Home » Layer-2 Switching » Private VLANs

Private VLANs

Using Private VLANs provides a very elegant solution to two of the most challenging problems in an ISP based switched network

1. Using Private Vlans can delay the VLAN exhaustion when you are almost out of the entire VLAN space. This can possibly happen when you are an ISP and you assign one VLAN per customer; the maximum VLAN you can assign will go up to  probably – 4096. Using Private VLANs  functionality will resolve this scalability issue.

2. Again if you are an ISP, you need to assign an IP block per VLAN to enable IP routing for each customer, this can result in a large number of wastage of the IP space. Using Private VLANs you will no longer have to use an IP block per VLAN for enabling routing. With Private VLANs, you can have a single IP subnet for multiple VLANs and still maintain a fair amount of seperation between each vlan.

Components:
Private VLANs Introduce the concept  of the Primary VLAN and Secondary VLAN, where a Primary VLAN can hold multiple Secondary VLANs and Secondary VLANs can be defined as either Isolated or Community VLANs

1. Isolated VLANs – These VLANs cannot talk to any other port except the Primary VLAN at Layer-2
2. Community VLANs – These VLANs can talk to members which are in the same community VLAN and they can also talk to Primary VLAN at Layer-2.

Types of Ports in Private VLANs:
Private VLANs Ports are access ports which can fall into one of these categories (below)

1. Promiscuous Ports:     Ports which can talk to any other port
2. Isolated Ports:        Ports which can only talk to Promiscuous Port
3. Community Ports:     Ports which can talk to other community Ports and the Promiscuous Port

Primary VLAN
Primary VLAN carries traffic from Promiscuous ports to isolated and community VLAN host ports. It also carries the traffic to other Promiscuous ports. A private VLAN can have only primary VLAN, and every port in private VLAN has to be a member of one Primary VLAN.

Isolated VLAN
Ports in isolated VLAN can be member of only that isolated VLAN and a member of one Primary VLAN. Port in one Isolated VLAN cannot talk directly to any other port in the same Isolated VLAN. They also cannot talk directly to ports in any other isolated VLANs. ( by talking – i mean only communicating at Layer-2)

Community VLAN
Ports in Community VLAN can talk to other ports in the same Community VLAN, and they also need to be a member of one Primary VLAN.( by talking – i mean only communicating at Layer-2)

Promiscuous Ports
Promiscuous Ports can serve only one Primary VLAN, one Isolated VLAN and multiple Community VLANs. They are typically connected to Layer-3 gateways. The end devices only need to communicate with the default gateway to talk to devices outside their Private VLAN.

Note: Private VLANs can be extended out to other switches over the trunk links by trunking the primary, isolated and community VLANs.

IP Addressing
All the members of the Private VLAN can share a common IP Space where the IP space is assigned to the Primary VLAN. The hosts connected to isolated or community ports can have the addresses assigned from the address space of the Primary VLAN.

Few Things To Make Note of:
1: VTP has to be set to transparent mode in order for Private VLANs to work, Since they do not understand the concept of Private VLANs.
2: SVIs (Switches Virtual Interfaces) can only work as Primary VLANs, they cannot be configured as Secondary VLANs.
3: You need to manually configure the Private Vlans on all the switches since VTP does not support Private Vlans, also you need to manually make the Primary-Secondary VLAN mapping.
4: When configuring the Private Vlans always use the default Switch Database Management (SDM) template
Command to go under Global Configuration Mode:  #sdm prefer default
5. You cannot configure Vlan 1, 1002-1005 as primary or secondary vlans.
6. Private vlans cannot be configured in vlan database mode, only global vlan configuration mode supports private VLAN configuration.

STP and Private VLANs
Only one STP instance runs for the entire private VLAN and it runs on the Primary VLAN. The Secondary VLANs get the STP parameters from the STP instance of the Primary VLAN they belong to.

Sticky ARP
Sticky address resolution protocol (ARP) is enabled by default when you configure Private VLANs. The ARP entries learnt on Layer-3 private VLAN interfaces are sticky ARP entries and they do not get aged out. This means if you connect a device with same IP address but different MAC address then the ARP entry has to be manually removed as it does not age out. You have to remove private VLAN port ARP entries if the MAC address of the device changes.
Command to remove the ARP manually:  # no arp <ip address> under global config mode
You can also add manual ARP entry under global global config mode using command:
# arp <ip-address> <mac-address> type

Steps to Configure Private VLAN

1. Set VTP mode to transparent
2. Create Primary and Secondary VLANs
3.  Map secondary VLANs to Primary VLANs
3. Configure ports in Secondary VLANs and assign VLAN memberships
4. Configure Promiscuous ports and map them to primary-secondary VLAN pairs

SAMPLE CONFIG:
In the below  example we will use the following configuration of Private vlans
2 Primary Vlans:  ( 100 , 101)
Vlan #  100  will have IP Subnet: 192.168.100.0/24
Vlan #  101 will have IP Subnet: 192.168.101.0/24
2 Isolated Vlans: 201, 202
1 Community Vlan: 301


SW1 SW2
Set VTP mode Transparent SW1(config)#vtp mode transparent SW2(config)#vtp mode transparent
Define Primary Vlans SW1(config)#vlan 100
SW1(config-vlan)#private-vlan primary 

SW1(config-vlan)#vlan 101
SW1(config-vlan)#private-vlan primary

SW2(config)#vlan 100
SW2(config-vlan)#private-vlan primary 

SW2(config-vlan)#vlan 101
SW2(config-vlan)#private-vlan primary

Define Community Vlans SW1(config)#vlan 301
SW1(config-vlan)#private-vlan community
SW2(config)#vlan 301
SW2(config-vlan)#private-vlan community
Define Isolated Vlans SW1(config-vlan)#vlan 201
SW1(config-vlan)#private-vlan isolated 

SW1(config-vlan)#vlan 202
SW1(config-vlan)#private-vlan isolated

SW2(config-vlan)#vlan 201
SW2(config-vlan)#private isolated
SW2(config-vlan)#vlan 202
SW2(config-vlan)#private isolated
Associate Secondary Vlans to Primary Vlans SW1(config-vlan)#vlan 100
SW1(config-vlan)#private-vlan association 201,301 

SW1(config-vlan)#vlan 101
SW1(config-vlan)#private-vlan association 202

SW2(config)#vlan 100
SW2(config-vlan)#private association 201,301 

SW2(config-vlan)#vlan 101
SW2(config-vlan)#private association 202

Configure Host Ports For Community Vlans SW1(config)#int gi 0/43
SW1(config-if)#switchport private-vlan host-association 100 301
SW1(config-if)#switchport mode private-vlan host
SW2(config)#int gi 0/43
SW2(config-if)#switchport private-vlan host-association 100 301
SW2(config-if)#switchport mode private-vlan host
Configure Host Ports For Isolated Vlans interface GigabitEthernet0/44
switchport private-vlan host-association 100 201
switchport mode private-vlan host
interface GigabitEthernet0/44
switchport private-vlan host-association 101 202
switchport mode private-vlan host
Configure Promiscucous Ports (Ports connecting to the Router) interface GigabitEthernet0/47
switchport private-vlan mapping 100 101,301
switchport mode private-vlan promiscuous
interface GigabitEthernet0/47
switchport private-vlan mapping 101 202
switchport mode private-vlan promiscuous

More:
Configurations on  router

interface GigabitEthernet0/0
description SW1
ip address 192.168.100.1 255.255.255.0

interface GigabitEthernet0/1
description SW2
ip address 192.168.101.1 255.255.255.0

 



Incoming search terms for the article:

Leave a Reply