Private VLANs (PVLANs)


This evening I got a call from a former colleague asking about Private VLANs, so I searched the web for a clear, simple explanation and excerpted it below. The point that confuses people most is that a Private VLAN contains three kinds of ports, so here is a plain summary of how they differ:

  • Promiscuous - This kind of port usually connects to the devices shared by the whole VLAN, such as the gateway or external servers.
  • Isolated - This kind of port can normally only reach promiscuous ports. It fits well when an IDC offers server co-location and, to save IP addresses, does not want to carve up subnets and waste addresses: hosts of different customers can share one VLAN (and one IP subnet) while remaining unable to reach each other.
  • Community - Devices on this kind of port can talk directly to the other devices on ports of the same community (for example, a customer co-locates three hosts that use the same subnet and must reach each other, but must not reach other customers' hosts in that subnet), and can also reach the gateway or external servers on promiscuous ports.

Private VLANs (PVLANs)

Until now, I thought PVLANs were a bit difficult to understand and to implement, like when studying for the CCNP, which took me a while to digest, and I had some doubts about it, till today! Man... how simple it is, and there's not much "magic" in that (like our friend Scott Morris usually says)! Pretty straightforward and no big deal! The Security VideoIPExpert is AWESOME. It's short, informative, to the point, and solved MANY questions I've had for a while in minutes! Man! What a nice way to do it!
So, let's get into that:

There are three types of Private VLAN ports:

  • Promiscuous (P) - talk to everyone (usually connected to the exit Router, DNS, DHCP Server, NTP Server);
  • Isolated (I) - only talk to Promiscuous ports;
  • Community (C) - talk to others in the same Community & Promiscuous ports.
To configure PVLANs, the switch MUST be in VTP transparent mode; otherwise it will not work.

Just keep in mind that when you configure your switch to VTP transparent mode, the switch does not lose the VLANs it has already learned; it simply stops receiving VTP updates from now on!

Hosts in different PVLANs are all in the same IP subnet, BUT they are not able to talk to hosts in a different community or isolated VLAN! That's the main goal of a PVLAN: to split the VLAN domain into multiple isolated broadcast subdomains. But what if one community VLAN needs to talk to another community VLAN? Well... that can be done through a router or L3 switch. You can also apply access-lists and other security features there to permit only the traffic you want to pass through!

The best way to explain this is with an example, so check our topology; we'll concentrate on the PVLAN ports:
[Figure: PVLAN topology]


There are three community VLANs (there can be more if you want), so you put every client inside its own community VLAN, which prevents one client from talking to another. That means Customer A could have a web server and some other application server inside its own community VLAN, and those devices will be able to talk to each other, but they will NOT be able to talk to devices in other community or isolated VLANs.

But wait a minute: we've created one community VLAN for each customer, and only one isolated VLAN?! What if more customers need isolated ports? Should we create more isolated VLANs? The answer is NO. Isolated ports only talk to the promiscuous ports and not to each other. So each customer on an isolated port will be confined to that port plus the promiscuous port.

First, let's go ahead and create our VLANs:
SW1 and SW2:


vlan 10
private-vlan primary
exit
!
vlan 101
private-vlan isolated
exit
!
vlan 102
private-vlan community
exit
!
vlan 103
private-vlan community
exit
!
vlan 104
private-vlan community
exit
!
vlan 10
private-vlan association add 101-104
exit

So, VLAN 10 is our primary VLAN (the one the promiscuous ports belong to), and it is associated with ALL the secondary VLANs (101, 102, 103 and 104).

Now we'll associate each port with its VLAN; check it out:
SW1:

interface fa0/3
switchport mode private-vlan host
switchport private-vlan host-association 10 104
!
interface fa0/4
switchport mode private-vlan host
switchport private-vlan host-association 10 104
!
interface fa0/7
switchport mode private-vlan host
switchport private-vlan host-association 10 102
!
interface fa0/8
switchport mode private-vlan host
switchport private-vlan host-association 10 102

SW2:

interface fa0/3
switchport mode private-vlan host
switchport private-vlan host-association 10 101
!
interface fa0/4
switchport mode private-vlan host
switchport private-vlan host-association 10 103
!
interface fa0/5
switchport mode private-vlan host
switchport private-vlan host-association 10 103
!
interface fa0/2
switchport mode private-vlan promiscuous
switchport private-vlan mapping 10 add 101-104

Every port MUST be associated with the primary VLAN (in our case VLAN 10)! Beyond that, each port is associated with a secondary VLAN (an isolated or community VLAN) that specifies how the port will behave! That's why ALL ports are associated with VLAN 10 plus their own secondary VLAN.
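To make the three port rules concrete, here is an added example (not code from the original post or from IPExpert): a small Python model that parses the SW1/SW2 interface configuration quoted above and answers whether one port may forward frames to another. The interface names, VLAN numbers and secondary VLAN types are the ones from the post; the one assumption is that the trunk between SW1 and SW2 carries VLAN 10 and its secondaries, so cross-switch pairs follow the same rules as pairs on one switch.

```python
"""Added example (not from the original post): a model of the PVLAN port rules.
It parses the SW1/SW2 interface stanzas quoted in the post and decides, for an
ordered pair of ports, whether the first may forward to the second."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Secondary VLAN types, taken from the "vlan" definitions in the post.
SECONDARY_TYPES = {101: "isolated", 102: "community", 103: "community", 104: "community"}

# Constructed input: the interface configuration quoted in the post, one string per switch.
SW1_CONFIG = """interface fa0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 10 104
interface fa0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 10 104
interface fa0/7
 switchport mode private-vlan host
 switchport private-vlan host-association 10 102
interface fa0/8
 switchport mode private-vlan host
 switchport private-vlan host-association 10 102
"""
SW2_CONFIG = """interface fa0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 10 101
interface fa0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 10 103
interface fa0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 10 103
interface fa0/2
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 add 101-104
"""

@dataclass(frozen=True)
class PvlanPort:
    switch: str
    name: str
    mode: str               # "host" or "promiscuous"
    primary: int            # primary VLAN (10 in the post)
    secondaries: frozenset  # one secondary for a host port, the mapped set for a promiscuous port

def expand_vlans(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '101-104' or '101,103' into a set of ids."""
    vlans: set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans

def parse_switch(switch: str, config: str) -> dict[str, PvlanPort]:
    """Parse interface stanzas into PvlanPort objects keyed by 'SWITCH:ifname'."""
    stanzas: list[dict] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            stanzas.append({"name": line.split(None, 1)[1], "mode": None, "primary": None, "secs": set()})
        elif not stanzas:
            continue  # lines before the first interface stanza
        elif line.startswith("switchport mode private-vlan "):
            stanzas[-1]["mode"] = line.rsplit(None, 1)[1]
        elif (m := re.match(r"switchport private-vlan host-association (\d+) (\d+)$", line)):
            stanzas[-1]["primary"], stanzas[-1]["secs"] = int(m.group(1)), {int(m.group(2))}
        elif (m := re.match(r"switchport private-vlan mapping (\d+) (?:add )?(\S+)$", line)):
            stanzas[-1]["primary"] = int(m.group(1))
            stanzas[-1]["secs"] |= expand_vlans(m.group(2))
    # Interfaces without a complete PVLAN configuration are left out of the model.
    return {f"{switch}:{s['name']}": PvlanPort(switch, s["name"], s["mode"], s["primary"], frozenset(s["secs"]))
            for s in stanzas if s["mode"] and s["primary"]}

def can_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """The three PVLAN port rules from the post, applied to one ordered pair of ports."""
    if src == dst or src.primary != dst.primary:
        return False
    if src.mode == "promiscuous" and dst.mode == "promiscuous":
        return True  # both sit in the primary VLAN itself
    if src.mode == "promiscuous" or dst.mode == "promiscuous":
        # promiscuous <-> host: allowed when the host's secondary is in the mapping
        return bool(src.secondaries & dst.secondaries)
    # host <-> host: only the same community passes; an isolated port never reaches another host port
    (s_vlan,), (d_vlan,) = src.secondaries, dst.secondaries
    return s_vlan == d_vlan and SECONDARY_TYPES.get(s_vlan) == "community"

# Both switches merged into one table (assumes the trunk carries VLAN 10 and its secondaries).
PORTS = {**parse_switch("SW1", SW1_CONFIG), **parse_switch("SW2", SW2_CONFIG)}

def reachable(src_id: str, dst_id: str) -> bool:
    return can_forward(PORTS[src_id], PORTS[dst_id])

def allowed_pairs(ports: dict[str, PvlanPort]) -> list[tuple[str, str]]:
    """Every ordered (src, dst) pair that may forward, sorted by port id."""
    ids = sorted(ports)
    return [(a, b) for a in ids for b in ids if can_forward(ports[a], ports[b])]
```

Running `allowed_pairs(PORTS)` on the post's configuration lists exactly the pairs the rules predict: the promiscuous port fa0/2 on SW2 reaches all seven host ports (and they reach it), each pair of community ports in 102, 103 and 104 reaches each other, and the isolated port SW2 fa0/3 reaches nothing but the promiscuous port. This is also a cheap way to review a change to the mapping line before it goes on a real switch: drop a secondary from the promiscuous port's mapping and the model immediately shows which hosts lose their gateway.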

So, what can be connected to the promiscuous ports? Normally the devices that are common to everybody and need to talk to all VLANs: routers, DNS servers, NTP servers, DHCP servers, and many others!

You can verify your configuration using the "show vlan" command. The info regarding PVLANs will be at the end of the output of this command.

Good advice from the IPExpert video: the current IOS on the lab switches (12.2.25) doesn't allow us to use switchport port-security commands and private VLANs on the same port at the same time! Once it moves to a newer version (12.2.40) (which can happen any day Cisco wants), we'll be able to do that!

OK! But... did you know that the 3550 doesn't support PVLANs?! Yep... me neither! It has a feature named switchport protected for that. It's really simple: for example, if we have 15 devices in a VLAN but only two of them are protected (with the interface command switchport protected), those two can talk to everybody else, but not to each other!

So one protected device will not talk to another protected device! It works just like an isolated VLAN: no unicast, multicast or broadcast between protected ports!

Not that difficult, right?!
