Cisco Learning Home > CCIE Security Study Group > Discussions
2095 Views, 24 Replies. Latest reply: Jun 21, 2012 7:04 AM by simonb


Private vlans

Apr 14, 2012 8:25 AM

Arul 149 posts since
Dec 9, 2010

I have a simple doubt about the private VLANs concept.

The first thing is, private VLANs are just for the switches, right?

Even though we isolate the ports, it can go to a router which is configured as a promiscuous port and access the isolated port, right?

  • CiscoLoco - CCNP 956 posts since
    Feb 11, 2009
    1. Apr 14, 2012 8:49 AM (in response to Arul)
    Re: Private vlans

    That is correct, private VLANs are only configured on switches.  And yes, we designate ports as either ISOLATED, which means they can only communicate with promiscuous ports; as COMMUNITY, which means they can communicate with the promiscuous ports as well as other ports in the same community; and finally PROMISCUOUS, which can communicate with every port.
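    The three port roles described in the reply above, as an added example that is not part of the thread: a Catalyst IOS configuration with one primary VLAN, one isolated and one community secondary VLAN, two isolated host ports, two community host ports and one promiscuous port toward the gateway router. VLAN numbers, interface names and descriptions are hypothetical.

```cisco
! Added example, not from the thread. VLAN numbers, interface names
! and descriptions are hypothetical.
!
! Private VLANs require VTP transparent mode (or VTP version 3).
vtp mode transparent
!
! Secondary VLANs are defined first, then associated with the primary.
vlan 201
 name PVLAN-ISOLATED
 private-vlan isolated
!
vlan 202
 name PVLAN-COMMUNITY-A
 private-vlan community
!
vlan 200
 name PVLAN-PRIMARY
 private-vlan primary
 private-vlan association 201,202
!
! Isolated host ports: each can reach only the promiscuous port, never
! another isolated port, even though both sit in VLAN 201.
interface GigabitEthernet0/1
 description Isolated host A
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
interface GigabitEthernet0/2
 description Isolated host B
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Community host ports: reach each other and the promiscuous port,
! but not the isolated ports.
interface GigabitEthernet0/3
 description Community A host 1
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
interface GigabitEthernet0/4
 description Community A host 2
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
! Promiscuous port toward the router: reaches every host in the
! mapped secondary VLANs. The router sees one subnet (the primary
! VLAN) on this link and has no idea which hosts are isolated.
interface GigabitEthernet0/24
 description Uplink to router (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
```

    Check the result with `show vlan private-vlan` (primary/secondary pairing and which ports belong to each) and `show interfaces GigabitEthernet0/1 switchport` (the administrative mode should read private-vlan host). The isolation is purely layer 2: a router on the promiscuous port is a legitimate member of the segment and will happily forward between any two hosts, so whatever filtering should apply between isolated hosts has to be enforced on that router, not assumed from the private VLAN.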

  • Marko Milivojevic 800 posts since
    Jun 26, 2008
    3. Apr 14, 2012 10:47 AM (in response to Arul)
    Re: Private vlans

    They can communicate on L3 (i.e. the router on the promiscuous port will ROUTE the packets between hosts), but not on L2.

     

    --

    Marko Milivojevic - CCIE #18427 (SP R&S)

    Senior CCIE Instructor - IPexpert

  • Marko Milivojevic 800 posts since
    Jun 26, 2008
    5. Apr 14, 2012 10:55 AM (in response to Arul)
    Re: Private vlans

    I don't see how this is related to private VLANs, but in any case, I really don't know the answer to that. Sorry.

     

    --

    Marko Milivojevic - CCIE #18427 (SP R&S)

    Senior CCIE Instructor - IPexpert

  • Elvin Arias 1,837 posts since
    Mar 12, 2010
    6. Apr 14, 2012 11:02 AM (in response to Arul)
    Re: Private vlans

    The isolated ports inside the isolated VLAN can't communicate with each other by default. They will not talk to each other through the promiscuous port, since the communication is local, and there is no need for intervention between the promiscuous port and any other locally configured VLAN.

     

    There is still a workaround. Yes, you can make two isolated ports communicate. You just need to enable the "ip local-proxy-arp" feature on the promiscuous interface. The switch will start to answer ANY local communication between these two isolated ports, and they will be able to talk to each other.

     

    Elvin

  • Marko Milivojevic 800 posts since
    Jun 26, 2008
    7. Apr 14, 2012 11:03 AM (in response to Elvin Arias)
    Re: Private vlans

    There is another workaround using OSPF, but yes, to make it work without a routing protocol you'll need local proxy ARP on the promiscuous port.

     

    --

    Marko Milivojevic - CCIE #18427 (SP R&S)

    Senior CCIE Instructor - IPexpert

  • Elvin Arias 1,837 posts since
    Mar 12, 2010
    8. Apr 14, 2012 11:07 AM (in response to Marko Milivojevic)
    Re: Private vlans

    With OSPF? I didn't know that! If you show us how to do that it would be nice.

     

    Elvin

  • Marko Milivojevic 800 posts since
    Jun 26, 2008
    10. Apr 14, 2012 11:12 AM (in response to Elvin Arias)
    Re: Private vlans

    Hehehehe - run OSPF on the private VLAN segment with the point-to-multipoint network type. Each router will inject a /32 for its own interface, and that /32 would be readvertised by the hub (promiscuous port) with the next hop of its own interface. Essentially, the OSPF route, being more specific than the one on the segment, will be taken into account and there is no need for local proxy ARP acrobatics :-).

     

    A twisted mind of a CCIE instructor ;-)

     

    --

    Marko Milivojevic - CCIE #18427 (SP R&S)

    Senior CCIE Instructor - IPexpert
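    The OSPF variant described in the reply above, as an added example that is not part of the thread: one hub router on the promiscuous port and two spoke routers on isolated ports of the same primary VLAN, all running OSPF with the point-to-multipoint network type. Hostnames, addresses, interface names and the process ID are hypothetical.

```cisco
! Added example, not from the thread. Hostnames, addresses, interface
! names and the OSPF process ID are hypothetical.
!
! ---- HUB: router attached to the promiscuous port ----
hostname HUB
!
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ! Point-to-multipoint: every router advertises its own interface
 ! address as a /32. A spoke only has an adjacency with the hub, so
 ! its SPF path to the other spoke's /32 goes via the hub, and that
 ! /32 beats the connected /24 for the segment.
 ip ospf network point-to-multipoint
 ! Spoke-to-spoke traffic enters and leaves on this interface, which
 ! would make the hub send ICMP redirects pointing the spokes at each
 ! other; disable them so nobody is handed a next hop it cannot reach
 ! at layer 2.
 no ip redirects
!
router ospf 1
 router-id 10.10.10.1
 network 10.10.10.0 0.0.0.255 area 0
!
! ---- SPOKE1: router on an isolated port ----
hostname SPOKE1
!
interface GigabitEthernet0/0
 ip address 10.10.10.11 255.255.255.0
 ! Network type must match the hub (also aligns the hello timers).
 ip ospf network point-to-multipoint
!
router ospf 1
 router-id 10.10.10.11
 network 10.10.10.0 0.0.0.255 area 0
!
! ---- SPOKE2: router on another isolated port ----
hostname SPOKE2
!
interface GigabitEthernet0/0
 ip address 10.10.10.12 255.255.255.0
 ip ospf network point-to-multipoint
!
router ospf 1
 router-id 10.10.10.12
 network 10.10.10.0 0.0.0.255 area 0
```

    On SPOKE1, `show ip route ospf` should list 10.10.10.12/32 with next hop 10.10.10.1: a packet for SPOKE2 is therefore sent to the hub's MAC and routed back out, which the isolated port allows. With the default broadcast network type there is no /32, the spokes keep only the connected /24 for the segment and try to ARP for each other directly, which the isolated ports block; that is why it does not work there. As with local proxy ARP, the result is that the hub now forwards every spoke-to-spoke packet, so an inbound ACL on the hub's interface is the place to decide which spokes may actually talk.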

  • Marko Milivojevic 800 posts since
    Jun 26, 2008
    11. Apr 14, 2012 11:13 AM (in response to Arul)
    Re: Private vlans

    Proxy arp: It will respond with its own MAC address for queries outside the network segment the ARP was received on.

     

    Local proxy arp: It will respond with its own MAC address for all the queries, including the local network segment.

     

    --

    Marko Milivojevic - CCIE #18427 (SP R&S)

    Senior CCIE Instructor - IPexpert

  • Elvin Arias 1,837 posts since
    Mar 12, 2010
    12. Apr 14, 2012 11:15 AM (in response to Arul)
    Re: Private vlans

    The "ip proxy-arp" command tells the router to answer ARP queries for things that are basically outside the network. So this is basically some kind of "help" for routers that don't have an explicit next-hop IP address to reach their respective destinations. You can see this behavior with a static route pointing to an interface, and not to an exit next-hop IP address.

     

    The "ip local-proxy-arp" command tells the router to answer ARP queries for things that are basically INSIDE the local subnet. Using the private VLANs analogy from the isolated ports' perspective: if you are inside the isolated VLAN and you try to ping a host inside the same isolated VLAN, your promiscuous/gateway will answer this request and "proxy" the request through itself.

     

    Note: "ip local-proxy-arp" only works if the "ip proxy-arp" feature is enabled. You can see this with "show ip interface <INTERFACE>".

     

    Elvin
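    The local proxy ARP workaround from the two replies above (the earlier one proposing it and this one explaining the dependency on proxy ARP), as an added example that is not part of the thread: the gateway interface for the primary VLAN, here the switch SVI, with proxy ARP left on and local proxy ARP added. VLAN numbers, interface and address are hypothetical, and the same two interface commands apply equally to a router interface attached to the promiscuous port.

```cisco
! Added example, not from the thread. VLAN numbers, interface and
! address are hypothetical.
!
! Gateway for the primary VLAN of the private VLAN. This is the switch
! SVI here; on a router plugged into the promiscuous port the two ARP
! commands go on the physical interface instead.
interface Vlan200
 description PVLAN gateway (promiscuous)
 ip address 10.10.10.1 255.255.255.0
 ! On an SVI the secondary VLANs must be mapped so the SVI can reach
 ! their hosts at all.
 private-vlan mapping 201,202
 ! Proxy ARP is on by default; it is written out explicitly because
 ! ip local-proxy-arp does nothing if someone has turned it off.
 ip proxy-arp
 ! Answer ARP requests for addresses INSIDE 10.10.10.0/24 with this
 ! interface's own MAC. An isolated host asking for another isolated
 ! host then sends its frames to the gateway, which routes them back
 ! out the same interface to the real destination.
 ip local-proxy-arp
 ! Hairpinned traffic would otherwise trigger ICMP redirects telling
 ! the host to reach its neighbour directly, which the isolated port
 ! cannot do; suppress them.
 no ip redirects
```

    `show ip interface Vlan200 | include Proxy` should report both "Proxy ARP is enabled" and "Local Proxy ARP is enabled"; if the first line says disabled, the second setting is ineffective. On an isolated host, the ARP cache entry for the other isolated host's address should now show the gateway's MAC. Note what this does to the security model: the layer-2 isolation is intact, but every isolated-to-isolated packet now crosses the gateway, so the gateway's inbound ACL (or a firewall behind the promiscuous port) is what actually decides which hosts may talk.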

  • Marko Milivojevic 800 posts since
    Jun 26, 2008
    14. Apr 14, 2012 11:24 AM (in response to Arul)
    Re: Private vlans

    It depends. You will get the routes in most cases, but depending on the routing protocol the actual traffic may or may not pass from isolated port to isolated port. If you're using OSPF with the default broadcast network type, it won't work.

     

    --

    Marko Milivojevic - CCIE #18427 (SP R&S)

    Senior CCIE Instructor - IPexpert
