers, NTP servers, DHCP servers, and many others!

You can verify your configuration with the "show vlan" command; the PVLAN information is at the end of its output.

Good advice from the IPExpert video: the current IOS on the lab switches (12.2.25) doesn't allow us to use switchport port-security commands and private-vlan commands on the same port at the same time! Once it moves to a newer version (12.2.40), which can happen any day Cisco wants, we'll be able to do that!

Ok! But... did you know that the 3550 doesn't support PVLANs?! Yep... me neither! It has a feature named switchport protected instead. It's really simple: for example, if we have 15 devices in a VLAN but only two of them are protected (with the interface command switchport protected), those two can talk to everybody else, but not to each other!

So one protected device will not talk to another protected device! It works just like an isolated VLAN: no unicast, multicast or broadcast between protected ports! Keep in mind this only applies between protected ports on the same switch.

Not that difficult, right?!

4 comments:

Anonymous said...

Nice article! Breaks private vlans down very nicely...

Caue said...

Thanks buddy!

There are many other AWESOME PVLAN articles in other blogs!

Scott is the man! Those videos rock!

Cheers!

Anonymous said...

Hey Caue,

Nice write-up! I felt the exact same way...when first seeing this topic for CCNP and such, it made me fear it...but after watching the same video, I feel much more comfortable actually understanding the theory.

What really helped for me was seeing it actually configured, that goes a long way. Nice article!

- Joe A.

Caue said...

Hey Joe! How are you buddy?!

Yeah! I think you know exactly what I mean! Back on CCNA/CCNP, there are some topics that confuse us more than they help! Maybe the way used to explain things or maybe the examples, I don't know.

I know that till now I was kind of afraid of PVLANs, but not anymore... Actually it's really simple! I just don't get "WHY" I was so confused till now! Anyway! Glad you liked it! It's pretty much what was covered on the video, plus some examples!

Really?! Have you seen any real network using it?! I've never seen one! Only in the lab!

Thanks man! Take care!

Cheers,
Caue Wailemann