Private VLANs is one possible solutions for service providers to offer secure connections to their customers and avoid inter-vlan communication in the same switched environment.
I’m sure that you heard (and most probably practice already) InterVLAN routing. When it comes to Private VLANs the routing part may be a bit tricky. Keep in mind that this is not something that I would recommend to use as a standard in a productive environment, but for things like Cisco exams (e.g. CCIE R&S) or last resort solution, it may work.
Consider please the following simple topology:
[adsense_id=”1″]
With simple InterVLAN Routing the things will be easy.
On the Layer 3 Switch you configure the following:
!! We assume that the L2 configuration, like access port in the
!! correct VLAN, is already there
!! Only the routing part will be shown here
configure terminal
!
ip routing
!
vlan 10
!
vlan 20
!
interface vlan 10
ip address 10.10.10.254 255.255.255.255.0
!
interface vlan 20
ip address 20.20.20.254 255.255.255.0
!
On Router 1
!
ip route 0.0.0.0 0.0.0.0 10.10.10.254
On Router 2
!
ip route 0.0.0.0 0.0.0.0 20.20.20.254
That’s it, you’ll have connectivity from R1 to R2.
Now let’s assume that VLAN 10 and 20 are not regular VLANs, but Private ones configured as Secondary, community mode:
On L3 Switch
!! You need VTP in transparent mode
!! for Private VLANs configuration
configure terminal
!
vlan 10
private-vlan community
!
vlan 20
private-vlan community
!
!! Private VLANs need a Primary VLAN
vlan 100
private-vlan primary
private-vlan association 10,20
!
Up to now we have one Primary VLAN (100) and two Secondary ones (10 and 20) associated with primary. Next we will configure the physical ports in their specific VLAN.
On L3 Switch:
!
configure terminal
!
int x/y
description -> to R1
switchport mode private-vlan host
switchport private-vlan host-association 100 10
!
int z/w
description -> to R2
switchport mode private-vlan host
switchport private-vlan host-association 100 20
!
!! We will need a port on VLAN 100;
!! Any other device may be connected to this port
int x/x
description -> Other device in Primary Private-VLAN
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 10,20
!
In a standard environment with Private-VLANs, until now we will have L2 communication possible between hosts in VLAN100 with hosts in VLAN10 or VLAN20. Communication between hosts in VLAN10 and hosts in VLAN20 will not be possible because the ports are in Private-Vlan community mode. Just a small reminder in community mode, the L2 connection is possible in the same VLAN or with the Primary VLAN.
If now you would like to implement the InterVLAN routing presented above, you will see that is not possible. When you will try to bring up a SVI interface for VLAN 10 or 20 an error will occur stating the VLAN is in Private-VLAN mode community and you cannot configure an interface. Let’s see how can we fix this.
On L3 switch
!
Configure terminal
!
ip routing
!! You’ll configure a SVI interface for VLAN 100
!! This is also a private VLAN, but it is the Primary one
interface vlan 100
description -> InterVLAN routing
ip address 10.10.10.254 255.255.255.0
ip address 20.20.20.254 255.255.255.0 secondary
private-vlan mapping 10,20
All you have to do now is add the routing part on R1 and R2 and they will be able to communicate. VLAN 100 will handle the routing part.
[adsense_id=”4″]