CCIE Routing & Switching v5 Workbook -
CCIE R&S v5 Advanced Technology Labs -
LAN Switching
Private VLANs
You must load the initial configuration files for the section, Basic
Layer 2 Switching, which can be found in
. Reference the Virtual Routers &
Physical Switches Diagram to complete this task.
Task
Configure private-vlan on SW1 as follows:
Use VLAN 100 as the primary VLAN.
Use VLAN 1000 as the community VLAN.
Use VLAN 2000 as the isolated VLAN.
Configure IP addressing as follows:
Assign 169.254.100.1/24 to SW1’s SVI on VLAN 100.
Assign 169.254.100.2/24 to SW2’s Fa0/24 port.
Assign 169.254.100.3/24 to SW3’s Fa0/20 port.
Assign 169.254.100.4/24 to SW4’s Fa0/22 port.
Assign SW1’s interfaces to required VLANs so that:
SW1, SW2, and SW3 can communicate directly at Layer 2.
SW4 can only communicate with SW1 directly at Layer 2.
Configuration
SW1:
vtp mode transparent
!
vlan 1000
 private-vlan community
!
vlan 2000
 private-vlan isolated
!
vlan 100
 private-vlan primary
 private-vlan association 1000,2000
!
interface range FastEthernet0/20 , FastEthernet0/24
 switchport private-vlan host-association 100 1000
 switchport mode private-vlan host
!
interface FastEthernet0/22
 switchport private-vlan host-association 100 2000
 switchport mode private-vlan host
!
interface Vlan100
 ip address 169.254.100.1 255.255.255.0
 private-vlan mapping 1000,2000

SW2:
interface FastEthernet0/24
 no switchport
 ip address 169.254.100.2 255.255.255.0

SW3:
interface FastEthernet0/20
 no switchport
 ip address 169.254.100.3 255.255.255.0

SW4:
interface FastEthernet0/22
 no switchport
 ip address 169.254.100.4 255.255.255.0
Verification
The Private VLAN (PVLANs) feature is similar in theory to the Protected Ports
feature, in which two or more ports can be in the same VLAN but cannot directly
communicate at Layer 2. Private VLANs expand this concept much further,
however, and allow very complex security policies that can span between multiple
physical switches. Private VLANs split a single broadcast domain that is normally
defined by a single VLAN into multiple isolated broadcast subdomains that are
defined by a primary VLAN and its secondary VLANs. In essence, the feature allows
us to configure VLANs inside a VLAN.
From a design perspective, this feature is commonly used in environments like
shared ISP co-location, in which customers are on the same VLAN and same IP
subnet, but should not communicate directly with each other, or in Multiple Dwelling
Units (MDUs) such as hotels or office buildings, where two hotel rooms or offices
may be in the same subnet and VLAN but should not communicate directly.
Pitfall
The Private VLAN feature requires VTP to run in transparent mode if VTP version 2 is
enabled.
Although the theory of PVLANs is relatively straightforward, the implementation can
be confusing because of the different terms that Cisco uses to describe VLANs and
ports and the syntax in which they are bound together. First we must define the port
roles used in PVLANs. These are promiscuous ports, community ports, and isolated
ports:
Promiscuous ports are allowed to talk to all other ports within the VLAN.
Isolated ports are only allowed to talk to promiscuous ports.
Community ports are allowed to talk to other ports in their own community, but not
ports in different communities, and can talk to any promiscuous ports.
The port roles are defined by the interface’s association to a primary VLAN and one
or more secondary VLANs. First the secondary VLANs are created, and defined as
either community or isolated. Then the primary VLAN is defined, and the secondary
VLANs are associated with the primary VLAN.
Next the command switchport mode private-vlan promiscuous or switchport mode
private-vlan host is configured at the physical interface level. As you might guess,
the promiscuous option indicates that the port role is promiscuous, and the host
option indicates that the port role is either community or isolated. Last, the port is
assigned to both the primary and secondary VLANs, which defines what other
ports it can talk to. The links to SW2 and SW3 have the command switchport
private-vlan host-association 100 1000 configured, which means that each of them is
a member of the primary VLAN 100 and the secondary VLAN 1000. VLAN 1000 was
defined as a community VLAN, which implies that SW2 and SW3 can talk to all other
ports in VLAN 1000 and any promiscuous ports belonging to VLAN 100. The SVI
interface in VLAN 100 can only be a promiscuous port, and it needs the secondary
VLANs mapped using the command private-vlan mapping 1000,2000; this is so that
you can actually restrict which secondary VLANs can communicate with the
promiscuous port.
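To check the port-role rules above against the task's reachability requirements before touching a switch, here is an added Python model (not part of the workbook) that encodes the promiscuous, community and isolated rules from this section; the port names, VLAN numbers and the SVI mapping are those of the task, and the helper functions are hypothetical.

```python
# Added example, not from the INE workbook: a model of the private-VLAN
# forwarding rules used to predict which devices answer a broadcast.
PROMISCUOUS, HOST, COMMUNITY, ISOLATED = "promiscuous", "host", "community", "isolated"

# Secondary VLAN types as defined under "vlan 1000" and "vlan 2000" on SW1.
SECONDARY_TYPE = {1000: COMMUNITY, 2000: ISOLATED}

# Port -> (role, primary VLAN, secondary VLANs). A host port carries exactly
# one secondary VLAN (host-association); a promiscuous port lists its mapping.
PORTS = {
    "SW1-Vlan100": (PROMISCUOUS, 100, {1000, 2000}),  # private-vlan mapping 1000,2000
    "SW2-Fa0/24":  (HOST, 100, {1000}),               # host-association 100 1000
    "SW3-Fa0/20":  (HOST, 100, {1000}),               # host-association 100 1000
    "SW4-Fa0/22":  (HOST, 100, {2000}),               # host-association 100 2000
}


def can_talk(src, dst, ports=PORTS):
    """True if a frame from src may reach dst at Layer 2 under the PVLAN rules:
    a promiscuous port reaches every port whose secondary VLAN it maps, an
    isolated port reaches only promiscuous ports, and a community port reaches
    its own community plus promiscuous ports."""
    if src == dst:
        return False
    s_role, s_pri, s_sec = ports[src]
    d_role, d_pri, d_sec = ports[dst]
    if s_pri != d_pri:  # ports in different primary VLANs never meet
        return False
    if s_role == PROMISCUOUS:  # promiscuous -> promiscuous, or -> any mapped host
        return True if d_role == PROMISCUOUS else bool(s_sec & d_sec)
    if d_role == PROMISCUOUS:  # host -> promiscuous only if its VLAN is mapped
        return bool(s_sec & d_sec)
    (s_vlan,) = s_sec
    (d_vlan,) = d_sec
    # host -> host: only within the same community VLAN; isolated never pairs
    return s_vlan == d_vlan and SECONDARY_TYPE[s_vlan] == COMMUNITY


def reachable_from(src, ports=PORTS):
    """Ports that would answer a broadcast from src (cf. the ping tests)."""
    return {p for p in ports if can_talk(src, p, ports)}
```

Dropping 2000 from the SVI mapping in PORTS shows the purpose of private-vlan mapping: SW4 then loses its only Layer 2 neighbour.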
Verify the private VLAN configuration and port assignment.
SW1#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     1000      community         Fa0/20, Fa0/24
100     2000      isolated          Fa0/22

SW1#show interfaces vlan100 private-vlan mapping
Interface Secondary VLANs
--------- --------------------------------------------------------------------
vlan100   1000, 2000

SW1#show interfaces fastEthernet0/20 switchport
Name: Fa0/20
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 100 (VLAN0100) 1000 (VLAN1000)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan:
100 (VLAN0100) 1000 (VLAN1000)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
<output omitted>

SW1#show interfaces fastEthernet0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 100 (VLAN0100) 1000 (VLAN1000)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan:
100 (VLAN0100) 1000 (VLAN1000)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
<output omitted>
Final verification for this configuration can be obtained by sending traffic to the
broadcast address of 255.255.255.255 from all devices. As defined in the
requirements, SW1 can communicate with all switches because it is a promiscuous
port.
SW1#ping 255.255.255.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 169.254.100.4, 8 ms
Reply to request 0 from 169.254.100.2, 8 ms
Reply to request 0 from 169.254.100.3, 8 ms
SW2 and SW3 can communicate with each other, as members of the community
VLAN, and with SW1, which is the promiscuous host.
SW2#ping 255.255.255.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 169.254.100.3, 9 ms
Reply to request 0 from 169.254.100.1, 9 ms

SW3#ping 255.255.255.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 169.254.100.2, 8 ms
Reply to request 0 from 169.254.100.1, 8 ms
SW4, as a member of the isolated VLAN, can only communicate with SW1, which is
the promiscuous host.
SW4#ping 255.255.255.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 169.254.100.1, 8 ms