By default,
our traffic is allowed to move unrestricted within a VLAN. One host sends packets
to another host and it's heard only by the destination host this is the beauty
of layer 2 switching. However, if one host sends the broadcast packet, all the
remaining hosts on that VLAN listen to that broadcast and reply as per the
broadcast. We can solve this if the host is connected to a local switch with VACL or
configured with more VLAN but it would be nice to have the capability to segment
traffic within a single VLAN, without having to use multiple VLANs. The solution
is Private VLAN.
Let’s understand
private VLAN with an example.
All the devices are on a single subnet and in a single VLAN 100. All
the devices can communicate but we don’t want all devices to communicate. As per
the requirement, we need server 1, and server 2 should be able to share and communicate
with each other and gateway but not communicate with server 3. Server 3 can
only communicate with the gateway and be Isolated. This can be done with Private
VLANs.
The private VLAN always has one primary VLAN. Within
the primary VLAN, you will find the promiscuous port. In my picture above you
can see that there’s a router connected to a promiscuous port. All other
ports are able to communicate with the promiscuous port. Within the primary
VLAN, you will encounter one or more secondary VLANs, there are two types:
Community VLAN: In
this VLAN all the ports can communicate with each other and also the promiscuous
port but not with other communities.
Isolated VLAN: In
this VLAN all the ports are isolated means cannot communicate with each other
or any community VLAN but they can communicate with the promiscuous port.
let's see the configuration: -
Topology:
- configure the topology as per the diagram
- assign the IP addresses 192.168.1.0/24 subnet for all the ports
- configure fa0/0 default gateway 192.168.1.1 on the router
- configure primary VLAN 100
- configure gig 0/0 promiscuous port
- configure Community VLAN 101 assign port r gig 0/1
- configure Community VLAN 102 assigns port gig 0/2
- configure Isolated VLAN 103 assigns port gig 0/3
- verify with show commands
Switch-1-(config)#vtp mode transparent
Device mode already VTP Transparent for VLANS.
Switch-1-(config)#VLAN 100
Switch-1-(config-vlan)#private-vlan primary
Switch-1-(config-vlan)#exit
Switch-1-(config)#VLAN 101
Switch-1-(config-vlan)#name first_community
Switch-1-(config-vlan)#private-vlan community
Switch-1-(config-vlan)#exit
Switch-1-(config)#VLAN 102
Switch-1-(config-vlan)#name second_community
Switch-1-(config-vlan)#private-vlan community
Switch-1-(config-vlan)#exit
Switch-1-(config)#VLAN 103
Switch-1-(config-vlan)#name isolate_community
Switch-1-(config-vlan)#private-vlan isolated
Switch-1-(config-vlan)#exit
Switch-1-(config)#vlan 100
Switch-1-(config-vlan)#private-vlan association 101,102,103
Switch-1-(config-vlan)#exit
Switch-1-(config)#interface gigabitEthernet 0/1
Switch-1-(config-if)#description this is a first-community-port
Switch-1-(config-if)#switchport private-vlan host-association 100 101
Switch-1-(config-if)#switchport mode private-vlan host
Switch-1-(config-if)#exit
Switch-1-(config)#interface gigabitEthernet 0/2
Switch-1-(config-if)#description this is a second-community-port
Switch-1-(config-if)#switchport private-vlan host-association 100 102
Switch-1-(config-if)#switchport mode private-vlan host
Switch-1-(config-if)#exit
Switch-1-(config)#interface gigabitEthernet 0/3
Switch-1-(config-if)#description this is a isolate-community-port
Switch-1-(config-if)#switchport private-vlan host-association 100 103
Switch-1-(config-if)#switchport mode private-vlan host
Switch-1-(config-if)#exit
switch-1-(config)#interface gigabitEthernet 0/0
switch-1-(config-if)#description this is a prom-port
switch-1-(config-if)#switchport private-vlan mapping 100 101,102,103
switch-1-(config-if)#switchport mode private-vlan promiscuous
switch-1-(config-if)#exit
switch-1-#show interfaces gigabitEthernet 0/0 switch
Name: Gi0/0
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: private-vlan promiscuous
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 100 (VLAN100) 101 (first_community) 102 (second_community) 103 (isolate_community)
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Appliance trust: none
switch-1-#show interfaces gigabitEthernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 100 (VLAN100) 101 (first_community)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Appliance trust: none
switch-1-#show interfaces gigabitEthernet 0/2 switchport
Name: Gi0/2
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 100 (VLAN100) 102 (second_community)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Appliance trust: none
switch-1-#show interfaces gigabitEthernet 0/3 switchport
Name: Gi0/3
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 100 (VLAN100) 103 (isolate_community)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Appliance trust: none
switch-1-#show vlan private-vlan type
Vlan Type
---- -----------------
100 normal
101 normal
102 normal
103 normal
switch-1-#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0, Gi1/1, Gi1/2, Gi1/3
Gi2/0, Gi2/1, Gi2/2, Gi2/3
Gi3/0, Gi3/1, Gi3/2, Gi3/3
100 VLAN100 active
101 first_community active
102 second_community active
103 isolate_community active
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 101 non-operational Gi0/0, Gi0/1
100 102 non-operational Gi0/0, Gi0/2
100 103 non-operational Gi0/0, Gi0/3
(In the type field you see non-operational, this is because I do not have an upgraded switch. you will see community, isolated, and pro port in the upgraded switch)
