PRIVATE VLANS
www.netprotocolxpert.in
• To begin with, recall that a VLAN is essentially a broadcast domain.
• Private VLANs (PVLANs) allow splitting that domain into multiple isolated broadcast "subdomains", introducing sub-VLANs inside a VLAN. As we know, Ethernet VLANs cannot communicate directly with each other; they require an L3 device to forward packets between separate broadcast domains.
• The same restriction applies to PVLANs: since the subdomains are isolated at Layer 2, they need an upper-layer (L3/packet-forwarding) device, such as a router, to communicate.
• In reality, different VLANs normally map to different IP subnets. When we split a VLAN using PVLANs, hosts in different PVLANs still belong to the same IP subnet, yet now they need a router (L3 device) to talk to each other (for example, the router answers ARP on their behalf using Local Proxy ARP).
• In turn, the router may either permit or forbid communication between sub-VLANs using access lists. Commonly, these configurations arise in "shared" environments, say ISP co-location, where it is beneficial to put multiple customers into the same IP subnet yet provide a good level of isolation between them.
Private VLAN Terminology
• For our sample configuration, we take VLAN 1000 and divide it into three PVLANs: sub-VLAN 1012 (R1 and R2), sub-VLAN 1034 (R3 and R4) and sub-VLAN 1055 (router R5 only). Router R6 will be used as the Layer 3 device that provides connectivity between the sub-VLANs. We name VLAN 1000 the "Primary" VLAN and classify the ports assigned to it by type:
• Promiscuous ("P") port: usually connects to a router. This port type is allowed to send L2 frames to, and receive them from, any other port in the VLAN.
• Isolated ("I") port: only allowed to communicate with "P"-ports, i.e. a "stub" port. You commonly see these ports connecting to hosts.
• Community ("C") port: allowed to talk to the other ports sharing the same community (group) and to "P"-ports.
• In order to implement sub-VLAN behaviour, we need to define how frames are forwarded between the different port types. We group the VLANs into "Primary" and "Secondary".
• Primary VLAN (VLAN 1000 in our example): used to forward frames downstream from "P"-ports to all other port types ("I" and "C" ports) in the system. Essentially, the Primary VLAN embraces all ports in the domain, but only transports frames from the router to the hosts (from "P" to "I" and "C").
• Secondary Isolated VLAN: forwards frames from "I"-ports to "P"-ports. Since isolated ports never exchange frames with each other, a single isolated VLAN is enough to connect all I-ports to the P-ports; a primary VLAN can have only one.
• Secondary Community VLANs: transport frames between community ports (C-ports) within the same group (community) and forward frames upstream to the P-ports of the primary VLAN.
How Private VLANs Work
Here are the key aspects of Private VLAN functioning:
• The Primary VLAN delivers frames downstream from the router (promiscuous port) to all mapped hosts.
• The Isolated VLAN transports frames from the stub hosts upstream to the router.
• The Community VLANs allow bi-directional frame exchange within a single group, in addition to forwarding frames upstream towards "P"-ports.
• Ethernet MAC address learning and the forwarding procedure remain the same, as does broadcast/multicast flooding within the boundaries of the primary/secondary VLANs.
• Private VLANs can be trunked. The secondary VLAN numbers are used to tag frames, just as with regular VLANs, and the primary VLAN traffic is trunked as well.
• However, you need to configure the Private VLAN specific settings (bindings, mappings) on every participating switch, as it is not possible to use VTPv2 to disseminate that information. A switch on the trunk that lacks the bindings treats, say, 1055 as an ordinary VLAN, and the isolation the secondary VLAN was meant to provide does not hold on that switch.
• This is because VTPv2 has no TLVs to carry private VLAN information. VTPv3 was designed to overcome this limitation, among others.
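The forwarding rules above can be written down as a small reachability model and checked against the lab topology. The following Python is an added example, not code from the slides or from Cisco: it encodes the "P", "C" and "I" rules for ports in one primary VLAN, treats an SVI as a promiscuous port with its own mapping (which is how the page configures the SVIs later on), and lists which ports a broadcast from a given host can reach. The host names, VLAN numbers and the SW2 SVI mapped to 1012 and 1034 only are the lab's; everything else is an assumption of the model.

```python
"""Private VLAN reachability model (added example, not from the slides).

Encodes the forwarding rules the text gives for promiscuous, community and
isolated ports and answers "which ports can a frame from X reach?". Host
names and VLAN numbers are the lab's (1000, 1012, 1034, 1055); an SVI is
modelled as a promiscuous port with its own mapping, as the page configures.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    PROMISCUOUS = "P"   # router or SVI, mapped to one or more secondary VLANs
    COMMUNITY = "C"     # talks to its own community and to mapped P-ports
    ISOLATED = "I"      # talks to mapped P-ports only


@dataclass(frozen=True)
class Port:
    name: str
    primary: int
    role: Role
    secondary: int | None = None            # C and I ports: their secondary VLAN
    mapping: frozenset[int] = frozenset()   # P ports: secondaries they are mapped to


def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame received on src may be forwarded out of dst."""
    if src is dst or src.primary != dst.primary:
        return False
    if src.role is Role.PROMISCUOUS:
        # Downstream in the primary VLAN: other P-ports, plus every host
        # whose secondary VLAN is in this P-port's mapping.
        return dst.role is Role.PROMISCUOUS or dst.secondary in src.mapping
    if dst.role is Role.PROMISCUOUS:
        # Upstream in the secondary VLAN: only P-ports mapped to that VLAN.
        return src.secondary in dst.mapping
    # Host to host: only inside one community VLAN; isolated ports never.
    return src.role is Role.COMMUNITY and src.secondary == dst.secondary


def broadcast_receivers(src: Port, ports: list[Port]) -> list[str]:
    """Names of the ports that receive a broadcast sent from src (sorted)."""
    return sorted(p.name for p in ports if can_forward(src, p))


def check_symmetry(ports: list[Port]) -> list[tuple[str, str]]:
    """PVLAN reachability must be symmetric; return any one-way pairs."""
    return [(a.name, b.name) for a in ports for b in ports
            if can_forward(a, b) and not can_forward(b, a)]


def build_lab() -> dict[str, Port]:
    """The page's topology: two communities, one isolated host, R6 and two SVIs."""
    P, C, I = Role.PROMISCUOUS, Role.COMMUNITY, Role.ISOLATED
    all_secondaries = frozenset({1012, 1034, 1055})
    ports = [
        Port("R1", 1000, C, secondary=1012),
        Port("R2", 1000, C, secondary=1012),
        Port("R3", 1000, C, secondary=1034),
        Port("R4", 1000, C, secondary=1034),
        Port("R5", 1000, I, secondary=1055),
        Port("R6", 1000, P, mapping=all_secondaries),
        Port("SW1-SVI", 1000, P, mapping=all_secondaries),
        Port("SW2-SVI", 1000, P, mapping=frozenset({1012, 1034})),  # 1055 left out
    ]
    return {p.name: p for p in ports}


if __name__ == "__main__":
    lab = build_lab()
    everyone = list(lab.values())
    for name in ("R1", "R3", "R5", "R6"):
        print(f"{name:8} broadcast reaches {broadcast_receivers(lab[name], everyone)}")
    print("one-way pairs:", check_symmetry(everyone))
```

Running it reproduces the broadcast-ping results shown at the end of the page: R1 reaches only R2, R6 and the two SVIs, R5 reaches only R6 and the SW1 SVI, and R6 reaches everything. The symmetry check is the property to keep in mind when reviewing a PVLAN design: if a host can send a frame to a port, that port can answer, so a mapping that is "too wide" on a promiscuous port opens a two-way path.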
Configuring Private VLANs
We have primary VLAN 1000, isolated VLAN 1055 (R5), community VLAN 1012 (R1, R2) and community VLAN 1034 (R3, R4).
Step 1:
• First, disable VTP, i.e. enable VTP transparent mode. After disabling VTP, create the Primary and Secondary VLANs and bind them into a PVLAN domain:
SW1:
vtp mode transparent
!
! Creating the primary VLAN, which is shared among the secondaries
!
vlan 1000
 private-vlan primary
!
! Community VLAN for R1 and R2: allows a "sub-VLAN" within the Primary VLAN
!
vlan 1012
 private-vlan community
!
! Community VLAN for R3 and R4
!
vlan 1034
 private-vlan community
!
! Isolated VLAN: connects all stub hosts to the router.
! Remember: only one isolated VLAN per primary VLAN.
! In our case, it isolates R5 only.
!
vlan 1055
 private-vlan isolated
!
! Associating the primary with the secondaries
!
vlan 1000
 private-vlan association 1012,1034,1055
This step groups the PVLANs into a shared domain and establishes a formal association (used for syntax checking and VLAN type verification). Repeat the same operations on SW2, since VTP has been disabled.
Step 2:
• Configure the host ports and bind them to their respective secondary VLANs. Note that a host port belongs to two VLANs at the same time: the downstream primary and the upstream secondary. Also, enable trunking between the switches, to allow the private VLAN traffic to pass between them.
SW1:
!
! Community port (links R1 to R2 and "P"-ports)
!
interface FastEthernet0/1
 description == R1
 switchport private-vlan host-association 1000 1012
 switchport mode private-vlan host
 spanning-tree portfast
!
! Community port (links R3 to R4 and "P"-ports)
!
interface FastEthernet0/3
 description == R3
 switchport private-vlan host-association 1000 1034
 switchport mode private-vlan host
 spanning-tree portfast
!
! Isolated port (uses the isolated VLAN to talk to "P"-ports)
!
interface FastEthernet0/5
 description == R5
 switchport private-vlan host-association 1000 1055
 switchport mode private-vlan host
 spanning-tree portfast
!
! Trunk port
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
SW2:
!
! Community port (links R2 to R1 and "P"-ports)
!
interface FastEthernet0/2
 description == R2
 switchport private-vlan host-association 1000 1012
 switchport mode private-vlan host
 spanning-tree portfast
!
! Community port (links R4 to R3 and "P"-ports)
!
interface FastEthernet0/4
 description == R4
 switchport private-vlan host-association 1000 1034
 switchport mode private-vlan host
 spanning-tree portfast
!
! Trunk port
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
Next, verify the configuration on SW1:
SW1#show vlan id 1012

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1012 VLAN1012                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1012 enet  101012     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1012      community         Fa0/1

SW1#show vlan id 1034

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1034 VLAN1034                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1034 enet  101034     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1034      community         Fa0/3

SW1#show vlan id 1055

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1055 VLAN1055                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1055 enet  101055     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1055      isolated          Fa0/5

SW1#show interfaces fastEthernet 0/13 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1,1000,1012,1034,1055

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      1,1000,1012,1034,1055
Verify on SW2 (Fa0/6 already appears in the mappings because this output was captured after the promiscuous port of Step 3 had been configured):
SW2#show vlan id 1000

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1000 VLAN1000                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1000 enet  101000     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1012      community         Fa0/2, Fa0/6
1000    1034      community         Fa0/4, Fa0/6
1000    1055      isolated          Fa0/6

SW2#show vlan id 1012

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1012 VLAN1012                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1012 enet  101012     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1012      community         Fa0/2, Fa0/6

SW2#show vlan id 1034

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1034 VLAN1034                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1034 enet  101034     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1034      community         Fa0/4, Fa0/6

SW2#show vlan id 1055

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1055 VLAN1055                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1055 enet  101055     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1055      isolated          Fa0/6

SW2#show interfaces fastEthernet 0/13 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1,1000,1012,1034,1055

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      1,1000,1012,1034,1055
Step 3:
Create a promiscuous port and configure its downstream mappings. Here we add the secondary VLANs whose traffic is received by this particular "P"-port. The primary VLAN is used to send traffic downstream to all "C" and "I" ports per their associations.
SW2:
!
! Promiscuous port, mapped to all secondary VLANs
!
interface FastEthernet0/6
 description == R6
 switchport private-vlan mapping 1000 1012,1034,1055
 switchport mode private-vlan promiscuous
 spanning-tree portfast
Verify the promiscuous port configuration:
SW2#show interfaces fastEthernet 0/6 switchport | begin private
Administrative Mode: private-vlan promiscuous
Operational Mode: private-vlan promiscuous
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 1000 (VLAN1000) 1012 (VLAN1012) 1034 (VLAN1034) 1055 (VLAN1055)
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan:
  1000 (VLAN1000) 1012 (VLAN1012) 1034 (VLAN1034) 1055 (VLAN1055)
If you need to configure an SVI on a switch to communicate with private VLAN members, you should add an interface corresponding to the Primary VLAN only. That is because all secondary VLANs are "subordinates" of the primary. After the SVI has been created, you have to map the required secondary VLANs to the SVI (just like with a promiscuous port) in order to make communication possible. You may exclude some mappings from the SVI and limit it to communicating only with certain secondary VLANs.
SW1:
!
! SW1 SVI is mapped to all secondary VLANs
!
interface Vlan1000
 ip address 10.0.0.7 255.255.255.0
 private-vlan mapping 1012,1034,1055
SW2:
!
! SW2 SVI is mapped to 1012/1034 only, so it cannot communicate with R5
!
interface Vlan1000
 ip address 10.0.0.8 255.255.255.0
 private-vlan mapping 1012,1034
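Steps 1 to 3 and the SVI mappings have to agree with each other on every switch, and a slip such as the "1005" on the summary slide versus the "1055" actually configured is easy to miss by eye. The following Python is an added example, not a tool from the slides or from Cisco: it parses the private-vlan statements used in this lab out of plain IOS configuration text and reports the inconsistencies that break isolation or connectivity. SW1_CONFIG is constructed from the page's SW1 configuration for R1 and R5 and its SVI, plus one hypothetical port, FastEthernet0/7, whose host-association repeats the 1005 typo.

```python
"""Audit private-vlan statements in Cisco IOS configuration text (added example).

SW1_CONFIG is constructed from the page's SW1 configuration plus one hypothetical
host port, FastEthernet0/7, bound to VLAN 1005 (the summary slide's typo).
"""
import re
from collections import defaultdict

SW1_CONFIG = """\
vtp mode transparent
vlan 1000
 private-vlan primary
 private-vlan association 1012,1034,1055
vlan 1012
 private-vlan community
vlan 1034
 private-vlan community
vlan 1055
 private-vlan isolated
interface FastEthernet0/1
 switchport private-vlan host-association 1000 1012
 switchport mode private-vlan host
interface FastEthernet0/5
 switchport private-vlan host-association 1000 1055
 switchport mode private-vlan host
interface FastEthernet0/7
 switchport private-vlan host-association 1000 1005
 switchport mode private-vlan host
interface Vlan1000
 private-vlan mapping 1012,1034,1055
"""


def expand_vlan_list(spec: str) -> set:
    """Expand an IOS VLAN list such as '1012,1034-1036' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse(config: str) -> dict:
    st = {"vtp": None, "type": {}, "assoc": defaultdict(set),
          "mode": {}, "host": {}, "prom": {}, "svi": {}}
    ctx = None  # ("vlan", id) or ("if", name): the block the current line belongs to
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"vtp mode (\S+)", line):
            st["vtp"] = m.group(1)
        elif m := re.match(r"vlan (\d+)$", line):
            ctx = ("vlan", m.group(1))
        elif m := re.match(r"interface (.+)$", line):
            ctx = ("if", m.group(1).replace(" ", ""))
        elif ctx and ctx[0] == "vlan":
            vid = int(ctx[1])
            if m := re.match(r"private-vlan (primary|community|isolated)$", line):
                st["type"][vid] = m.group(1)
            elif m := re.match(r"private-vlan association (?:add )?([\d,-]+)$", line):
                st["assoc"][vid] |= expand_vlan_list(m.group(1))
        elif ctx:
            name = ctx[1]
            if m := re.match(r"switchport mode private-vlan (host|promiscuous)$", line):
                st["mode"][name] = m.group(1)
            elif m := re.match(r"switchport private-vlan host-association (\d+) (\d+)$", line):
                st["host"][name] = (int(m.group(1)), int(m.group(2)))
            elif m := re.match(r"switchport private-vlan mapping (\d+) (?:add )?([\d,-]+)$", line):
                st["prom"][name] = (int(m.group(1)), expand_vlan_list(m.group(2)))
            elif name.lower().startswith("vlan") and (
                    m := re.match(r"private-vlan mapping (?:add )?([\d,-]+)$", line)):
                st["svi"][int(name[4:])] = expand_vlan_list(m.group(1))
    return st


def audit(config: str) -> list:
    """One message per inconsistency; an empty list means the PVLAN config is coherent."""
    st, out = parse(config), []
    if st["vtp"] not in ("transparent", "off"):
        out.append("VTP is not transparent/off: VTPv1/v2 cannot carry private-vlan data")
    for prim, secs in st["assoc"].items():
        for s in sorted(secs):
            if st["type"].get(s) not in ("community", "isolated"):
                out.append(f"vlan {prim}: associates {s}, which is not a defined secondary VLAN")
        if sum(st["type"].get(s) == "isolated" for s in secs) > 1:
            out.append(f"vlan {prim}: more than one isolated VLAN (only one is allowed)")
    for name, (prim, sec) in st["host"].items():
        if sec not in st["assoc"].get(prim, set()):
            out.append(f"{name}: host-association {prim} {sec}, but {sec} is not associated with {prim}")
        if st["mode"].get(name) != "host":
            out.append(f"{name}: host-association set but mode is not 'private-vlan host'")
    for name, (prim, secs) in st["prom"].items():
        for s in sorted(secs - st["assoc"].get(prim, set())):
            out.append(f"{name}: mapping {prim} {s}, but {s} is not associated with {prim}")
        if st["mode"].get(name) != "promiscuous":
            out.append(f"{name}: mapping set but mode is not 'private-vlan promiscuous'")
    for vid, secs in st["svi"].items():
        for s in sorted(secs - st["assoc"].get(vid, set())):
            out.append(f"interface Vlan{vid}: maps {s}, but {s} is not associated with {vid}")
    return out
```

Calling audit(SW1_CONFIG) reports the FastEthernet0/7 binding to 1005 and nothing else; with the typo corrected to 1055 the list is empty, and changing the VTP mode back to server produces the VTP warning from Step 1. Feed it the output of "show running-config" from each switch on the trunk, since, as noted above, the bindings are not propagated by VTPv2 and a switch that is missing them will not be caught by looking at its neighbour.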
Now, to verify the configuration, configure the R1-R6 interfaces in subnet 10.0.0.0/24 (Rn is 10.0.0.n; the SW1 and SW2 SVIs are 10.0.0.7 and 10.0.0.8) and ping the broadcast address from each router:
R1#ping 10.0.0.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

Reply to request 0 from 10.0.0.7, 4 ms
Reply to request 0 from 10.0.0.2, 4 ms
Reply to request 0 from 10.0.0.6, 4 ms
Reply to request 0 from 10.0.0.8, 4 ms

R3#ping 10.0.0.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

Reply to request 0 from 10.0.0.7, 4 ms
Reply to request 0 from 10.0.0.4, 4 ms
Reply to request 0 from 10.0.0.6, 4 ms
Reply to request 0 from 10.0.0.8, 4 ms

R5#ping 10.0.0.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

Reply to request 0 from 10.0.0.7, 1 ms
Reply to request 0 from 10.0.0.6, 1 ms

R6#ping 10.0.0.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

Reply to request 0 from 10.0.0.1, 4 ms
Reply to request 0 from 10.0.0.7, 4 ms
Reply to request 0 from 10.0.0.2, 4 ms
Reply to request 0 from 10.0.0.5, 4 ms
Reply to request 0 from 10.0.0.3, 4 ms
Reply to request 0 from 10.0.0.4, 4 ms
Reply to request 0 from 10.0.0.8, 4 ms
The replies match the PVLAN rules: R1 hears only its community partner R2, the promiscuous router R6 and the two SVIs; R3 likewise hears R4, R6 and the SVIs; R5 on the isolated port hears only R6 and the SW1 SVI, because the SW2 SVI is not mapped to VLAN 1055; and R6 on the promiscuous port hears every host and both SVIs. Hosts in different secondary VLANs get no reply from each other even though they share the subnet, which is exactly the isolation the design is meant to provide.
Lastly, there is another feature, called protected port or "Private VLAN edge". The feature is pretty basic and is available even on low-end Cisco switches. It allows isolating ports within the same VLAN. Specifically, all ports in a VLAN marked as protected are prohibited from sending frames to each other (but are still allowed to send frames to other, non-protected, ports within the same VLAN). Usually, ports configured as protected are also configured not to receive flooded unknown-unicast frames (frames whose destination MAC address is not in the switch's MAC table) and multicast frames, for added security. Unlike private VLANs, protected-port isolation is local to the switch: two protected ports on different switches can still reach each other across a trunk.
Example:
interface range FastEthernet 0/1 - 2
 switchport mode access
 switchport protected
 switchport block unicast
 switchport block multicast

More Related Content

What's hot

Spanning tree protocol
Spanning tree protocolSpanning tree protocol
Spanning tree protocol
Muuluu
 
Eigrp
EigrpEigrp
Eigrp
firey
 
Layer 2 switching fundamentals(networking)
Layer 2 switching fundamentals(networking)Layer 2 switching fundamentals(networking)
Layer 2 switching fundamentals(networking)
welcometofacebook
 

What's hot (20)

MikroTik & RouterOS
MikroTik & RouterOSMikroTik & RouterOS
MikroTik & RouterOS
 
Spanning tree protocol
Spanning tree protocolSpanning tree protocol
Spanning tree protocol
 
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication NetworksHITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
HITB Labs: Practical Attacks Against 3G/4G Telecommunication Networks
 
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...
 
Segment Routing Lab
Segment Routing Lab Segment Routing Lab
Segment Routing Lab
 
ccna networking ppt
ccna networking pptccna networking ppt
ccna networking ppt
 
CCNA ppt
CCNA pptCCNA ppt
CCNA ppt
 
MPLS VPN
MPLS VPNMPLS VPN
MPLS VPN
 
Network Address Translation (NAT)
Network Address Translation (NAT)Network Address Translation (NAT)
Network Address Translation (NAT)
 
VXLAN
VXLANVXLAN
VXLAN
 
CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewall
 
VXLAN and FRRouting
VXLAN and FRRoutingVXLAN and FRRouting
VXLAN and FRRouting
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
 
Mikro tik advanced training
Mikro tik advanced trainingMikro tik advanced training
Mikro tik advanced training
 
Winhon Network Solution
Winhon Network SolutionWinhon Network Solution
Winhon Network Solution
 
CCNA PPT
CCNA PPTCCNA PPT
CCNA PPT
 
Eigrp
EigrpEigrp
Eigrp
 
Overview of Spanning Tree Protocol
Overview of Spanning Tree ProtocolOverview of Spanning Tree Protocol
Overview of Spanning Tree Protocol
 
Day 3 ENHANCED IGRP (EIGRP) AND OPEN SHORTEST PATH FIRST (OSPF)
Day 3 ENHANCED IGRP (EIGRP) AND OPEN SHORTEST PATH FIRST (OSPF)Day 3 ENHANCED IGRP (EIGRP) AND OPEN SHORTEST PATH FIRST (OSPF)
Day 3 ENHANCED IGRP (EIGRP) AND OPEN SHORTEST PATH FIRST (OSPF)
 
Layer 2 switching fundamentals(networking)
Layer 2 switching fundamentals(networking)Layer 2 switching fundamentals(networking)
Layer 2 switching fundamentals(networking)
 

Viewers also liked

Cisco Intelligent WAN (IWAN) Solution
Cisco Intelligent WAN (IWAN) SolutionCisco Intelligent WAN (IWAN) Solution
Cisco Intelligent WAN (IWAN) Solution
Cisco Russia
 

Viewers also liked (18)

MTU (maximum transmission unit) & MRU (maximum receive unit)
MTU (maximum transmission unit) & MRU (maximum receive unit)MTU (maximum transmission unit) & MRU (maximum receive unit)
MTU (maximum transmission unit) & MRU (maximum receive unit)
 
MPLS Layer 3 VPN
MPLS Layer 3 VPN MPLS Layer 3 VPN
MPLS Layer 3 VPN
 
Cisco ASR 1001-X Router
Cisco ASR 1001-X RouterCisco ASR 1001-X Router
Cisco ASR 1001-X Router
 
OTV Configuration
OTV ConfigurationOTV Configuration
OTV Configuration
 
DHCP Snooping
DHCP SnoopingDHCP Snooping
DHCP Snooping
 
Avoid DNS lookup when mistyping a command
Avoid DNS lookup when mistyping a commandAvoid DNS lookup when mistyping a command
Avoid DNS lookup when mistyping a command
 
EtherChannel Configuration
EtherChannel ConfigurationEtherChannel Configuration
EtherChannel Configuration
 
Dmvpn with configuration example
Dmvpn with configuration exampleDmvpn with configuration example
Dmvpn with configuration example
 
Radius server,PAP and CHAP Protocols
Radius server,PAP and CHAP ProtocolsRadius server,PAP and CHAP Protocols
Radius server,PAP and CHAP Protocols
 
TCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and SwitchesTCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and Switches
 
Securing management, control & data plane
Securing management, control & data planeSecuring management, control & data plane
Securing management, control & data plane
 
Hot Spot Network Manager
Hot Spot Network ManagerHot Spot Network Manager
Hot Spot Network Manager
 
IWAN Lab Guide
IWAN Lab GuideIWAN Lab Guide
IWAN Lab Guide
 
Cisco Intelligent WAN (IWAN) Solution
Cisco Intelligent WAN (IWAN) SolutionCisco Intelligent WAN (IWAN) Solution
Cisco Intelligent WAN (IWAN) Solution
 
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)
 
Radius Protocol
Radius ProtocolRadius Protocol
Radius Protocol
 
Theory of bending
Theory of bendingTheory of bending
Theory of bending
 
Multicast Routing Protocols
Multicast Routing ProtocolsMulticast Routing Protocols
Multicast Routing Protocols
 

Similar to Private VLANs

Лекц 9
Лекц 9Лекц 9
Лекц 9
Muuluu
 
Lecture_Network Design, InterVlan Routing and Trunking_.pptx
Lecture_Network Design, InterVlan Routing and Trunking_.pptxLecture_Network Design, InterVlan Routing and Trunking_.pptx
Lecture_Network Design, InterVlan Routing and Trunking_.pptx
SaqibAhmedKhan4
 

Similar to Private VLANs (20)

VLAN
VLANVLAN
VLAN
 
Лекц 9
Лекц 9Лекц 9
Лекц 9
 
Lecture_Network Design, InterVlan Routing and Trunking_.pptx
Lecture_Network Design, InterVlan Routing and Trunking_.pptxLecture_Network Design, InterVlan Routing and Trunking_.pptx
Lecture_Network Design, InterVlan Routing and Trunking_.pptx
 
Mod8 vlans
Mod8 vlansMod8 vlans
Mod8 vlans
 
W3-Presentation-VLANs-AMA COMPUTER COLLEGE.pdf
W3-Presentation-VLANs-AMA COMPUTER COLLEGE.pdfW3-Presentation-VLANs-AMA COMPUTER COLLEGE.pdf
W3-Presentation-VLANs-AMA COMPUTER COLLEGE.pdf
 
CCNA- part 9 vlan
CCNA- part 9 vlanCCNA- part 9 vlan
CCNA- part 9 vlan
 
Vlan
VlanVlan
Vlan
 
mod8-VLANs.ppt
mod8-VLANs.pptmod8-VLANs.ppt
mod8-VLANs.ppt
 
Day 14.2 inter vlan
Day 14.2 inter vlanDay 14.2 inter vlan
Day 14.2 inter vlan
 
Vlan.pdf
Vlan.pdfVlan.pdf
Vlan.pdf
 
VLAN Virtual Area Network ,Switch,Ethernet ,VIkram Snehi
VLAN Virtual Area Network ,Switch,Ethernet ,VIkram SnehiVLAN Virtual Area Network ,Switch,Ethernet ,VIkram Snehi
VLAN Virtual Area Network ,Switch,Ethernet ,VIkram Snehi
 
Virtual LAN and Vlan Trunking Protocol.pptx
Virtual LAN and Vlan Trunking Protocol.pptxVirtual LAN and Vlan Trunking Protocol.pptx
Virtual LAN and Vlan Trunking Protocol.pptx
 
VLANs_Module_3.pptx
VLANs_Module_3.pptxVLANs_Module_3.pptx
VLANs_Module_3.pptx
 
vlan
vlanvlan
vlan
 
Vlan and vtp
Vlan and vtpVlan and vtp
Vlan and vtp
 
Vlan and vtp
Vlan and vtpVlan and vtp
Vlan and vtp
 
CCNA_RSE_Chp6.pptx
CCNA_RSE_Chp6.pptxCCNA_RSE_Chp6.pptx
CCNA_RSE_Chp6.pptx
 
LAN Switching and Wireless: Ch3 - Virtual Local Area Networks (VLANs)
LAN Switching and Wireless: Ch3 - Virtual Local Area Networks (VLANs)LAN Switching and Wireless: Ch3 - Virtual Local Area Networks (VLANs)
LAN Switching and Wireless: Ch3 - Virtual Local Area Networks (VLANs)
 
Vlan Types
Vlan TypesVlan Types
Vlan Types
 
Vla ns
Vla nsVla ns
Vla ns
 

More from NetProtocol Xpert

More from NetProtocol Xpert (20)

Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)
 
Common Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationCommon Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & Mitigation
 
Storm-Control
Storm-ControlStorm-Control
Storm-Control
 
IP Source Guard
IP Source Guard IP Source Guard
IP Source Guard
 
Password Recovery
Password RecoveryPassword Recovery
Password Recovery
 
Application & Data Center
Application & Data CenterApplication & Data Center
Application & Data Center
 
Cisco ISR 4351 Router
Cisco ISR 4351 RouterCisco ISR 4351 Router
Cisco ISR 4351 Router
 
Point to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAPPoint to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAP
 
Cisco OTV 
Cisco OTV Cisco OTV 
Cisco OTV 
 
OTV(Overlay Transport Virtualization)
OTV(Overlay  Transport  Virtualization)OTV(Overlay  Transport  Virtualization)
OTV(Overlay Transport Virtualization)
 
Regular expression examples
Regular expression examplesRegular expression examples
Regular expression examples
 
Eigrp is restricted to stub connections
Eigrp is restricted to stub connections Eigrp is restricted to stub connections
Eigrp is restricted to stub connections
 
Converting ipv4 to ipv6 and vice versa
Converting ipv4 to ipv6 and vice versaConverting ipv4 to ipv6 and vice versa
Converting ipv4 to ipv6 and vice versa
 
Password recovery cisco catalyst 3850
Password recovery cisco catalyst 3850Password recovery cisco catalyst 3850
Password recovery cisco catalyst 3850
 
Cisco 2960x switch password recovery
Cisco 2960x switch password recoveryCisco 2960x switch password recovery
Cisco 2960x switch password recovery
 
VMware ESXi 6.0 Installation Process
VMware ESXi 6.0 Installation ProcessVMware ESXi 6.0 Installation Process
VMware ESXi 6.0 Installation Process
 
EIGRP (Enhanced Interior Gateway Routing Protocol)
EIGRP (Enhanced Interior Gateway Routing Protocol)EIGRP (Enhanced Interior Gateway Routing Protocol)
EIGRP (Enhanced Interior Gateway Routing Protocol)
 
OSPF External Route Summarization
OSPF External Route Summarization OSPF External Route Summarization
OSPF External Route Summarization
 
OSPF Internal Route Summarization
OSPF Internal Route SummarizationOSPF Internal Route Summarization
OSPF Internal Route Summarization
 
Redistribution into OSPF
Redistribution into OSPFRedistribution into OSPF
Redistribution into OSPF
 

Recently uploaded

Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoorTop Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
dharasingh5698
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
dollysharma2066
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
ankushspencer015
 
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak HamilCara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Kandungan 087776558899
 
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ssuser89054b
 

Recently uploaded (20)

Unit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfUnit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdf
 
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
 
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced LoadsFEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
 
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoorTop Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
Work-Permit-Receiver-in-Saudi-Aramco.pptx
Work-Permit-Receiver-in-Saudi-Aramco.pptxWork-Permit-Receiver-in-Saudi-Aramco.pptx
Work-Permit-Receiver-in-Saudi-Aramco.pptx
 
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For ...Bhosari ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
 
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak HamilCara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
chapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringchapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineering
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
 
Intro To Electric Vehicles PDF Notes.pdf
Intro To Electric Vehicles PDF Notes.pdfIntro To Electric Vehicles PDF Notes.pdf
Intro To Electric Vehicles PDF Notes.pdf
 

Private VLANs

Slide 5
• In order to implement sub-VLAN behaviour, we need to define how packets are forwarded between the different types of ports. We group the VLANs into “Primary” and “Secondary”.
• Primary VLAN (VLAN 1000 in our example). This VLAN is used to forward frames downstream from “P”-ports to all other port types (“I” and “C” ports) in the system. Essentially, the Primary VLAN embraces all ports in the domain, but only transports frames from the router to the hosts (from “P” to “I” and “C”).
• Secondary Isolated VLAN: forwards frames from “I” ports to “P” ports. Since Isolated ports do not exchange frames with each other, we can use just ONE isolated VLAN to connect all I-ports to the P-port.
• Secondary Community VLANs: transport frames between community ports (C-ports) within the same group (community) and forward frames upstream to the P-ports of the primary VLAN.
Slide 6: How Private VLANs Work
Here are the key aspects of Private VLAN functioning:
• The Primary VLAN delivers frames downstream from the router (promiscuous port) to all mapped hosts.
• The Isolated VLAN transports frames from the stub hosts upstream to the router.
• The Community VLANs allow bi-directional frame exchange within a single group, in addition to forwarding frames upstream towards “P”-ports.
• Ethernet MAC address learning and forwarding procedures remain the same, as does the broadcast/multicast flooding procedure within the boundaries of the primary/secondary VLANs.
Slide 7
• Private VLANs can be trunked. The secondary VLAN numbers are used to tag frames, just as with regular VLANs, and the primary VLAN traffic is trunked as well.
• However, you need to configure the Private VLAN specific settings (bindings, mappings) on every participating switch, as it is not possible to use VTPv2 to disseminate that information.
• This is due to the fact that VTPv2 has no TLVs to carry private VLAN information. VTPv3 was designed to overcome this limitation, among others.
Slide 8: Configuring Private VLANs
We have primary VLAN 1000, Isolated VLAN 1055 (R5), Community VLAN 1012 (R1, R2) and Community VLAN 1034 (R3, R4).
Step 1:
• First, disable VTP, i.e. enable VTP transparent mode. After disabling VTP, create the Primary and Secondary VLANs and bind them into a PVLAN domain:
• SW1:
    vtp mode transparent
    !
    ! Creating primary VLAN, which is shared among the secondaries
    !
    vlan 1000
     private-vlan primary
Slide 9
    !
    ! Community VLAN for R1 and R2: allows a “sub-VLAN” within a Primary VLAN
    !
    vlan 1012
     private-vlan community
    !
    ! Community VLAN for R3 and R4
    !
    vlan 1034
     private-vlan community
    !
    ! Isolated VLAN: connects all stub hosts to the router.
    ! Remember - only one isolated VLAN per primary VLAN.
    ! In our case, isolates R5 only.
    !
    vlan 1055
     private-vlan isolated
    !
    ! Associating the primary with the secondaries
    !
    vlan 1000
     private-vlan association 1012,1034,1055
This step is needed to group the PVLANs into a shared domain and establish a formal association (for syntax checking and VLAN type verification). Repeat the same operations on SW2, since VTP has been disabled.
Slide 10
Step 2:
• Configure host ports and bind them to the respective isolated PVLANs. Note that a host port belongs to different VLANs at the same time: the downstream primary and the upstream secondary. Also, enable trunking between the switches, to allow private VLAN traffic to pass between them.
• SW1:
    !
    ! Community port (links R1 to R2 and “P”-ports)
    !
    interface FastEthernet0/1
     description == R1
     switchport private-vlan host-association 1000 1012
     switchport mode private-vlan host
     spanning-tree portfast
    !
    ! Community port (links R3 to R4 and “P”-ports)
    !
    interface FastEthernet0/3
     description == R3
     switchport private-vlan host-association 1000 1034
     switchport mode private-vlan host
     spanning-tree portfast
    !
    ! Isolated port (uses isolated VLAN to talk to “P”-ports)
    !
    interface FastEthernet0/5
     description == R5
     switchport private-vlan host-association 1000 1055
     switchport mode private-vlan host
     spanning-tree portfast
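Because VTPv2 cannot carry the PVLAN definitions (slide 7), the vlan stanzas from Step 1 and the host-association commands from Step 2 have to agree on every switch by hand. The following Python script is an added example, not part of the presentation: it parses IOS-style `vlan` and `interface` stanzas and reports the mismatches a switch would reject or that break the design; `SW1_BROKEN` is a constructed config in which Fa0/5 is bound to secondary 1055 although 1055 was never associated with the primary.

```python
import re

def parse_pvlan(config: str) -> dict:
    """Collect PVLAN state from IOS-style config text: VLAN types, primary -> secondaries
    associations, and (interface, primary, secondary) host associations."""
    st = {"types": {}, "assoc": {}, "hosts": []}
    cur = None                          # the open 'vlan N' or 'interface X' stanza
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            cur = int(m[1])
        elif m := re.fullmatch(r"interface (\S+)", line):
            cur = m[1]
        elif m := re.fullmatch(r"private-vlan (primary|community|isolated)", line):
            st["types"][cur] = m[1]
        elif m := re.fullmatch(r"private-vlan association ([\d,]+)", line):
            st["assoc"][cur] = {int(v) for v in m[1].split(",")}
        elif m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line):
            st["hosts"].append((cur, int(m[1]), int(m[2])))
    return st

def audit(st: dict) -> list:
    """Findings that break the PVLAN domain; an empty list means it is consistent."""
    out = []
    for prim, secs in st["assoc"].items():
        if sum(st["types"].get(s) == "isolated" for s in secs) > 1:
            out.append(f"vlan {prim}: more than one isolated VLAN associated")
        out += [f"vlan {s}: associated with {prim} but not a community/isolated VLAN"
                for s in sorted(secs) if st["types"].get(s) not in ("community", "isolated")]
    for iface, prim, sec in st["hosts"]:
        if sec not in st["assoc"].get(prim, set()):
            out.append(f"{iface}: host-association {prim} {sec} has no matching association")
    return out

# Constructed sample: SW1 as on this page, but 1055 was left out of the association
SW1_BROKEN = """
vlan 1000
 private-vlan primary
vlan 1012
 private-vlan community
vlan 1055
 private-vlan isolated
vlan 1000
 private-vlan association 1012
interface FastEthernet0/5
 switchport private-vlan host-association 1000 1055
 switchport mode private-vlan host
"""

if __name__ == "__main__":
    print("\n".join(audit(parse_pvlan(SW1_BROKEN))) or "PVLAN configuration consistent")
```

Run it against `show running-config` output from each switch; a switch whose report differs from its neighbours is the one whose PVLAN stanzas were not replicated.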
Slide 11
    !
    ! Trunk port
    !
    interface FastEthernet 0/13
     switchport trunk encapsulation dot1q
     switchport mode trunk
• SW2:
    interface FastEthernet0/2
     description == R2
     switchport private-vlan host-association 1000 1012
     switchport mode private-vlan host
     spanning-tree portfast
    !
    interface FastEthernet0/4
     description == R4
     switchport private-vlan host-association 1000 1034
     switchport mode private-vlan host
     spanning-tree portfast
    !
    ! Trunk port
    !
    interface FastEthernet 0/13
     switchport trunk encapsulation dot1q
     switchport mode trunk
Slide 12
Next, verify the configuration on SW1:
    SW1#show vlan id 1012

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1012 VLAN1012                         active    Fa0/13

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1012 enet  101012     1500  -      -      -        -    -        0      0

    Remote SPAN VLAN
    ----------------
    Disabled

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------
    1000    1012      community         Fa0/1
Slide 13
    SW1#show vlan id 1034

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1034 VLAN1034                         active    Fa0/13

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1034 enet  101034     1500  -      -      -        -    -        0      0

    Remote SPAN VLAN
    ----------------
    Disabled

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------
    1000    1034      community         Fa0/3
Slide 14
    SW1#show vlan id 1055

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1055 VLAN1055                         active    Fa0/13

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1055 enet  101055     1500  -      -      -        -    -        0      0

    Remote SPAN VLAN
    ----------------
    Disabled

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------
    1000    1055      isolated          Fa0/5
Slide 15
    SW1#show interfaces fastEthernet 0/13 trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/13      desirable    802.1q         trunking      1

    Port        Vlans allowed on trunk
    Fa0/13      1-4094

    Port        Vlans allowed and active in management domain
    Fa0/13      1,1000,1012,1034,1055

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/13      1,1000,1012,1034,1055
Slide 16
Verify on SW2:
    SW2#show vlan id 1000

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1000 VLAN1000                         active    Fa0/13

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1000 enet  101000     1500  -      -      -        -    -        0      0

    Remote SPAN VLAN
    ----------------
    Disabled

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------
    1000    1012      community         Fa0/2, Fa0/6
    1000    1034      community         Fa0/4, Fa0/6
    1000    1055      isolated          Fa0/6
Slide 17
    SW2#show vlan id 1012

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1012 VLAN1012                         active    Fa0/13

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1012 enet  101012     1500  -      -      -        -    -        0      0

    Remote SPAN VLAN
    ----------------
    Disabled

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------
    1000    1012      community         Fa0/2, Fa0/6
Slide 18
    SW2#show vlan id 1034

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1034 VLAN1034                         active    Fa0/13

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1034 enet  101034     1500  -      -      -        -    -        0      0

    Remote SPAN VLAN
    ----------------
    Disabled

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------
    1000    1034      community         Fa0/4, Fa0/6
Slide 19
    SW2#show vlan id 1055

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1055 VLAN1055                         active    Fa0/13

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1055 enet  101055     1500  -      -      -        -    -        0      0

    Remote SPAN VLAN
    ----------------
    Disabled

    Primary Secondary Type              Ports
    ------- --------- ----------------- ------------------------------------------
    1000    1055      isolated          Fa0/6
Slide 20
    SW2#show interface fastEthernet 0/13 trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/13      desirable    802.1q         trunking      1

    Port        Vlans allowed on trunk
    Fa0/13      1-4094

    Port        Vlans allowed and active in management domain
    Fa0/13      1,1000,1012,1034,1055

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/13      1,1000,1012,1034,1055
Slide 21
Step 3: Create a promiscuous port and configure downstream mappings. Here we add the secondary VLANs for which traffic is received by this particular “P”-port. The Primary VLAN is used to send traffic downstream to all “C” and “I” ports per their associations.
• SW2:
    !
    ! Promiscuous port, mapped to all secondary VLANs
    !
    interface FastEthernet0/6
     description == R6
     switchport private-vlan mapping 1000 1012,1034,1055
     switchport mode private-vlan promiscuous
     spanning-tree portfast
Slide 22
Verify the promiscuous port configuration:
    SW2#show int fa 0/6 switch | beg private
    Administrative Mode: private-vlan promiscuous
    Operational Mode: private-vlan promiscuous
    Administrative Trunking Encapsulation: negotiate
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: Off
    Access Mode VLAN: 1 (default)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: none
    Administrative private-vlan host-association: none
    Administrative private-vlan mapping: 1000 (VLAN1000) 1012 (VLAN1012) 1034 (VLAN1034) 1055 (VLAN1055)
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk Native VLAN tagging: enabled
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk private VLANs: none
    Operational private-vlan:
      1000 (VLAN1000) 1012 (VLAN1012) 1034 (VLAN1034) 1055 (VLAN1055)
Slide 23
If you need to configure an SVI on a switch to communicate with private VLAN members, you should add an interface corresponding to the Primary VLAN only. Obviously that is because all secondary VLANs are “subordinates” of the primary. After the SVI has been created, you have to map the required secondary VLANs to the SVI (just like with a promiscuous port) in order to make communication possible. You may exclude some mappings from the SVI interface, and limit it to communicating only with certain secondary VLANs.
• SW1:
    !
    ! SW1 SVI is mapped to all secondary VLANs
    !
    interface Vlan1000
     ip address 10.0.0.7 255.255.255.0
     private-vlan mapping 1012,1034,1055
• SW2:
    !
    ! SW2 SVI is mapped to 1012/1034 only, so it can't communicate with R5
    !
    interface Vlan1000
     ip address 10.0.0.8 255.255.255.0
     private-vlan mapping 1012,1034
Slide 24
Now, to verify the configuration, configure the R1-R6 interfaces in subnet “10.0.0.0/24” and ping the broadcast address.
    R1#ping 10.0.0.255 repeat 1
    Type escape sequence to abort.
    Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

    Reply to request 0 from 10.0.0.7, 4 ms
    Reply to request 0 from 10.0.0.2, 4 ms
    Reply to request 0 from 10.0.0.6, 4 ms
    Reply to request 0 from 10.0.0.8, 4 ms

    R3#ping 10.0.0.255 repeat 1
    Type escape sequence to abort.
    Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

    Reply to request 0 from 10.0.0.7, 4 ms
    Reply to request 0 from 10.0.0.4, 4 ms
    Reply to request 0 from 10.0.0.6, 4 ms
    Reply to request 0 from 10.0.0.8, 4 ms
Slide 25
    R5#ping 10.0.0.255 repeat 1
    Type escape sequence to abort.
    Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

    Reply to request 0 from 10.0.0.7, 1 ms
    Reply to request 0 from 10.0.0.6, 1 ms

    R6#ping 10.0.0.255 repeat 1
    Type escape sequence to abort.
    Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

    Reply to request 0 from 10.0.0.1, 4 ms
    Reply to request 0 from 10.0.0.7, 4 ms
    Reply to request 0 from 10.0.0.2, 4 ms
    Reply to request 0 from 10.0.0.5, 4 ms
    Reply to request 0 from 10.0.0.3, 4 ms
    Reply to request 0 from 10.0.0.4, 4 ms
    Reply to request 0 from 10.0.0.8, 4 ms
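The reply sets in these pings follow directly from the forwarding rules on slides 5 and 6 combined with the port roles, the R6 mapping and the two SVI mappings. The Python model below is an added example, not part of the presentation: it encodes those rules and reproduces which addresses answer each broadcast ping. The addressing R1..R6 = 10.0.0.1..10.0.0.6 is read from the ping output, and treating a promiscuous port's mapping as governing traffic in both directions is a modelling assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Member:
    """A PVLAN member: a host port, or a promiscuous port / SVI (both behave the same)."""
    ip: str                 # address used in the lab's broadcast pings
    kind: str               # "community", "isolated" or "promiscuous"
    primary: int            # primary VLAN, 1000 throughout this lab
    secondaries: frozenset  # host port: its one secondary; P-port/SVI: its mapping list

def can_reach(src: Member, dst: Member) -> bool:
    """True if a frame sent by src is delivered to dst under the PVLAN rules."""
    if src is dst or src.primary != dst.primary:
        return False
    if src.kind == "promiscuous" and dst.kind == "promiscuous":
        return True                     # both sit in the primary VLAN itself
    if "promiscuous" in (src.kind, dst.kind):
        # downstream (primary VLAN) and upstream (secondary VLAN) traffic is modelled
        # as flowing only between a host and the P-ports that map the host's secondary
        return bool(src.secondaries & dst.secondaries)
    # host to host: only community members of the same community VLAN; isolated never
    return src.kind == dst.kind == "community" and src.secondaries == dst.secondaries

# Roles and mappings from the page's configuration; R_n = 10.0.0.n inferred from the pings
LAB = {
    "R1": Member("10.0.0.1", "community", 1000, frozenset({1012})),
    "R2": Member("10.0.0.2", "community", 1000, frozenset({1012})),
    "R3": Member("10.0.0.3", "community", 1000, frozenset({1034})),
    "R4": Member("10.0.0.4", "community", 1000, frozenset({1034})),
    "R5": Member("10.0.0.5", "isolated", 1000, frozenset({1055})),
    "R6": Member("10.0.0.6", "promiscuous", 1000, frozenset({1012, 1034, 1055})),
    "SW1-SVI": Member("10.0.0.7", "promiscuous", 1000, frozenset({1012, 1034, 1055})),
    "SW2-SVI": Member("10.0.0.8", "promiscuous", 1000, frozenset({1012, 1034})),
}

def broadcast_replies(name: str) -> list:
    """Addresses that answer a 10.0.0.255 ping from `name`: the request must reach
    the member and its unicast reply must be able to travel back."""
    src = LAB[name]
    return sorted(m.ip for m in LAB.values() if can_reach(src, m) and can_reach(m, src))

if __name__ == "__main__":
    for host in ("R1", "R3", "R5", "R6"):
        print(host, "->", ", ".join(broadcast_replies(host)))
```

Changing the SW2-SVI mapping to include 1055 makes 10.0.0.8 appear in R5's reply list, which is exactly the behaviour slide 23 describes for an SVI mapping.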
Slide 26
Lastly, there is another feature, called protected port or “Private VLAN edge”. The feature is pretty basic and is available even on low-end Cisco switches. It allows isolating ports in the same VLAN. Specifically, all ports in a VLAN marked as protected are prohibited from sending frames to each other (but are still allowed to send frames to other, non-protected, ports within the same VLAN). Usually, ports configured as protected are also configured not to receive unknown unicast (frames with a destination MAC address not in the switch's MAC table) and multicast flooding, for added security. Example:
    interface range FastEthernet 0/1 - 2
     switchport mode access
     switchport protected
     switchport block unicast
     switchport block multicast