I posted a blog recently which discussed protected ports. How Can I Protect My Ports? In that blog I mentioned that a more comprehensive solution (more expensive as well) would be to configure private vlans – as long as your switches support such a feature. In this blog I will cover the configuration steps required to get your private vlans up and running, as well as demonstrate the impact before and after they are in place. Here is the network scenario:
Your first thought may be, “Why do I need to know this? Where would I ever use it?” Imagine you are a service provider and you want to be efficient in your use of IP addresses. If you have multiple clients to serve, it would be nice if you could put them all in the same subnet to conserve addresses, but you certainly don’t want them scanning each other’s traffic. (Keep in mind that the alternative solution would be to place each client in an individual subnet, adding administrative workload and wasting IP addresses. Here is a great place to use private vlans.
The goal in the above scenario is to place C1 and C2 into community vlans and C3 and C4 into isolated vlans. C5 will be in a promiscuous port and thus will be accessible by all of the other PCs. The switch is a 3560 48 port switch. A little background information will be useful here. In community private-vlans, individual hosts have access to each other as well as to the host in a promiscuous port. In isolated private-vlans, individual hosts cannot access other hosts in the same isolated vlan, but they can access the endpoint in a promiscuous port. The hosts have IP addresses with this scheme:
C1-10.1.21.1, C2-10.1.21.2, C3-10.1.21.3, C4-10.1.21.4, and C5-10.1.21.5.
Let’s look at the results of pings before we configure anything.
So everybody can ping everybody. This is the expected result since we are not preventing anything yet. Now let’s complete the scenario noted above.
First I will configure the private vlans on CSW1 (note that the switch must be in VTP Transparent mode. This has already been done.):
Now I have a primary vlan and two secondary vlans. I want to associate the two secondary vlans with the primary vlan. Here is what it looks like:
Notice that I have added both of the secondary vlans with one command. This is not required, but it does save typing. Also note that I created the secondary vlans (community and isolated) before I created the primary. This saves typing as well, but you can do it in any order you wish. Let’s do a show command to see what we have accomplished so far:
So my vlans exist, but just like normal vlans, they aren’t doing anything for me until I assign ports. The first port I want to configure is the promiscuous port. You could imagine this as a default-gateway address of a router or a monitoring PC – something that needs to be accessible by all endpoints in this scenario. Configuration looks like this:
So my promiscuous port is now configured. All that remains is to place my other hosts into the correct secondary vlans. Let’s see that piece of the configuration. First we will configure the community vlan piece:
Now for the isolated configuration:
Let’s take a look at a show command that will display everything that we have configured:
Now let’s try those pings again. First, one of the isolated PCs tries to ping the other isolated PC:
Failure means success! How about the other one?
No go. Just what we want! But can I still reach the promiscuous destination?
Can I reach one of the PCs in the community vlan? I should not be able to hit it. Let’s see:
Can’t get there. It is working. One last thing to check. In the community vlan, the endpoints should be able to ping the promiscuous port AND each other. Let’s try it. Here is CL2 trying to reach CL1:
I see replies. How about the other way?
Once again, success. One last check before we call it complete is to verify that the hosts in the community vlan can reach the promiscuous port:
Aaahh, the sweet smell of success. This configuration is quite useful in the scenario noted above, but keep in mind you must have at least a 3560 switch to be able to use this feature. Once you get past the odd syntax of mappings, host-associations, and plain old associations, you will be configuring private vlans like a guru. Until next time…