Private VLAN
Requirements:
A can reach S; A must not be able to reach B & C
B & C can reach S; B & C cannot reach A; B & C can reach each other.
To meet this requirement you can use one of two approaches: Private VLAN or VLAN ACL
Contents:
1. Protected port
By default, all switch ports are unprotected.
Protected ports are used on access switches.
PC1----------Switch----------PC2
PC1 & PC2 are in the same VLAN
SW(config-if)# [no] switchport protected
PC1 & PC2 can reach each other.
2. PVLANs
A Private VLAN is made up of two kinds of VLAN: a Primary VLAN & Secondary VLANs
Secondary VLANs also come in two kinds: Isolated & Community
A host in an Isolated VLAN can only connect to the host on the Promiscuous port of the Primary VLAN
A host in a Community VLAN can communicate with the hosts in the same Community VLAN, cannot reach hosts in other Community VLANs, and can reach the Promiscuous port of the Primary VLAN
Supported on the 3560 switch
3. Configuring Isolated PVLANs
Set the switch to VTP Transparent mode
Create the Secondary VLAN
Create the Primary VLAN
Associate the Secondary & Primary VLANs
Configure the host ports in the Secondary VLAN and the Promiscuous port in the Primary VLAN
Assign each host port to its Secondary VLAN
Map the host ports to the Promiscuous port so the hosts can see each other.
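As an added example (not from the page), a small Python generator that turns the seven steps above into the IOS commands for the A/B/C/S requirement. The port names are assumptions: A on Fa0/1 in isolated VLAN 101, B and C on Fa0/2 and Fa0/3 in community VLAN 102, server S on promiscuous port Fa0/24 in primary VLAN 100. It refuses a host port that points at a VLAN not associated with the primary, which is the misconfiguration that silently leaves a host unreachable.

```python
def pvlan_config(primary, secondaries, host_ports, promiscuous_ports):
    """Emit IOS lines for an isolated/community PVLAN following the steps above.

    secondaries: {vlan_id: "isolated" | "community"}
    host_ports: {port: secondary vlan the host belongs to}
    promiscuous_ports: ports mapped to every secondary VLAN of the primary
    """
    lines = ["vtp mode transparent"]                          # step 1
    for vid, kind in secondaries.items():                     # step 2
        lines += [f"vlan {vid}", f" private-vlan {kind}"]
    assoc = ",".join(str(v) for v in secondaries)
    lines += [f"vlan {primary}", " private-vlan primary",     # step 3
              f" private-vlan association {assoc}"]           # step 4
    for port, vid in host_ports.items():                      # steps 5-6
        if vid not in secondaries:
            raise ValueError(f"{port}: VLAN {vid} is not an associated secondary VLAN")
        lines += [f"interface {port}", " switchport mode private-vlan host",
                  f" switchport private-vlan host-association {primary} {vid}"]
    for port in promiscuous_ports:                            # step 7
        lines += [f"interface {port}", " switchport mode private-vlan promiscuous",
                  f" switchport private-vlan mapping {primary} {assoc}"]
    return lines


# Constructed topology for the requirement at the top of the page (assumed port names):
# A = Fa0/1 (isolated 101), B = Fa0/2 and C = Fa0/3 (community 102), S = Fa0/24 (promiscuous).
REQUIREMENT_CONFIG = pvlan_config(
    100, {101: "isolated", 102: "community"},
    {"Fa0/1": 101, "Fa0/2": 102, "Fa0/3": 102}, ["Fa0/24"])

if __name__ == "__main__":
    print("\n".join(REQUIREMENT_CONFIG))
```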
4. Deploying PVLANs
Example Lab 1:
Note: Cisco IOU is used for the demo.
PVLANs provide layer 2 isolation between ports within the same broadcast domain. There are three types of PVLAN ports:
Promiscuous: A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
Isolated: An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.
Community: Community ports communicate among themselves and with promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.
IP Addressing
All the members of the Private VLAN can share a common IP Space where the IP space is assigned to the Primary VLAN. The hosts connected to isolated or community ports can have the addresses assigned from the address space of the Primary VLAN.
Steps to Configure Private VLAN
Set VTP mode to transparent
Create Primary and Secondary VLANs
Map secondary VLANs to Primary VLANs
Configure ports in Secondary VLANs and assign VLAN memberships
Configure Promiscuous ports and map them to primary-secondary VLAN pairs
Configuration:
Switches S1 and S2 must be configured as follows:
Create VLANs 101 and 102 and then associate them with the primary VLAN 100.
vlan 100
private-vlan primary
private-vlan association 101-102
!
vlan 101
private-vlan community
!
vlan 102
private-vlan community
On S1:
interface FastEthernet0/1
switchport
switchport private-vlan mapping 100 101-102
switchport mode private-vlan promiscuous
!
interface FastEthernet0/3
switchport
switchport private-vlan host-association 100 101
switchport mode private-vlan host
!
interface FastEthernet0/5
switchport
switchport private-vlan host-association 100 102
switchport mode private-vlan host
!
interface FastEthernet0/13
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
On S2:
interface GigabitEthernet0/4
switchport private-vlan host-association 100 101
switchport mode private-vlan host
!
interface GigabitEthernet0/6
switchport private-vlan host-association 100 102
switchport mode private-vlan host
!
interface GigabitEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
Example Lab 2:
The objective of this lab is to configure SW1 and SW2 in a way that:
PC1 and PC2 cannot communicate with PC3 and PC4
PC1, PC2, PC3, and PC4 should each be allowed to communicate with the TFP-Server connected to port Fa0/8 of SW1
Also remember: Private VLANs require VTP to run in transparent mode!
Example Lab 3:
Today we'll go over Private VLANs [PVLANs] in Cisco IOS. PVLANs segregate VLANs even further than normal; they are basically VLANs inside of VLANs. The ports share a subnet, but can be prevented from communicating. They use different port types:
Promiscuous ports: These will be the open ports of the PVLANs; they can communicate with all other ports.
Community ports: These ports can communicate with other community ports and promiscuous ports.
Isolated ports: These can ONLY communicate with promiscuous ports.
There are different uses for PVLANs. They are used by service providers to allow customer security while sharing a single subnet. Another use could be for DMZ hosts in an enterprise environment. If one host is compromised, its ability to inflict damage on the other hosts will be severely limited. That's the scenario we'll be using today. This is our topology:
Here we see VLAN 50 as the primary [parent VLAN], then VLAN 51 is for community ports, and VLAN 52 is for isolated ports. In this example we have a Webserver [Gi0/5] and DB Server [Gi0/6] allowed to communicate with each other. Then we have two mailservers [Gi0/6, and Gi0/7] which are not allowed to communicate. We also have a router [Gi0/1] which will be our promiscuous port. Here's the config:
vlan 50
private-vlan primary
!
vlan 51
private-vlan community
!
vlan 52
private-vlan isolated
!
vlan 50
private-vlan association 51,52
Here we define our VLANs. VLAN 50 is the primary [basically parent] VLAN, then we have VLAN 51, which is for the community ports and VLAN 52, which is for the isolated ports. Now the interface config:
interface Gi0/5
switchport mode private-vlan host
switchport private-vlan host-association 50 51
!
interface Gi0/6
switchport mode private-vlan host
switchport private-vlan host-association 50 51
!
interface Gi0/7
switchport mode private-vlan host
switchport private-vlan host-association 50 52
!
interface Gi0/8
switchport mode private-vlan host
switchport private-vlan host-association 50 52
!
interface Gi0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 50 add 51,52
We have associated the appropriate interfaces with the appropriate VLANs. We also made the router's port promiscuous.
Now let's look at some show commands:
CORE#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ---------------------
50      51        community         Gi0/5, Gi0/6, Gi0/1
50      52        isolated          Gi0/7, Gi0/8, Gi0/1
CORE#sh vlan private-vlan type
Vlan Type
---- -----------------
50   primary
51   community
52   isolated
You can see both VLANs, that each port is where it should be, and that the router's port is in both the community and isolated VLANs.
We're done. We have full communication between the Web and DB servers, while the two Mailservers can only communicate with the router. I hope someone finds this useful.
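As an added example (not part of the original post), a Python checker that parses the Lab 3 interface config above and applies the PVLAN forwarding rules to every pair of ports, so the isolation claimed in the conclusion can be verified from the config itself rather than by trial pings. The config string is the one shown above, embedded as sample input; the secondary VLAN types come from the "vlan 51"/"vlan 52" stanzas. It also accepts the "101-102" range syntax used in Lab 1's mapping command.

```python
import re
from itertools import combinations
# Constructed sample: the Lab 3 interface configuration from this page.
LAB3_CONFIG = """interface Gi0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 50 51
interface Gi0/6
 switchport mode private-vlan host
 switchport private-vlan host-association 50 51
interface Gi0/7
 switchport mode private-vlan host
 switchport private-vlan host-association 50 52
interface Gi0/8
 switchport mode private-vlan host
 switchport private-vlan host-association 50 52
interface Gi0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 50 add 51,52"""
LAB3_TYPES = {51: "community", 52: "isolated"}  # from the vlan 51 / vlan 52 stanzas

def parse_vlan_list(text):
    """Expand IOS list syntax such as '51,52' or '101-102' (Lab 1) into a set of ints."""
    ids = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids
def parse_ports(config):
    """Return {port: (role, primary, secondary VLAN set)} from the interface stanzas."""
    ports, name = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            name = line.split()[1]
        elif m := re.match(r"switchport private-vlan host-association (\d+) (\d+)", line):
            ports[name] = ("host", int(m[1]), {int(m[2])})
        elif m := re.match(r"switchport private-vlan mapping (\d+) (?:add )?(\S+)", line):
            ports[name] = ("promiscuous", int(m[1]), parse_vlan_list(m[2]))
    return ports
def can_talk(a, b, types):
    """PVLAN forwarding rules for two parsed ports; isolated-to-isolated is never allowed."""
    (ra, pa, sa), (rb, pb, sb) = a, b
    if pa != pb:
        return False                       # different primary VLANs never meet
    if "promiscuous" in (ra, rb):
        prom, host = (sa, sb) if ra == "promiscuous" else (sb, sa)
        return host <= prom                # promiscuous port reaches the VLANs it is mapped to
    return sa == sb and types[next(iter(sa))] == "community"
def reachability(config, types):
    """All unordered port pairs that can exchange Layer 2 frames under this config."""
    ports = parse_ports(config)
    return {frozenset((x, y)) for x, y in combinations(ports, 2)
            if can_talk(ports[x], ports[y], types)}
```

Run `reachability(LAB3_CONFIG, LAB3_TYPES)` to get exactly the five allowed pairs: Gi0/5 with Gi0/6, and the router on Gi0/1 with each of the four hosts.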