Private VLANs are one possible solution for service providers to offer secure connections to their customers and to avoid inter-VLAN communication within the same switched environment.
I’m sure that you have heard of (and most probably already practice) InterVLAN routing. When it comes to Private VLANs, the routing part may be a bit tricky. Keep in mind that this is not something that I would recommend using as a standard in a production environment, but for things like Cisco exams (e.g. CCIE R&S) or as a last-resort solution, it may work.
Please consider the following simple topology:
With simple InterVLAN routing, things are easy.
On the Layer 3 switch you configure the following:
!! We assume that the L2 configuration, like the access port in the
!! correct VLAN, is already there
!! Only the routing part is shown here
interface vlan 10
 ip address 10.10.10.254 255.255.255.0
interface vlan 20
 ip address 20.20.20.254 255.255.255.0
On Router 1
ip route 0.0.0.0 0.0.0.0 10.10.10.254
On Router 2
ip route 0.0.0.0 0.0.0.0 20.20.20.254
That’s it, you’ll have connectivity from R1 to R2.
Now let’s assume that VLAN 10 and 20 are not regular VLANs but Private VLANs, configured as Secondary VLANs in community mode:
On L3 Switch
!! You need VTP in transparent mode for Private VLAN configuration
vtp mode transparent
!! Secondary VLANs, community mode
vlan 10
 private-vlan community
vlan 20
 private-vlan community
!! Private VLANs need a Primary VLAN; the secondaries are associated with it
vlan 100
 private-vlan primary
 private-vlan association 10,20
Up to now we have one Primary VLAN (100) and two Secondary ones (10 and 20) associated with the primary. Next we will configure the physical ports in their specific VLANs.
On L3 Switch:
!! The port numbers below are placeholders; use the ports where R1, R2
!! and the other device are actually connected
interface FastEthernet0/1
 description -> to R1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 10
interface FastEthernet0/2
 description -> to R2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 20
!! We will need a port in VLAN 100;
!! any other device may be connected to this port
interface FastEthernet0/3
 description -> Other device in Primary Private-VLAN
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 10,20
In a standard Private-VLAN environment, at this point L2 communication is possible between hosts in VLAN 100 and hosts in VLAN 10 or VLAN 20. Communication between hosts in VLAN 10 and hosts in VLAN 20 is not possible, because those ports are in Private-VLAN community mode. Just a small reminder: in community mode, an L2 connection is possible only within the same secondary VLAN or with the Primary VLAN.
If you now try to implement the InterVLAN routing presented above, you will see that it is not possible. When you try to bring up an SVI for VLAN 10 or 20, an error occurs stating that the VLAN is a Private VLAN in community mode and an interface cannot be configured on it. Let’s see how we can fix this.
On L3 switch
!! You’ll configure an SVI for VLAN 100
!! This is also a private VLAN, but it is the Primary one
interface vlan 100
 description -> InterVLAN routing
 ip address 10.10.10.254 255.255.255.0
 ip address 20.20.20.254 255.255.255.0 secondary
 private-vlan mapping 10,20
All you have to do now is add the routing part on R1 and R2 (the default routes shown earlier) and they will be able to communicate. The VLAN 100 SVI handles the routing.
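A defender-side check for the design above, added here as an example that is not part of the article and not a vendor tool: a small Python audit that parses IOS running-config text and flags the two failure modes the text describes, an SVI placed on a secondary VLAN (which IOS rejects) and a primary SVI whose private-vlan mapping omits an associated secondary (whose hosts are then left without routing). The sample configuration is constructed for the example.

```python
import re
# Constructed sample running-config (not from a real device): the article's design,
# except that the primary SVI maps only VLAN 10, leaving VLAN 20 hosts unrouted.
SAMPLE_CONFIG = """\
vlan 10
 private-vlan community
vlan 20
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 10,20
interface Vlan100
 ip address 10.10.10.254 255.255.255.0
 ip address 20.20.20.254 255.255.255.0 secondary
 private-vlan mapping 10
"""
def parse_sections(text):
    """Split IOS config text into (top-level command, [subcommands]) pairs."""
    sections = []
    for line in text.splitlines():
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            sections.append((line.strip(), []))
    return sections
def vlan_ids(spec):  # expand an IOS VLAN list such as "10,20" or "30-32"
    return {v for p in spec.split(",") for v in range(int(p.split("-")[0]), int(p.split("-")[-1]) + 1)}
def audit_private_vlans(text):
    """Return findings about private-VLAN / SVI consistency; an empty list means OK."""
    sections, findings = parse_sections(text), []
    primaries, secondaries = {}, set()  # primary id -> associated secondary ids
    for header, subs in sections:
        m = re.fullmatch(r"vlan (\d+)", header)
        for s in (subs if m else []):
            if s == "private-vlan primary":
                primaries.setdefault(int(m[1]), set())
            elif s in ("private-vlan community", "private-vlan isolated"):
                secondaries.add(int(m[1]))
            elif s.startswith("private-vlan association "):
                primaries.setdefault(int(m[1]), set()).update(vlan_ids(s.split()[-1]))
    for header, subs in sections:
        m = re.fullmatch(r"interface vlan(\d+)", header, re.IGNORECASE)
        if m and int(m[1]) in secondaries:  # the error the article describes
            findings.append(f"SVI on secondary VLAN {m[1]} is rejected by IOS; route via the primary")
        elif m and int(m[1]) in primaries:  # hosts in an unmapped secondary cannot be routed
            mapped = set().union(*(vlan_ids(s.split()[-1]) for s in subs if s.startswith("private-vlan mapping ")))
            for sec in sorted(primaries[int(m[1])] - mapped):
                findings.append(f"SVI Vlan{m[1]} lacks private-vlan mapping for secondary VLAN {sec}")
    return findings
```

Running `audit_private_vlans(SAMPLE_CONFIG)` reports the missing mapping for VLAN 20; feeding it the output of `show running-config` from a switch gives the same checks on a live design.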
3 thoughts on “InterVLAN routing using Private VLANs”
20.20.20.x is not a ‘private’ IP address plan!
Of course not. The IP addresses are just for example. Where did I say that the subnet is a “private” one? The subject of this article is Private VLANs, not private subnets…