Requirements:
A can reach S; A must not be able to reach B & C
B & C can reach S; B & C cannot reach A; B & C can reach each other.
➔ Either of two approaches satisfies these requirements: Private VLANs or a VLAN ACL
By default, every port on a switch is Unprotected.
Protected ports are used on Access switches.
PC1----------Switch----------PC2
PC1 & PC2 are in the same VLAN
SW(config-if)# [no] switchport protected
→ PC1 & PC2 can reach each other with the default (no switchport protected); once both ports are configured as protected they cannot.
Private VLANs come in two kinds: Primary VLAN & Secondary VLAN
Secondary VLANs also come in two kinds: Isolated & Community
A host in an Isolated VLAN can only communicate with the host on the Promiscuous Port of its Primary VLAN
A host in a Community VLAN can communicate with hosts in the same Community VLAN, cannot reach hosts in other Community VLANs, and can reach the Promiscuous port of its Primary VLAN
Supported on the Catalyst 3560 switch
Set the switch to VTP Transparent mode
Create the Secondary VLANs
Create the Primary VLAN
Associate the Secondary VLANs with the Primary VLAN
Configure the host ports in the Secondary VLANs and the Promiscuous Port in the Primary VLAN
Assign each host port to its Secondary VLAN
Map the host ports to the Promiscuous port so the hosts can "see each other".
Note: Cisco IOU is used for the demo.
PVLANs provide layer 2 isolation between ports within the same broadcast domain. There are three types of PVLAN ports:
Promiscuous — A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
Isolated — An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.
Community — Community ports communicate among themselves and with promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.
IP Addressing
All the members of the Private VLAN can share a common IP Space where the IP space is assigned to the Primary VLAN. The hosts connected to isolated or community ports can have the addresses assigned from the address space of the Primary VLAN.
Steps to Configure Private VLAN
Set VTP mode to transparent
Create Primary and Secondary VLANs
Map secondary VLANs to Primary VLANs
Configure ports in Secondary VLANs and assign VLAN memberships
Configure Promiscuous ports and map them to primary-secondary VLAN pairs
Configuration:
Switches S1 and S2 must be configured as follows:
Create VLANs 101 and 102 and associate them with primary VLAN 100.
vlan 100
private-vlan primary
private-vlan association 101-102
!
vlan 101
private-vlan community
!
vlan 102
private-vlan community
On S1:
interface FastEthernet0/1
switchport
switchport private-vlan mapping 100 101-102
switchport mode private-vlan promiscuous
!
interface FastEthernet0/3
switchport
switchport private-vlan host-association 100 101
switchport mode private-vlan host
!
interface FastEthernet0/5
switchport
switchport private-vlan host-association 100 102
switchport mode private-vlan host
!
interface FastEthernet0/13
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
On S2:
interface GigabitEthernet0/4
switchport private-vlan host-association 100 101
switchport mode private-vlan host
!
interface GigabitEthernet0/6
switchport private-vlan host-association 100 102
switchport mode private-vlan host
!
interface GigabitEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
The objective of this lab is to configure SW1 and SW2 in a way that:
PC1 and PC2 cannot communicate with PC3 and PC4
PC1, PC2, PC3, and PC4 should each be allowed to communicate with the TFTP server connected to port Fa0/8 of SW1
Also remember: Private VLANs require VTP to run in transparent mode!
Today we’ll go over Private VLANs (PVLANs) in Cisco IOS. PVLANs segregate VLANs even further than normal; they are basically VLANs inside of VLANs. The ports share a subnet, but can be prevented from communicating. They use different port types:
Promiscuous ports – These will be the “open ports” of the PVLANs; they can communicate with all other ports.
Community ports – These ports can communicate with other community ports and promiscuous ports.
Isolated ports – These can ONLY communicate with promiscuous ports.
There are different uses for PVLANs. They are used by service providers to allow customer security while sharing a single subnet. Another use could be for DMZ hosts in an enterprise environment. If one host is compromised its ability to inflict damage to the other hosts will be severely limited. That’s the scenario we’ll be using today. This is our topology:
Here we see VLAN 50 as the primary (parent VLAN), then VLAN 51 is for community ports, and VLAN 52 is for isolated ports. In this example we have a Webserver (Gi0/5) and DB Server (Gi0/6) allowed to communicate with each other. Then we have two mailservers (Gi0/7 and Gi0/8) which are not allowed to communicate. We also have a router (Gi0/1) which will be our promiscuous port. Here’s the config:
vlan 50
private-vlan primary
!
vlan 51
private-vlan community
!
vlan 52
private-vlan isolated
!
vlan 50
private-vlan association 51,52
Here we define our VLANs. VLAN 50 is the primary (basically parent) VLAN, then we have VLAN 51, which is for the community ports and VLAN 52, which is for the isolated ports. Now the interface config:
interface Gi0/5
switchport mode private-vlan host
switchport private-vlan host-association 50 51
!
interface Gi0/6
switchport mode private-vlan host
switchport private-vlan host-association 50 51
!
interface Gi0/7
switchport mode private-vlan host
switchport private-vlan host-association 50 52
!
interface Gi0/8
switchport mode private-vlan host
switchport private-vlan host-association 50 52
!
interface Gi0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 50 add 51,52
We have associated the appropriate interfaces with the appropriate VLANs. We also made the router’s port promiscuous.
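The three port-type rules above (a promiscuous port reaches every secondary it maps, community ports reach their own community plus the promiscuous port, isolated ports reach only promiscuous ports) can be checked offline before the change goes live. The Python script below is an added example, not code from the original post or from Cisco: it parses the VLAN and interface config shown above, re-typed one command per line (the S1/S2 lab config earlier on this page uses the same syntax, including ranges such as 101-102), and computes which ports can reach each other at Layer 2. All function and variable names are assumptions for this example.

```python
"""Added example (not from the original post): Layer 2 reachability between
switch ports under Private VLAN rules, computed from an IOS config snippet.
Names, structure and the constructed input are assumptions for this example."""
import re
from itertools import product

# Constructed input: the post's config, one command per line (the post shows it
# run together with "!" separators; the same parser handles the S1/S2 lab config).
IOS_CONFIG = """
vlan 50
private-vlan primary
private-vlan association 51,52
vlan 51
private-vlan community
vlan 52
private-vlan isolated
interface Gi0/5
switchport mode private-vlan host
switchport private-vlan host-association 50 51
interface Gi0/6
switchport mode private-vlan host
switchport private-vlan host-association 50 51
interface Gi0/7
switchport mode private-vlan host
switchport private-vlan host-association 50 52
interface Gi0/8
switchport mode private-vlan host
switchport private-vlan host-association 50 52
interface Gi0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 50 add 51,52
"""


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '51,52' or '101-102' into a set of ids."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_pvlan_config(text):
    """Return ({vlan_id: type}, {port: {"mode", "primary", "secondaries"}})."""
    vlan_types, ports, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"vlan (\d+)$", line):
            section = ("vlan", int(m.group(1)))
        elif m := re.match(r"interface (\S+)$", line):
            section = ("port", m.group(1))
            ports.setdefault(section[1], {"mode": None, "primary": None, "secondaries": set()})
        elif section and section[0] == "vlan":
            if m := re.match(r"private-vlan (primary|community|isolated)$", line):
                vlan_types[section[1]] = m.group(1)
        elif section and section[0] == "port":
            p = ports[section[1]]
            if m := re.match(r"switchport mode private-vlan (host|promiscuous)$", line):
                p["mode"] = m.group(1)
            elif m := re.match(r"switchport private-vlan host-association (\d+) (\d+)$", line):
                p["primary"], p["secondaries"] = int(m.group(1)), {int(m.group(2))}
            elif m := re.match(r"switchport private-vlan mapping (\d+) (?:add )?([\d,-]+)$", line):
                p["primary"], p["secondaries"] = int(m.group(1)), parse_vlan_list(m.group(2))
    return vlan_types, ports


def can_talk(a, b, vlan_types):
    """PVLAN rule: promiscuous reaches every secondary it maps; community ports
    reach their own community; isolated ports reach only promiscuous ports."""
    if a["primary"] is None or a["primary"] != b["primary"]:
        return False                      # not in the same primary VLAN (e.g. a trunk port)
    if a["mode"] == "promiscuous" and b["mode"] == "promiscuous":
        return True
    if a["mode"] == "promiscuous":
        return b["secondaries"] <= a["secondaries"]
    if b["mode"] == "promiscuous":
        return a["secondaries"] <= b["secondaries"]
    (sa,), (sb,) = a["secondaries"], b["secondaries"]
    return sa == sb and vlan_types[sa] == "community"   # isolated ports never reach each other


def reachability(text):
    """{(src, dst): bool} for every ordered pair of distinct ports in the config."""
    vlan_types, ports = parse_pvlan_config(text)
    return {(x, y): can_talk(ports[x], ports[y], vlan_types)
            for x, y in product(sorted(ports), repeat=2) if x != y}


if __name__ == "__main__":
    for (x, y), ok in sorted(reachability(IOS_CONFIG).items()):
        print(f"{x:>6} -> {y:<6} {'allowed' if ok else 'blocked'}")
```

Running it prints one line per ordered port pair; for the config above the only allowed pairs are Web/DB with each other and every host with the router port, which is exactly the outcome the post describes. Feeding it the S1 config from the lab earlier on the page shows Fa0/3 (community 101) and Fa0/5 (community 102) blocked from each other but both allowed to the promiscuous Fa0/1, while the trunk Fa0/13 has no primary VLAN and is left out of the PVLAN decision.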
Now let’s look at some show commands:
CORE#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ---------------------
50      51        community         Gi0/5, Gi0/6, Gi0/1
50      52        isolated          Gi0/7, Gi0/8, Gi0/1
CORE#sh vlan private-vlan type
Vlan Type
---- -----------------
50   primary
51   community
52   isolated
You can see both secondary VLANs, that each port is where it should be, and that the router’s port is mapped into both the community and isolated VLANs.
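The same show output is what you would re-check after any later change, since a host port that drifts into the wrong secondary silently widens what it can reach. The Python script below is an added example, not part of the original post: it parses `show vlan private-vlan` output (re-wrapped one row per line) and reports any drift from an intended policy, such as a mail server port that ended up in the community VLAN or a secondary VLAN the router’s promiscuous port is not mapped to. The policy table and all names are assumptions for this example.

```python
"""Added example (not from the original post): audit `show vlan private-vlan`
output against an intended PVLAN policy. Policy and names are assumptions."""
import re

# Constructed input: the post's show output, one row per line.
SHOW_OUTPUT = """\
Primary Secondary Type              Ports
------- --------- ----------------- ---------------------
50      51        community         Gi0/5, Gi0/6, Gi0/1
50      52        isolated          Gi0/7, Gi0/8, Gi0/1
"""

# Intended policy (assumed): the secondary type each host port must sit in,
# and the one port that must be promiscuous and mapped to every secondary.
POLICY = {"Gi0/5": "community", "Gi0/6": "community",
          "Gi0/7": "isolated", "Gi0/8": "isolated"}
PROMISCUOUS = "Gi0/1"

ROW = re.compile(r"^(\d+)\s+(\d+)\s+(community|isolated)\s+(.*)$")


def parse_show_private_vlan(text):
    """Return a list of (primary, secondary, type, [ports]) rows; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        if m := ROW.match(line.strip()):
            ports = [p.strip() for p in m.group(4).split(",") if p.strip()]
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3), ports))
    return rows


def audit(rows, policy, promiscuous):
    """Return human-readable findings; an empty list means the switch matches the policy."""
    findings = []
    seen = {}   # host port -> type of the secondary VLAN it appears in
    for _primary, secondary, stype, ports in rows:
        if promiscuous not in ports:
            findings.append(f"promiscuous port {promiscuous} is not mapped to secondary {secondary}")
        for p in ports:
            if p == promiscuous:
                continue
            if p in seen:
                findings.append(f"{p} appears in more than one secondary VLAN")
            seen[p] = stype
    for port, want in policy.items():
        got = seen.get(port)
        if got is None:
            findings.append(f"{port} is not in any secondary VLAN (policy requires {want})")
        elif got != want:
            findings.append(f"{port} is in a {got} VLAN, policy requires {want}")
    for port in seen:
        if port not in policy:
            findings.append(f"{port} is in a secondary VLAN but has no policy entry")
    return findings


if __name__ == "__main__":
    result = audit(parse_show_private_vlan(SHOW_OUTPUT), POLICY, PROMISCUOUS)
    print("\n".join(result) or "PVLAN membership matches policy")
```

Run against the output above it reports nothing; the assertions below also feed it two constructed drifted outputs (a mail server port appearing in the community row, and the router port missing from the isolated row) to show that each produces a finding.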
We’re done. We have full communication between the Web and DB servers, while the two Mailservers can only communicate with the router. I hope someone finds this useful.