Private VLANs have some level of mystique, which is probably due to their confusing and complicated implementation. The easiest thing to understand about a Private VLAN is the end result.
What is the purpose of private VLANs?
Private VLANs are more or less what the name implies. The illusion is that each physical access port on the network is on its very own individual VLAN. Of course this is not really the case, as that would be extremely difficult to build and almost impossible to maintain. Instead, Private VLANs provide all the security of separate individual VLANs for your access ports with the ease and simplicity of managing a traditional LAN.
Ports within a Private VLAN are broken up into three categories: isolated, community, and promiscuous. Hosts connected to a promiscuous port can talk to any port, including isolated and community ports. Promiscuous ports are usually reserved for router interfaces, printers and servers on the same VLAN which all clients need access to. Hosts connected to isolated ports cannot communicate with anyone else on the same VLAN, with the exception of promiscuous ports. Isolated ports are most commonly used in schools, dormitories, hotels, libraries and other public locations. Hosts connected to community ports may communicate with other ports in the same community or with promiscuous ports, but may not talk to isolated ports. More on community ports later.
I am going to give an example of how to create and configure a private VLAN on a network that consists of two Cisco Catalyst 3750s, both connected to a common 6500 running CatOS with two MSFCs.
The scenario is this. A local convention center is going to be providing internet access to each booth. The network administrator wishes to keep the convention traffic separate from the administrative systems, and also ensure that the users who will be renting the booths will be protected from the users in surrounding booths.
I will start by creating a new VLAN on the 6500. This VLAN will be the Primary VLAN. Every private VLAN begins with a primary VLAN. This primary VLAN is basically your regular VLAN, with which the isolated and community VLANs will be associated. The Primary VLAN is also the only VLAN you need to be concerned about when configuring your MSFC.
6500# (enable) set vlan 11 name Convention_Primary_VLAN pvlan-type primary
Next I will create an isolated VLAN. I know this sounds confusing, but trust me, this is how it works.
6500# (enable) set vlan 111 name Convention_Isolated_VLAN pvlan-type isolated
If you plan on using a community private VLAN, create it now with a “pvlan-type” of “community”.
Now we need to associate the isolated VLAN and any community VLANs that are created with the primary VLAN.
6500# (enable) set pvlan 11 111
Lastly we need to create a VLAN mapping for the MSFCs to allow the traffic from the isolated VLAN and any community VLANs that were created to route beyond the local subnet.
6500# (enable) set pvlan mapping 11 111 15/1
6500# (enable) set pvlan mapping 11 111 16/1
If you are running in Native IOS mode you must go to each primary VLAN interface and create a private VLAN mapping.
6500# config t
6500(config)# interface vlan 11
6500(config-if)# private-vlan mapping 111
If you have not already done so, add the newly created VLANs to the trunk port interfaces that serve as the uplink to the edge switches.
6500# (enable) set trunk 3/9 11,111
6500# (enable) set trunk 3/10 11,111
If you have any access ports on the 6500 you wish to add to the private VLAN you can do so now.
6500# (enable) set pvlan 11 111 9/22
That’s it for the CatOS side. On the MSFC you will need to create a VLAN interface for the primary VLAN. No interfaces should be created for your isolated or community VLANs.
MSFC# config terminal
MSFC(config)# interface vlan 11
MSFC(config-if)# description Convention_VLAN
MSFC(config-if)# ip address 10.0.1.1 255.255.255.0
Nothing additional needs to be configured on the MSFC.
We can now turn our attention to the edge switches. In this case I am using a Cisco Catalyst 3750. We will begin by creating the primary and isolated VLANs on the switch. (Note: VTP mode must be “transparent” for private VLANs to function properly.)
3750# config terminal
3750(config)# vtp mode transparent
3750(config)# vlan 11
3750(config-vlan)# name Convention_Primary_VLAN
3750(config-vlan)# private-vlan primary
3750(config-vlan)# vlan 111
3750(config-vlan)# name Convention_Isolated_VLAN
3750(config-vlan)# private-vlan isolated
Now we must associate the isolated VLAN with the primary VLAN.
3750(config-vlan)# vlan 11
3750(config-vlan)# private-vlan association 111
Lastly we need to add interfaces on the switch to the private VLAN. In this case we will be adding ports 13 – 24.
3750(config-vlan)# interface range fa1/0/13 - 24
3750(config-if-range)# switchport mode private-vlan host
3750(config-if-range)# switchport private-vlan host-association 11 111
Duplicate this process on the second 3750 and begin testing. Begin by plugging a host into any of the isolated ports configured on the 3750. Assign an IP address or get one from a DHCP server. I will configure my first machine with the IP address of 10.0.1.5/24. Next attach a host to an isolated port on the second 3750 or the optional isolated port we configured on the 6500. Give the host an IP address, or obtain one from a DHCP server. Mine will be 10.0.1.6/24.
You can now begin testing the configuration. Start by trying to ping each host from the other. If you look at the ARP table on each of the hosts you will notice that you are unable to ARP the other host. You can try IPX and AppleTalk if you wish; the results will be the same. The only interface in the configuration above that the hosts should be able to ping is the router.
Community VLANs
Community VLANs are created the exact same way as isolated VLANs. What makes them powerful is that you can have multiple community VLANs associated with a single primary VLAN. An example of its use would be if you had a corporate P2P application and you wanted all the machines in marketing to be able to share files with each other but not with sales. You also wanted the people in sales to share files with each other but not with marketing. Community VLANs allow you to do this within the same IP subnet.
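The forwarding rules described above, modelled as an added example (my own code, not from the original post): it predicts which ports can exchange frames in the convention scenario and in the marketing/sales community case. VLANs 11 and 111 are the post's; the community VLAN ids 112 and 113 and the port names are assumptions.

```python
# Added example, not from the original post: a model of the private-VLAN
# forwarding rules (isolated / community / promiscuous) used to predict
# which hosts can reach each other. VLAN 11 and 111 come from the post;
# the community VLAN ids 112/113 and the port names are assumptions.
from dataclasses import dataclass
from typing import List, Optional

PRIMARY = 11        # primary VLAN (Convention_Primary_VLAN)
ISOLATED = 111      # isolated secondary VLAN (Convention_Isolated_VLAN)

@dataclass(frozen=True)
class Port:
    name: str
    mode: str                        # "promiscuous", "isolated" or "community"
    secondary: Optional[int] = None  # secondary VLAN id for host ports

def can_talk(a: Port, b: Port) -> bool:
    """True if a frame from port a may be forwarded to port b."""
    # A promiscuous port (router, server, printer) reaches every port in
    # the primary VLAN, and every port reaches the promiscuous port.
    if a.mode == "promiscuous" or b.mode == "promiscuous":
        return True
    # An isolated port never reaches another host port, not even
    # another isolated port in the same isolated VLAN.
    if a.mode == "isolated" or b.mode == "isolated":
        return False
    # Two community ports talk only within the same community VLAN.
    return a.secondary == b.secondary

# The convention-center test from the post: two isolated ports on
# different 3750s plus the MSFC interface acting as the promiscuous port.
ROUTER = Port("MSFC vlan 11 (10.0.1.1)", "promiscuous")
BOOTH_A = Port("3750-1 fa1/0/13 (10.0.1.5)", "isolated", ISOLATED)
BOOTH_B = Port("3750-2 fa1/0/13 (10.0.1.6)", "isolated", ISOLATED)
# The community case: marketing and sales in separate community VLANs.
MARKETING = [Port(f"mkt{i}", "community", 112) for i in range(2)]
SALES = [Port(f"sales{i}", "community", 113) for i in range(2)]
ALL_PORTS = [ROUTER, BOOTH_A, BOOTH_B] + MARKETING + SALES

def reachable_from(src: Port, ports: List[Port]) -> List[str]:
    """Names of the other ports that src can send frames to."""
    return [p.name for p in ports if p is not src and can_talk(src, p)]

if __name__ == "__main__":
    for p in ALL_PORTS:
        print(f"{p.name:28} -> {reachable_from(p, ALL_PORTS)}")
```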
Notes
It should be said that if you are running Native IOS on your 6500 and you configure private VLANs for the first time, Sticky ARP is enabled by default. Sticky ARP is a Cisco security feature designed to be used with static IP addressing to prevent ARP spoofing. This means that once an ARP entry is created on the router, the entry becomes permanent until the 6500 is rebooted. This is far from ideal in a DHCP environment. You will find clients making DHCP requests, receiving DHCP offers and accepting these offers, but unable to access the network because the IP address the client was assigned once belonged to a different MAC address. With that said, Sticky ARP should be disabled either globally or on the specific VLANs that you will be running Private VLANs on.
To disable Sticky ARP globally:
6500# config terminal
6500(config)# no ip sticky-arp
To disable Sticky ARP on a specific VLAN:
6500# config terminal
6500(config)# interface Vlan11
6500(config-if)# ip sticky-arp ignore
If you have security concerns about disabling Sticky ARP, I strongly suggest you look into IP Source Guard, which is part of Cisco’s DHCP Snooping protection. More on that later.
Update: I came across the following error the other day and thought it was noteworthy since it was related to the private VLAN configuration.
%PM-SP-3-ERR_INCOMP_PORT: 9/21 is set to inactive because 9/1 is a dynamic trunk port
It seems that if you have an interface configured for a private VLAN (9/21) and another interface configured as a trunk (9/1) sharing the same ASIC, you will run into a similar error message. Although this is not particularly noteworthy, I should point out that in my configuration 9/1 is not explicitly defined as a trunking interface. In fact it was being used as an access port, not a trunk port.
So what’s the problem then?
Well, all interfaces by default are configured as dynamic trunk ports. This can be seen by running the IOS command:
IOS-6509# show interface trunk module 9
This will display the trunking status of the interfaces on module 9.
Port        Mode         Encapsulation  Status        Native vlan
Gi9/1       desirable    negotiate      other         1
For private-vlan interfaces to work properly with non-private-vlan interfaces on the same switch, within the same ASIC, dynamic trunking must be disabled on all non-private-vlan interfaces.
IOS-6509# config terminal
IOS-6509(config)# interface g9/1
IOS-6509(config-if)# switchport mode access
For instance, on a WS-X6548-GE-TX ports 1 through 24 share an ASIC. If you were to have interface 1 configured as a typical access port and interface 2 configured for a private VLAN, you must disable dynamic trunking on port 1.
Check the configuration and make sure trunking is disabled.
IOS-6509# show interface trunk module 9
Port        Mode         Encapsulation  Status        Native vlan
Gi9/1       off          802.1q         not-trunking  1
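As an added check (my own code, not from the original post), the same table can be scanned for ports that still need the fix: it flags non-private-VLAN ports left in a dynamic DTP mode that share an ASIC with a private-VLAN port and emits the matching IOS remediation lines. The 24-ports-per-ASIC grouping is the post's WS-X6548-GE-TX figure assumed for every module, and the show output and private-VLAN port list are constructed sample data.

```python
# Added example, not from the original post: scan "show interface trunk"
# output for non-private-VLAN ports left in a dynamic DTP mode that share
# an ASIC with a private-VLAN port (the %PM-SP-3-ERR_INCOMP_PORT case above).
# The 24-ports-per-ASIC figure is the post's WS-X6548-GE-TX value, assumed
# here for every module; the show output below is constructed sample data.
import re
from typing import Dict, List, Set, Tuple

DYNAMIC_MODES = {"desirable", "auto"}  # DTP modes that negotiate a trunk
PORTS_PER_ASIC = 24                     # assumption (WS-X6548-GE-TX)

# Constructed sample output; Gi9/1 is the port named in the post's error.
SAMPLE_SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi9/1       desirable    negotiate      other         1
Gi9/2       off          802.1q         not-trunking  1
Gi9/25      desirable    negotiate      other         1
"""
PVLAN_PORTS = {"Gi9/21"}  # the post's "set pvlan 11 111 9/21" port

ROW_RE = re.compile(r"^(?P<port>[A-Za-z]+\d+/\d+)\s+(?P<mode>\S+)\s+\S+\s+\S+")

def asic_group(port: str) -> Tuple[int, int]:
    """Map 'Gi9/1' to (module, asic index) using PORTS_PER_ASIC."""
    slot, num = port.split("/")
    return int(re.sub(r"\D", "", slot)), (int(num) - 1) // PORTS_PER_ASIC

def parse_trunk_table(text: str) -> Dict[str, str]:
    """Return {port: DTP mode} for each data row (the header has no slash)."""
    modes: Dict[str, str] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            modes[m.group("port")] = m.group("mode")
    return modes

def conflicting_ports(text: str, pvlan_ports: Set[str]) -> List[str]:
    """Non-PVLAN ports in a dynamic mode on an ASIC that also holds a PVLAN port."""
    pvlan_asics = {asic_group(p) for p in pvlan_ports}
    return sorted(port for port, mode in parse_trunk_table(text).items()
                  if port not in pvlan_ports and mode in DYNAMIC_MODES
                  and asic_group(port) in pvlan_asics)

def remediation(text: str, pvlan_ports: Set[str]) -> List[str]:
    """IOS lines that turn DTP off on each conflicting port, as the post does."""
    lines: List[str] = []
    for port in conflicting_ports(text, pvlan_ports):
        lines += [f"interface {port}", " switchport mode access"]
    return lines
```

Running remediation(SAMPLE_SHOW_TRUNK, PVLAN_PORTS) on the sample flags only Gi9/1: Gi9/2 is already off and Gi9/25 sits on the next ASIC.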