How to Configure Private-VLANs on Cisco Switches



By Mark Jacob, added February 19, 2014

I recently posted a blog, How Can I Protect My Ports?, which discussed protected ports. In that blog I mentioned that a more comprehensive solution (more expensive as well) would be to configure private vlans – as long as your switches support the feature. In this blog I will cover the configuration steps required to get your private vlans up and running, and demonstrate the impact before and after they are in place. Here is the network scenario:

[Figure: the network scenario used in this blog]

Your first thought may be, “Why do I need to know this? Where would I ever use it?” Imagine you are a service provider and you want to be efficient in your use of IP addresses. If you have multiple clients to serve, it would be nice if you could put them all in the same subnet to conserve addresses, but you certainly don’t want them scanning each other’s traffic. (Keep in mind that the alternative solution would be to place each client in an individual subnet, adding administrative workload and wasting IP addresses.) Here is a great place to use private vlans.

The goal in the above scenario is to place C1 and C2 into a community vlan and C3 and C4 into an isolated vlan. C5 will be on a promiscuous port and thus will be accessible by all of the other PCs. The switch is a 48-port Cisco 3560. A little background information will be useful here. In community private-vlans, individual hosts have access to each other as well as to the host on a promiscuous port. In isolated private-vlans, individual hosts cannot access other hosts in the same isolated vlan, but they can access the endpoint on a promiscuous port. The hosts have IP addresses with this scheme:


C1-10.1.21.1, C2-10.1.21.2, C3-10.1.21.3, C4-10.1.21.4, and C5-10.1.21.5.

Let’s look at the results of pings before we configure anything.

[Screenshots: ping output from each PC before any private-vlan configuration]

So everybody can ping everybody. This is the expected result since we are not preventing anything yet. Now let’s complete the scenario noted above.

First I will configure the private vlans on CSW1 (note that the switch must be in VTP transparent mode; that has already been done here):

[Screenshot: vlan configuration on CSW1]

Now I have a primary vlan and two secondary vlans. I want to associate the two secondary vlans with the primary vlan. Here is what it looks like:

[Screenshot: primary vlan association on CSW1]

Notice that I have added both of the secondary vlans with one command. This is not required, but it does save typing. Also note that I created the secondary vlans (community and isolated) before I created the primary. This saves typing as well, but you can do it in any order you wish.  Let’s do a show command to see what we have accomplished so far:

[Screenshot: show vlan output on CSW1]

So my vlans exist, but just like normal vlans, they aren’t doing anything for me until I assign ports. The first port I want to configure is the promiscuous port. You could imagine this as a default-gateway address of a router or a monitoring PC – something that needs to be accessible by all endpoints in this scenario. Configuration looks like this:

[Screenshot: promiscuous port configuration]

So my promiscuous port is now configured. All that remains is to place my other hosts into the correct secondary vlans. Let’s see that piece of the configuration. First we will configure the community vlan piece:


[Screenshot: community vlan host port configuration]

Now for the isolated configuration:

[Screenshot: isolated vlan host port configuration]

Let’s take a look at a show command that will display everything that we have configured:

[Screenshot: show command output listing the private vlan configuration]
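The full CSW1 configuration that the screenshots above walk through, written out as an added example rather than copied from the author's screenshots. The vlan numbers (100 primary, 101 community, 102 isolated) and the FastEthernet port numbers are assumptions, since the post does not state them; the host names and IP addresses are the ones from the scenario.

```text
! Added example; vlan and port numbers are assumed, not taken from the post.
! Private vlans require the switch to be in VTP transparent mode.
vtp mode transparent
!
! Secondary vlans first (the order is optional, as the post notes)
vlan 101
 name COMMUNITY
 private-vlan community
vlan 102
 name ISOLATED
 private-vlan isolated
!
! Primary vlan, with both secondaries associated in a single command
vlan 100
 name PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! Promiscuous port (C5, 10.1.21.5): reachable from hosts in both secondaries
interface FastEthernet0/5
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Community host ports (C1 10.1.21.1 and C2 10.1.21.2): reach each other and C5
interface range FastEthernet0/1 - 2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Isolated host ports (C3 10.1.21.3 and C4 10.1.21.4): reach only C5
interface range FastEthernet0/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Verification: the primary/secondary table and one host port's pvlan settings
show vlan private-vlan
show interfaces FastEthernet0/3 switchport
```

The expected results are exactly the pings the post runs next: C3 and C4 reach only C5, while C1 and C2 reach each other and C5. Keep in mind this isolation is Layer 2 only; if the device on the promiscuous port is a router with proxy ARP enabled, isolated hosts may still reach each other through it.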

Now let’s try those pings again. First, one of the isolated PCs tries to ping the other isolated PC:

[Screenshot: ping from one isolated PC to the other fails]

Failure means success! How about the other one?

[Screenshot: ping in the other direction between the isolated PCs fails]

No go. Just what we want! But can I still reach the promiscuous destination?

[Screenshot: ping from an isolated PC to the promiscuous host succeeds]

YES!!

Can I reach one of the PCs in the community vlan? I should not be able to hit it. Let’s see:

[Screenshot: ping from an isolated PC to a community PC fails]

Can’t get there. It is working. One last thing to check. In the community vlan, the endpoints should be able to ping the promiscuous port AND each other. Let’s try it. Here is CL2 trying to reach CL1:

[Screenshot: CL2 pinging CL1 succeeds]

I see replies. How about the other way?

[Screenshot: CL1 pinging CL2 succeeds]

Once again, success. One last check before we call it complete is to verify that the hosts in the community vlan can reach the promiscuous port:

[Screenshot: community vlan hosts pinging the promiscuous port succeed]

Aaahh, the sweet smell of success. This configuration is quite useful in the scenario noted above, but keep in mind you must have at least a 3560 switch to be able to use this feature. Once you get past the odd syntax of mappings, host-associations, and plain old associations, you will be configuring private vlans like a guru. Until next time…

Mark Jacob
Cisco Instructor – Interface Technical Training
Phoenix, AZ
