Education – Australia / New Zealand

Reply
This is an open group. Sign in and click the "Join Group" button to become a group member and start posting.
Highlighted
New Member

Private VLANs

Private VLANs are a great way to segregate existing VLANs into

multiple sets of ports to isolate traffic.  Today I’m going to show how to configure Isolated VLANs within private VLANs so devices connected to switch ports cannot exchange traffic. Traffic coming into an isolated port can only go out through an Uplink to the Primary VLAN.  The primary VLAN is used to forward frames downstream to the Isolated VLANS.

 

For environments that house boarding students this is a great way to ensure malicious activity can’t be undertaken on the LAN side of the environment.  The diagram below depicts a sample of how isolated port traffic traverses the network.

Isolated VLANs.jpg

Initially a Primary VLAN needs to be created on the edge switch. In this example VLAN 110 is the Primary VLAN

 

3810(config)#vlan 110 private-vlan primary

 

A promiscuous port in the private VLAN on the edge switch is then required. This is where the isolated VLAN traffic will be sent out to the network.

 

38100(config)# interface 1 private-vlan promiscuous

Then add the promiscuous port to the primary VLAN.

 

2930(config)# vlan 110 tagged 1  

 

Create and Associate the secondary VLAN to the primary VLAN

 

2920(config)# vlan 110 private-vlan isolated 120

 

 

Add isolated edge ports (device connected ports) to the Private VLAN. In this case port 2. ArubaOS switches also support dynamic VLANs if you want to dynamically assign isolated VLANs to switch ports

 

2930(config)#vlan 120 untagged 2

 

 

ISL configuration (Between the 3810 and 2930)

 

Add the Private VLAN port member across both switches (ISL port), for example port 4.

 

3810(config)# no interface 4 private-vlan promiscuous

3810(eth-2)#vlan 110 tagged 4

 

2930(config)# no interface 4 private-vlan promiscuous

2930(eth-2)#vlan 110 tagged 4

 

Additional NOTES:

 

  1. Existing VLANS cannot be configured as Secondary VLANS.
  2. Community/Isolated ports must be untagged on 2920 switches. On other platforms (5400, 3800, 5400R and 3810), the access ports can be either untagged or tagged members.
  3. You Cannot create more than one isolated VLAN under a primary VLAN. If as per the above configuration, you need another Secondary Isolated VLAN, it will have to be associated with a Different Primary VLAN.   See the example below.

 

The configuration should look like this.

 

2930(config)#show run vlan 110

 

Running configuration:

 

vlan 110

   name "VLAN110"

   private-vlan primary

   private-vlan isolated 120

   tagged 4

   no ip address

   exit

 

vlan 120

   name "VLAN120"

   untagged 2

   no ip address

   exit

 

 

3810(config)#show run vlan 110

 

Running configuration:

 

vlan 110

   name "VLAN110"

   private-vlan primary

   private-vlan isolated 120

   tagged 4

   no ip address

   exit

 

vlan 120

   name "VLAN120"

      no ip address

   exit

 

 

The following commands can be used to verifying configuration:

 

2930(vlan-110)# show private-vlan promiscuous-ports

 

 

2930(config)#show vlans 120 private-vlan

 

Further information regarding the configuration of private VLANs can be found in the relevant advanced traffic management guide for the relevant switches below:

http://h20566.www2.hpe.com/portal/site/hpsc/?cc=au&lang=en-au&ac.admitted=1438571778305.125225703.1938120508