Private VLAN Configuration

Overview

One of the topics that does not get much attention, but is available on many different series of switches, is private VLANs. A private VLAN expands on the abilities of a standard VLAN by allowing traffic to be separated at a further level, which gives the design engineer a number of flexible options. This article provides a short review of what a VLAN is and what it provides. Then we will review the concepts behind the private VLAN feature and how it expands on the capabilities of the standard VLAN.

What is a VLAN?

The first thing to review is what VLAN means and what it provides. A Virtual Local Area Network, or VLAN, provides the ability to logically separate a LAN the same way that would be possible with multiple physical switches. For example, if an engineer had four different physical switches, each of the switches could be connected to a separate department within a company. Without an interconnection or a routing device, the devices within each department would not be able to send traffic to each other and would typically be put into different subnets. A VLAN takes this ability to separate devices but does it logically instead of physically: a separate VLAN can be created for each department, and the physical ports that connect these devices can be configured into the correct VLAN. It is important to keep in mind, however, that the same rules apply to VLANs as to physical LANs; that is, in order to communicate between them a routing device is required, and separate subnets should be assigned to the devices in each VLAN.

Private VLANs: Extending the abilities of a VLAN

The private VLAN feature provides the ability to extend the capabilities of a “standard” VLAN. It does this by introducing some additional concepts: Primary VLAN, Community VLAN and Isolated VLAN. The Primary VLAN should be considered the Master in the master/slave relationship with the other two sub-types. Switch ports assigned within the primary VLAN are able to see traffic from all devices within the primary VLAN and all sub-types (also referred to as secondary VLANs).

Both Community and Isolated VLANs should be considered slaves in the master/slave relationship with the primary VLAN. Switchports assigned to a Community VLAN can see traffic from all other devices in the same Community VLAN and can send traffic back and forth with devices in the primary VLAN. Switchports assigned to an Isolated VLAN can send traffic back and forth with devices in the primary VLAN, but CANNOT see traffic from other devices in the same Isolated VLAN.

It is important to understand that regardless of the VLAN assignment of the switchport, all of the devices will share the same IP subnet; the private VLAN feature just sets up rules as to which devices are able to speak to each other.

Why Use a Private VLAN?

The next question really is why would an engineer want to implement the private VLAN feature? This section goes over a few possibilities.

What if an Internet Service Provider (ISP) had limited subnet space and wanted to make the most of it by assigning all of the customers in a geographic area to the same IP subnet? Of course, most customers do not want other people seeing their layer 2 switched traffic, as it opens up potential security issues. Individual customers who only have a single port connected into the service provider can be assigned to an isolated private VLAN; their traffic would then only be sent to and received from the ISP devices connected directly to the primary VLAN.

What if a company existed in the same geographic area and had multiple offices with multiple Internet connections? With community VLANs it is possible to place all of these office connections into one community so that each office can talk directly to the others as well as go out and use the same Internet connection.

These are some very simple examples but they do show that the functionality of private VLANs can be useful to any design engineer looking for a solution to a specific set of design requirements.

Summary

The private VLAN feature can certainly be a useful tool in the belt of any engineer looking to solve a design problem with a certain set of requirements. When designing or modifying a network it is important to look over all of the available options, since one of them may solve the problem better under the specific circumstances; the private VLAN feature certainly has some interesting traits that can be very useful to any engineer. Hopefully the content in this article has made the concept of private VLANs easier to understand.

Topology 

[Figure: private VLAN topology]

Private VLANs come in two types: primary and secondary.

Secondary private VLANs are divided into two kinds: community and isolated.

Community VLAN: hosts can communicate with each other within the VLAN.

Isolated VLAN: hosts cannot communicate with each other inside the VLAN.

Configurations

Switch#config t
! VTP must be in transparent mode (VTP v1/v2) before private VLANs can be defined
Switch(config)#vtp mode transparent
! secondary VLAN 10, community: members can talk to each other and to the primary VLAN
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
! secondary VLAN 20, isolated: members can only reach the primary VLAN
Switch(config)#vlan 20
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#exit
! primary VLAN 100, associated with both secondary VLANs
Switch(config)#vlan 100
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#private-vlan association 10,20
Switch(config-vlan)#exit
! fa0/1-10: host ports in community VLAN 10
Switch(config)#interface range fa0/1-10
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 100 10
Switch(config-if-range)#exit
! fa0/12-24: host ports in isolated VLAN 20
Switch(config)#interface range fa0/12-24
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 100 20
Switch(config-if-range)#exit
! fa0/11: promiscuous port (the uplink or router side), mapped to both secondary VLANs
Switch(config)#interface fa0/11
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 100 10,20
Switch(config-if)#exit
Switch(config)#end
Switch#wr
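A small model of the forwarding rules described earlier, applied to the configuration just shown, so the resulting reachability between ports can be checked offline. This is an added example and not code from the original post; CONFIG is a constructed copy of the commands above with the prompts removed, and the parser understands only the command forms used in it.

```python
import re
# Added example, not from the original post: a model of PVLAN forwarding rules.
# CONFIG is a constructed copy of the commands above (prompts removed), not a switch capture.
CONFIG = """\
vlan 10
 private-vlan community
vlan 20
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 10,20
interface range fa0/1-10
 switchport mode private-vlan host
 switchport private-vlan host-association 100 10
interface range fa0/12-24
 switchport mode private-vlan host
 switchport private-vlan host-association 100 20
interface fa0/11
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 10,20
"""

def parse(config):
    """VLAN id -> type; port -> ('host', secondary) or ('promiscuous', {secondaries})."""
    vlan_type, ports, ctx = {}, {}, []
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"vlan (\d+)$", line):
            ctx = [int(m[1])]                      # VLAN config context
        elif m := re.match(r"interface (?:range )?(\S+/)(\d+)(?:-(\d+))?$", line):
            ctx = [f"{m[1]}{i}" for i in range(int(m[2]), int(m[3] or m[2]) + 1)]
        elif m := re.match(r"private-vlan (primary|community|isolated)$", line):
            vlan_type[ctx[0]] = m[1]
        elif m := re.match(r"switchport private-vlan host-association \d+ (\d+)$", line):
            for p in ctx: ports[p] = ("host", int(m[1]))
        elif m := re.match(r"switchport private-vlan mapping \d+ ([\d,]+)$", line):
            for p in ctx: ports[p] = ("promiscuous", {int(v) for v in m[1].split(",")})
    return vlan_type, ports

def can_forward(vlan_type, ports, src, dst):
    """True if a frame entering port src may be delivered out port dst."""
    if src == dst:
        return False
    (smode, sv), (dmode, dv) = ports[src], ports[dst]
    if smode == "promiscuous":                     # reaches every mapped secondary VLAN
        return dmode == "promiscuous" or dv in sv
    if dmode == "promiscuous":                     # any host port reaches the primary side
        return sv in dv
    # host to host: only inside the same community VLAN; isolated never talks to isolated
    return sv == dv and vlan_type[sv] == "community"
```

Calling `can_forward(*parse(CONFIG), "fa0/12", "fa0/13")` returns False for two isolated ports, while the same call for "fa0/1" and "fa0/2" returns True.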

Verification

Switch#show vlan private-vlan
