Introduction to Private VLANs

by Tony Mattke on June 1, 2010



The concepts behind Private VLANs are in fact rather simple, but it is quite easy to get discombobulated in the details. In their simplest form, PVLANs can dissociate ports within a VLAN as if they were on separate VLANs, while still allowing them to communicate with a common default gateway. In other words, these ports share a subnet but can be prevented from communicating with each other.

To accomplish this we split our VLAN into sub-VLANs and classify these into one of three groups, depending on how we want to segregate traffic. The groups are as follows.

  • Promiscuous / P-port: This port type is allowed to send to and receive from any other port in the PVLAN. Typically this would be connected to a router.
  • Isolated / I-port: This type of port is only allowed to communicate with promiscuous ports; it is isolated not only from community ports but also from other isolated ports. You commonly see these ports connecting to hosts.
  • Community / C-port: Can only communicate with other C-ports and with P-ports.

In our example we’re using VLAN 100 as our primary VLAN. Our host machines will be set up on VLAN 101, which will be configured as isolated. Our servers will be configured as community ports on VLAN 102. Essentially, once established, VLAN 100 will forward frames from P-ports to I- and C-ports. VLANs 101 and 102 are considered secondary VLANs.

Configuration

Our first step is to configure the primary and secondary VLANs. Each VLAN is configured using the VLAN configuration command private-vlan [type]. Once configured, we head back to the primary VLAN and bind the secondary VLANs to it using the private-vlan association [vlan list] command.

SW1(config)#vlan 100
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#vlan 101
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#vlan 102
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#vlan 100
SW1(config-vlan)#private-vlan association 101,102

Now we need to bind our switch ports to their respective PVLANs. Please note that a host port belongs to more than one VLAN at the same time: the primary VLAN for downstream traffic and its secondary VLAN (isolated or community) for upstream traffic.

SW1(config)#interface fa0/10
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 100 101
SW1(config-if)#interface fa0/11
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 100 101
SW1(config-if)#interface fa0/20
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 100 102
SW1(config-if)#interface fa0/21
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 100 102
SW1(config-if)#interface fa0/1
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 100 add 101,102

And finally our verification.

SW1#sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ---------------------
100      101        isolated          Fa0/10, Fa0/11, Fa0/1
100      102        community         Fa0/20, Fa0/21, Fa0/1

SW1#sh vlan private-vlan type

Vlan Type
---- -----------------
100   primary
101   isolated
102   community
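To make the forwarding rules concrete, here is a small Python model, added as an example and not part of the original article or of Cisco IOS. It parses a constructed copy of the SW1 configuration above (with VLAN 101 isolated and VLAN 102 community, matching the verification output) and computes which port pairs may exchange frames under the P-/I-/C-port rules. The interface names and VLAN numbers come from the article; the parser only understands the handful of commands the article uses.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed copy of the article's SW1 configuration (VLAN 101 isolated, VLAN 102 community).
CONFIG = """
vlan 100
 private-vlan primary
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan association 101,102
interface fa0/10
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface fa0/11
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface fa0/20
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
interface fa0/21
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
interface fa0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 add 101,102
"""

@dataclass
class Port:
    name: str
    mode: Optional[str] = None            # "host" or "promiscuous"
    primary: Optional[int] = None
    secondary: Optional[int] = None       # host ports: their one secondary VLAN
    mapped: FrozenSet[int] = frozenset()  # promiscuous ports: mapped secondaries

def parse_config(text: str):
    """Walk the IOS-style config and collect VLAN types, associations and ports."""
    vlan_types: Dict[int, str] = {}
    assoc: Dict[int, FrozenSet[int]] = {}
    ports: Dict[str, Port] = {}
    vlan, port = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan, port = int(m.group(1)), None
        elif m := re.fullmatch(r"private-vlan (primary|isolated|community)", line):
            vlan_types[vlan] = m.group(1)
        elif m := re.fullmatch(r"private-vlan association ([\d,]+)", line):
            assoc[vlan] = frozenset(int(v) for v in m.group(1).split(","))
        elif m := re.fullmatch(r"interface (\S+)", line):
            vlan, port = None, ports.setdefault(m.group(1), Port(m.group(1)))
        elif m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", line):
            port.mode = m.group(1)
        elif m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line):
            port.primary, port.secondary = int(m.group(1)), int(m.group(2))
        elif m := re.fullmatch(r"switchport private-vlan mapping (\d+) add ([\d,]+)", line):
            port.primary = int(m.group(1))
            port.mapped = frozenset(int(v) for v in m.group(2).split(","))
    return vlan_types, assoc, ports

def can_forward(src: Port, dst: Port, vlan_types, assoc) -> bool:
    """Return True if a frame entering on src may be delivered out of dst."""
    if src.name == dst.name or src.primary is None or src.primary != dst.primary:
        return False
    if src.mode == "promiscuous":
        # Downstream on the primary VLAN: reaches other P-ports and every mapped secondary.
        return dst.mode == "promiscuous" or dst.secondary in src.mapped
    # Upstream on the secondary VLAN: it must be associated with the primary.
    if src.secondary not in assoc.get(src.primary, frozenset()):
        return False
    if dst.mode == "promiscuous":
        return src.secondary in dst.mapped
    if src.secondary != dst.secondary:
        return False  # different secondary VLANs never talk directly
    return vlan_types.get(src.secondary) == "community"  # isolated ports: never

def reachability(text: str) -> Dict[Tuple[str, str], bool]:
    vlan_types, assoc, ports = parse_config(text)
    return {(a, b): can_forward(ports[a], ports[b], vlan_types, assoc)
            for a in ports for b in ports}

if __name__ == "__main__":
    table = reachability(CONFIG)
    names = sorted({a for a, _ in table})
    print("src\\dst  " + " ".join(f"{n:>7}" for n in names))
    for a in names:
        print(f"{a:<8} " + " ".join(f"{'yes' if table[(a, b)] else '-':>7}" for b in names))
```

Running it prints a reachability matrix: fa0/1 reaches every host port and every host port reaches fa0/1, fa0/20 and fa0/21 reach each other, and the two isolated ports fa0/10 and fa0/11 reach nothing but fa0/1. Swapping the isolated and community types in CONFIG flips which pair of host ports can talk, which is a quick way to see why the VLAN types and the host-association numbers have to agree.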

Other Considerations

You can do trunking with PVLANs; the secondary VLAN numbers are used to tag the frames, just as with a regular VLAN. You would, however, need to configure matching PVLAN settings on each switch. Using VTP is highly debated as it is, and adding Private VLANs just adds to the mess.

If you do attempt to use VTP, be aware that VTPv2 is incompatible with Private VLANs. VTPv3 has been updated to support them.

If you need to configure an SVI, you should add an interface corresponding to the primary VLAN only. After creating the SVI, you will have to map the secondary VLANs to it. You can exclude some mappings from the SVI, in order to limit its communication with those secondary VLANs. An example configuration would look something like this.

interface vlan 100
 ip address 10.1.0.1 255.255.255.0
 private-vlan mapping 101,102

There is one more feature I would like to discuss that happens to be available even on lower-end Cisco switches, called protected port. While this feature is rather basic, it is rather effective at isolating ports in the same VLAN. Any ports within a VLAN marked as protected are prohibited from sending frames to each other, but are still allowed to send frames to non-protected ports within the same VLAN. Typically, ports configured as protected are also configured to block unknown unicast and multicast flooding, for added security. An example of this configuration is as follows.

interface range FastEthernet 0/30 - 39
 switchport mode access
 switchport protected
 switchport block unicast
 switchport block multicast
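The protected-port rule is simple enough to model directly, and doing so shows why the two block commands matter. The following Python is an added example, not part of the original article or of Cisco IOS. The port names Fa0/30 through Fa0/39 follow the interface range above; the non-protected uplink "Fa0/1" and access VLAN 10 are assumptions for illustration. Protected ports never exchange frames with each other, but a frame the switch has to flood (unknown unicast, multicast) from a non-protected port would still reach every protected host unless each of those ports also blocks flooded traffic.

```python
from dataclasses import dataclass
from typing import List

# Added model of 'switchport protected' plus 'switchport block unicast/multicast'.
# Fa0/30-Fa0/39 follow the article's interface range; the uplink "Fa0/1" and
# access VLAN 10 are assumed for illustration.

@dataclass
class AccessPort:
    name: str
    vlan: int
    protected: bool = False        # switchport protected
    block_unicast: bool = False    # switchport block unicast
    block_multicast: bool = False  # switchport block multicast

def may_forward(src: AccessPort, dst: AccessPort) -> bool:
    """Known-destination traffic: two protected ports in the same VLAN never exchange frames."""
    if src.name == dst.name or src.vlan != dst.vlan:
        return False
    return not (src.protected and dst.protected)

def flood_targets(src: AccessPort, ports: List[AccessPort], kind: str) -> List[str]:
    """Ports that receive a frame the switch must flood (kind: 'unknown-unicast' or 'multicast').

    Protected-port isolation applies first; 'switchport block' then suppresses the
    flooded copy on the ports that asked for it, which is what keeps a non-protected
    port's unknown-unicast or multicast flood away from the protected hosts."""
    out = []
    for p in ports:
        if not may_forward(src, p):
            continue
        if kind == "unknown-unicast" and p.block_unicast:
            continue
        if kind == "multicast" and p.block_multicast:
            continue
        out.append(p.name)
    return out

def build_ports(with_block: bool) -> List[AccessPort]:
    """Fa0/30-39 as in the article: protected, optionally with block unicast/multicast."""
    ports = [AccessPort(f"Fa0/{n}", vlan=10, protected=True,
                        block_unicast=with_block, block_multicast=with_block)
             for n in range(30, 40)]
    ports.append(AccessPort("Fa0/1", vlan=10))  # assumed uplink, not protected
    return ports

def find(ports: List[AccessPort], name: str) -> AccessPort:
    return next(p for p in ports if p.name == name)

if __name__ == "__main__":
    for with_block in (False, True):
        ports = build_ports(with_block)
        uplink = find(ports, "Fa0/1")
        print(f"block configured={with_block}: unknown unicast from {uplink.name} floods to",
              flood_targets(uplink, ports, "unknown-unicast") or "nobody")
```

With `with_block=False` the unknown-unicast flood from the uplink lands on all ten protected ports; with `with_block=True` it reaches none of them, while known traffic from a protected port to the uplink is unaffected in both cases.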

Who writes this crap?

Tony Mattke is a network engineer for a financial institution in Indiana. In the past he has worked for ISPs, data centers, networking manufacturers, and the occasional enterprise. For feedback, please leave a comment on the article in question. For everything else including fan mail or death threats, contact him via twitter.

@j2sw June 1, 2010 at 10:37 am

Does this work on all switches or certain types/IOS/etc.?

Tony June 1, 2010 at 11:02 am

3560, 3570 / ME, 4500, 6500 series, 7600…

The 3550 is shown to be supported on the Cisco Feature Navigator, but in my lab it is non-functioning. Might need a newer IOS on my 3550s… — Newer IOS removes the commands on the 3550… not sure why it's shown as working in the FN.

John June 2, 2010 at 12:13 pm

Just discovered your site, really outstanding! Keep up the good work.

Scott June 15, 2010 at 11:54 am

Great post! Too bad this doesn't work on the cat 3550… I don't have anything better to play with here in my home lab. Is there a way to emulate the switches ? I've heard of GNS / Dynamips but I've never tested it out.

Julie November 17, 2011 at 7:28 pm

Can you configure regular vlans and private vlans in the same switch? we have a 3560 and a 2911 router – the router has subinterfaces for 2 vlans on the switch, but I would like to make one of the vlans a private vlan. We are a satellite communications company and we are providing internet access for our customers – I don't want to waste ip addresses by subnetting, so I would like to use private vlans to isolate the ip traffic from each port. We have 1 customer with a class C block of their own, so they have a separate vlan with 2 ports on the switch and a subinterface on the router – the other customers will be using NAT and only need a link to the router. I currently have the uplink port configured as a trunk port – with private vlans, you need to configure it as a promiscuous port – can a port be both a trunk port and a promiscuous port?
Thanks,
