Coming Soon: CCNP TSHOOT
Many students are getting excited for the new CCNP here at INE – and these students are not just those interested in pursuing their CCNP certification. The new TSHOOT course is certainly going to complement our best-selling Advanced Troubleshooting Bootcamp for those students pursuing their CCIE R&S.
Here is the list of specific technologies this new course will aid us in troubleshooting:
- EIGRP
- OSPF
- eBGP
- Redistribution
- DHCP Client and Server
- NAT
- HSRP/VRRP/GLBP
- IPv6 Routing
- IPv6 Transition Techniques
- L2 Trunking
- L2 STP
- L2 DTP
- Private VLANs
- Port Security
- Switch Security
- VACLs/PACLs
- L2 SVIs
- Supervisor Redundancy
- Switch Support of Wireless, VOIP, and Video
- Router Security
- ACLs
- AAA
- IOS Service Security
- Troubleshoot EIGRP
- Troubleshoot OSPF
- Troubleshoot eBGP
- Troubleshoot routing redistribution solution
- Troubleshoot a DHCP client and server solution
- Troubleshoot NAT
- Troubleshoot first hop redundancy protocols
- Troubleshoot IPv6 routing
- Troubleshoot IPv6 and IPv4 interoperability
- Troubleshoot switch-to-switch connectivity for the VLAN based solution
- Troubleshoot loop prevention for the VLAN based solution
- Troubleshoot Access Ports for the VLAN based solution
- Troubleshoot private VLANS
- Troubleshoot port security
- Troubleshoot general switch security
- Troubleshoot VACL and PACL
- Troubleshoot switch virtual interfaces (SVIs)
- Troubleshoot switch supervisor redundancy
- Troubleshoot switch support of advanced services (i.e., Wireless, VOIP and Video)
- Troubleshoot a VoIP support solution
- Troubleshoot a video support solution
- Troubleshoot Layer 3 Security
- Troubleshoot issues related to ACLs used to secure access to Cisco routers
- Troubleshoot configuration issues related to accessing the AAA server for authentication purposes
- Troubleshoot security issues related to IOS services (i.e., finger, NTP, HTTP, FTP, RCP etc.)
Introduction
Over time I was thinking of putting together the two blog posts made in the past about MSTP and adding more clarification for the MSTP multi-region section. This new blog post recaps the information posted previously and provides more details this time. Additionally, it discusses some MSTP design-related questions. Both single-region and multiple-region MSTP configurations are reviewed in the post. The reader is assumed to have a good understanding of classic STP and RSTP protocols as well as Cisco’s PVST/PVST+ implementations.
Table of Contents
Due to the large size of the document, a table of contents is provided for the ease of navigation.
Historical Review
Logical and Physical Topologies
Implementing MSTP
Caveats in MSTP Design
MSTP Single-Region Configuration Example
Common and Internal Spanning Tree (CIST)
Common Spanning Tree (CST)
Mapping MSTI’s to CIST
MSTP Multi Region Design Considerations
Interoperating with PVST+
Scenario 1: CIST Root and CIST Regional Root
Scenario 2: MSTIs and the Master Port
Scenario 3: PVST+ and MSTP Interoperation
Conclusions
Further Reading
Tags: 802.1s, ccie.mstp, cist, cst, multiple spanning tree
The Interactive Video Companion series for the Volume 2 R&S workbook provides detailed, self-paced, interactive videos detailing every aspect of the lab technologies and strategies.
To provide an idea of the scope of this new product, check out the partial Lab 1 outline below!
A. Lab Do’s and Don’ts
1. Introduction
2. Version 4 Challenge – Strategy
B. Lab Strategy
1. Core versus Non-Core
2. Reading Ahead and Diagramming
3. Additional Study Resources
C. Layer 2 Traffic Engineering
1. Diagramming
2. Version 4 Challenge – Core Knowledge
3. Version 4 Challenge – Core Knowledge II
4. Version 4 Challenge – Troubleshooting
5. Version 4 Command Recall Tool
6. Additional Study Resources
The CCNP Workbook accompanying the CCNP Bootcamp Class-on-Demand has been updated. Current customers can access the new updates by visiting the IE Member’s Site. The workbook now includes the following topics:
Tags: BCMSN 642-812, BSCI 642-901, ISCW 642-825, ONT 642-845, update
The first beta release of our CCNP Lab Workbook is now posted for all customers of the CCNP Bootcamp Class-on-Demand. A sample of it can be viewed here. Current customers can find the workbook on the CCNP Bootcamp Class-on-Demand page of the INE Members Site.
Tags: BCMSN 642-812, BSCI 642-901, CCNP, cod, ISCW 642-825, lab, ONT 642-845, update, workbook
Hi Everyone,
I would like to apologize for not posting enough technical blog posts recently; apparently development is taking too much spare time from me. Before I finally make a new technical-focused post, I thought of summarizing the stuff that I have written so far, and making a small catalogue of my blog posts. The catalogue covers the most interesting (IMO) posts that are probably worth reading and is broken down into categories. I hope you will find it useful.
QoS
Understanding Custom Queueing
Catalyst 3550 QoS Explained
Quick Notes on 3560 Egress Queueing
Bridging the gap between 3550 and 3560 QoS: Part 1
Bridging the gap between 3550 and 3560 QoS: Part 2
Traffic Classification Options in 3550/3560 switches
PPP Multilink Interleaving over Frame-Relay
Comparing Traffic Policing Features in 3550 and 3560 series switches
Understanding Shape Peak Command
Insights on CBWFQ
Tags: blog, categories, ccie, posts, summary
Welcome to the 4.X Expanded Study Blueprint – it is a constant work in progress – feel free to comment!
LAST UPDATED: 12:34 PM EST USA; June 29; Added legacy QoS
1.00 Implement Layer 2 Technologies
1.10 Implement Spanning Tree Protocol (STP)
(a) 802.1d
(b) 802.1w
(c) 802.1s
(d) Loop guard
(e) Root guard
(f) Bridge protocol data unit (BPDU) guard
(g) Storm control
(h) Unicast flooding
(i) Port roles, failure propagation, and loop guard operation
(j) STP manipulation through timers
(k) PortFast, UplinkFast, BackboneFast
(l) BPDUFilter
(n) STP Port Cost and Port Priority
(o) UDLD
1.20 Implement VLAN, Network Management and VLAN Trunking Protocol (VTP)
(a) No VTP (TRANS)
(b) Pruning
(c) Bridging – Transparent, IRB, CRB
(d) VTP Authentication
(e) VTP Versions
(f) Regular Macros
(g) Smart Macros
(h) SNMP
(i) Telnet and Telnet Controls
(j) SSH
(k) Banners
(l) Switch Virtual Interfaces (SVIs)
(m) 3560s and VoIP Phone Support
1.30 Implement trunk and trunk protocols, EtherChannel, and load-balance
Hi, Everyone!
We are in the process of upgrading our CCIE Security racks with the new software and hardware. Here are the specs that you can use to build your own rack. The rack consists of six routers, two switches, two ASA firewall appliances and one IPS sensor. The hardware models and their specs are outlined below:
R1-R5: 2611XM 32/128, IOS 12.4(15)T ADVANCED SECURITY
R6: 2811 64/256, IOS 12.4(24)T ADVANCED ENTERPRISE SERVICES
SW1-SW2: CAT3550, IOS 12.2(50)SEE
IPS: Cisco IPS 4235 or 4240, SW version 6.0(3)E1
ASA1-ASA2: Cisco ASA 5510, SW version 8.0
AAA/CA Server: Win 2k running CS ACS 4.0 and IPS Manager Express.
Test PC: Win XP workstation with ezVPN Client Installed.
You can find a more detailed topology description at IE’s Security Hardware List
All the hardware cabling remains the same and the backbone routers did not change. If you compare this to our current hardware blueprint, you will see that only R6 needs to be replaced with an ISR router. Optionally, instead of the 2811 you can use another ISR such as the 1841 64/192 for R6. If you are using the Dynamips emulator for your virtual CCIE rack, you can use the 3725 model for SSL VPN, for instance. Simply put, you just need any router that supports SSL VPN and other ADVANCED ENTERPRISE features. As for the GET VPN feature – even though Cisco FN does not list it as being supported by 2611XM routers, it is still present in the ADV. SECURITY feature set. Surprisingly enough, the ADVANCED ENTERPRISE SERVICES image for the 2611XM does not support the feature.
Now for the IPS appliance: the latest software version for the IPS is 6.2 and it does not support the older 4235 or 4215 IPS sensors (nor does version 6.1). Instead, the blueprint suggests using the newer 4240 model. However, if you look at the release notes for IPS SW 6.2 and 6.1 you will note the following two major new features:
a) IPS management via IPS Manager Express
b) IPv6 support
Other updates are minor, including some cosmetic changes such as health monitoring, customizable dashboards, unauthenticated NTP etc. Of course, you can still configure the IPS using IDM (IPS Device Manager) or the CLI and use IME for appliance monitoring. As for IPv6, it is not part of the current blueprint; plus the blueprint specifies IPS version 6.1 which does not support IPv6. Therefore, until they announce IPv6 as being tested in the CCIE Security blueprint, you may freely stay with the older IPS models and save on buying the more expensive 4240. Even better, the older 4215 appliance could be emulated on VMware! Note that you will see the older 4235 models for some more time in our racks, but they are going to be gradually replaced with the newer 4240 models. The labs will still rely on the 6.0 code.
As for the switches – right now we use the 3550s in the racks, but those will be gradually replaced with 3560s. The CCIE hardware blueprint states the use of 3560 and 3750 switches in the lab. If you compare the 3560 model against the 3550, you will see the following major differences: different QoS features, IPv6 support in the 3560 and no Private VLANs in the 3550 (even though the FN states they are supported there, sigh). Everything else is virtually the same. While QoS and IPv6 are not very important from the standpoint of the Security exam, Private VLANs are. However, if you look at the CCIE lab exam blueprint, you will see that Private VLANs are not listed there. Based on that, you can stick with the 3550 switches for 99% of the Security features tested in the CCIE lab.
Also, until April 20th you will see the PIX and the VPN3k appliances in our racks. So even if you are still pursuing the old-blueprint exam, you can use the rental racks, as most features are upwards compatible with the updated software. And get ready for the upcoming initial update of our IEWB-SC VOL1 next week – 50+ technology-focused scenarios for the ASA firewall appliance.
Good luck with your studies!
I expanded upon the awesome CCIE Lab Technology Outline found in the Resources section of our main Web Site. I am looking to add features to this list soon, and of course, please post any changes you feel I should make in our comments section. I plan on fixing the formatting as I add new features. Enjoy your studies.
I. Bridging and Switching
A. Frame Relay
I. L2/L3 Resolution – static vs dynamic
II. Broadcast/Multicast Support
III. LMI
IV. Full Mesh/Partial Mesh
V. Hub and Spoke using Point-to-Point
VI. Hub and Spoke using Multipoint
VII. SVC
VIII. PPP over Frame
IX. End to End Keepalives
X. Broadcast Queue
XI. Load Interval
XII. PING local interface
XIII. Multilink Frame Relay
B. PPP/HDLC
Due to the continued interest in the post about Private VLANs, I decided to make another one, more detailed – including a diagram and verification techniques.
Introduction
To begin with, recall that a VLAN is essentially a broadcast domain. Private VLANs (PVLANs) allow splitting the domain into multiple isolated broadcast “subdomains”, introducing sub-VLANs inside a VLAN. As we know, Ethernet VLANs cannot communicate directly with each other – they require an L3 device to forward packets between separate broadcast domains. The same restriction applies to PVLANs – since the subdomains are isolated at Layer 2, they need to communicate using an upper-layer (L3/packet forwarding) device, such as a router.
In reality, different VLANs normally map to different IP subnets. When we split a VLAN using PVLANs, hosts in different PVLANs still belong to the same IP subnet, yet now they need to use a router (L3 device) to talk to each other (for example, by using Local Proxy ARP). In turn, the router may either permit or forbid communications between sub-VLANs using access-lists. Commonly, these configurations arise in “shared” environments, say ISP co-location, where it’s beneficial to put multiple customers into the same IP subnet, yet provide a good level of isolation between them.
Private VLANs Terminology
The following is the reference diagram that we are going to use to illustrate Private VLAN concepts and functionality.
For our sample configuration, we take VLAN 1000 and divide it into three PVLANs – sub-VLAN 1012 (R1 and R2), sub-VLAN 1034 (R3 and R4) and sub-VLAN 1055 (router R5 only). Router R6 will be used as the layer 3 device, to resolve the layer 3 communication issue. We name VLAN 1000 the “Primary” VLAN and classify the ports assigned to this VLAN based on their types:
- Promiscuous (“P”) port: Usually connects to a router. This port type is allowed to send and receive L2 frames from any other port on the VLAN.
- Isolated (“I”) port: This type of port is only allowed to communicate with “P”-ports – i.e., it is a “stub” port. You commonly see these ports connecting to hosts.
- Community (“C”) port: Community ports are allowed to talk to their buddies sharing the same community (group), and to “P”-ports.
In order to implement sub-VLAN behavior, we need to define how packets are forwarded between different types of ports. We group the VLANs into “Primary” and “Secondary”.
- Primary VLAN (VLAN 1000 in our example). This VLAN is used to forward frames downstream from “P”-ports to all other port types (“I” and “C” ports) in the system. Essentially, the Primary VLAN embraces all ports in the domain, but only transports frames from the router to hosts (from “P” to “I” and “C”).
- Secondary Isolated VLAN: forwards frames from “I” ports to “P” ports. Since Isolated ports do not exchange frames with each other, we can use just ONE isolated VLAN to connect all I-ports to the P-ports.
- Secondary Community VLANs: Transport frames between community ports (C-ports) within the same group (community) and forward frames upstream to the P-ports of the primary VLAN.
How Private VLANs Work
Here are the key aspects of Private VLAN functioning:
- The Primary VLAN delivers frames downstream from the router (promiscuous port) to all mapped hosts.
- The Isolated VLAN transports frames from the stub hosts upstream to the router.
- The Community VLANs allow bi-directional frame exchange within a single group, in addition to forwarding frames upstream towards “P”-ports.
- The Ethernet MAC address learning and forwarding procedures remain the same, as does the broadcast/multicast flooding procedure, within the boundaries of the primary/secondary VLANs.
Private VLANs can be trunked. The secondary VLAN numbers are used to tag frames, just as with regular VLANs, and the primary VLAN traffic is trunked as well. However, you need to configure the Private VLAN specific settings (bindings, mappings) on every participating switch, as it’s not possible to use VTPv2 to disseminate that information. This is due to the fact that VTPv2 has no TLVs to carry private VLAN information. VTPv3 was designed to overcome this limitation, among others.
Configuring Private VLANs
We have primary VLAN 1000, Isolated VLAN 1055 (R5), Community VLAN 1012 (R1, R2) and Community VLAN 1034 (R3, R4).
Step 1:
First, disable VTP, i.e. enable VTP transparent mode. After disabling VTP, create Primary and Secondary VLANs and bind them into PVLAN domain:
SW1:
vtp mode transparent
!
! Creating primary VLAN, which is shared among secondary’s
!
vlan 1000
 private-vlan primary
!
! Community VLAN for R1 and R2: allows a “subVLAN” within a Primary VLAN
!
vlan 1012
 private-vlan community
!
! Community VLAN for R3 and R4
!
vlan 1034
 private-vlan community
!
! Isolated VLAN: Connects all stub hosts to router.
! Remember - only one isolated vlan per primary VLAN.
! In our case, isolates R5 only.
!
vlan 1055
 private-vlan isolated
!
! Associating the primary with secondary’s
!
vlan 1000
 private-vlan association 1012,1034,1055
This step is needed to group the PVLANs into a shared domain and establish a formal association (for syntax checking and VLAN type verification). Repeat the same operations on SW2, since VTP has been disabled.
Step 2:
Configure host ports and bind them to their respective secondary PVLANs. Note that a host port belongs to two VLANs at the same time: the downstream primary and the upstream secondary. Also, enable trunking between the switches, to allow private VLAN traffic to pass between them.
SW1:
!
! Community port (links R1 to R2 and “P”-ports)
!
interface FastEthernet0/1
 description == R1
 switchport private-vlan host-association 1000 1012
 switchport mode private-vlan host
 spanning-tree portfast
!
! Community port (links R3 to R4 and “P”-ports)
!
interface FastEthernet0/3
 description == R3
 switchport private-vlan host-association 1000 1034
 switchport mode private-vlan host
 spanning-tree portfast
!
! Isolated port (uses isolated VLAN to talk to “P”-ports)
!
interface FastEthernet0/5
 description == R5
 switchport private-vlan host-association 1000 1055
 switchport mode private-vlan host
 spanning-tree portfast
!
! Trunk port
!
interface FastEthernet 0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk

SW2:
interface FastEthernet0/2
 description == R2
 switchport private-vlan host-association 1000 1012
 switchport mode private-vlan host
 spanning-tree portfast
!
interface FastEthernet0/4
 description == R4
 switchport private-vlan host-association 1000 1034
 switchport mode private-vlan host
 spanning-tree portfast
!
! Trunk port
!
interface FastEthernet 0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk

Next, verify the configuration on SW1:

Rack1SW1#show vlan id 1012

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1012 VLAN1012                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1012 enet  101012     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1012      community         Fa0/1

Rack1SW1#show vlan id 1034

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1034 VLAN1034                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1034 enet  101034     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1034      community         Fa0/3

Rack1SW1#show vlan id 1055

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1055 VLAN1055                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1055 enet  101055     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1055      isolated          Fa0/5

Rack1SW1#show interfaces fastEthernet 0/13 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1,1000,1012,1034,1055

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      1,1000,1012,1034,1055

Verify on SW2:

Rack1SW2#show vlan id 1000

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1000 VLAN1000                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1000 enet  101000     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1012      community         Fa0/2, Fa0/6
1000    1034      community         Fa0/4, Fa0/6
1000    1055      isolated          Fa0/6

Rack1SW2#show vlan id 1012

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1012 VLAN1012                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1012 enet  101012     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1012      community         Fa0/2, Fa0/6

Rack1SW2#show vlan id 1034

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1034 VLAN1034                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1034 enet  101034     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1034      community         Fa0/4, Fa0/6

Rack1SW2#show vlan id 1055

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1055 VLAN1055                         active    Fa0/13

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1055 enet  101055     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
1000    1055      isolated          Fa0/6

Rack1SW2#show interface fastEthernet 0/13 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1,1000,1012,1034,1055

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      1,1000,1012,1034,1055
Step 3:
Create a promiscuous port and configure downstream mappings. Here we add the secondary VLANs whose traffic is received by this particular “P”-port. The Primary VLAN is used to send traffic downstream to all “C” and “I” ports per their associations.
SW2:
!
! Promiscuous port, mapped to all secondary VLANs
!
interface FastEthernet0/6
 description == R6
 switchport private-vlan mapping 1000 1012,1034,1055
 switchport mode private-vlan promiscuous
 spanning-tree portfast

Verify the promiscuous port configuration:

Rack1SW2#show int fa 0/6 switch | beg private
Administrative Mode: private-vlan promiscuous
Operational Mode: private-vlan promiscuous
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping:
  1000 (VLAN1000) 1012 (VLAN1012) 1034 (VLAN1034) 1055 (VLAN1055)
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan:
  1000 (VLAN1000) 1012 (VLAN1012) 1034 (VLAN1034) 1055 (VLAN1055)
If you need to configure an SVI on a switch to communicate with private VLAN members, you should add an interface corresponding to the Primary VLAN only. Obviously that’s because all secondary VLANs are “subordinates” of the primary. After the SVI has been created, you have to map the required secondary VLANs to the SVI (just like with a promiscuous port) in order to make communication possible. You may exclude some mappings from the SVI and limit it to communicating only with certain secondary VLANs.
SW1:
!
! SW1 SVI is mapped to all secondary VLANs
!
interface Vlan 1000
 ip address 10.0.0.7 255.255.255.0
 private-vlan mapping 1012,1034,1055

SW2:
!
! SW2 SVI is mapped to 1012/1034 only, so it can’t communicate with R5
!
interface Vlan1000
 ip address 10.0.0.8 255.255.255.0
 private-vlan mapping 1012,1034
Now, to verify the configuration, configure the R1-R6 interfaces in subnet 10.0.0.0/24 and ping the subnet broadcast address from each router.
Rack1R1#ping 10.0.0.255 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

Reply to request 0 from 10.0.0.7, 4 ms
Reply to request 0 from 10.0.0.2, 4 ms
Reply to request 0 from 10.0.0.6, 4 ms
Reply to request 0 from 10.0.0.8, 4 ms

Rack1R3#ping 10.0.0.255 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

Reply to request 0 from 10.0.0.7, 4 ms
Reply to request 0 from 10.0.0.4, 4 ms
Reply to request 0 from 10.0.0.6, 4 ms
Reply to request 0 from 10.0.0.8, 4 ms

Rack1R5#ping 10.0.0.255 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

Reply to request 0 from 10.0.0.7, 1 ms
Reply to request 0 from 10.0.0.6, 1 ms

Rack1R6#ping 10.0.0.255 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.255, timeout is 2 seconds:

Reply to request 0 from 10.0.0.1, 4 ms
Reply to request 0 from 10.0.0.7, 4 ms
Reply to request 0 from 10.0.0.2, 4 ms
Reply to request 0 from 10.0.0.5, 4 ms
Reply to request 0 from 10.0.0.3, 4 ms
Reply to request 0 from 10.0.0.4, 4 ms
Reply to request 0 from 10.0.0.8, 4 ms
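The broadcast-ping results above follow directly from the forwarding rules given in the “How Private VLANs Work” section. The following Python script is an added example, not part of the original post or of any Cisco tool: it encodes those rules (primary VLAN downstream from “P”-ports, secondary VLAN upstream, community-only exchange between hosts, no host-to-host forwarding in the isolated VLAN) for the post’s topology and predicts which hosts answer each router’s broadcast, so a design can be checked on paper before it is configured. The port names, IP addresses and SVI mappings are the ones used in the post; the `Port` class, `can_forward`, `broadcast_replies` and `design_warnings` are this example’s own constructs.

```python
from dataclasses import dataclass

# Topology of the post: primary VLAN 1000, two community VLANs, one isolated VLAN.
PRIMARY = 1000
COMMUNITY = {1012, 1034}
ISOLATED = {1055}
ASSOCIATED = COMMUNITY | ISOLATED   # "private-vlan association 1012,1034,1055"


@dataclass(frozen=True)
class Port:
    """A Layer 2 participant in the private VLAN domain (example model)."""
    name: str
    ip: str
    kind: str                        # "host" (isolated/community port) or "promiscuous"
    secondary: int = 0               # host ports: the secondary VLAN they are associated with
    mappings: frozenset = frozenset()  # promiscuous ports / SVIs: the secondaries they map


# Addresses are the ones in the ping output; SW2's SVI deliberately omits 1055.
PORTS = {
    "R1": Port("R1", "10.0.0.1", "host", 1012),
    "R2": Port("R2", "10.0.0.2", "host", 1012),
    "R3": Port("R3", "10.0.0.3", "host", 1034),
    "R4": Port("R4", "10.0.0.4", "host", 1034),
    "R5": Port("R5", "10.0.0.5", "host", 1055),
    "R6": Port("R6", "10.0.0.6", "promiscuous", mappings=frozenset(ASSOCIATED)),
    "SW1-SVI": Port("SW1-SVI", "10.0.0.7", "promiscuous", mappings=frozenset(ASSOCIATED)),
    "SW2-SVI": Port("SW2-SVI", "10.0.0.8", "promiscuous", mappings=frozenset({1012, 1034})),
}


def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame entering on src is delivered to dst at Layer 2."""
    if src is dst:
        return False
    if src.kind == "promiscuous" and dst.kind == "promiscuous":
        return True                             # both are full members of the primary VLAN
    if src.kind == "promiscuous":
        return dst.secondary in src.mappings    # downstream over the primary VLAN, mapped only
    if dst.kind == "promiscuous":
        return src.secondary in dst.mappings    # upstream over the secondary VLAN, mapped only
    # host -> host: only inside the same community VLAN; isolated ports never see each other
    return src.secondary == dst.secondary and src.secondary in COMMUNITY


def broadcast_replies(src_name: str, ports=PORTS) -> list:
    """IPs that both receive src's broadcast and can send a unicast reply back."""
    src = ports[src_name]
    return sorted(p.ip for p in ports.values()
                  if p is not src and can_forward(src, p) and can_forward(p, src))


def design_warnings(ports=PORTS) -> list:
    """Checks worth running before trusting a private VLAN design."""
    warnings = []
    if len(ISOLATED) > 1:
        warnings.append("more than one isolated VLAN per primary VLAN")
    for p in ports.values():
        if p.kind == "host" and p.secondary not in ASSOCIATED:
            warnings.append(f"{p.name}: secondary VLAN {p.secondary} is not associated with {PRIMARY}")
        if p.kind == "promiscuous":
            for vlan in sorted(ASSOCIATED - p.mappings):
                warnings.append(f"{p.name}: secondary VLAN {vlan} is not mapped, "
                                f"so its hosts cannot reach {p.name}")
    return warnings


if __name__ == "__main__":
    for name in ("R1", "R3", "R5", "R6"):
        print(f"{name} broadcast answered by: {', '.join(broadcast_replies(name))}")
    for line in design_warnings():
        print("warning:", line)
```

Running the script reproduces the replies seen on R1, R3, R5 and R6, and the single warning it emits is exactly the SW2 SVI case the post points out: because 1055 is not mapped on `interface Vlan1000` of SW2, R5 never gets an answer from 10.0.0.8.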
Lastly, there is another feature, called protected port or “Private VLAN edge”. The feature is pretty basic and is available even on low-end Cisco switches. It allows isolating ports within the same VLAN. Specifically, all ports in a VLAN that are marked as protected are prohibited from sending frames to each other (but are still allowed to send frames to other, non-protected, ports within the same VLAN). Usually, ports configured as protected are also configured not to receive flooded unknown unicast frames (frames whose destination MAC address is not in the switch’s MAC table) and multicast frames, for added security.
Example:
interface range FastEthernet 0/1 - 2
 switchport mode access
 switchport protected
 switchport block unicast
 switchport block multicast
Tags: 3560, arp, ccie, community, isolated, level2, private-vlan, promiscuous, vlan

