Private vlans (RFC 5517) are one such technology; they are very helpful where one server needs to see all the clients, but the clients should not see each other. Typical scenarios are a backup network (one NAS or backup server and many clients) or an OOB monitoring and control network (one NMS or AAA server/station and many network or server elements). There are some fringe scenarios of filtered networks that need to use a common resource (a gateway, licence server, ...), but these are not as common as the previous cases.
To state some basics about private vlans, there are 3 types of vlans:
- Primary vlan, containing ports that can talk to any other ports (promiscuous, isolated or community ports)
- Isolated vlan, containing ports that can only talk to promiscuous ports
- Community vlan, containing ports that can speak to promiscuous ports, but also to the ports in the same community vlan.
For a better explanation of how private vlans work, see the RFC document linked above or one of the sites referenced at the end of this blog entry.
Configuration
The configuration steps are listed in the order they should be applied: in several cases it is necessary to shut down existing interfaces to put in the private vlan configuration if the steps are done in a different order than usual.
Enabling the feature
Luckily this feature doesn't require a licence, so it can simply be enabled:
feature private-vlan
To allow propagation of private vlans to other switches, other features are required (although they should already be enabled if that functionality is in use):
feature fex trunk
VLANs definition
Let's create a primary vlan with ID number 100 (the secondary vlans are associated with it below):
vlan 100
private-vlan primary
Next let's create a community vlan 101:
vlan 101
private-vlan community
And vlan 102 as isolated vlan:
vlan 102
private-vlan isolated
To verify that the vlans exist, the following output should be observed:
# sh vlan private-vlan
Primary Secondary Type Ports
------- --------- --------------- -------------------------------------------
100 primary
101 isolated
102 community
Now that the vlans exist, we can associate the secondary vlans with the primary vlan:
vlan 100
private-vlan associate 101,102
For verification, this is what the show command should display:
# sh vlan private-vlan
Primary Secondary Type Ports
------- --------- --------------- -------------------------------------------
100 101 isolated
100 102 community
Note: the vlan configuration is applied and shown correctly only after exiting vlan configuration mode.
Promiscuous port
With all vlans defined, we can proceed with the configuration of the appropriate ports.
interface ethernet 1/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 101-102
The mapping specifies the primary vlan first and then the list of secondary vlans that correspond to it (a promiscuous port uses a mapping, not a host-association).
It is also recommended to enable BPDU guard on these ports, as in today's world of virtualized switches on hosts one never knows what might show up on ingress.
To verify the result, the following would show up:
# sh vlan private-vlan
Primary Secondary Type Ports
------- --------- --------------- -------------------------------------------
100 101 isolated Eth1/1
100 102 community
NOTE: Promiscuous ports can only be configured on physical Nexus 5k ports; this doesn't work on fabric extender (Nexus 2k) ports.
Isolated port
Configuration of an isolated port is very similar to that of a promiscuous port:
interface ethernet 1/2
switchport mode private-vlan host
switchport private-vlan host-association 100 102
The association specifies only one secondary vlan, which is the isolated vlan that the port should be in.
To verify the result, the following would show up:
# sh vlan private-vlan
Primary Secondary Type Ports
------- --------- --------------- -------------------------------------------
100 101 isolated Eth1/1,Eth1/2
100 102 community
Community port
And this is the configuration of a community port (it looks the same as an isolated port):
interface ethernet 1/3
switchport mode private-vlan host
switchport private-vlan host-association 100 101
To verify the result, the following would show up:
# sh vlan private-vlan
Primary Secondary Type Ports
------- --------- --------------- -------------------------------------------
100 101 isolated Eth1/1,Eth1/2
100 102 community Eth1/3
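As an added example (my code, not part of the original post or any Cisco tooling): a small Python model that parses the `show vlan private-vlan` output shown above and applies the three forwarding rules listed at the start of the post, so that the intended isolation (e.g. backup clients not reaching each other) can be checked from the switch's own output rather than assumed. The sample output is constructed from the final state above plus two extra host ports, and the set of promiscuous ports is an assumption, since the output does not flag them.

```python
import re
from itertools import combinations

# Constructed sample: the final state of the walkthrough above, extended with
# two extra host ports (Eth1/4 community, Eth1/5 isolated) to exercise every rule.
SHOW_OUTPUT = """\
Primary Secondary Type Ports
------- --------- --------------- -------------------------------------------
100 101 isolated Eth1/1,Eth1/2,Eth1/5
100 102 community Eth1/3,Eth1/4
"""
# Assumption: the show output does not mark promiscuous ports, so they are
# listed explicitly (Eth1/1 is the promiscuous port configured above).
PROMISCUOUS_PORTS = {"Eth1/1"}
ROW = re.compile(r"^(\d+)\s+(\d+)\s+(isolated|community)\s*(\S*)\s*$")

def parse_pvlan(text, promiscuous=PROMISCUOUS_PORTS):
    """Return {port: (primary, secondary, type)} parsed from the show output."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:  # header and separator lines do not match the row pattern
            continue
        primary, secondary, vtype, plist = m.groups()
        for port in filter(None, plist.split(",")):
            if port in promiscuous:
                ports[port] = (int(primary), None, "promiscuous")
            else:
                ports[port] = (int(primary), int(secondary), vtype)
    return ports

def can_talk(a, b):
    """The three private-vlan forwarding rules applied to two parse_pvlan() entries."""
    (pa, sa, ta), (pb, sb, tb) = a, b
    if pa != pb:                                  # different primary vlans
        return False
    if "promiscuous" in (ta, tb):                 # promiscuous reaches every port
        return True
    return ta == tb == "community" and sa == sb   # otherwise only the same community

def reachability(ports):
    """Pairwise matrix {(x, y): bool} over all ports, with x < y."""
    return {(x, y): can_talk(ports[x], ports[y])
            for x, y in combinations(sorted(ports), 2)}

def leaked_pairs(ports, hosts):
    """Pairs among 'hosts' that can still reach each other; empty means isolated."""
    return [(x, y) for x, y in combinations(sorted(hosts), 2)
            if can_talk(ports[x], ports[y])]
```

Feeding real `show vlan private-vlan` output to `parse_pvlan()` and passing the backup clients to `leaked_pairs()` gives an empty list only when they really sit in isolated vlans (or different communities) under the same primary.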
Trunk port configurations
For standard transit trunks, the VLANs look just like 2 separate VLANs, as the magic happens only on the end-points.
There are other trunk port types, which are used when trunking to devices that are not PVLAN aware. The main point is that frames forwarded on a secondary vlan also have to be sent on the primary vlan and vice versa. This happens by rewriting the VLAN tags depending on the pairing configured on the interface.
There is an article on the Cisco support forum describing the special cases where this could be used.
Promiscuous trunk
Beginning with Cisco NX-OS Release 5.0(2), on the Cisco Nexus Series devices, you can configure a promiscuous trunk port to carry traffic for multiple primary VLANs. You map the private VLAN primary VLAN and either all or selected associated VLANs to the promiscuous trunk port. Each primary VLAN and one associated and secondary VLAN is a private VLAN pair, and you can configure a maximum of 16 private VLAN pairs on each promiscuous trunk port.
Isolated trunk
Beginning with Cisco NX-OS Release 5.0(2) on the Cisco Nexus Series devices, you can configure an isolated trunk port to carry traffic for multiple isolated VLANs. Each secondary VLAN on an isolated trunk port must be associated with a different primary VLAN. You cannot put two secondary VLANs that are associated with the same primary VLAN on an isolated trunk port. Each primary VLAN and one associated secondary VLAN is a private VLAN pair, and you can configure a maximum of 16 private VLAN pairs on each isolated trunk port.
NOTE2: Port-channel interfaces can't be used for private VLANs.