Private VLANs are one possible solution for service providers to offer secure connections to their customers and avoid inter-VLAN communication inside the same switched environment.

I'm sure that you have heard of (and most probably already practice) InterVLAN routing. When it comes to Private VLANs, the routing part may be a bit tricky. Keep in mind that this is not something that I would recommend as a standard in a production environment, but for things like Cisco exams (e.g. CCIE R&S) or as a last-resort solution, it may work.

Please consider the following simple topology:


With simple InterVLAN routing, things are easy.

On the Layer 3 Switch you configure the following:

!! We assume that the L2 configuration, like access ports in the
!! correct VLAN, is already there
!! Only the routing part will be shown here
configure terminal
!
ip routing
!
vlan 10
!
vlan 20
!
interface vlan 10
ip address 10.10.10.254 255.255.255.0
!
interface vlan 20
ip address 20.20.20.254 255.255.255.0
!

On Router 1:

!
ip route 0.0.0.0 0.0.0.0 10.10.10.254

On Router 2:

!
ip route 0.0.0.0 0.0.0.0 20.20.20.254

That’s it, you’ll have connectivity from R1 to R2.

Now let's assume that VLANs 10 and 20 are not regular VLANs but private VLANs, configured as secondary VLANs in community mode:

On L3 Switch:

!! You need VTP in transparent mode
!! for Private VLANs configuration
configure terminal
!
vlan 10
private-vlan community
!
vlan 20
private-vlan community
!
!! Private VLANs need a Primary VLAN
vlan 100
private-vlan primary
private-vlan association 10,20
!

Up to now we have one Primary VLAN (100) and two Secondary VLANs (10 and 20) associated with the primary. Next we will configure the physical ports in their specific VLANs.

On L3 Switch:

!
configure terminal
!
int x/y
description -> to R1
switchport mode private-vlan host
switchport private-vlan host-association 100 10
!
int z/w
description -> to R2
switchport mode private-vlan host
switchport private-vlan host-association 100 20
!
!! We will need a port in VLAN 100;
!! any other device may be connected to this port
int x/x
description -> Other device in Primary Private-VLAN
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 10,20
!

In a standard Private-VLAN environment, at this point L2 communication is possible between hosts in VLAN 100 and hosts in VLAN 10 or VLAN 20. Communication between hosts in VLAN 10 and hosts in VLAN 20 is not possible, because the ports are in Private-VLAN community mode. Just a small reminder: in community mode, L2 communication is possible only within the same secondary VLAN or with the Primary VLAN.

If you now try to implement the InterVLAN routing presented above, you will see that it is not possible. When you try to bring up an SVI for VLAN 10 or 20, an error occurs stating that the VLAN is in Private-VLAN community mode and you cannot configure an interface on it. Let's see how we can fix this.

On L3 Switch:

!
configure terminal
!
ip routing
!! You'll configure an SVI for VLAN 100
!! This is also a private VLAN, but it is the Primary one
interface vlan 100
description -> InterVLAN routing
ip address 10.10.10.254 255.255.255.0
ip address 20.20.20.254 255.255.255.0 secondary
private-vlan mapping 10,20

All you have to do now is add the routing part on R1 and R2 and they will be able to communicate. VLAN 100 will handle the routing part.
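Because the switch only complains when you try to bring up the SVI, it helps to check the Private VLAN relationships before pushing a configuration. The following Python script is an added example and is not part of the original post: it parses configuration text written with the commands shown above and reports secondary VLANs that are not associated with their primary, host ports whose host-association references an unassociated secondary, and an SVI placed on a community VLAN instead of on the primary VLAN with its private-vlan mapping. The interface names (x/y, z/w) and both sample configurations are constructed for the example; the second one deliberately contains the SVI-on-VLAN-10 mistake described above.

```python
"""Private VLAN consistency checker (added example, not the post's own code).
Parses IOS style config text using the commands shown in the post and checks that secondaries
are associated with their primary, that host ports only reference associated secondaries, and
that the routed SVI sits on the primary VLAN, not on a community VLAN (which IOS rejects).
Interface names and both sample configurations below are constructed."""
from dataclasses import dataclass, field

@dataclass
class PvlanModel:
    primaries: dict = field(default_factory=dict)    # primary id -> set of associated secondaries
    secondaries: dict = field(default_factory=dict)  # secondary id -> "community" or "isolated"
    host_ports: dict = field(default_factory=dict)   # interface -> (primary, secondary)
    svis: dict = field(default_factory=dict)         # SVI vlan id -> set of mapped secondaries

def vlan_list(text):
    """Expand an IOS VLAN list such as '10,20' or '10-12,20' into a set of ints."""
    ids = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_pvlan_config(config):
    """Walk the config line by line, tracking the current vlan / SVI / port context."""
    model, ctx = PvlanModel(), None
    for raw in config.splitlines():
        w = raw.strip().lower().split()
        if not w or w[0].startswith("!"):
            continue  # blank line or IOS comment
        if w[0] == "vlan" and len(w) == 2 and w[1].isdigit():
            ctx = ("vlan", int(w[1]))
        elif w[0] in ("interface", "int") and len(w) >= 2:
            name = "".join(w[1:])  # "vlan 100" and "vlan100" both name an SVI
            ctx = ("svi", int(name[4:])) if name[:4] == "vlan" and name[4:].isdigit() else ("port", w[1])
            if ctx[0] == "svi":
                model.svis.setdefault(ctx[1], set())
        elif ctx and ctx[0] == "vlan" and w[0] == "private-vlan" and len(w) >= 2:
            if w[1] == "primary":
                model.primaries.setdefault(ctx[1], set())
            elif w[1] in ("community", "isolated"):
                model.secondaries[ctx[1]] = w[1]
            elif w[1] == "association" and len(w) >= 3:
                model.primaries.setdefault(ctx[1], set()).update(vlan_list(w[2]))
        elif ctx and ctx[0] == "svi" and w[:2] == ["private-vlan", "mapping"] and len(w) >= 3:
            model.svis[ctx[1]].update(vlan_list(w[2]))
        elif ctx and ctx[0] == "port" and w[:3] == ["switchport", "private-vlan", "host-association"]:
            if len(w) >= 5:
                model.host_ports[ctx[1]] = (int(w[3]), int(w[4]))
    return model

def check_pvlan(model):
    """Return a list of findings; an empty list means the Private VLAN setup is self-consistent."""
    findings = []
    for sid in model.secondaries:
        if not any(sid in secs for secs in model.primaries.values()):
            findings.append(f"secondary VLAN {sid} is not associated with any primary VLAN")
    for port, (pri, sec) in model.host_ports.items():
        if sec not in model.primaries.get(pri, set()):
            findings.append(f"{port}: secondary VLAN {sec} is not associated with primary VLAN {pri}")
    for vid, mapped in model.svis.items():
        if vid in model.secondaries:
            findings.append(f"interface vlan {vid}: SVI on a {model.secondaries[vid]} secondary VLAN; "
                            "IOS rejects this, put the addresses on the primary VLAN SVI instead")
        elif vid in model.primaries and not mapped <= model.primaries[vid]:
            findings.append(f"interface vlan {vid}: mapping references VLANs not associated with it")
        elif vid in model.primaries and not mapped:
            findings.append(f"interface vlan {vid}: no private-vlan mapping, secondary hosts cannot reach it")
    return findings

# Constructed sample: the working configuration assembled from the post's commands.
GOOD_CONFIG = """vlan 10
 private-vlan community
vlan 20
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 10,20
interface x/y
 switchport mode private-vlan host
 switchport private-vlan host-association 100 10
interface vlan 100
 ip address 10.10.10.254 255.255.255.0
 ip address 20.20.20.254 255.255.255.0 secondary
 private-vlan mapping 10,20"""

# Constructed sample with the mistake the post describes (SVI on community VLAN 10)
# plus a host port using a secondary VLAN that was never associated with the primary.
BAD_CONFIG = """vlan 10
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 10
interface z/w
 switchport mode private-vlan host
 switchport private-vlan host-association 100 20
interface vlan 10
 ip address 10.10.10.254 255.255.255.0"""

if __name__ == "__main__":
    print(check_pvlan(parse_pvlan_config(GOOD_CONFIG)), check_pvlan(parse_pvlan_config(BAD_CONFIG)))
```

Running it prints an empty list for the working configuration and two findings for the broken one: the host port z/w references VLAN 20, which is not associated with primary VLAN 100, and the SVI on VLAN 10 is flagged as the configuration IOS refuses. Feeding the script the output of `show running-config` from a lab switch lets you catch both problems before the CLI does.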
