
PVLAN Question

cr33p Member Posts: 4
I have a question for anyone who knows and understands PVLANs.

In my company, I have been tasked with creating a pvlan in an existing network with multiple 802.1q VLANs. I have done a lot of reading, but nothing answers this one question:

I need to be able to create a pvlan community so that this one vlan is isolated from the rest of the VLANs. The main focus is that I need to ensure I do not disrupt communications on the rest of the network. So how would I go about creating this pvlan if I have a setup similar to the following without disrupting network communications:

Catalyst 4006 series Switch
CatOS (don't recall which version)

Existing VLANs:
16, 17, 18, 21 <-- All can communicate with each other

Trunk is on port 1/2

Need to add pvlan 24 <-- No communication with other VLANs, only the DG and other computers in the same vlan.

What I think I need to do is to create a primary VLAN, let's say 50. Create PVLAN 24 as a community PVLAN, associate PVLAN 24 to VLAN 50 and add port 1/2 to PVLAN 50 as a promiscuous port. Does this sound right, or am I missing something?

Comments

    mikearama Member Posts: 749
    Your solution is exactly right...

    A sub-vlan (24) that is private (community):
    Switch(config)#vlan 24
    Switch(config-vlan)#private-vlan community

    A primary vlan (50). Associate the private vlan to it.
    Switch(config)#vlan 50
    Switch(config-vlan)#private-vlan primary
    Switch(config-vlan)#private-vlan association 24

    Then assign a promiscuous port... the one leading to your router:
    Switch(config)#int f0/12
    Switch(config-if)#switchport mode private-vlan promiscuous
    Switch(config-if)#switchport private-vlan mapping 50 24

    All other ports belonging to the private vlan get the same command... just "host" at the end instead of promiscuous.

    Hey, I learned something neat from the Bryant BCMSN kit... private vlans require Transparent mode. So if you're running VTP, you've got to switch it to Transparent to use private vlans.

    Mike
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
    tech-airman Member Posts: 953
    cr33p wrote:
    I have a question for anyone who knows and understands PVLANs.

    In my company, I have been tasked with creating a pvlan in an existing network with multiple 802.1q VLANs. I have done a lot of reading, but nothing answers this one question:

    I need to be able to create a pvlan community so that this one vlan is isolated from the rest of the VLANs. The main focus is that I need to ensure I do not disrupt communications on the rest of the network. So how would I go about creating this pvlan if I have a setup similar to the following without disrupting network communications:

    Catalyst 4006 series Switch
    CatOS (don't recall which version)

    Existing VLANs:
    16, 17, 18, 21 <-- All can communicate with each other

    Trunk is on port 1/2

    Need to add pvlan 24 <-- No communication with other VLANs, only the DG and other computers in the same vlan.

    What I think I need to do is to create a primary VLAN, let's say 50. Create PVLAN 24 as a community PVLAN, associate PVLAN 24 to VLAN 50 and add port 1/2 to PVLAN 50 as a promiscuous port. Does this sound right, or am I missing something?

    cr33p,

    Find out which CatOS version you have and post back.
    dtlokee Member Posts: 2,378
    I don't think this is an application of private VLANs, which are used to prevent hosts on the same VLAN from communicating with other hosts on the same VLAN. You are trying to prevent one VLAN from communicating with another VLAN at a L3 device, which is a case for access-lists or VLAN maps. If you create VLAN 24 as a private VLAN (community or otherwise) and the trunk as community, all the hosts can communicate with the router (or other L3 device), then the L3 device will route the packets.
    The only easy day was yesterday!
    mikearama Member Posts: 749
    Interesting comment, dt... I may have misunderstood the definition/application of a community private vlan then.

    I understood that they inherently (when community) allowed connectivity to hosts in the same vlan, but not to anyone outside of their vlan (except the promiscuous port).

    You are correct that an acl on the router could do the same.

    You mentioned that:
    "I don't think this is an application of private VLANs which are used to prevent hosts on the same VLAN from communicating with other hosts on the same VLAN."

    That is the definition, I believe, of an isolated private-vlan. A community private-vlan should do what cr33p needs, don't ya think?
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
    dtlokee Member Posts: 2,378
    The community PVLAN will still allow all the hosts to communicate with the promiscuous port (the router), which will then just route the packets onto the other VLANs, defeating the intended goal.
    The only easy day was yesterday!
    cr33p Member Posts: 4
    dtlokee wrote:
    I don't think this is an application of private VLANs, which are used to prevent hosts on the same VLAN from communicating with other hosts on the same VLAN. You are trying to prevent one VLAN from communicating with another VLAN at a L3 device, which is a case for access-lists or VLAN maps. If you create VLAN 24 as a private VLAN (community or otherwise) and the trunk as community, all the hosts can communicate with the router (or other L3 device), then the L3 device will route the packets.

    Very good point... I didn't think of this. I was under the assumption that being private would prevent it from communicating with the other vlans. I didn't take the L3 aspect of it into account. I wish I had hardware to do a test network, but alas, I am too poor to afford all that... :)

    If this should have an ACL, then what should it block? Now I think it gets tricky because of the way our network is set up. Let me explain:

    VLANs 16 and 17 both connect to the same Cisco router (router on a stick).
    VLANs 18 and 21 connect to an L3 Procurve switch for routing (basically router on a stick again).
    VLAN 24, the one I need isolated, routes via the L3 Procurve switch.

    The router before the firewall that goes to the internet is x.x.16.1. How would I prevent communication from VLAN 24 to the rest of the x.x.16.x network, as well as the other VLANs, and still be able to get to the internet (x.x.16.1)? This is a logical overview:
             x.x.16.1          x.x.21.1     (access switches)
            (x.x.17.1)        x.x.18.1     (VLANs 16, 17, 18, 21, 24)
                              x.x.24.1
    FW <---- R ----------- L3SW ---------- SW--SW--SW
    
    networker050184 Mod Posts: 11,962
    I think VLAN maps are your best bet in this situation. You can keep all other traffic off VLAN 24 and keep VLAN 24 traffic off your other VLANs also.
    An expert is a man who has made all the mistakes which can be made.
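Worked configuration for the access-list / VLAN-map approach that the two replies above recommend, written as an added example (it is not from any poster in this thread). It uses IOS syntax like the earlier PVLAN snippet; the OP's CatOS 4006 and the HP ProCurve L3 switch have their own syntax for the same idea. The addresses are assumptions: the thread's x.x.16.x, x.x.17.x, x.x.18.x, x.x.21.x and x.x.24.x networks are written as 10.0.16.0/24 through 10.0.24.0/24, with x.x.24.1 as the VLAN 24 default gateway.

```cisco
! Added example (IOS syntax). Assumed addressing: 10.0.N.0/24 stands in for
! the thread's x.x.N.x subnets. Replace with the real prefixes and masks.
!
! --- Option 1: VLAN map on the Layer 2 switches carrying VLAN 24 ---
! Inside a VLAN access-map, an ACL "permit" means "this packet matches the
! entry"; the map's action decides whether it is forwarded or dropped.
ip access-list extended VLAN24-TO-INTERNAL
 remark packets between VLAN 24 and the other internal subnets, either direction
 permit ip 10.0.24.0 0.0.0.255 10.0.16.0 0.0.0.255
 permit ip 10.0.24.0 0.0.0.255 10.0.17.0 0.0.0.255
 permit ip 10.0.24.0 0.0.0.255 10.0.18.0 0.0.0.255
 permit ip 10.0.24.0 0.0.0.255 10.0.21.0 0.0.0.255
 permit ip 10.0.16.0 0.0.0.255 10.0.24.0 0.0.0.255
 permit ip 10.0.17.0 0.0.0.255 10.0.24.0 0.0.0.255
 permit ip 10.0.18.0 0.0.0.255 10.0.24.0 0.0.0.255
 permit ip 10.0.21.0 0.0.0.255 10.0.24.0 0.0.0.255
!
ip access-list extended ANY-IP
 permit ip any any
!
! Entry 10 drops the internal cross-talk. Entry 20 forwards everything else:
! traffic within 10.0.24.0/24 (including to the gateway 10.0.24.1) and
! traffic to Internet addresses, which the L3 switch routes on to the
! router at x.x.16.1. Non-IP frames such as ARP match no IP clause and are
! forwarded untouched, so hosts can still resolve their gateway.
vlan access-map VLAN24-ISOLATE 10
 match ip address VLAN24-TO-INTERNAL
 action drop
vlan access-map VLAN24-ISOLATE 20
 match ip address ANY-IP
 action forward
!
! A VLAN map is local to the switch it is configured on, so apply it on
! every switch that carries VLAN 24. It is attached only to VLAN 24 and
! never touches frames in VLANs 16, 17, 18 or 21.
vlan filter VLAN24-ISOLATE vlan-list 24
!
! --- Option 2: router ACLs on the L3 device's VLAN 24 interface ---
! Shown in IOS for comparison; the ProCurve needs its own syntax. Two
! directions are needed: an "in" ACL alone stops VLAN 24 from reaching the
! others but still lets the other VLANs initiate traffic into VLAN 24.
ip access-list extended VLAN24-IN
 deny   ip 10.0.24.0 0.0.0.255 10.0.16.0 0.0.0.255
 deny   ip 10.0.24.0 0.0.0.255 10.0.17.0 0.0.0.255
 deny   ip 10.0.24.0 0.0.0.255 10.0.18.0 0.0.0.255
 deny   ip 10.0.24.0 0.0.0.255 10.0.21.0 0.0.0.255
 permit ip 10.0.24.0 0.0.0.255 any
!
ip access-list extended VLAN24-OUT
 deny   ip 10.0.16.0 0.0.0.255 10.0.24.0 0.0.0.255
 deny   ip 10.0.17.0 0.0.0.255 10.0.24.0 0.0.0.255
 deny   ip 10.0.18.0 0.0.0.255 10.0.24.0 0.0.0.255
 deny   ip 10.0.21.0 0.0.0.255 10.0.24.0 0.0.0.255
 permit ip any 10.0.24.0 0.0.0.255
!
interface Vlan24
 ip access-group VLAN24-IN in
 ip access-group VLAN24-OUT out
!
! Verification (Option 1):
!  show vlan access-map VLAN24-ISOLATE
!  show vlan filter
```

Two practical caveats. First, if VLAN 24 hosts depend on services that live on the other subnets (DNS, DHCP relay targets, a domain controller), add a `forward` entry with a lower sequence number (or a `permit` line before the `deny` lines in Option 2) for just those host/port pairs, otherwise the isolation also cuts name resolution. Second, both options are stateless, so nothing here inspects sessions; the goal stated in the thread (VLAN 24 talks only to its own subnet and the Internet) is exactly what a stateless filter on the subnet pairs can express.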