Table of Contents
2. What is Private VLAN [PVLAN]
3. PVLAN Port Types
4. How Private VLANs Work
5. How to configure PVLAN’s
6. Hand note on Private VLAN port type and communication
7. Private VLANs and SVIs
8. Private VLAN Configuration basic Guidelines
This document is anticipated for understanding Private Virtual LAN (PVLAN) concept; how VLAN is sub-divided into isolated sub-domains and the communication between isolated ports types (Promiscuous, Isolated and community ports).
What is Private VLAN:
To begin with PVLAN, let’s look at the concept of VLAN as a broadcast domain. In general VLAN is a concept of segregating a physical network, so that separate broadcast domains can be created. Private VLANs (PVANs) will split the primary VLAN domain [also a segregated network] into multiple isolated broadcast sub-domains. It’s like the nesting concept – creating VLANs inside a VLAN. As we know, Ethernet VLANs are not allowed to communicate directly with each other; they need some Layer three (L3) devices (like router, multilayer switch.etc) to forward packets between the broadcast domains. The same concept is applicable to the PVLANS – since the sub-domains are segregated at level 2, they need to communicate using an upper level (L3 and packet forwarding) entity – such as router. In regular VLANs usually correspond to different IP subnets. But when we split VLAN using PVLANs, hosts in different PVLANs still belong to the same IP subnet, but they need to use router (another L3 device) to talk to each other (for example, by means of local Proxy ARP), in turn, router may either permit or forbid communications between sub-VLANs using access-lists.
This kind of configurations commonly arises in shared environments, e.g. ISP co-location where it is beneficial to put multiple customers into the same IP subnet and provide a good level of isolation between them. Beside this it is also helpful to provide isolation at Layer 2 as a security measure.
PVLAN Port Types:
There are three types of PVLAN ports:
- Promiscuous (P) :- Usually connects to a router – a type of a port which is allowed to send and receive frames from any other port on the VLAN.
- Isolated (I) : This type of port is only allowed to communicate with P ports – they are “stub”. This type of ports usually connects to hosts.
- Community (C) : Community ports are allowed to talk to their buddies ie. Community ports.
How Private VLANs Work:
Here are the key aspects of Private VLAN functioning:
- The Primary VLAN delivers frames downstream from the Promiscuous port to all mapped hosts.
- The Isolated VLAN transports frames from the stub hosts upstream to the Promiscuous port only.
- The Community VLANs allow bi-directional frame exchange within a single group (Community), in addition to forwarding frames upstream towards “P”-ports.
- Ethernet MAC address learning and forwarding procedure remain the same, as well as broadcast/multicast flooding procedure within boundaries of primary/secondary VLANs.
Private VLANs could be trunked. The secondary VLAN numbers are used to tag frames, just as with the regular VLANs, and the primary VLAN traffic is
trunked as well. However, if required to configure Private VLAN specific settings (bindings, mappings) on every participating switch, as it’s not possible to use VTPv2 to convey that information to other switches; this due to the fact that VTPv2 has no TLVs to carry private VLANs information. VTPv3 was designed to overcome this limitation among others, which can propagate PVLAN information into the VTP domain.
To discuss the working of the PVLAN let’s take a sample configuration example, we will take VLAN 200 and divide it into two PVLANs – sub-VLANs 201 and 202. Take the regular VLAN and call it primary (VLAN 200 in our example), then divide ports, assigned to this VLAN, by their types. In order to implement sub-VLAN behaviour; we need to define how packets are forwarded between different port types.
- Primary VLAN (VLAN 200 in our example): - simply the original VLAN (VLAN 200 in our example). This type of VLAN is used to forward frames downstream from Pports to all other port types (I and C ports). Primary VLAN entails all port in domain, but is only used to transport frames from router to hosts (P to I and C).
- Secondary VLANs: - which correspond to Isolated and Community port groups. They are used to transport frames in the opposite direction – from I and C ports to P-port.
- Isolated VLAN (VLAN 201 in our example): - forwards frames from I ports to P ports. Since isolated ports do not exchange frames with each other, we can use just ONE isolated VLAN to connect all I-Port to the P-port.
- Community VLANs (VLAN 202 in our example): - Transport frames between community ports (C-ports) within to the same group (community) and forward frames upstream to the P-ports of the primary VLAN.
How to configure Private VLANs: [configuration example is Cisco IOS based]
Let’s move to the configuration part (Primary VLAN 200, Isolated VLAN 201 and Community VLAN 202).
Step 1: Create Primary and Secondary VLANs and group them into PVLAN domain:
## Creating general VLAN and defining as Primary ##
## Creating secondary Isolated VLAN ##
## Creating secondary community VLAN ##
## Associating Primary with secondary Vlans, sub-Vlans ##
private-vlan association 201,202
Step 2: Configure host ports and bind them to the respective PVLANs [Define a private VLAN association for an isolated or community port [Binding primary-vlanid & secondary-vlan-id]. Note that a host port belongs to different VLANs at the same time; i.e. downstream primary VLAN and upstream secondary VLAN. The ports in a private VLAN domain derive their special characteristics from the VLAN pairing (secondary) they are configured with. In particular, a promiscuous port is a port that can communicate with all other private VLAN port types via the primary VLAN and any associated secondary VLANs, whereas isolated or community ports can communicate over their respective secondary VLANs only.
In the below case communication from the promiscuous port [Downstream] is via the primary Vlan 200 and the Upstream communication to the promiscuous port via secondary Vlan 201 or 202.
##Configure isolated port ##
Interface Fast Ethernet x/y
switchport mode private-vlan host
switchport private-vlan host-association 200 201
## Configure community ports ##
Interface range FastEthernet x/y - z
switchport mode private-vlan host
switchport private-vlan host-association 200 202
Step 3: Create a promiscuous port, and configure downstream mapping, for the communication from outside to downstream hosts. Here add secondary VLANs for which traffic is received by this P-port. Primary VLAN is used to send traffic downstream to all I/C ports as per their associations.
## Router port – the port connected to the router or upstream L3 device ##
interface FastEthernet x/y
switchport mode private-vlan promiscuous
switchport private-vlan mapping 200 201 202
If we need to configure an SVI on the switch, we need to add an interface corresponding to the Primary VLAN only. That’s because of all secondary VLANs being simply “subordinates” of primary VLAN. In our case the config would look like as below:
interface Vlan 200
ip address 172.16.0.1 255.255.255.0
Hand note on Private VLAN port type and communication:
A switch with VLAN 200 converted into a PRIVATE VLAN with one P-Port, Two I-Ports in Isolated VLAN 201 (Secondary) and Two Community VLAN’s 202 and 203 (Secondary) with two ports in each. The switch has one Uplink Port (Trunk) connected to another switch and one P-Promiscuous connected to Router.
The following table shows the traffic which can flow between all the ports.
** Traffic from an Uplink port to an isolated port will be denied if it is in the Isolated VLAN. Traffic from an Uplink port to an isolated port will be permitted if it is in the primary VLAN.
Private VLANs and SVIs:
A switch virtual interface (SVI) is the Layer 3 interface of a Layer 2 VLAN. Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs. Configure Layer 3 VLAN SVIs only for primary VLANs. Do not configure Layer 3 VLAN interfaces for secondary VLANs. SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN.
- If we try to configure a VLAN with an active SVI as a secondary VLAN, the configuration is not allowed until you disable the SVI.
- If we try to create an SVI on a VLAN that is configured as a secondary VLAN, and the secondary VLAN is already mapped at Layer 3, the SVI is not created, and an error is returned. If the SVI is not mapped at Layer 3, the SVI is created, but it is automatically shut down.
When the primary VLAN is associated with and mapped to the secondary VLAN, any configuration on the primary VLAN is propagated to the secondary
VLAN SVIs. For example, if you assign an IP subnet to the primary VLAN SVI, this subnet is the IP subnet address of the entire private VLAN.
Private VLAN Configuration basic Guidelines:
When configuring private VLANs consider these guidelines
- After you configure a private VLAN and set VTP to transparent mode, you are not allowed to change the VTP mode to client or server.
- You must use VLAN configuration (config-vlan) mode to configure private VLANs. You cannot configure private VLANs in VLAN database configuration mode.
- In VTP versions 1 and 2, VTP does not propagate a private VLAN configuration and you must configure private VLANs on each device where you want private VLAN ports. In VTP version 3, VTP does propagate private VLAN configurations automatically.
- Configuration of VLAN 1 or VLANs 1002 to 1005 as primary or secondary VLANs in not allowed. Extended VLANs (VLAN IDs 1006 to 4094) cannot belong to private VLANs. Only Ethernet VLANs can be private VLANs.
- A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it. An isolated or community VLAN can have only one primary VLAN associated with it.
- When a secondary VLAN is associated with the primary VLAN, the STP parameters of the primary VLAN, such as bridge priorities, are propagated to the secondary VLAN. However, STP parameters do not necessarily propagate to other devices. You should manually check the STP configuration to ensure that and community VLANs' spanning tree topologies match so that the VLANs can properly share the same forwarding database.
- VACLs can’t be applied to secondary VLANs.
- To apply Cisco IOS output ACLs to all outgoing private VLAN traffic, configure them on the Layer 3 VLAN interface of the primary VLAN.
- Cisco IOS ACLs applied to the Layer 3 VLAN interface of a primary VLAN automatically apply to the associated isolated and community VLANs.
- Private VLAN ports can be on different network devices if the devices are trunk-connected and the primary and secondary VLANs have not been removed from the trunk.
- All primary, isolated, and community VLANs associated within a private VLAN must maintain the same topology across trunks. It is recommended by Cisco to configure the same STP bridge parameters and trunk port parameters on all associated VLANs in order to maintain the same topology
*** Any suggestions for alterations , modifications are most welcome.