A Private VLAN Primer


Hi CCNA Security Gang,

Since VIRL now supports private vlans, let’s do a private vlan post, since the topic seems to confuse a lot of people.

Here is the topology I’m working with today.

[Topology diagram: R01 to R05 and R254 connected to SW01]

R01 & R02 will be a community, R03 and R04 will be a different community, R05 will be isolated, and R254 will be promiscuous so everyone can talk to it.

Private VLANs are a way of dividing a vlan up into sub-vlans which can then be used to restrict communication between hosts. This is handy if you don’t want a particular server in the server vlan to be able to directly talk to another server in the same vlan or for multi-tenant situations where a host might belong to a different company.

There are 3 main types of private vlans:

  • Community – Hosts in a community vlan can talk to each other or promiscuous ports, but not to other communities or isolated ports.
  • Isolated – Hosts in the isolated vlan can only talk to the promiscuous port.
  • Promiscuous – Can talk to everything.

There is also the primary vlan which is the main regular vlan we are working with.

Setup

The Routers

The routers will just have basic IP connectivity for now; each will be part of the 10.0.200.0/24 subnet.

R01

R01(config)#interface GigabitEthernet0/1
R01(config-if)# description to SW01
R01(config-if)# ip address 10.0.200.1 255.255.255.0

R02

R02(config)#interface GigabitEthernet0/1
R02(config-if)# description to SW01
R02(config-if)# ip address 10.0.200.2 255.255.255.0

R03

R03(config)#interface GigabitEthernet0/1
R03(config-if)# description to SW01
R03(config-if)# ip address 10.0.200.3 255.255.255.0

R04

R04(config)#interface GigabitEthernet0/1
R04(config-if)# description to SW01
R04(config-if)# ip address 10.0.200.4 255.255.255.0

R05

R05(config)#interface GigabitEthernet0/1
R05(config-if)# description to SW01
R05(config-if)# ip address 10.0.200.5 255.255.255.0

R254

R254(config)#interface GigabitEthernet0/1
R254(config-if)# description to SW01
R254(config-if)# ip address 10.0.200.254 255.255.255.0

Private Vlans

To configure a private vlan on a switch you need to either set VTP to transparent mode or use VTP version 3. We’ll do VTPv3, since VTPv3 is the bee’s knees.

SW01(config)#vtp domain MEOWCAT
Changing VTP domain name from virl.lab to MEOWCAT
SW01(config)#
*May 23 01:49:47.616: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to MEOWCAT.
SW01(config)#vtp version 3
SW01(config)#vtp mode server
Setting device to VTP Server mode for VLANS.
SW01(config)#do vtp primary force
This system is becoming primary server for feature vlan
SW01(config)#
*May 23 01:50:05.913: %SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: fa16.3ed9.8000 has become the primary server for the VLAN VTP feature

We’ll use VLAN 2001 as the first community.

SW01(config)#vlan 2001
SW01(config-vlan)#name PVLAN_COMMUNITY_1
SW01(config-vlan)#private-vlan community

We’ll use VLAN 2002 as the second community.

SW01(config-vlan)#vlan 2002
SW01(config-vlan)#name PVLAN_COMMUNITY_2
SW01(config-vlan)#private-vlan community

We’ll use VLAN 2003 as the isolated vlan. On most platforms you can only set up one isolated vlan per primary vlan, since there is no benefit to having multiple ones: isolated hosts can’t talk to each other anyway.

SW01(config-vlan)#vlan 2003
SW01(config-vlan)#name PVLAN_ISOLATED
SW01(config-vlan)#private-vlan isolated

Once the private vlans are configured we make the primary vlan and associate them to it.

SW01(config-vlan)#vlan 200
SW01(config-vlan)#name SERVERS
SW01(config-vlan)#private-vlan association 2001-2003
SW01(config-vlan)#private-vlan primary

Then we’ll go ahead and do the port assignments.

SW01(config)#int ra g0/1-2
SW01(config-if-range)#switchport mode private-vlan host
SW01(config-if-range)#switchport private-vlan host-association 200 2001

SW01(config)#int ra g0/3,g1/0
SW01(config-if-range)#switchport mode private-vlan host
SW01(config-if-range)#switchport private-vlan host-association 200 2002

SW01(config-if-range)#int g1/1
SW01(config-if)#switchport mode private-vlan host
SW01(config-if)#switchport private-vlan host-association 200 2003

SW01(config-if)#int g1/2
SW01(config-if)#switchport mode private-vlan promiscuous
SW01(config-if)#switchport private-vlan mapping 200 2001-2003

We can also make a promiscuous SVI on the primary vlan that everything can talk to.

SW01(config)#interface Vlan200
SW01(config-if)# ip address 10.0.200.253 255.255.255.0
SW01(config-if)# private-vlan mapping 2001-2003

When we are done we can see the following:

SW01(config)#do sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
200     2001      community         Gi0/1, Gi0/2, Gi1/2
200     2002      community         Gi0/3, Gi1/0, Gi1/2
200     2003      isolated          Gi1/1, Gi1/2

Results

Community 1

Community 1 lets R01 and R02 talk to each other as well as the promiscuous ports.

R01#ping 255.255.255.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:

Reply to request 0 from 10.0.200.2, 32 ms
Reply to request 0 from 10.0.200.253, 54 ms
Reply to request 0 from 10.0.200.254, 32 ms

R02#ping 255.255.255.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:

Reply to request 0 from 10.0.200.1, 103 ms
Reply to request 0 from 10.0.200.253, 167 ms
Reply to request 0 from 10.0.200.254, 116 ms

Community 2

Community 2 lets R03 and R04 talk to each other as well as the promiscuous ports.

R03#ping 255.255.255.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:

Reply to request 0 from 10.0.200.4, 137 ms
Reply to request 0 from 10.0.200.253, 193 ms
Reply to request 0 from 10.0.200.254, 153 ms

R04#ping 255.255.255.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:

Reply to request 0 from 10.0.200.3, 88 ms
Reply to request 0 from 10.0.200.253, 171 ms
Reply to request 0 from 10.0.200.254, 117 ms

Isolated

The isolated vlan can only talk to the promiscuous ports (R254 and the SVI); none of the community hosts answer.

R05#ping 255.255.255.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:

Reply to request 0 from 10.0.200.254, 132 ms
Reply to request 0 from 10.0.200.253, 178 ms

We can also use local proxy ARP on the promiscuous router so that hosts in different private vlans can communicate with each other in a hub-and-spoke manner: R254 answers ARP requests on behalf of the hosts the switch is hiding, and then forwards the traffic between them. Keep in mind that this brings back exactly the host-to-host reachability the private vlan was blocking, so any restriction you still want has to be enforced on R254 itself (for example with an access list). In the show arp output below you can see that 10.0.200.1 resolves to R254’s MAC address (fa16.3e14.9af0), not R01’s, which is how you can tell the traffic is going through R254.

R254(config)#int g0/1
R254(config-if)#ip local-proxy-arp

R05#ping 10.0.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 25/28/32 ms
R05#show arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  10.0.200.1              1   fa16.3e14.9af0  ARPA  GigabitEthernet0/1
Internet  10.0.200.5              -   fa16.3e3d.c1b8  ARPA  GigabitEthernet0/1
Internet  10.0.200.253            6   fa16.3ed9.80c8  ARPA  GigabitEthernet0/1
Internet  10.0.200.254            6   fa16.3e14.9af0  ARPA  GigabitEthernet0/1
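
To make the community/isolated/promiscuous rules from the top of the post and the proxy ARP behaviour checkable, here is an added example (not code from the original post) that models SW01’s private vlan as data and computes which hosts can reach which, both directly at layer 2 and once R254 runs local proxy ARP. The PORTS table and the expected replies are constructed from the configuration and ping output above; the host names are the post’s router names, with "SVI" standing for interface Vlan200.

```python
"""L2 reachability model for the private VLAN built on SW01 in this post.
Constructed data: PORTS mirrors SW01's configuration and PING_REPLIES mirrors
the broadcast-ping replies shown above; host names are the post's router names."""

# Each port: (mode, secondary VLANs it is associated with or maps).
PORTS = {
    "R01":  ("host", {2001}),                     # Gi0/1, community 2001
    "R02":  ("host", {2001}),                     # Gi0/2, community 2001
    "R03":  ("host", {2002}),                     # Gi0/3, community 2002
    "R04":  ("host", {2002}),                     # Gi1/0, community 2002
    "R05":  ("host", {2003}),                     # Gi1/1, isolated 2003
    "R254": ("promiscuous", {2001, 2002, 2003}),  # Gi1/2, mapping 2001-2003
    "SVI":  ("promiscuous", {2001, 2002, 2003}),  # interface Vlan200 mapping
}
SECONDARY_TYPE = {2001: "community", 2002: "community", 2003: "isolated"}

def can_talk_l2(a, b, ports=PORTS, types=SECONDARY_TYPE):
    """True if SW01 forwards frames directly between ports a and b."""
    if a == b:
        return True
    mode_a, vlans_a = ports[a]
    mode_b, vlans_b = ports[b]
    shared = vlans_a & vlans_b
    # A promiscuous port reaches every secondary VLAN mapped to it.
    if "promiscuous" in (mode_a, mode_b):
        return bool(shared)
    # Two host ports reach each other only through a shared *community* VLAN;
    # isolated hosts never reach one another even in the same secondary VLAN.
    return any(types[v] == "community" for v in shared)

def reachable_from(host, proxy_arp_on=None):
    """Hosts `host` can reach: directly at L2, plus whatever `proxy_arp_on`
    (a promiscuous router running ip local-proxy-arp) relays at L3."""
    direct = {h for h in PORTS if h != host and can_talk_l2(host, h)}
    if proxy_arp_on in direct:
        # Local proxy ARP makes the router answer for hosts the switch hides,
        # so the L2 isolation no longer limits who this host can reach; any
        # filtering now has to happen on that router (e.g. an ACL).
        direct |= {h for h in PORTS if h != host and can_talk_l2(proxy_arp_on, h)}
    return sorted(direct)

# Replies seen in the post's "ping 255.255.255.255" tests (10.0.200.253 is the SVI).
PING_REPLIES = {"R01": {"R02", "R254", "SVI"},
                "R03": {"R04", "R254", "SVI"},
                "R05": {"R254", "SVI"}}

def matches_observed_pings():
    """Check the model against the observed broadcast-ping replies."""
    return all(reachable_from(h) == sorted(r) for h, r in PING_REPLIES.items())
```

Swapping the mode of one entry in PORTS (say, making R05 a member of community 2001) and re-running `reachable_from` is a quick way to sanity-check a port assignment before pushing it to a switch.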

And that is a primer of everything you need to know for private vlans!!!
