Private VLAN Configuration

Private VLAN Configuration

For those reading this article without an understanding of the concepts behind private VLANs, check out the private VLAN concepts article. This article takes a look at what is required to configure private VLANs on Cisco equipment.

The first thing that needs to be reviewed is how the concepts of primary, community and isolated VLANs translate to a physical implementation of private VLANs. Switchports that are going to be used by the private VLAN feature are separated into three different categories: Promiscuous, Community, and Isolated. A promiscuous switchport is able to see the traffic from all other promiscuous switchports as well as all secondary switchport types (community and isolated). If the reader has just come from the private VLANs concepts article, the switchports assigned as promiscuous exist within the primary VLAN and map to the secondary VLANs.

First Phase: VLAN Configuration

The first phase in private VLAN configuration is to set up the VLANs that will be used and assign them to a specific type. It is important to note that one caveat to using the private VLAN feature is it is not compatible with the Virtual Trunking Protocol (VTP); due to this the first thing that must be done is to configure the switch into VTP transparent mode.

Enter privileged mode. router>enable
Enter global configuration mode router#configure terminal
Configure VTP Transparent Mode. router(config)#vtp mode transparent

The next step is to configure the VLANs as specific private VLAN types.

Enter VLAN configuration mode for the secondary VLAN. router(config)#vlan vlan-id
Configure the VLAN as a private secondary VLAN. router(config-vlan)#private-vlan [isolated | community]
Enter VLAN configuration mode for the primary VLAN. router(config-vlan)#vlan vlan-id
Configure the VLAN as a primary VLAN. router(config-vlan)#private-vlan primary

Once all of the VLANs have been configured, the primary and secondary VLANs must be associated together.

Associate the primary VLAN with secondary VLANs.

The secondary-vlan-list parameter is typically a range (using ‘-‘) or a comma separated list. No spaces are allowed.

router(config-vlan)#private-vlan association [add | remove] secondary-vlan-list

Second Phase: Switchport Configuration

The second phase involves the configuration of the physical switchports, what type of private VLAN they are and how they are associated with the VLANs. This article will show the configuration of the switchports assigned to the secondary private VLANs first.

The first thing to do is to configure the switchport as a host (this includes community and isolated switchports).

Enter interface configuration mode. router(config-vlan)#interface interface-id
Configure the interface as a host interface. router(config-if)#switchport mode private-vlan host

The next thing to do is associate the switchport with the primary and secondary VLANs that were configured in the previous section.

Associate the interface with a primary and secondary VLAN router(config-if)#switchport private-vlan host-association primary-vlan secondary-vlan

The configuration of the switchports in the primary VLAN now has to be completed.

Enter interface configuration mode. router(config-if)#interface interface-id
Configure the interface as a promiscuous interface router(config-if)#switchport mode private-vlan promiscuous

This switchport then has to be mapped to all of the associated primary and secondary VLANs.

Associate the interface with a primary VLAN and all secondary VLANs

The secondary-vlan-list parameter is typically a range (using ‘-‘) or a comma separated list. No spaces are allowed.

router(config-if)#switchport private-mode mapping primary-vlan {add | remove} secondary-vlan-list

This completes the layer-2 configuration of private VLANs; if only layer-2 connectivity is required then the next section is not required.

Third Phase: Layer-3 Connectivity

As with a normal VLAN, private VLANs will only allow communications within the configured VLANs (according to the private VLAN rules), but to speak to devices outside this VLAN structure a layer-3 device is required. In many situations, this layer-3 functionality is also provided by the switch (assuming this is a layer-3 capable switch). This section shows the additional configuration that is required to have the switch provide layer-3 functionality to the switchports configured with the private VLAN feature.

This additional configuration is simple and just adds a single configuration command to the primary VLAN interface.

Enter VLAN (SVI) interface configuration mode. router(config)#interface vlan primary-vlan-id
Associate the secondary VLANs with the SVI.

The secondary-vlan-list parameter is typically a range (using ‘-‘) or a comma separated list. No spaces are allowed.

router(config-if)#private-vlan mapping {add | remove} secondary-vlan-list

Summary

Once an engineer has a firm understanding of private VLAN concepts it is rather simple to translate this understanding to the configuration portion of private VLANs. There are a number of different applications for the private VLAN feature that an engineer can take advantage of, and hopefully these two articles will make it easier to understand how they can be put to use.

0
 in Cisco

Comments