24 Replies   Latest reply: Jun 21, 2012 7:04 AM by simonb

    Private vlans

    Arul

I have a simple doubt about the private VLANs concept.

      The first thing is, private VLANs are just for the switches, right?

       

Even though we isolate the ports, it can go to a router which is configured as a promiscuous port and access the isolated port, right?

        • 1. Re: Private vlans
          CiscoLoco - CCNP

That is correct, private VLANs are only configured on switches.  And yes, we designate ports as either ISOLATED, which means they can only communicate with promiscuous ports, as COMMUNITY, which means they can communicate with the promiscuous ports as well as other ports in the same community, and finally PROMISCUOUS, which can communicate with every port.
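A switch-side configuration that sets up the three port types just described, added here as an example and not taken from the original thread (Cisco IOS syntax; the VLAN numbers, interface names and the router being on Gi0/24 are assumptions):

```text
! Private VLANs are a local switch construct; VTP must be transparent (or off)
! on most Catalyst platforms before the private-vlan keywords are accepted.
vtp mode transparent
!
! Secondary VLANs first, then the primary that binds them together.
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! ISOLATED hosts: L2 reachability only to promiscuous ports, never to each other.
interface GigabitEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! COMMUNITY host: reaches other members of VLAN 102 and promiscuous ports.
interface GigabitEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! PROMISCUOUS port towards the router (default gateway for 10.1.1.0/24, assumed):
! it is mapped to every secondary VLAN, so every host can reach it.
interface GigabitEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Verification:
!   show vlan private-vlan
!   show interfaces GigabitEthernet0/24 switchport
```

With this in place a frame from Gi0/1 destined to the MAC address of the host on Gi0/2 is dropped by the switch, while a frame to the router's MAC on Gi0/24 is forwarded. The rest of the thread is about what happens once that frame reaches the router.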

          • 2. Re: Private vlans
            Arul

            Hi CiscoLoco

             

If that promiscuous port is a router, then the isolated ports can talk to each other, right?

             

I mean the isolated port will reach the promiscuous port on the router and the router will route the traffic and send it to another isolated port. Now it defeats the whole purpose of isolation, right?

             

            Please explain.

            • 3. Re: Private vlans
              Marko Milivojevic

              They can communicate on L3 (i.e. the router on the promiscuous port will ROUTE the packets between hosts), but not on L2.

               

              --

              Marko Milivojevic - CCIE #18427 (SP R&S)

              Senior CCIE Instructor - IPexpert

              • 4. Re: Private vlans
                Arul

Hi Marko

                 

Do you know how to download Webex recorded videos? I have a link to a video and my player hangs at buffering. Please help me with the downloading options.

                 

                Thanks

                • 5. Re: Private vlans
                  Marko Milivojevic

                  I don't see how this is related to private VLANs, but in any case, I really don't know the answer to that. Sorry.

                   

                  --

                  Marko Milivojevic - CCIE #18427 (SP R&S)

                  Senior CCIE Instructor - IPexpert

                  • 6. Re: Private vlans
                    Elvin Arias

The isolated ports inside the isolated VLAN can't communicate with each other by default. They will not talk to each other through the promiscuous port, since the communication is local, and there is no need for intervention by the promiscuous port, or any other locally configured VLAN.

                     

There is still a workaround. Yes, you can make two isolated ports communicate. You just need to enable the "ip local-proxy-arp" feature on the promiscuous interface. The switch will start to answer ANY local communication between these two isolated ports, and they will be able to talk to each other.

                     

                    Elvin

                    • 7. Re: Private vlans
                      Marko Milivojevic

There is another workaround using OSPF, but yes, to make it work without a routing protocol you'll need local proxy ARP on the promiscuous port.

                       

                      --

                      Marko Milivojevic - CCIE #18427 (SP R&S)

                      Senior CCIE Instructor - IPexpert

                      • 8. Re: Private vlans
                        Elvin Arias

                        With OSPF? I didn't know that! If you show us how to do that it would be nice.

                         

                        Elvin

                        • 9. Re: Private vlans
                          Arul

Now what is the difference between local proxy ARP and just proxy ARP?

                           

                          ip local-proxy-arp

                          ip proxy-arp

                           

                          Please explain

                          Thanks

                          • 10. Re: Private vlans
                            Marko Milivojevic

Hehehehe - run OSPF on the private VLAN segment with point-to-multipoint network type. Each router will inject a /32 for its own interface and that /32 would be readvertised by the hub (promiscuous port) with the next-hop of its own interface. Essentially, the OSPF route being more specific than the one on the segment will be taken into account and there is no need for local proxy ARP acrobatics :-).

                             

                            A twisted mind of a CCIE instructor ;-)

                             

                            --

                            Marko Milivojevic - CCIE #18427 (SP R&S)

                            Senior CCIE Instructor - IPexpert
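The OSPF point-to-multipoint trick from the post above, written out as an added example (Cisco IOS syntax, not configuration from the thread; addresses, router IDs and interface names are assumed, and the "spokes" are routers sitting on isolated ports while the "hub" sits on the promiscuous port):

```text
! ---- Hub router, attached to the promiscuous port ----
router ospf 1
 router-id 10.1.1.1
 network 10.1.1.0 0.0.0.255 area 0
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ! p2mp: the segment is modelled as a set of point-to-point links hub<->spoke,
 ! no DR/BDR election, and every router advertises its own address as a /32.
 ip ospf network point-to-multipoint
!
! ---- Spoke router A, attached to an isolated port ----
! (spoke B is identical except for router-id / address 10.1.1.3)
router ospf 1
 router-id 10.1.1.2
 network 10.1.1.0 0.0.0.255 area 0
!
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip ospf network point-to-multipoint
!
! ---- What to check ----
! On the hub: both spokes are neighbours (the spokes only ever see the hub).
!   show ip ospf neighbor
! On spoke A: B's address is an OSPF /32 whose next hop is the hub, and that
! /32 beats the connected 10.1.1.0/24, so A sends traffic for B to the hub's MAC
! and the hub routes it back out towards B.
!   show ip route ospf
!   show ip route 10.1.1.3
```

The spokes never exchange hellos directly because the switch drops isolated-to-isolated frames, but point-to-multipoint does not need them to: each spoke only has to be adjacent to the hub. This is also why the default broadcast network type, mentioned later in the thread, does not carry the traffic: on a broadcast network OSPF computes the next hop for a prefix behind spoke B as B's own interface address, so spoke A still tries to reach B at layer 2 and the switch drops it.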

                            • 11. Re: Private vlans
                              Marko Milivojevic

                              Proxy arp: It will respond with its own MAC address for queries outside the network segment the ARP was received on.

                               

                              Local proxy arp: It will respond with its own MAC address for all the queries, including the local network segment.

                               

                              --

                              Marko Milivojevic - CCIE #18427 (SP R&S)

                              Senior CCIE Instructor - IPexpert

                              • 12. Re: Private vlans
                                Elvin Arias

The "ip proxy-arp" command tells the router to answer ARP queries for things that are basically outside the network. So this is basically some kind of "help" to routers that don't have an explicit next-hop IP address to reach their respective destinations. You can see this behavior with a static route pointing to an interface, and not to an exit next-hop IP address.

                                 

The "ip local-proxy-arp" command tells the router to answer ARP queries for things that are basically INSIDE the local subnet. Using the private VLANs analogy from the isolated ports' perspective: if you are inside the isolated VLAN, and you try to ping a host inside the same isolated VLAN, your promiscuous/gateway will answer this request and "proxy" the request through itself.

                                 

                                Note: The "ip local-proxy-arp" only works if the "ip proxy-arp" feature is enabled. You can see this with the "show ip interface <INTERFACE>".

                                 

                                Elvin
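The router-side configuration for the local proxy ARP workaround discussed in posts 6, 11 and 12, added here as an example (Cisco IOS syntax, not configuration from the thread; the subnet, interface name and the assumption that this interface is the one connected to the promiscuous port are mine):

```text
! Router interface behind the switch's promiscuous port; it is the default
! gateway for the isolated hosts in 10.1.1.0/24 (assumed addressing).
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 !
 ! Proxy ARP (IOS default, so it does not show in running-config): the router
 ! answers ARP requests for addresses OUTSIDE 10.1.1.0/24 with its own MAC.
 ip proxy-arp
 !
 ! Local proxy ARP: the router ALSO answers ARP requests for addresses INSIDE
 ! 10.1.1.0/24 with its own MAC. Isolated host A asking for isolated host B
 ! therefore gets the router's MAC, sends the frame to the promiscuous port,
 ! and the router routes it back out to B. Requires ip proxy-arp to be enabled.
 ip local-proxy-arp
!
! Verification: both "Proxy ARP is enabled" and "Local Proxy ARP is enabled"
! should appear in
!   show ip interface GigabitEthernet0/0 | include [Pp]roxy
```

Design note: this deliberately re-creates the host-to-host path that the private VLAN removed, for every address in the subnet, and it does so by lying in ARP replies. The layer 2 isolation still holds, but the only thing now separating two isolated hosts is whatever policy the router applies to traffic it routes back out the same interface. Enable it only where that is the intent, for instance so that an access list on the gateway becomes the single enforcement point between hosts that must not talk to each other freely.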

                                • 13. Re: Private vlans
                                  Arul

With any routing protocol enabled, it will forward the traffic from one isolated port to another isolated port, right?

                                  • 14. Re: Private vlans
                                    Marko Milivojevic

It depends. You will get the routes in most cases, but depending on the routing protocol the actual traffic may or may not pass from isolated to isolated port. If you're using OSPF with the default broadcast network type, it won't work.

                                     

                                    --

                                    Marko Milivojevic - CCIE #18427 (SP R&S)

                                    Senior CCIE Instructor - IPexpert
