Wednesday, April 11, 2012

Private VLANs


I want to simulate an environment where two customers - Customer A and Customer B - are supported by a service provider with private VLANs. In this scenario Customer A has two routers; R3 and R5, Customer B has a single router; R4, and the provider is offering Internet access with R1 and monitoring services to the Customers' loopback addresses with R2.



In this scenario, all Router FastEthernet interfaces are in "Primary" VLAN 20 with addressing in the 10.20.1.0/24 space. With private VLANs, the provider can conserve VLANs by not assigning each customer their own VLAN ID. With this configuration I will allow both Customers access to the services they need, but also ensure that they do not gain access to each other.

Here's a baseline before I begin configuring the Private VLANs.

Switches:

Both switches have had their VTP domain names set to cisco, and have had their VTP modes set to transparent. Fa0/13 on both switches will serve as the trunk port. Currently, only VLAN 1 is configured.

Routers:

All routers have had their Fa0/0 interfaces configured with the IP and mask of 10.20.1.X/24, where X = the router number.

With a PINGSCRIPT, I'll test connectivity from R3 to all devices.



R3#tclsh
R3(tcl)#proc PINGSCRIPT [] {
+>(tcl)#foreach IP {
+>(tcl)#10.20.1.1
+>(tcl)#10.20.1.2
+>(tcl)#10.20.1.3
+>(tcl)#10.20.1.4
+>(tcl)#10.20.1.5
+>(tcl)#} {
+>(tcl)#                set RESULT [exec "ping $IP repeat 3 timeout 1"];
+>(tcl)#if { [regexp "!!!"  $RESULT]} { puts "$IP OK"} else { puts "$IP Unreachable" }     
+>(tcl)#                }
+>(tcl)#  }


R3(tcl)#PINGSCRIPT
10.20.1.1 OK
10.20.1.2 OK
10.20.1.3 OK
10.20.1.4 OK
10.20.1.5 OK


R3(tcl)#

Connectivity appears to be successful.

Note: there are 3 port types, or roles, that are used in Private VLANs. There are Promiscuous ports, which talk to all ports, there are Isolated ports, which can only talk to Promiscuous ports, and there are Community ports, which can talk to other Community ports in the same community, as well as promiscuous ports.

In this scenario, R1 and R2's Fa0/0s are operating as Promiscuous ports, R3 and R5's Fa0/0s are operating as mutual Community Ports, and R4's Fa0/0 is operating as an Isolated port. After a successful Private VLAN configuration, I should be able to see that R3 and R5 can communicate within their own Community, as well as with the Promiscuous ports, but will not be able to speak to R4's Isolated port.

Starting with SW1, I'll configure primary and secondary VLANs, and associate the secondaries to the primary:

Sw1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Sw1(config)#vlan 21
Sw1(config-vlan)#name PVLAN_Community
Sw1(config-vlan)#private-vlan ?
  association       Configure association between private VLANs
  community         Configure the VLAN as a community private VLAN
  isolated          Configure the VLAN as an isolated private VLAN
  primary           Configure the VLAN as a primary private VLAN
  twoway-community  Configure the VLAN as a two way community private VLAN
Sw1(config-vlan)#private-vlan community
Sw1(config-vlan)#
Sw1(config-vlan)#vlan 22
Sw1(config-vlan)#name PVLAN_Isolated
Sw1(config-vlan)#private-vlan isolated
Sw1(config-vlan)#
Sw1(config-vlan)#vlan 20
Sw1(config-vlan)#name PVLAN_Primary
Sw1(config-vlan)#private-vlan primary
Sw1(config-vlan)#private-vlan association 21,22
Sw1(config-vlan)#exit
SW1(config)#do sh vlan b


VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
20   PVLAN_Primary                    active    
21   PVLAN_Community                  active    
22   PVLAN_Isolated                   active    
1002 fddi-default                     act/unsup 
1003 trcrf-default                    act/unsup 
1004 fddinet-default                  act/unsup 
1005 trbrf-default                    act/unsup 
SW1(config)#

Next, I'll configure the individual port modes and map the private VLANs to the correct ports for R1, R3 and R5's switchports on SW1.


SW1(config)#int fa0/1
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 20 21,22
SW1(config-if)#
SW1(config-if)#int fa0/3
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 20 21
SW1(config-if)#
SW1(config-if)#int fa0/5
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 20 21
SW1(config-if)#


I'll test connectivity from R1 to R3 and R5. I should not be able to connect to R4.



R1(tcl)#
R1(tcl)#proc PINGSCRIPT [] {
+>(tcl)#
+>(tcl)#foreach IP {
+>(tcl)#10.20.1.3
+>(tcl)#10.20.1.5
+>(tcl)#10.20.1.4
+>(tcl)#} { set RESULT [exec "ping $IP repeat 3 timeout 1"];
+>(tcl)#        $p "!!!"  $RESULT]} { puts "$IP OK"} else { puts "$IP Unreachable" }         
+>(tcl)#}
+>(tcl)# }


R1(tcl)#PINGSCRIPT
10.20.1.3 OK
10.20.1.5 OK
10.20.1.4 Unreachable


Now I'll configure primary and secondary VLANs, and associate the secondaries to the primary for SW2. I'll follow it up with configuring the individual port modes and map the private VLANs to the correct ports for R2 and R4's switchports.


SW2(config)#vlan 21
SW2(config-vlan)#name PVLAN_Community
SW2(config-vlan)#private-vlan community
SW2(config-vlan)# 
SW2(config-vlan)#vlan 22
SW2(config-vlan)#name PVLAN_Isolated
SW2(config-vlan)#private-vlan isolated 
SW2(config-vlan)#vlan 20
SW2(config-vlan)#name PVLAN_Primary
SW2(config-vlan)#private-vlan association 21,22
SW2(config-vlan)#exit
SW2(config)#
SW2(config)#int fa0/4
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#
SW2(config-if)#switchport private-vlan host-association 20 22
SW2(config-if)#end
SW2#


At this point, I should have connectivity from R2 to all other router's FastEthernet ports, but R4 should only have access to R1 and R2's FastEthernet ports.

R1:

R1(tcl)#PINGSCRIPT
10.20.1.1 OK
10.20.1.2 OK
10.20.1.3 OK
10.20.1.4 OK
10.20.1.5 OK

R3:

R3(tcl)#PINGSCRIPT
10.20.1.1 OK
10.20.1.2 OK
10.20.1.3 OK
10.20.1.4 Unreachable
10.20.1.5 OK


R5:

R5(tcl)#PINGSCRIPT
10.20.1.1 OK
10.20.1.2 OK
10.20.1.3 OK
10.20.1.4 Unreachable
10.20.1.5 OK


R2:

R2(tcl)#PINGSCRIPT
10.20.1.1 OK
10.20.1.2 OK
10.20.1.3 OK
10.20.1.4 OK
10.20.1.5 OK


R4:

R4(tcl)#PINGSCRIPT
10.20.1.1 OK
10.20.1.2 OK
10.20.1.3 Unreachable
10.20.1.4 OK
10.20.1.5 Unreachable

Looks good!

No comments:

Post a Comment