
This website is originally written in the Czech language. Only part of the content is machine (AI) translated into English. The translation may not be exact and may contain errors.

You can view this article in the original Czech version.

Cisco IOS 19 - Private VLAN and Protected Port

| Petr Bouška - Samuraj |
Sometimes a situation arises where we want to limit communication between some clients within the same subnet (VLAN), for example so that clients cannot communicate with each other but can still reach the Internet. A technology called Private VLAN serves this purpose well; alternatively, there is the simpler Protected Ports mechanism. Finally, I mention the mechanism that blocks unknown unicasts and multicasts.

What is a Private VLAN?

Cisco describes a Private VLAN as a suitable solution for ISPs, addressing issues with the maximum number of VLANs and addressing (we can use the same range for multiple clients). However, it is certainly a useful feature for other situations as well. For example, various quarantine and guest networks (VLANs) where we prevent communication between individual clients.

A Private VLAN is a protective feature for switches that provides L2 (Layer 2 of the OSI model) isolation between ports within the same VLAN. It thus prevents communication between clients within the same subnet (which normally works by the switch forwarding frames according to MAC addresses). The result is that clients are in the same IP subnet (and VLAN) and share the same address range, but cannot communicate with each other. This also divides the VLAN into several isolated broadcast domains, or subdomains (broadcasts and multicasts are not propagated between them).

If we need to communicate between certain clients (a typical example is a gateway), we can use special ports (promiscuous ports) where normal communication is possible. Alternatively, communication can occur through some L3 device (router, L3 switch), where we can easily secure communication using ACLs. In this case, however, we must ensure that all communication (even within the same subnet) goes to the gateway and then route it back to the subnet.

A Private VLAN is not limited to one switch but can be transmitted over a trunk port (where the VLAN must be allowed) to other switches that support PVLAN. Unfortunately, VTP (VLAN Trunking Protocol) does not support Private VLAN, so it would not transfer information about the PVLAN type and port mapping. Therefore, all switches where we want to use PVLAN must be in VTP transparent mode (i.e., VTP disabled). We can take advantage of setting the switch to VTP client mode, downloading the VLANs, and then switching it to transparent mode.

Note: Not all switches and IOS versions support PVLAN. The main ones that do are Catalyst 3560, 3750, 4500 and 6500. On Catalyst 3560 and 3750 it is available only from IOS 12.2(20) onward, and for PVLAN together with Port Security, version 12.2(40) is required.

How does a Private VLAN work?

The first and fundamental idea is that a Private VLAN is not a single VLAN, but a group of at least two VLANs (sometimes explained as having a VLAN that contains sub-VLANs). Thus, creating a single PVLAN consumes at least two VLAN numbers, but we can place, for example, ten different clients/customers here, for whom everything will appear as if they are alone in their VLAN. To ensure different behaviors (different levels of communication) for different clients, we use several types of PVLANs and ports.

Within a PVLAN, we have three types of ports, and their communication is restricted accordingly. These are:

  • Promiscuous (P) - can communicate with all ports, traditionally set for the port connected to the router (GW) so that clients can communicate outside the subnet (or other servers that each client must communicate with)
  • Isolated (I) - traditional PVLAN port, completely L2 isolated from other ports within the same PVLAN, can only communicate with Promiscuous ports
  • Community (C) - communicates with other ports within the same Community and with promiscuous ports

The Private VLAN (or PVLAN domain) itself consists of multiple VLANs. It is formed by one or more pairs, always using the same primary VLAN and different secondary VLANs. A secondary VLAN can be either isolated or community. Thus, in the end, we have three different types of VLANs that can be used when creating a PVLAN.

  • Primary VLAN - encapsulates the entire structure and allows communication with Promiscuous ports, there is only one within a PVLAN
  • Isolated VLAN - contains Isolated ports that cannot communicate with each other, there is only one within a PVLAN
  • Community VLAN - contains Community ports that can communicate with each other (forming one community), we can have multiple independent communities within a PVLAN
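The three port types and the rules above can be written down as a small forwarding-decision model. The following Python is an added example written for this article, not Cisco code; the port names and VLAN numbers are constructed to match the article's scheme (primary 100, isolated 101, community 102), and community VLAN 103 is an extra constructed community used only to show that several communities can coexist within one PVLAN domain.

```python
"""Forwarding rules for the three Private VLAN port types (added example).

This is an illustration written for this article, not Cisco code. It encodes
the rules listed above: a Promiscuous port talks to every port in the PVLAN
domain, an Isolated port only to Promiscuous ports, and a Community port to
Promiscuous ports and to other ports of the same community VLAN. Port names
and VLAN numbers are constructed to match the article's scheme (primary 100,
isolated 101, community 102); community VLAN 103 is an extra constructed
community to show that several communities can coexist in one domain.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple

PROMISCUOUS = "promiscuous"
ISOLATED = "isolated"
COMMUNITY = "community"


@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: str                        # PROMISCUOUS, ISOLATED or COMMUNITY
    primary: int                     # primary VLAN of the PVLAN domain
    secondary: Optional[int] = None  # isolated/community VLAN; None on P-ports


def pvlan_allows(src: PvlanPort, dst: PvlanPort) -> bool:
    """True if a frame from src may be forwarded to dst under PVLAN rules."""
    if src.primary != dst.primary:
        return False                 # different PVLAN domains: no L2 path at all
    if PROMISCUOUS in (src.role, dst.role):
        return True                  # P-ports reach, and are reached by, everything
    if src.role == COMMUNITY and dst.role == COMMUNITY:
        return src.secondary == dst.secondary   # only inside one community VLAN
    return False                     # I<->I, I<->C and C<->I are all blocked


def reachability(ports: List[PvlanPort]) -> Dict[Tuple[str, str], bool]:
    """Ordered-pair matrix of which ports may exchange frames."""
    return {(a.name, b.name): pvlan_allows(a, b)
            for a, b in product(ports, repeat=2) if a is not b}


def example_domain() -> List[PvlanPort]:
    """Constructed topology mirroring the configuration section of the article."""
    return [
        PvlanPort("g1/0/5", PROMISCUOUS, 100),        # gateway / router port
        PvlanPort("g1/0/3", ISOLATED, 100, 101),      # isolated client
        PvlanPort("g1/0/6", ISOLATED, 100, 101),      # second isolated client
        PvlanPort("g1/0/4", COMMUNITY, 100, 102),     # community 102 member
        PvlanPort("g1/0/7", COMMUNITY, 100, 102),     # community 102 member
        PvlanPort("g1/0/8", COMMUNITY, 100, 103),     # member of a second community
    ]


if __name__ == "__main__":
    for (a, b), ok in sorted(reachability(example_domain()).items()):
        print(f"{a} -> {b}: {'allowed' if ok else 'blocked'}")
```

Running it prints the full matrix for the constructed domain: only the pairs involving the promiscuous port g1/0/5 and the pair g1/0/4 and g1/0/7 (the same community) are allowed, every isolated-to-isolated and cross-community pair is blocked.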
[Figure: Private VLAN scheme]

To use PVLAN, we must meet several conditions. For the actual configuration, the switch must be in VTP Transparent mode (see above). We cannot configure a trunk port, port-channel, port with dynamic VLAN membership, SPAN target (but source is allowed), and some others as a PVLAN port.

Note: A Private VLAN is transmitted over a trunk just like normal VLANs. This means that if we do not create the same configuration on the other switch, normal communication will be possible within a single VLAN (sub-VLAN), and conversely, communication with the promiscuous port will not be possible (in the normal view, it is in a different VLAN).

Configuring a Private VLAN

For PVLAN, we can use standard VLANs, numbers 2 to 1001 (VLAN 1 cannot be used), and also extended VLANs, numbers 1006 to 4094. The first step is to ensure that the switch is in VTP Transparent mode, we can use the command:

SWITCH(config)#vtp mode transparent

First, we create the individual VLANs of the required types. We can create multiple community VLANs for one PVLAN.

SWITCH(config)#vlan 100
SWITCH(config-vlan)#private-vlan primary
SWITCH(config)#vlan 101
SWITCH(config-vlan)#private-vlan isolated
SWITCH(config)#vlan 102
SWITCH(config-vlan)#private-vlan community

Next, we must associate the primary VLAN with the secondary VLANs. The switch also uses this association to check the command syntax and the VLAN types.

SWITCH(config)#vlan 100
SWITCH(config-vlan)#private-vlan association 101,102 // we can also use a range with a dash and keywords add, remove

We can check the created VLANs with the commands:

SWITCH#show vlan // complete listing, PVLANs are at the bottom
SWITCH#show vlan private-vlan // only PVLANs
SWITCH#show interfaces private-vlan mapping // displays SVI mapping
SWITCH#show interfaces switchport // information about port assignment to PVLAN

In the second part of the configuration, we assign ports to the individual PVLANs. This is done differently from the usual assignment of a port to a VLAN. Here we set the port to the special mode private-vlan host (instead of access) and also specify the host association: the primary VLAN and the secondary VLAN to which the port belongs.

// port g1/0/3 is an Isolated port in VLAN 101 (primary 100)
SWITCH(config)#interface g1/0/3
SWITCH(config-if)#switchport mode private-vlan host
SWITCH(config-if)#switchport private-vlan host-association 100 101
// port g1/0/4 is a Community port in VLAN 102 (primary 100)
SWITCH(config)#interface g1/0/4
SWITCH(config-if)#switchport mode private-vlan host
SWITCH(config-if)#switchport private-vlan host-association 100 102

The Promiscuous port is directly in the primary VLAN (if it can be said that way) and its configuration is again different. Here we define the mapping with which secondary VLANs it can communicate.

// port g1/0/5 is a Promiscuous port in VLAN 100 (mapped to secondary VLAN 101 and 102)
SWITCH(config)#interface g1/0/5
SWITCH(config-if)#switchport mode private-vlan promiscuous
SWITCH(config-if)#switchport private-vlan mapping 100 101,102 // we can also use a dash, add, remove

As a small note, it is also possible to write:

SWITCH(config-if)#switchport private-vlan association host 100 101
SWITCH(config-if)#switchport private-vlan association mapping 100 101,102

In the case where we use inter-VLAN routing (the GW is not a separate device but the L3 switch itself), we create an SVI (Switch Virtual Interface = VLAN interface) for the private VLAN. Then we need to map the secondary VLANs to this SVI (as with the P-port).

SWITCH(config)#interface vlan 100
SWITCH(config-if)#ip address 192.168.10.2 255.255.255.0
SWITCH(config-if)#private-vlan mapping 101,102
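The verification commands listed above are also what a consistency check should read. The Python below is an added example, not part of the article or Cisco's tooling: it parses the text of `show vlan private-vlan` and `show vtp status` and flags the conditions this section depends on, namely VTP transparent mode, every secondary VLAN of the design being associated with its primary (and with the right type), and at most one isolated VLAN per primary. The two switches are the two ends of a trunk, which covers the note above that the PVLAN definition must be identical on both sides. The CLI outputs, switch names and the misconfiguration on the second switch are constructed samples shaped like Cisco IOS output, not captures from a real device.

```python
"""Audit of Private VLAN consistency across switches (added example).

Parses the text of `show vlan private-vlan` and `show vtp status` and flags
the failure modes the article warns about: a switch that is not in VTP
transparent mode, and a neighbouring switch across the trunk whose PVLAN
definition does not match. The CLI outputs below are constructed samples
shaped like Cisco IOS output for the article's design (primary 100,
isolated 101, community 102); they are not captured from a real device.
"""
import re
from typing import Dict, List

# Expected design: primary VLAN -> {secondary VLAN: type}
DESIGN = {100: {101: "isolated", 102: "community"}}

# Constructed `show vlan private-vlan` output of the first switch.
SW1_PVLAN = """\
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       isolated          Gi1/0/3, Gi1/0/5
100     102       community         Gi1/0/4, Gi1/0/5
"""
SW1_VTP = "VTP Operating Mode              : Transparent\n"

# Constructed output of the switch at the other end of the trunk: VLAN 102
# exists there only as an ordinary VLAN (so it is absent from the PVLAN
# table) and VTP is still in client mode.
SW2_PVLAN = """\
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       isolated          Gi0/10
"""
SW2_VTP = "VTP Operating Mode              : Client\n"

ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(isolated|community)\b", re.IGNORECASE)


def parse_pvlan_table(text: str) -> Dict[int, Dict[int, str]]:
    """Turn the `show vlan private-vlan` listing into {primary: {secondary: type}}."""
    table: Dict[int, Dict[int, str]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)          # header and dashed separator do not match
        if m:
            primary, secondary, kind = int(m.group(1)), int(m.group(2)), m.group(3).lower()
            table.setdefault(primary, {})[secondary] = kind
    return table


def vtp_mode(text: str) -> str:
    """Extract the operating mode from `show vtp status` output."""
    m = re.search(r"VTP Operating Mode\s*:\s*(\S+)", text)
    return m.group(1).lower() if m else "unknown"


def audit_switch(name: str, pvlan_out: str, vtp_out: str) -> List[str]:
    """Return human-readable findings for one switch compared against DESIGN."""
    findings: List[str] = []
    mode = vtp_mode(vtp_out)
    if mode != "transparent":
        findings.append(f"{name}: VTP mode is {mode}, PVLAN requires transparent")
    actual = parse_pvlan_table(pvlan_out)
    for primary, secondaries in DESIGN.items():
        have = actual.get(primary, {})
        for sec, kind in secondaries.items():
            if sec not in have:
                findings.append(f"{name}: secondary VLAN {sec} is not associated with primary {primary}")
            elif have[sec] != kind:
                findings.append(f"{name}: VLAN {sec} is {have[sec]}, design says {kind}")
    for primary, secondaries in actual.items():
        isolated = [s for s, k in secondaries.items() if k == "isolated"]
        if len(isolated) > 1:           # only one isolated VLAN is allowed per PVLAN
            findings.append(f"{name}: primary {primary} has several isolated VLANs {isolated}")
    return findings


def audit_all() -> List[str]:
    """Audit both ends of the trunk."""
    return audit_switch("SW1", SW1_PVLAN, SW1_VTP) + audit_switch("SW2", SW2_PVLAN, SW2_VTP)


if __name__ == "__main__":
    for finding in audit_all() or ["no findings"]:
        print(finding)
```

With the constructed inputs the first switch is clean and the second one produces two findings: the VTP mode and the missing association of VLAN 102, which is exactly the situation in which the community ports on that switch would behave like an ordinary VLAN.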

A final note: the port configuration seems somewhat overcomplicated to me. The association between the primary and secondary VLANs is already specified when the VLANs are defined, so I think it would be enough to specify only the secondary VLAN on the port and everything would be clear. Why specify the association between primary and secondary VLANs again? Only if a secondary VLAN can be associated with multiple primary VLANs. The description also states that the P-port communicates with all I-ports and C-ports, yet in the configuration I can select only certain I and C VLANs.

Protected Port (PVLAN Edge)

Protected Ports (referred to in some Cisco documentation as PVLAN Edge) are a simplified version of Private VLAN. They ensure that no traffic is forwarded at L2 (i.e., by MAC address within the subnet) between ports set to Protected mode. An important property is that Protected Ports have only local significance on the switch/stack (they do not work between protected ports located on different switches). Traffic between a normal port and a protected port (within the same VLAN) flows normally. Only traffic between protected ports within the same VLAN and the same switch is restricted.

Note: Just information for beginners. Even though we enter an IP address for communication (which is L3), communication within the same subnet occurs on L2 (the IP is used to find the MAC, which is then used).

SWITCH(config)#interface G1/0/1
SWITCH(config-if)#switchport protected // enables L2 protection on the port
SWITCH#show interface G1/0/1 switchport // the port information also indicates whether the port is protected

Note: The main switches that support Protected Ports are Catalyst 2960, 2970, 3560, 3550, 3750.

Protected Ports are simple and work well, the only limitation is that they only work within a single switch/stack. Also, Protected Ports and Private VLAN should not be configured together on one port.

Port Blocking - unicast, multicast

As brief information, I will add another security feature for port protection (often associated with Protected Ports), although I am not sure about its practical use. It blocks unknown unicasts and multicasts. If a frame with an unknown destination MAC address arrives at the switch, it is sent out all ports except the incoming one (so it behaves like a broadcast, or like a hub). Cisco allows a mechanism to be set on a port that discards such a frame instead of sending it out everywhere.

The switch maintains a CAM table (Content Addressable Memory), which records which MAC addresses are located behind which ports. An entry in this table is created when a frame with a given source MAC address is received on a port. The entry is retained (if no further frame is received) for the MAC Address Aging Time, which is 5 minutes by default. So as long as the station behind the port sends a frame at least once every 5 minutes (which Windows does automatically much more often), everything is OK. However, if the station sends nothing, then with unknown unicast/multicast blocking configured, frames to it will not get through. On the other hand, this prevents any frame from reaching a port where it does not belong.

The configuration is done simply on the port that should not send out frames to unknown MAC addresses.

SWITCH(config-if)#switchport block multicast
SWITCH(config-if)#switchport block unicast
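The following Python models one switch's L2 forwarding with both mechanisms from the Protected Port section and this section: a CAM table aged with the 5-minute (300 s) default quoted above, the Protected Port rule (two protected ports on the same switch never exchange frames, protected to normal is fine) and the unknown-unicast blocking rule (a frame to an unknown destination MAC is not flooded out of a blocking port). It is an added example written for this article, not Cisco code, and the port names, MAC addresses and timestamps in the walk-through are constructed. The walk-through reproduces the failure mode described above: a station behind a blocking port that stays silent longer than the aging time becomes unreachable until it sends a frame again. Multicast blocking works the same way and is left out.

```python
"""Per-switch L2 forwarding with Protected Ports and unknown-unicast blocking
(added example for the Protected Port and Port Blocking sections; not Cisco code).

The CAM table is aged with the 300 s default the article quotes, the Protected
Port rule applies only within this one switch, and `switchport block unicast`
keeps unknown-unicast floods from leaving a blocking port. Port names, MAC
addresses and timestamps below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

AGING_TIME = 300  # seconds, default MAC address aging time on Cisco switches


@dataclass
class Port:
    name: str
    vlan: int
    protected: bool = False      # switchport protected
    block_unicast: bool = False  # switchport block unicast


@dataclass
class Switch:
    ports: Dict[str, Port]
    # CAM table: MAC -> (port, time the MAC was last seen as a source)
    cam: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def lookup(self, dst_mac: str, now: float) -> Optional[str]:
        """Port where dst_mac lives, or None if unknown or aged out."""
        entry = self.cam.get(dst_mac)
        if entry is None:
            return None
        port, seen = entry
        if now - seen > AGING_TIME:
            del self.cam[dst_mac]        # aged out: the MAC is unknown again
            return None
        return port

    def _may_forward(self, ingress: Port, egress: Port) -> bool:
        """Same VLAN, and never between two protected ports of this switch."""
        return egress.vlan == ingress.vlan and not (ingress.protected and egress.protected)

    def forward(self, ingress: str, src_mac: str, dst_mac: str, now: float) -> List[str]:
        """Process one frame and return the egress ports that receive it."""
        in_port = self.ports[ingress]
        self.cam[src_mac] = (ingress, now)        # learn / refresh the source MAC
        known = self.lookup(dst_mac, now)
        if known is not None:                     # known unicast: single egress port
            out = self.ports[known]
            return [known] if known != ingress and self._may_forward(in_port, out) else []
        # unknown unicast: flood, but never out of the ingress port or a blocking port
        return [p.name for p in self.ports.values()
                if p.name != ingress and not p.block_unicast and self._may_forward(in_port, p)]


def scenario() -> Dict[str, List[str]]:
    """Constructed walk-through: two protected clients, one blocking port, a gateway."""
    sw = Switch({
        "G1/0/1": Port("G1/0/1", vlan=10, protected=True),
        "G1/0/2": Port("G1/0/2", vlan=10, protected=True),
        "G1/0/3": Port("G1/0/3", vlan=10, block_unicast=True),
        "G1/0/24": Port("G1/0/24", vlan=10),           # gateway on an ordinary port
    })
    a, b, c, gw = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03", "00:00:5e:00:01:01"
    r: Dict[str, List[str]] = {}
    sw.forward("G1/0/3", c, gw, now=0)              # C is learned on the blocking port
    sw.forward("G1/0/2", b, gw, now=0)              # B is learned on protected G1/0/2
    r["gw_to_c_fresh"] = sw.forward("G1/0/24", gw, c, now=100)   # known: G1/0/3 only
    sw.forward("G1/0/2", b, gw, now=400)            # B keeps talking, stays in the CAM
    r["gw_to_c_aged"] = sw.forward("G1/0/24", gw, c, now=500)    # C silent for 500 s: aged out,
    #                                                              flood skips G1/0/3, C never gets it
    r["a_to_b"] = sw.forward("G1/0/1", a, b, now=500)            # protected -> protected: dropped
    r["a_to_gw"] = sw.forward("G1/0/1", a, gw, now=500)          # protected -> normal: forwarded
    sw.forward("G1/0/3", c, gw, now=600)            # C sends again and is relearned
    r["gw_to_c_back"] = sw.forward("G1/0/24", gw, c, now=650)    # reachable again
    return r


if __name__ == "__main__":
    for step, ports in scenario().items():
        print(f"{step:15s} -> {ports or 'dropped'}")
```

The step `gw_to_c_aged` is the one to look at: the gateway's frame is flooded to the two protected ports (a normal port may reach them) but not out of G1/0/3, so the silent station behind the blocking port receives nothing until it speaks again.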


Comments
  1. [1] p.ba

    Addition - Protected Port - between two ports only L3 communication is possible. However, local-proxy-arp must be enabled on the router.

    Thursday, 04.06.2009 09:32
  2. [2] Honza

    I admire your time and your will to write such articles. I drop by here occasionally to clarify something for myself.

    It might be worth mentioning in the VLAN articles that newer switches support QinQ. It can come in handy sometimes.

    Friday, 28.08.2009 14:16
  3. [3] Ondrej

    Great articles. Many times I try to understand it from the English on the Cisco website and sometimes it really doesn't work out :-);-). Thanks a lot!

    Sunday, 05.06.2011 18:21
  4. [4] Kelly

    Hello, is it possible .. ? Within a Private VLAN on a switch (say a c3560) that does inter-VLAN routing, has the private-vlan types and associations configured, and all of whose ports are trunks. I would assign the VLANs only on the end ports of a dumber c3550 connected over the trunk, which does not support Private VLAN. How would it behave? Would the isolation between the c3550 ports work if each one was in a different VLAN?

    Thanks for the great website and the enormous know-how!

    Friday, 20.01.2012 01:29
  5. [5] Hans

    I would also add that PVLANs cannot be configured on switches with the LANBASE license. That functionality is disabled there. So that nobody thinks PVLAN will be there by default.

    Tuesday, 27.03.2012 16:26