Private VLANS and protected ports

image

In this post we will try to learn two layer 2 technologies, private vlans and protected ports

Private vlans is used to segregate the layer 2 domain within the same vlan so we don’t waste any IP addresses, think about as sub-vlans within the same vlan that share the same layer 3 address. These sub-vlans can be of two kinds                      1- Community

2- Isolated

The difference between community and isolated sub-vlans that hosts within community vlan can communicate together however hosts within isolated vlans con’t communicate to each others, also note that hosts from different community vlans can’t communicate/isolated vlans can’t communicate together. The question is how these hosts in community/isolated vlans communicate to the outside world, and the answer is they communicate through the promiscuous port which is part of parent vlan but this port is allowed to communicate to all sub-vlans whether community or isolated

In our setup, we have 2 switches running a trunk port between them, R1 represents the gateway for that vlan 100 and subnet 10.1.100.0/24

Vlan 23 is a community vlan so R2 and R3 should be able to communicate together

Vlan 45 is isolated vlan so R4 and R5 will not be able to communicate together

R6 is part of the parent vlan 100 but not configured with private vlan configurations

R1 will be configured as the promiscuous port for this vlan 100 and its sub-vlans

before we start configuring our private vlans, we want to make sure that we have connectivity between all hosts so we can see the difference between and after the configurations

so From R1

R1#ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R1#ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

so now let’s configure our switches

on Sw1

SW1(config)#vlan 100
SW1(config-vlan)#private-vlan primary
%Private VLANs can only be configured when VTP is in transparent mode.

As you guys can see because the switch is in VTP server mode we received this error message, private vlans are only supported in transparent mode, so now let’s fix this and continue

on both SW1 and SW2

vlan 100
private-vlan primary
private-vlan association 23,45
!
vlan 23
private-vlan community
!
vlan 45
private-vlan isoalted

our first part of configuration is completed, we have created the primary vlan 100 , associated the sub-vlans and defined the sub-vlans typed (community and isolated)

Now we  need to configure the individual switch interfaces

on SW1

interface FastEthernet0/1
 switchport access vlan 100
 switchport private-vlan mapping 100 23,45
 switchport mode private-vlan promiscuous
!
interface FastEthernet0/3
 switchport access vlan 100
 switchport private-vlan host-association 100 23
 switchport mode private-vlan host
!
interface FastEthernet0/5
switchport access vlan 100
switchport private-vlan host-association 100 45
switchport mode private-vlan host

on SW2

interface FastEthernet0/2
 switchport access vlan 100
 switchport private-vlan host-association 100 23
 switchport mode private-vlan host

interface FastEthernet0/4
 switchport access vlan 100
 switchport private-vlan host-association 100 45
 switchport mode private-vlan host

Note how on SW1 the promiscuous port f0/1 was associated with both sub-vlans so R1 can communicate with all hosts in different sub-vlans

now let’s test our configuration

R2 and R3 are in community vlan so they should be able to communicate between them and with R1 but not with any other host

R2(config)#do p 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2(config)#do p 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2(config)#do p 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config)#do p 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config)#

R4 and R5 are in isolated vlan so they should be able to communicate with R1 only

R2(config)#do p 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2(config)#do p 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2(config)#do p 10.1.100.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config)#do p 10.1.100.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2(config)#

Since R6 switch port wasn’t configured with any private vlan configuration, R6 should not be able to communicate with R1 or any other host

R6(config-if)#do p 10.1.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.1, timeout is 2 seconds:
.....

however if we have SVI interfaces configured in these switches, communications should still be available with the promiscuous port

SW1(config)#interf vlan 100
SW1(config-if)#ip address 10.1.100.101 255.255.255.0

SW2(config)#interf vlan 100
SW2(config-if)#ip address 10.1.100.102 255.255.255.0

and from R1

R1#ping 10.1.100.101

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 10.1.100.102

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.102, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

However from R6

R6(config-if)#do p 10.1.100.101

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.101, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R6(config-if)#do p 10.1.100.102

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.102, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

Protected Ports:

Protected ports provides something similar to private vlans but without the flexibility that we get with the private vlans

Protected ports are just isolated ports on the same switch where two protected ports can’t communicate with each other but can communicate with all other hosts on the same vlan

Protected ports  functionality can’t be spanned across multiple switches

So in our setup we will revert back to the default configurations and all switch ports will be configured as static access vlan 100

F0/1 and F0/3 on SW1 are configured as protected

F0/2 and F0/6 on SW2 are configured as protected

SW1

interface FastEthernet0/1
 switchport access vlan 100
 switchport protected
!
interface FastEthernet0/3
 switchport access vlan 100
 switchport protected

SW2

interface FastEthernet0/2
 switchport access vlan 100
 switchport protected
!
interface FastEthernet0/6
 switchport access vlan 100
 switchport protected

Now let’s test the configuration from R1

R1#ping 10.1.100.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ping 10.1.100.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 10.1.100.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Although F0/2 is configured as protected port on SW2 I was able to reach R2 from R1 because they are on different switches

Comments

Post a Comment

Popular posts from this blog

BPDU Filter vs BPDU Guard

        Today we will try to explore the difference between these 2 options, BPDU guard and BPDU filter We know that BPDU are used to communicate between switches in L2 networks  to ensure loop free topology. BPDU Guard is used to protect our access (or trunks incase of servers) ports from receiving undesired BPDU packets, this feature is helpful in enforcing your network boundary in access layer BPDU Guard can be enabled on global configuration as well as under the interface configuration BPDU Filter on the other hand is used to filter BPDU packets outbound when configured  in global configuration (after sending 11 BPDU out ) and will filter BPDU inbound/outbound when configured under the interface level To better understand these two features, let’s use this simple topology R1 is connected to SW1 through F0/0 to have R1 send and receive BPDU we will simple configure bridging group 1 on the router and we will join the bridge group when desired to test our configuration BPDU
Read more

BGP Weight Attribute

Image
Before we start the lab let's see the BGP path selection process If the path specifies a next hop that is inaccessible, drop the update. •Prefer the path with the highest weight. •If the weights are the same, prefer the path with the largest local preference. •If the local preferences are the same, prefer the path that was originated by BGP running on this router. •If no route was originated, prefer the route that has the shortest AS_path. •If all paths have the same AS_path length, prefer the path with the lowest origin code (where IGP is lower than EGP, and EGP is lower than incomplete). •If the origin codes are the same, prefer the path with the lowest MED attribute. •If the paths have the same MED, prefer the external path over the internal path. •If the paths are still the same, prefer the path through the closest IGP neighbor. •Prefer the path with the lowest IP address, as specified by the BGP router ID. I read this on CCIE Pursuit blog We Love Oranges As O
Read more

OSPF–Point To Multipoint Non-Broadcast

Image
Using same setup that we have been using in the last 3 posts, we will change the network type to point-to-multipoint Non-Broadcast we will also add a Ethernet link between R2 and R3 and enable OSPF on it Our final configuration should be something like this R1 interface Serial0/0   no ip address   encapsulation frame-relay   no frame-relay inverse-arp ! interface Serial0/0.123 multipoint   ip address 10.1.123.1 255.255.255.0   ip ospf network point-to-multipoint non-broadcast   ip ospf 1 area 0   frame-relay map ip 10.1.123.2 102   frame-relay map ip 10.1.123.3 103 !          router ospf 1   router-id 1.1.1.1   log-adjacency-changes   neighbor 10.1.123.2   neighbor 10.1.123.3 R2 interface Serial0/0   no ip address   encapsulation frame-relay   no frame-relay inverse-arp ! interface Serial0/0.123 multipoint   ip address 10.1.123.2 255.255.255.0   ip ospf network point-to-multipoint non-broadcast   ip ospf 1 area 0   frame-relay map ip 10.1.123.1 201 R3 interface
Read more