Private VLAN Concepts and Configuration
Like this article? We recommend
Like this article? We recommend
Like this article? We recommend
A VLAN in its normal application can be a very useful tool for any organization looking to secure and isolate different parts of the network. It gives an easily configurable option when switches exist in a network with ports that must be virtually isolated from each other. It also offers the ability to limit the size of the broadcast domains in the network; this by itself is worth its implementation. A private VLAN offers another level of security that enables an organization to further secure VLAN ports. This article takes a look at this feature, its functionality and how it can be configured on Cisco equipment.
Private VLAN Concepts
As stated above, the private VLAN concept extends on the traditional VLAN. A traditional VLAN allows an organization the ability to isolate different physical parts of a switched network into virtual isolation. For VLANs to forward traffic to each other, a Layer 3 device must be involved. This enables the organization the ability to limit the broadcast domain and to provide an easy point of security configuration. For example, if only specific VLANs need to forward traffic to each other, this can be easily configured at the Layer 3 device. The private VLAN concept extends on this ability and defines a couple of different "sub" VLAN types that enable different functionality.
These different "sub" VLAN types include:
Primary VLAN
- Primary VLAN—This VLAN acts as the master in a Master-Slave relationship with a secondary VLAN type; this "pairing" enables different functional possibilities.
Secondary VLANs
- Isolated VLAN—The ports assigned with this VLAN type cannot communicate with other members in the same isolated VLAN (at Layer 2); they are only allowed to send traffic to their primary VLAN.
- Community VLAN—The ports assigned with this VLAN can communicate with other members in the same community VLAN (at Layer 2) and with the primary VLAN; but are not allowed to communicate (at Layer 2) with members of other community VLANs.
To take advantage of private VLANs, they must be implemented on a switch and its switchports. Each of these switchports is configured with a specific private VLAN port type that enables this functionality.
These different private VLAN port types include:
- Promiscuous Ports—These ports belong to the primary VLAN and are permitted to communicate with all isolated and community ports that are associated with it.
- Isolated Ports—These ports belong to an isolated VLAN and are permitted to only communicate with the promiscuous ports. No communication is permitted between any other ports (at Layer 2), including members of the same isolated VLAN.
- Community Ports—These ports belong to a community VLAN and are permitted to communicate with other community ports in the same community VLAN and with promiscuous ports.
So why bother to add this configuration? There are a couple of different situations where this feature is very useful.
For example, when a service provider has many customers and wants to ensure that they cannot directly communicate at Layer 2, they must assign a VLAN to each customer. The problem that can quickly occur is that the number of VLANs available is exceeded. When using private VLANs each of the customers could belong to an isolated VLAN, this enables the service provider the ability to use the same IP address range and VLAN for all customers while also isolating them from each other at Layer 2. Another option could be when a customer uses multiple ports; each of these ports could be configured in the same community VLAN and be allowed to communicate at Layer 2.
These are just a few of the possible configurations that can be used; a creative engineer could use them in a number of different situations.
Private VLAN Configuration
The configuration of the private VLAN feature is not overly complicated as long as you have a solid understanding of the basic functionality exists.
The first thing to configure is the VLANs themselves; this includes associating them with specific private VLAN “sub” types. Table 1 below shows the different commands required to perform this association.
Table 1
|
Step 1 |
Enter privileged mode |
router>enable |
|
Step 2 |
Enter global configuration mode |
router#configure terminal |
|
Step 3 |
Configure VTP Transparent Mode. Private VLANs only work when VTP functionality is disabled |
router(config)#vtp mode transparent |
|
Step 4 |
Enter VLAN configuration mode for the secondary VLAN. |
router(config)#vlan vlan-id |
|
Step 5 |
Configure the VLAN as a private secondary VLAN |
router(config-vlan)#private-vlan [isolated | community] |
|
Step 6 |
Enter VLAN configuration mode for the primary VLAN |
router(config-vlan)#vlan vlan-id |
|
Step 7 |
Configure the VLAN as a private primary VLAN |
router(config-vlan)#private-vlan primary |
|
Step 8 |
Associate the primary VLAN with secondary VLANs The secondary-vlan-list parameter is typically a range (using ‘-‘) or a comma separated list. No spaces are allowed. |
router(config-vlan)#private-vlan association [add | remove] secondary-vlan-list |
The second step involves configuring interfaces into a specific private VLAN port type and associating it with a private and secondary VLAN(s). How this is done depends on whether the interface is going to be a host interface (secondary) or a promiscuous interface (primary). The steps that are required for host interface configuration are shown in Table 2.
Table 2
|
Step 1 |
Enter privileged mode |
router>enable |
|
Step 2 |
Enter global configuration mode |
router#configure terminal |
|
Step 3 |
Enter interface configuration mode. |
router(config)#interface interface-id |
|
Step 4 |
Configure the interface as a host interface. |
router(config-if)#switchport mode private-vlan host |
|
Step 5 |
Associate the interface with a primary and secondary VLAN |
router(config-if)#switchport private-vlan host-association primary-vlan secondary-vlan |
The Steps that are required for promiscuous interface configuration are shown in Table 3.
Table 3
|
Step 1 |
Enter privileged mode |
router>enable |
|
Step 2 |
Enter global configuration mode |
router#configure terminal |
|
Step 3 |
Enter interface configuration mode. |
router(config)#interface interface-id |
|
Step 4 |
Configure the interface as a promiscuous interface |
router(config-if)#switchport mode private-vlan promiscuous |
|
Step 5 |
Associate the interface with a primary vlan and all secondary vlans The secondary-vlan-list parameter is typically a range (using ‘-‘) or a comma separated list. No spaces are allowed. |
router(config-if)#switchport private-mode mapping primary-vlan [add | remove] secondary-vlan-list |
Communication is often required outside of a specific VLAN. With private VLANs, a Layer 3 SVI (Layer 3—Switch Virtual Interface) can be used to provide this functionality. As with the Layer 2 configurations above, the SVI must be configured and then mapped to all appropriate VLANs. The configuration required to accomplish this functionality is shown in Table 4.
Table 4
|
Step 1 |
Enter privileged mode |
router>enable |
|
Step 2 |
Enter global configuration mode |
router#configure terminal |
|
Step 3 |
Enter VLAN (SVI) interface configuration mode. |
router(config)#interface vlan primary-vlan-id |
|
Step 4 |
Associate the secondary VLANs with the SVI. The secondary-vlan-list parameter is typically a range (using ‘-‘) or a comma separated list. No spaces are allowed. |
router(config-if)#private-vlan mapping [add | remove ] secondary-vlan-list |
Summary
The private VLAN feature provides the ability to efficiently utilize VLANs as well as provide another level of Layer 2 security. In situations where this additional VLAN flexibility would be useful the private VLAN feature can be invaluable. Hopefully, this article has given a good overview of what is possible with the private VLAN feature and can be successfully implemented in any situation where it can be useful.