How to Configure Private-VLANs on Cisco Switches

    I posted a blog recently, How Can I Protect My Ports?, which discussed protected ports. In that blog I mentioned that a more comprehensive solution (and a more expensive one) would be to configure private vlans – as long as your switches support such a feature. In this blog I will cover the configuration steps required to get your private vlans up and running, as well as demonstrate the impact before and after they are in place. Here is the network scenario:

    (Diagram: Cisco Switches - How to Configure a Private VLAN)

    Your first thought may be, “Why do I need to know this? Where would I ever use it?” Imagine you are a service provider and you want to be efficient in your use of IP addresses. If you have multiple clients to serve, it would be nice if you could put them all in the same subnet to conserve addresses, but you certainly don’t want them scanning each other’s traffic. (Keep in mind that the alternative solution would be to place each client in an individual subnet, adding administrative workload and wasting IP addresses.) Here is a great place to use private vlans.

    The goal in the above scenario is to place C1 and C2 into a community vlan and C3 and C4 into an isolated vlan. C5 will be in a promiscuous port and thus will be accessible by all of the other PCs. The switch is a 48-port 3560. A little background information will be useful here. In community private-vlans, individual hosts have access to each other as well as to the host in a promiscuous port. In isolated private-vlans, individual hosts cannot access other hosts in the same isolated vlan, but they can access the endpoint in a promiscuous port. The hosts have IP addresses with this scheme:


    C1-10.1.21.1, C2-10.1.21.2, C3-10.1.21.3, C4-10.1.21.4, and C5-10.1.21.5.

    Let’s look at the results of pings before we configure anything.

    (Screenshots: ping results from each PC before any private vlan configuration is in place)

    So everybody can ping everybody. This is the expected result since we are not preventing anything yet. Now let’s complete the scenario noted above.

    First I will configure the private vlans on CSW1 (note that the switch must be in VTP Transparent mode, which has already been done):

    (Screenshot: private vlan creation on CSW1)

    Now I have a primary vlan and two secondary vlans. I want to associate the two secondary vlans with the primary vlan. Here is what it looks like:

    (Screenshot: primary vlan association on CSW1)

    Notice that I have added both of the secondary vlans with one command. This is not required, but it does save typing. Also note that I created the secondary vlans (community and isolated) before I created the primary. This saves typing as well, but you can do it in any order you wish. Let’s do a show command to see what we have accomplished so far:

    (Screenshot: show output listing the vlans on CSW1)

    So my vlans exist, but just like normal vlans, they aren’t doing anything for me until I assign ports. The first port I want to configure is the promiscuous port. You could imagine this as a default-gateway address of a router or a monitoring PC – something that needs to be accessible by all endpoints in this scenario. Configuration looks like this:

    (Screenshot: promiscuous port configuration)

    So my promiscuous port is now configured. All that remains is to place my other hosts into the correct secondary vlans. Let’s see that piece of the configuration. First we will configure the community vlan piece:


    (Screenshot: community vlan port configuration)

    Now for the isolated configuration:

    (Screenshot: isolated vlan port configuration)

    Let’s take a look at a show command that will display everything that we have configured:

    (Screenshot: show output listing the complete private vlan configuration)
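    The steps walked through above, written out as an added example configuration (not the post's own screenshots); the VLAN numbers 200, 201 and 202 and the interface names are assumptions, since the post does not show them:

```cisco
! Assumed: private vlans require VTP Transparent mode (already done in the post)
vtp mode transparent
!
! Secondary vlans first (any order works); the vlan numbers are assumed
vlan 201
 name COMMUNITY-C1-C2
 private-vlan community
vlan 202
 name ISOLATED-C3-C4
 private-vlan isolated
! Note: a primary vlan may have many community vlans but only one isolated vlan
!
! Primary vlan, associated with both secondaries in a single command
vlan 200
 name PRIMARY
 private-vlan primary
 private-vlan association 201,202
!
! Promiscuous port for C5 (interface name assumed), mapped to both secondaries
interface FastEthernet0/5
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
!
! Community host ports for C1 and C2 (interface names assumed)
interface range FastEthernet0/1 - 2
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Isolated host ports for C3 and C4 (interface names assumed)
interface range FastEthernet0/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
```

    Before repeating the pings, `show vlan private-vlan` lists each primary/secondary pair with the ports assigned to it, so a host-association typed against the wrong secondary shows up there rather than as a surprising ping result.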

    Now let’s try those pings again. First, one of the isolated PCs tries to ping the other isolated PC:

    (Screenshot: ping from one isolated PC to the other fails)

    Failure means success! How about the other one?

    (Screenshot: ping in the other direction between the isolated PCs also fails)

    No go. Just what we want! But can I still reach the promiscuous destination?

    (Screenshot: ping from an isolated PC to the promiscuous host succeeds)

    YES!!

    Can I reach one of the PCs in the community vlan? I should not be able to hit it. Let’s see:

    (Screenshot: ping from an isolated PC to a community PC fails)

    Can’t get there. It is working. One last thing to check. In the community vlan, the endpoints should be able to ping the promiscuous port AND each other. Let’s try it. Here is C2 trying to reach C1:

    (Screenshot: ping from C2 to C1 succeeds)

    I see replies. How about the other way?

    (Screenshot: ping from C1 to C2 succeeds)

    Once again, success. One last check before we call it complete is to verify that the hosts in the community vlan can reach the promiscuous port:

    (Screenshot: ping from a community PC to the promiscuous host succeeds)

    Aaahh, the sweet smell of success. This configuration is quite useful in the scenario noted above, but keep in mind you must have at least a 3560 switch to be able to use this feature. Once you get past the odd syntax of mappings, host-associations, and plain old associations, you will be configuring private vlans like a guru. Until next time…

    Mark Jacob
    Cisco Instructor – Interface Technical Training
    Phoenix, AZ
