What is a Private VLAN?
Cisco describes a Private VLAN as a suitable solution for ISPs, addressing issues with the maximum number of VLANs and addressing (we can use the same range for multiple clients). However, it is certainly a useful feature for other situations as well. For example, various quarantine and guest networks (VLANs) where we prevent communication between individual clients.
A Private VLAN is a protective feature of switches that provides L2 (Layer 2 of the OSI model) isolation between ports within the same VLAN. It thus prevents communication between clients within the same subnet (which normally works by the switch forwarding frames based on MAC addresses). The result is that clients are in the same IP subnet (and VLAN) and share the same address range, but cannot communicate with each other. This also divides the VLAN into several isolated broadcast domains or subdomains (broadcasts and multicasts are not propagated between them).
If we need to communicate between certain clients (a typical example is a gateway), we can use special ports (promiscuous ports) where normal communication is possible. Alternatively, communication can occur through some L3 device (router, L3 switch), where we can easily secure communication using ACLs. In this case, however, we must ensure that all communication (even within the same subnet) goes to the gateway and then route it back to the subnet.
A Private VLAN is not limited to one switch but can be transmitted over a trunk port (where the VLAN must be allowed) to other switches that support PVLAN. Unfortunately, VTP (VLAN Trunking Protocol) does not support Private VLAN, so it would not transfer information about the PVLAN type and port mapping. Therefore, all switches where we want to use PVLAN must be in VTP transparent mode (i.e., VTP disabled). We can take advantage of setting the switch to VTP client mode, downloading the VLANs, and then switching it to transparent mode.
Note: Not all switches and IOS versions support PVLAN. The main ones that do are Catalyst 3560, 3750, 4500, 6500. On Catalyst 3560 and 3750 it is available only in newer IOS versions, 12.2(20) and later; PVLAN together with Port Security requires version 12.2(40).
How does a Private VLAN work?
The first and fundamental idea is that a Private VLAN is not a single VLAN, but a group of at least two VLANs (sometimes explained as having a VLAN that contains sub-VLANs). Thus, creating a single PVLAN consumes at least two VLAN numbers, but we can place, for example, ten different clients/customers here, for whom everything will appear as if they are alone in their VLAN. To ensure different behaviors (different levels of communication) for different clients, we use several types of PVLANs and ports.
Within a PVLAN, we have three types of ports, and their communication is restricted accordingly. These are:
- Promiscuous (P) - can communicate with all ports, traditionally set for the port connected to the router (GW) so that clients can communicate outside the subnet (or other servers that each client must communicate with)
- Isolated (I) - traditional PVLAN port, completely L2 isolated from other ports within the same PVLAN, can only communicate with Promiscuous ports
- Community (C) - communicates with other ports within the same Community and with promiscuous ports
The Private VLAN (or PVLAN domain) itself consists of multiple VLANs. It is formed by one or more pairs, always using the same primary VLAN and different secondary VLANs. A secondary VLAN can be either isolated or community. Thus, in the end, we have three different types of VLANs that can be used when creating a PVLAN.
- Primary VLAN - encapsulates the entire structure and allows communication with Promiscuous ports, there is only one within a PVLAN
- Isolated VLAN - contains Isolated ports that cannot communicate with each other, there is only one within a PVLAN
- Community VLAN - contains Community ports that can communicate with each other (forming one community), we can have multiple independent communities within a PVLAN
To use PVLAN, we must meet several conditions. For the actual configuration, the switch must be in VTP Transparent mode (see above). We cannot configure a trunk port, port-channel, port with dynamic VLAN membership, SPAN target (but source is allowed), and some others as a PVLAN port.
Note: A Private VLAN is transmitted over a trunk just like normal VLANs. This means that if we do not create the same configuration on the other switch, normal communication will be possible within a single VLAN (sub-VLAN), and conversely, communication with the promiscuous port will not be possible (in the normal view, it is in a different VLAN).
Configuring a Private VLAN
For PVLAN, we can use standard VLANs, numbers 2 to 1001 (VLAN 1 cannot be used), and also extended VLANs, numbers 1006 to 4094. The first step is to ensure that the switch is in VTP Transparent mode, we can use the command:
SWITCH(config)#vtp mode transparent
First, we create the individual VLANs of the required types. We can create multiple community VLANs for one PVLAN.
SWITCH(config)#vlan 100
SWITCH(config-vlan)#private-vlan primary
SWITCH(config)#vlan 101
SWITCH(config-vlan)#private-vlan isolated
SWITCH(config)#vlan 102
SWITCH(config-vlan)#private-vlan community
Next, we must associate the primary VLAN with the secondary VLANs. This creates an association for syntax and VLAN type checking.
SWITCH(config)#vlan 100
SWITCH(config-vlan)#private-vlan association 101,102 // we can also use a range with a dash and keywords add, remove
We can check the created VLANs with the commands:
SWITCH#show vlan // complete listing, PVLANs are at the bottom
SWITCH#show vlan private-vlan // only PVLANs
SWITCH#show interfaces private-vlan mapping // displays SVI mapping
SWITCH#show interfaces switchport // information about port assignment to PVLAN
In the second part of the configuration, we assign ports to individual PVLANs. This is done differently from the usual assignment of a port to a VLAN. Here we set the port to the special mode private-vlan host (instead of access). We must also specify the association, i.e. the primary VLAN and the secondary VLAN to which the port belongs.
// port g1/0/3 is an Isolated port in VLAN 101 (primary 100)
SWITCH(config)#interface g1/0/3
SWITCH(config-if)#switchport mode private-vlan host
SWITCH(config-if)#switchport private-vlan host-association 100 101
// port g1/0/4 is a Community port in VLAN 102 (primary 100)
SWITCH(config)#interface g1/0/4
SWITCH(config-if)#switchport mode private-vlan host
SWITCH(config-if)#switchport private-vlan host-association 100 102
The Promiscuous port is directly in the primary VLAN (if it can be said that way) and its configuration is again different. Here we define the mapping with which secondary VLANs it can communicate.
// port g1/0/5 is a Promiscuous port in VLAN 100 (mapped to secondary VLANs 101 and 102)
SWITCH(config)#interface g1/0/5
SWITCH(config-if)#switchport mode private-vlan promiscuous
SWITCH(config-if)#switchport private-vlan mapping 100 101,102 // we can also use a dash, add, remove
As a small note, it is also possible to write:
SWITCH(config-if)#switchport private-vlan association host 100 101
SWITCH(config-if)#switchport private-vlan association mapping 100 101,102
In the case where we use inter-VLAN routing (the GW is not a separate device but the L3 switch itself), we create an SVI (Switch Virtual Interface = VLAN interface) for the primary VLAN. Then we need to map the secondary VLANs to this SVI (as with the P-port).
SWITCH(config)#interface vlan 100
SWITCH(config-if)#ip address 192.168.10.2 255.255.255.0
SWITCH(config-if)#private-vlan mapping 101,102
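To make the port rules from the section above concrete (Promiscuous reaches only the secondaries it is mapped to, Isolated reaches only Promiscuous, Community reaches its own community and Promiscuous), here is a small Python model, added as an illustration and not part of the original article. The VLAN numbers and port names are constructed to mirror the configuration shown; the extra community 103 and ports g1/0/6 to g1/0/9 are assumptions made for the example.

```python
"""L2 reachability between ports of one Private VLAN domain."""
from itertools import combinations

# Constructed VLAN definitions mirroring the article: primary 100, isolated 101, community 102,
# plus a second community 103 to show that different communities stay isolated from each other.
VLAN_TYPE = {100: "primary", 101: "isolated", 102: "community", 103: "community"}
ASSOCIATION = {100: {101, 102, 103}}   # 'private-vlan association' on the primary VLAN

# Constructed port table: (mode, primary, secondaries). A host port carries exactly one
# secondary (host-association); a promiscuous port lists the secondaries it is mapped to.
PORTS = {
    "g1/0/3": ("host", 100, {101}),
    "g1/0/4": ("host", 100, {102}),
    "g1/0/5": ("promiscuous", 100, {101, 102, 103}),
    "g1/0/6": ("host", 100, {101}),            # second isolated port
    "g1/0/7": ("host", 100, {102}),            # second member of community 102
    "g1/0/8": ("host", 100, {103}),            # member of community 103
    "g1/0/9": ("promiscuous", 100, {101}),     # promiscuous mapped to the isolated VLAN only
}

def validate():
    """Return configuration errors: every secondary used on a port must be associated
    with that port's primary, and a host port must not sit in the primary VLAN."""
    errors = []
    for port, (mode, primary, secs) in PORTS.items():
        if mode == "host" and any(VLAN_TYPE[s] == "primary" for s in secs):
            errors.append(f"{port}: host port cannot use a primary VLAN")
        for s in secs - ASSOCIATION.get(primary, set()):
            errors.append(f"{port}: VLAN {s} is not associated with primary {primary}")
    return errors

def can_talk(a, b):
    """True if ports a and b may exchange frames at L2 under the PVLAN rules."""
    mode_a, prim_a, sec_a = PORTS[a]
    mode_b, prim_b, sec_b = PORTS[b]
    if prim_a != prim_b:                       # different PVLAN domains never meet at L2
        return False
    if mode_a == mode_b == "promiscuous":      # both sit in the primary VLAN
        return True
    if "promiscuous" in (mode_a, mode_b):      # P reaches a host only through its mapping
        prom, host = (sec_a, sec_b) if mode_a == "promiscuous" else (sec_b, sec_a)
        return host <= prom
    # two host ports: only members of the same community VLAN may talk; isolated never
    return sec_a == sec_b and all(VLAN_TYPE[s] == "community" for s in sec_a)

def reachable_pairs():
    """All unordered port pairs that can talk, e.g. to compare with the intended design."""
    return {frozenset(p) for p in combinations(sorted(PORTS), 2) if can_talk(*p)}
```

Running reachable_pairs() against the intended design is a quick way to catch a promiscuous port whose mapping leaves out a secondary VLAN, which is exactly the case the configuration notes above point out.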
Final note. The configuration of ports seems a bit overcomplicated to me. Already when defining VLANs, I specify the association between primary and secondary VLANs, so I think it would be enough to specify only the secondary VLAN on the port, and everything is clear. Why specify the association between primary and secondary VLANs again? Only if a secondary VLAN can be associated with multiple primary VLANs. It is also stated in the description that the P-port communicates with all I-ports and C-ports, but in the configuration, I can select only certain I and C VLANs.
Protected Port (PVLAN Edge)
Protected Ports (in some Cisco documentation referred to as PVLAN Edge) are a simplified version of Private VLAN. They ensure that no traffic is forwarded at L2 (i.e., using MAC addresses within the subnet) between ports set to Protected mode. An important property is that Protected Ports have only local significance on the switch/stack: the isolation does not apply between protected ports located on different switches. Traffic between a normal port and a protected port (within the same VLAN) flows normally. Only traffic between protected ports within the same VLAN and switch is restricted.
Note: Just information for beginners. Even though we enter an IP address for communication (which is L3), communication within the same subnet occurs on L2 (the IP is used to find the MAC, which is then used).
SWITCH(config)#interface G1/0/1
SWITCH(config-if)#switchport protected // enables L2 protection on the port
SWITCH#show interface G1/0/1 switchport // the port information also indicates whether the port is protected
Note: The main switches that support Protected Ports are Catalyst 2960, 2970, 3560, 3550, 3750.
Protected Ports are simple and work well, the only limitation is that they only work within a single switch/stack. Also, Protected Ports and Private VLAN should not be configured together on one port.
Port Blocking - unicast, multicast
Just as brief information, I will add another security feature for port protection (often associated with Protected Ports), although I am not sure about its practical use. It concerns blocking unknown unicasts and multicasts. If a frame with an unknown destination MAC address arrives at the switch, it is flooded to all ports except the incoming one (thus behaving like a broadcast, or like a hub). Cisco allows a mechanism to be set on a port so that such frames are not flooded to it (instead of being sent everywhere).
The switch maintains a CAM table (Content Addressable Memory), which contains the association of MAC addresses and ports where they are located. An entry in this table is created when a frame is received from a port with a certain source MAC address. This entry is retained (if no other frame is received) for the duration of the MAC Address Aging Time, which is 5 minutes by default. So as long as the station behind the port sends a frame at least once every 5 minutes (which Windows does automatically much more often), everything is OK. However, if the station sends nothing, then with the setting to block unknown unicast/multicast, the communication will not pass. But this prevents any frame from reaching a port where it does not belong.
The configuration is done simply on the port that should not send to unknown MAC addresses.
SWITCH(config-if)#switchport block multicast
SWITCH(config-if)#switchport block unicast
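The interplay between CAM aging and unicast blocking described above, as an added simulation that is not part of the original article. The port names, MAC addresses and timings are constructed; the model assumes a single switch and the default 5-minute aging time.

```python
"""CAM aging versus 'switchport block unicast' (constructed simulation)."""
AGING_SECONDS = 300   # default MAC address aging time of 5 minutes, as in the article

class Switch:
    def __init__(self, blocked_ports=()):
        self.cam = {}                        # mac -> (port, time last seen as a source)
        self.blocked = set(blocked_ports)    # ports configured with 'switchport block unicast'
        self.ports = set()

    def learn(self, port, src_mac, now):
        """Source-MAC learning: create or refresh the CAM entry for the ingress port."""
        self.ports.add(port)
        self.cam[src_mac] = (port, now)

    def lookup(self, dst_mac, now):
        """Return the port that owns dst_mac, or None if unknown or aged out."""
        entry = self.cam.get(dst_mac)
        if entry is None or now - entry[1] > AGING_SECONDS:
            self.cam.pop(dst_mac, None)      # aged-out entry is dropped
            return None
        return entry[0]

    def forward(self, in_port, src_mac, dst_mac, now):
        """Return the set of egress ports for a unicast frame arriving on in_port."""
        self.learn(in_port, src_mac, now)
        out = self.lookup(dst_mac, now)
        if out is not None:
            return {out}
        # Unknown unicast is flooded to every other port, except ports that block it.
        return {p for p in self.ports if p != in_port and p not in self.blocked}

def scenario():
    """Station B (behind g2, block unicast) stays silent for longer than the aging time."""
    sw = Switch(blocked_ports={"g2"})
    sw.learn("g3", "cc:cc:cc:cc:cc:cc", 0)   # an ordinary third port
    sw.learn("g2", "bb:bb:bb:bb:bb:bb", 0)   # B speaks once at t=0
    early = sw.forward("g1", "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", 10)   # entry known
    late = sw.forward("g1", "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", 400)   # entry aged out
    return early, late
```

The second frame never reaches g2: once B's CAM entry has aged out, the frame becomes an unknown unicast and the blocked port is left out of the flood.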
Addition - Protected Port - between two ports only L3 communication is possible. However, local-proxy-arp must be enabled on the router.
I admire your time and willingness to write such articles. I drop by here now and then to clarify something for myself.
It might be worth mentioning under VLANs that newer switches can do QinQ. It can come in handy sometimes.
Great articles. Many times I try to understand it from the English on the Cisco website and sometimes it really doesn't work out. Thanks a lot!
Hello, is it possible ..? Within a Private VLAN on a switch (e.g. a c3560) that does inter-VLAN routing, has the private-vlan types and associations configured, and all of whose ports are trunks. I would assign the VLANs only on the end ports of a dumber c3550 connected via a trunk, which does not support Private VLAN. How would that behave? Would isolation between the c3550 ports work if each was in a different VLAN?
Thanks for the great website and the enormous know-how!
I would also add that PVLANs cannot be configured on switches with a LANBASE license. This functionality is disabled there. So that nobody thinks PVLAN will be there by default.