Private VLANs and protected ports
In this post we will look at two layer 2 technologies: private VLANs and protected ports.
Private VLANs are used to segregate the layer 2 domain within a single VLAN without wasting IP addresses; think of them as sub-VLANs inside the same VLAN that share the same IP subnet. These sub-VLANs (secondary VLANs) come in two kinds:
1- Community
2- Isolated
The difference between community and isolated sub-VLANs is that hosts within a community VLAN can communicate with each other, while hosts within an isolated VLAN cannot communicate with each other at all. Also note that hosts in different community VLANs cannot communicate with each other, and hosts in an isolated VLAN cannot communicate with hosts in a community VLAN either. So how do the hosts in community and isolated VLANs reach the outside world? Through the promiscuous port: it is part of the parent (primary) VLAN, and it is the one port allowed to communicate with every sub-VLAN, community or isolated.
In our setup, we have 2 switches running a trunk port between them, R1 represents the gateway for that vlan 100 and subnet 10.1.100.0/24
VLAN 23 is a community VLAN, so R2 and R3 should be able to communicate with each other
VLAN 45 is an isolated VLAN, so R4 and R5 will not be able to communicate with each other
R6 is part of the parent VLAN 100, but its switch port has no private VLAN configuration
R1 will be configured as the promiscuous port for this vlan 100 and its sub-vlans
Before we start configuring our private VLANs, we want to make sure that we have connectivity between all hosts, so we can see the difference before and after the configuration.
So from R1:
R1#ping 10.1.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 10.1.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 10.1.100.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R1#ping 10.1.100.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 10.1.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
so now let’s configure our switches
On SW1:
SW1(config)#vlan 100
SW1(config-vlan)#private-vlan primary
%Private VLANs can only be configured when VTP is in transparent mode.
As you guys can see, because the switch is in VTP server mode we received this error message: private VLANs are only supported when VTP is in transparent mode. So let's fix that first and continue.
on both SW1 and SW2
! VTP must be in transparent mode before private VLANs can be configured
vtp mode transparent
!
vlan 100
 private-vlan primary
 private-vlan association 23,45
!
vlan 23
 private-vlan community
!
vlan 45
 private-vlan isolated
The first part of the configuration is complete: we have created the primary VLAN 100, associated the sub-VLANs with it, and defined the sub-VLAN types (community and isolated).
Now we need to configure the individual switch interfaces
on SW1
interface FastEthernet0/1
 switchport access vlan 100
 switchport private-vlan mapping 100 23,45
 switchport mode private-vlan promiscuous
!
interface FastEthernet0/3
 switchport access vlan 100
 switchport private-vlan host-association 100 23
 switchport mode private-vlan host
!
interface FastEthernet0/5
 switchport access vlan 100
 switchport private-vlan host-association 100 45
 switchport mode private-vlan host
on SW2
interface FastEthernet0/2
 switchport access vlan 100
 switchport private-vlan host-association 100 23
 switchport mode private-vlan host
!
interface FastEthernet0/4
 switchport access vlan 100
 switchport private-vlan host-association 100 45
 switchport mode private-vlan host
Note how on SW1 the promiscuous port f0/1 was mapped to both sub-VLANs, so R1 can communicate with the hosts in every sub-VLAN.
now let’s test our configuration
R2 and R3 are in the community VLAN, so they should be able to communicate with each other and with R1, but not with any other host.
R2(config)#do p 10.1.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2(config)#do p 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2(config)#do p 10.1.100.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config)#do p 10.1.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config)#
R4 and R5 are in the isolated VLAN, so they should be able to communicate with R1 only.
Since R6's switch port wasn't given any private VLAN configuration, R6 should not be able to communicate with R1 or with any other host.
R6(config-if)#do p 10.1.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
.....
However, if we configure SVI interfaces in VLAN 100 on these switches, they should still be reachable from the promiscuous port.
SW1(config)#interf vlan 100
SW1(config-if)#ip address 10.1.100.101 255.255.255.0
SW2(config)#interf vlan 100
SW2(config-if)#ip address 10.1.100.102 255.255.255.0
and from R1
R1#ping 10.1.100.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 10.1.100.102
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.102, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
However from R6
R6(config-if)#do p 10.1.100.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.101, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6(config-if)#do p 10.1.100.102
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.102, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Protected Ports:
Protected ports provide something similar to private VLANs, but without the flexibility that private VLANs give us.
Protected ports are simply isolated ports on the same switch: two protected ports can't communicate with each other, but each of them can still communicate with all the other (non-protected) hosts in the same VLAN.
Protected port functionality can't span multiple switches.
So in our setup we will revert to the default configuration, and all switch ports will be configured as static access ports in VLAN 100.
F0/1 and F0/3 on SW1 are configured as protected
F0/2 and F0/6 on SW2 are configured as protected
SW1
interface FastEthernet0/1
 switchport access vlan 100
 switchport protected
!
interface FastEthernet0/3
 switchport access vlan 100
 switchport protected
SW2
interface FastEthernet0/2
 switchport access vlan 100
 switchport protected
!
interface FastEthernet0/6
 switchport access vlan 100
 switchport protected
Now let’s test the configuration from R1
R1#ping 10.1.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 10.1.100.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 10.1.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Although F0/2 is configured as a protected port on SW2, I was able to reach R2 from R1 because they are on different switches.
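To make the forwarding rules from both sections concrete, here is an added Python model (not from the post, and not Cisco code) that reproduces the ping results of the private VLAN lab and of the protected-ports lab above. It assumes R6 sits on SW2 f0/6 (as in the protected-ports section) and that two plain access ports keep normal VLAN behaviour, neither of which the post tested.

```python
from dataclasses import dataclass

# Constructed model of the two lab topologies in the post. Roles: "promiscuous"
# (R1's f0/1), "community" / "isolated" host ports, "access" (R6, no PVLAN config).
# Assumption: R6 hangs off SW2 f0/6, as in the protected-ports section.
@dataclass(frozen=True)
class Port:
    host: str
    switch: str
    role: str = "access"
    secondary: int = 0        # community/isolated VLAN id for host ports (0 = none)
    protected: bool = False   # 'switchport protected'

def pvlan_allows(a: Port, b: Port) -> bool:
    """Layer-2 forwarding decision inside one primary VLAN with private VLANs.
    Only what the post tested is modelled; two plain access ports are assumed
    to keep normal VLAN behaviour. This is layer 2 only: the gateway behind the
    promiscuous port can still route between hosts unless an ACL on it blocks that."""
    if "promiscuous" in (a.role, b.role):
        other = b if a.role == "promiscuous" else a
        return other.role != "access"      # R1 reaches every PVLAN host, not R6
    if a.role == b.role == "community":
        return a.secondary == b.secondary  # same community VLAN only
    if a.role == b.role == "access":
        return True                        # assumption, see docstring
    return False  # isolated<->isolated, community<->isolated, access<->PVLAN host

def protected_allows(a: Port, b: Port) -> bool:
    """'switchport protected' is local to one switch: two protected ports on the
    same switch never exchange frames; any other pair forwards normally."""
    return not (a.protected and b.protected and a.switch == b.switch)

PVLAN_LAB = {
    "R1": Port("R1", "SW1", "promiscuous"),
    "R2": Port("R2", "SW2", "community", 23),
    "R3": Port("R3", "SW1", "community", 23),
    "R4": Port("R4", "SW2", "isolated", 45),
    "R5": Port("R5", "SW1", "isolated", 45),
    "R6": Port("R6", "SW2"),
}
PROTECTED_LAB = {  # everything back to plain access VLAN 100, four ports protected
    "R1": Port("R1", "SW1", protected=True), "R3": Port("R3", "SW1", protected=True),
    "R2": Port("R2", "SW2", protected=True), "R6": Port("R6", "SW2", protected=True),
    "R4": Port("R4", "SW2"), "R5": Port("R5", "SW1"),
}

def reachable(lab, rule, src: str, dst: str) -> bool:
    """Can host src ping host dst under the given forwarding rule?"""
    return rule(lab[src], lab[dst])
```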