Sunday, July 12, 2009

Private Vlans

Hi all, I've started reading Wendell Odom's book "CCIE R&S Exam Certification Guide" and I was a little surprised that Private Vlans in chapter 2 are only explained in theory, without configuration examples.
Maybe that topic is not so relevant for the R&S exam... but it was enough to stimulate my brain to do a lab ;-)

Well, I've started reading the "Configuring Private Vlans" guide for the 3750s, but the configuration is the same on other platforms...

So here's the lab topology. I've used routers R2 - R6 as hosts, with R2 and R3 in the same community, R4 and R5 as isolated, and R6 as promiscuous. SW1 acts as the L3 switch.



The expected results are:
SW1 pings all hosts (R2 - R6)
R2 pings SW1, R3 and R6
R3 pings SW1, R2 and R6
R4 pings SW1 and R6
R5 pings SW1 and R6
R6 pings all hosts (R2 - R6)

Well, first, configure all R2 - R6 interfaces on the same subnet:
Pod1-R2#sh run int fa 0/0 | beg int
interface FastEthernet0/0
ip address 10.0.0.2 255.255.255.0
duplex auto
speed auto
end

Pod1-R3#sh run int fa 0/0 | beg int
interface FastEthernet0/0
ip address 10.0.0.3 255.255.255.0
duplex auto
speed auto
end

Pod1-R4#sh run int fa 0/0 | beg int
interface FastEthernet0/0
ip address 10.0.0.4 255.255.255.0
duplex auto
speed auto
end

Pod1-R5#sh run int fa 0/0 | beg int
interface FastEthernet0/0
ip address 10.0.0.5 255.255.255.0
duplex auto
speed auto
end

Pod1-R6#sh run int fa 0/1 | beg int
interface FastEthernet0/1
ip address 10.0.0.6 255.255.255.0
duplex auto
speed auto
end


Ok, the hosts are ready; no special configuration is required, just note that they're all in the same subnet.
Now on SW1 we must create the vlans: vlan 10 is the primary, and 101-102 are the secondary vlans (101 community, 102 isolated).

SW1(config)#
vlan 101
private-vlan community
!
vlan 102
private-vlan isolated
!
vlan 10
private-vlan primary
private-vlan association 101-102

well done, let's verify with:

SW1#sh vlan private-vlan

Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
10 101 community
10 102 isolated

There are no ports assigned to the private vlans yet, so let's configure them!

SW1#sh cdp nei | inc R2
Pod1-R2 Fas 1/0/11 139 R S I 2621 Fas 0/0
SW1#sh run int fa 1/0/11 | beg int
interface FastEthernet1/0/11
description SW1 <-> R2
switchport private-vlan host-association 10 101
switchport mode private-vlan host
spanning-tree portfast
end

SW1#sh cdp nei | inc R3
Pod1-R3 Fas 1/0/4 144 R S I 2621 Fas 0/0
SW1#sh run int fa 1/0/4 | beg int
interface FastEthernet1/0/4
description SW1 <-> R3
switchport private-vlan host-association 10 101
switchport mode private-vlan host
spanning-tree portfast
end

SW1#sh cdp nei | inc R4
Pod1-R4 Fas 1/0/9 128 R S I 2621 Fas 0/0
SW1#sh run int fa 1/0/9 | beg int
interface FastEthernet1/0/9
description SW1 <-> R4
switchport private-vlan host-association 10 102
switchport mode private-vlan host
spanning-tree portfast
end

SW1#sh cdp nei | inc R5
Pod1-R5 Fas 2/0/11 164 R S I 2621 Fas 0/0
SW1#sh run int fa 2/0/11 | beg int
interface FastEthernet2/0/11
description SW1 <-> R5
switchport private-vlan host-association 10 102
switchport mode private-vlan host
spanning-tree portfast
end

SW1#sh cdp nei | inc R6
Pod1-R6 Fas 2/0/2 146 R S I 2621 Fas 0/1
SW1#sh run int fa 2/0/2 | beg int
interface FastEthernet2/0/2
description SW1 <-> R6
switchport private-vlan mapping 10 101-102
switchport mode private-vlan promiscuous
end

SW1#

Let's verify that the L2 ports are correctly assigned to the private vlans:

SW1#sh vlan private-vlan

Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
10 101 community Fa1/0/4, Fa1/0/11, Fa2/0/2
10 102 isolated Fa1/0/9, Fa2/0/2, Fa2/0/11

Ok, Fa2/0/2 is listed under both secondary vlans, because it is the promiscuous port mapped to 101-102.

Now we must complete the configuration with the L3 interface on SW1: basically we have to map the secondary private vlans to the SVI of the primary vlan:
SW1#sh run int vlan 10 | beg int
interface Vlan10
ip address 10.0.0.1 255.255.255.0
private-vlan mapping 101-102
end

SW1#sh int vlan 10 private-vlan mapping
Interface Secondary VLANs
--------- --------------------------------------------------------------------
vlan10 101, 102
SW1#
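Before pinging, the expected reachability can be derived from the configuration itself. The following is an added example of mine (not from the original post): it parses the switchport lines shown above and applies the private-vlan forwarding rules; the SECONDARY dict encodes the vlan types created on SW1 and the config string is constructed from the snippets above with the descriptions dropped.

```python
SECONDARY = {101: "community", 102: "isolated"}   # vlan types created on SW1
# Constructed from the switchport snippets in the post (descriptions dropped).
SW1_PORTS = """\
interface FastEthernet1/0/11
 switchport private-vlan host-association 10 101
 switchport mode private-vlan host
interface FastEthernet1/0/4
 switchport private-vlan host-association 10 101
 switchport mode private-vlan host
interface FastEthernet1/0/9
 switchport private-vlan host-association 10 102
 switchport mode private-vlan host
interface FastEthernet2/0/11
 switchport private-vlan host-association 10 102
 switchport mode private-vlan host
interface FastEthernet2/0/2
 switchport private-vlan mapping 10 101-102
 switchport mode private-vlan promiscuous
"""

def expand(spec):
    """Expand an IOS VLAN list such as '101-102,105' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_ports(config):
    """Map interface name -> [mode, primary vlan, set of secondary vlans]."""
    ports, cur = {}, None
    for w in (line.split() for line in config.splitlines()):
        if w[:1] == ["interface"]:
            cur = w[1]
            ports[cur] = ["host", None, set()]
        elif w[:3] == ["switchport", "mode", "private-vlan"]:
            ports[cur][0] = w[3]
        elif w[:2] == ["switchport", "private-vlan"]:  # host-association or mapping
            ports[cur][1], ports[cur][2] = int(w[3]), expand(w[4])
    return ports

def can_talk(ports, a, b):
    """True if ports a and b may exchange frames under private-VLAN rules."""
    (ma, pa, sa), (mb, pb, sb) = ports[a], ports[b]
    if pa != pb:                      # different primary VLANs never mix
        return False
    if ma == mb == "host":            # two host ports: same community VLAN only
        return bool(sa) and sa == sb and SECONDARY[min(sa)] == "community"
    host_sec = sa if ma == "host" else sb if mb == "host" else set()
    prom_map = sb if ma == "host" else sa
    return host_sec <= prom_map       # promiscuous side must map the host's VLAN
```

The SVI on vlan 10 with `private-vlan mapping 101-102` behaves like the promiscuous port for this purpose, so SW1 itself reaches every host.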


well done, let's verify our results:
1) SW1 pings all hosts (R2 - R6)
SW1#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SW1#ping 10.0.0.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
SW1#ping 10.0.0.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
SW1#ping 10.0.0.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
SW1#ping 10.0.0.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SW1#

2) R2 pings SW1, R3 and R6
Pod1-R2#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Pod1-R2#ping 10.0.0.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Pod1-R2#ping 10.0.0.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Pod1-R2#ping 10.0.0.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Pod1-R2#ping 10.0.0.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Pod1-R2#

3) R3 pings SW1, R2 and R6
Pod1-R3#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Pod1-R3#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Pod1-R3#ping 10.0.0.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Pod1-R3#ping 10.0.0.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Pod1-R3#ping 10.0.0.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Pod1-R3#

4) R4 pings SW1 and R6
Pod1-R4#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Pod1-R4#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Pod1-R4#ping 10.0.0.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Pod1-R4#ping 10.0.0.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Pod1-R4#ping 10.0.0.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Pod1-R4#

5) R5 pings SW1 and R6
Pod1-R5#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Pod1-R5#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Pod1-R5#ping 10.0.0.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Pod1-R5#ping 10.0.0.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Pod1-R5#ping 10.0.0.6

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Pod1-R5#

6) R6 pings all hosts (R2 - R6)
Pod1-R6#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Pod1-R6#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Pod1-R6#ping 10.0.0.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Pod1-R6#ping 10.0.0.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Pod1-R6#ping 10.0.0.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Pod1-R6#


Well, it seems that all is working as expected: isolated ports can ping only the SVI of the primary vlan and the promiscuous port, while community ports can additionally reach each other...

Let's take a look at the ARP table and the mac-address-table of SW1; they look pretty unusual:
SW1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.0.0.2 8 0014.a925.72a0 ARPA Vlan10 pv 101
Internet 10.0.0.3 5 0014.a925.4cd8 ARPA Vlan10 pv 101
Internet 10.0.0.1 - 0014.a98c.87c1 ARPA Vlan10
Internet 10.0.0.6 70 0014.a909.78d1 ARPA Vlan10
Internet 10.0.0.4 4 0014.a909.7870 ARPA Vlan10 pv 102
Internet 10.0.0.5 4 0014.a925.6460 ARPA Vlan10 pv 102

SW1#sh mac-address-table
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
....
10 0014.a909.7870 DYNAMIC pv Fa1/0/9
10 0014.a909.78d1 DYNAMIC Fa2/0/2
10 0014.a925.4cd8 DYNAMIC pv Fa1/0/4
10 0014.a925.6460 DYNAMIC pv Fa2/0/11
10 0014.a925.72a0 DYNAMIC pv Fa1/0/11
101 0014.a909.78d1 DYNAMIC pv Fa2/0/2
101 0014.a925.4cd8 DYNAMIC Fa1/0/4
101 0014.a925.72a0 DYNAMIC Fa1/0/11
102 0014.a909.7870 BLOCKED Fa1/0/9
102 0014.a909.78d1 DYNAMIC pv Fa2/0/2
102 0014.a925.6460 BLOCKED Fa2/0/11

SW1#
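The BLOCKED entries are the switch's way of guaranteeing that isolated hosts never forward to each other, so they are worth checking after a change. Here is an added example of mine (not from the post) that parses the "sh mac-address-table" output above and reports any host entry in an isolated secondary vlan that is not BLOCKED; the table text is constructed from SW1's output, and ISOLATED_VLANS and PROMISCUOUS_PORTS are assumptions taken from this lab.

```python
ISOLATED_VLANS = {102}            # isolated secondary vlans on SW1
PROMISCUOUS_PORTS = {"Fa2/0/2"}   # promiscuous ports, which are legitimately DYNAMIC

# Constructed from SW1's "sh mac-address-table" output above.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0014.a909.7870    DYNAMIC pv  Fa1/0/9
  10    0014.a909.78d1    DYNAMIC     Fa2/0/2
  10    0014.a925.4cd8    DYNAMIC pv  Fa1/0/4
  10    0014.a925.6460    DYNAMIC pv  Fa2/0/11
  10    0014.a925.72a0    DYNAMIC pv  Fa1/0/11
 101    0014.a909.78d1    DYNAMIC pv  Fa2/0/2
 101    0014.a925.4cd8    DYNAMIC     Fa1/0/4
 101    0014.a925.72a0    DYNAMIC     Fa1/0/11
 102    0014.a909.7870    BLOCKED     Fa1/0/9
 102    0014.a909.78d1    DYNAMIC pv  Fa2/0/2
 102    0014.a925.6460    BLOCKED     Fa2/0/11
"""

def parse_mac_table(text):
    """Return (vlan, mac, type, pv_flag, port) for each numeric-vlan data row."""
    rows = []
    for line in text.splitlines():
        w = line.split()
        if len(w) < 4 or not w[0].isdigit():   # skip header, separator, CPU rows
            continue
        pv_flag = "pv" in w[3:-1]              # optional 'pv' token before the port
        rows.append((int(w[0]), w[1], w[2], pv_flag, w[-1]))
    return rows

def isolated_violations(rows):
    """Host entries in an isolated vlan that are not BLOCKED (host-to-host forwarding possible)."""
    return [(v, m, p) for v, m, t, _, p in rows
            if v in ISOLATED_VLANS and p not in PROMISCUOUS_PORTS and t != "BLOCKED"]

def ports_blocked(rows):
    """Sorted ports whose entry in an isolated vlan is BLOCKED."""
    return sorted({p for v, _, t, _, p in rows if v in ISOLATED_VLANS and t == "BLOCKED"})
```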


Note that the MAC addresses of the isolated hosts show up as "BLOCKED" in vlan 102 of the mac-address-table!
