Education - Australia / New Zealand


A local community of Aruba education customers across Australia/NZ. This group will be moderated by Aruba staff and kept up to date with any upcoming training or events that are relevant to the EDU space.

Private VLANs


    Posted Jul 31, 2017 08:37 PM

    Private VLANs are a great way to segregate existing VLANs into multiple sets of ports to isolate traffic. Today I'm going to show how to configure isolated VLANs within private VLANs so that devices connected to switch ports cannot exchange traffic. Traffic coming into an isolated port can only go out through an uplink to the primary VLAN. The primary VLAN is used to forward frames downstream to the isolated VLANs.

    For environments that house boarding students, this is a great way to ensure malicious activity can't be undertaken on the LAN side of the environment. The diagram below depicts a sample of how isolated port traffic traverses the network.

    [Figure: Isolated VLANs.jpg]

    Initially, a primary VLAN needs to be created on the edge switch. In this example VLAN 110 is the primary VLAN.

    3810(config)# vlan 110 private-vlan primary

    A promiscuous port in the private VLAN on the edge switch is then required. This is where the isolated VLAN traffic will be sent out to the network.

    3810(config)# interface 1 private-vlan promiscuous

    Then add the promiscuous port to the primary VLAN.

    2930(config)# vlan 110 tagged 1

    Create the secondary VLAN and associate it with the primary VLAN.

    2920(config)# vlan 110 private-vlan isolated 120

    Add the isolated edge ports (the ports devices connect to) to the private VLAN; in this case port 2. ArubaOS switches also support dynamic VLANs if you want to assign isolated VLANs to switch ports dynamically.

    2930(config)# vlan 120 untagged 2

    ISL configuration (between the 3810 and 2930)

    Add the ISL port (for example port 4) as a tagged member of the primary VLAN on both switches.

    3810(config)# no interface 4 private-vlan promiscuous
    3810(config)# vlan 110 tagged 4

    2930(config)# no interface 4 private-vlan promiscuous
    2930(config)# vlan 110 tagged 4

     

    Additional notes:

    1. Existing VLANs cannot be configured as secondary VLANs.
    2. Community/isolated ports must be untagged on 2920 switches. On other platforms (5400, 3800, 5400R and 3810), the access ports can be either untagged or tagged members.
    3. You cannot create more than one isolated VLAN under a primary VLAN. If, as in the configuration above, you need another secondary isolated VLAN, it will have to be associated with a different primary VLAN. See the example below.

    The configuration should look like this.

    2930(config)# show run vlan 110

     

    Running configuration:

     

    vlan 110

       name "VLAN110"

       private-vlan primary

       private-vlan isolated 120

       tagged 4

       no ip address

       exit

     

    vlan 120

       name "VLAN120"

       untagged 2

       no ip address

       exit

     

     

    3810(config)#show run vlan 110

     

    Running configuration:

     

    vlan 110

       name "VLAN110"

       private-vlan primary

       private-vlan isolated 120

       tagged 4

       no ip address

       exit

     

    vlan 120

       name "VLAN120"

       no ip address

       exit

     

     

    The following commands can be used to verify the configuration:

    2930(vlan-110)# show private-vlan promiscuous-ports

    2930(config)# show vlans 120 private-vlan
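As an added configuration check (example code written for this post, not an Aruba tool), the Python script below parses "show run vlan" output and flags the conditions from the notes above: more than one isolated VLAN under a primary, an isolated VLAN that is not defined, tagged access ports on a 2920, and a primary VLAN with no tagged uplink for the isolated traffic to leave through. The sample running config is constructed (the post's VLANs 110/120 plus a deliberately broken VLAN 130), and the platform_2920 flag is an assumption of this script.

```python
import re
# Constructed sample (not from a real switch): the post's VLANs 110/120, plus a primary
# VLAN 130 that breaks the rules and an isolated VLAN 140 whose access port is tagged.
SAMPLE_RUNNING_CONFIG = """\
vlan 110
   private-vlan primary
   private-vlan isolated 120
   tagged 4
vlan 120
   untagged 2
vlan 130
   private-vlan primary
   private-vlan isolated 140
   private-vlan isolated 150
vlan 140
   tagged 3
"""

def parse_vlans(text):
    """Map VLAN id -> {primary, isolated, tagged, untagged} from 'show run vlan' output."""
    vlans, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            cur = vlans.setdefault(int(m[1]), {"primary": False, "isolated": [], "tagged": [], "untagged": []})
        elif cur is None:
            continue  # ignore anything before the first 'vlan N' stanza
        elif line == "private-vlan primary":
            cur["primary"] = True
        elif m := re.fullmatch(r"private-vlan isolated (\d+)", line):
            cur["isolated"].append(int(m[1]))
        elif m := re.fullmatch(r"(tagged|untagged) (\S+)", line):
            cur[m[1]].append(m[2])
    return vlans

def check_private_vlans(vlans, platform_2920=False):
    """Return findings for the constraints in the post; an empty list means clean."""
    findings = []
    for vid, v in vlans.items():
        if not v["primary"]:
            continue
        if len(v["isolated"]) > 1:  # note 3: only one isolated VLAN per primary
            findings.append(f"primary {vid}: {len(v['isolated'])} isolated VLANs, only one allowed")
        if not v["tagged"]:  # isolated traffic can only leave via an uplink in the primary VLAN
            findings.append(f"primary {vid}: no tagged uplink port")
        for sec in v["isolated"]:
            if sec not in vlans:
                findings.append(f"primary {vid}: isolated VLAN {sec} is not defined")
            elif platform_2920 and vlans[sec]["tagged"]:  # note 2: 2920 access ports must be untagged
                findings.append(f"isolated {sec}: tagged ports {vlans[sec]['tagged']} not allowed on 2920")
    return findings
```

Lines such as name, no ip address and exit in real output are ignored by the parser, so the text of "show run vlan" can be pasted in as-is.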

     

    Further information on configuring private VLANs can be found in the Advanced Traffic Management Guide for the relevant switch:

    http://h20566.www2.hpe.com/portal/site/hpsc/?cc=au&lang=en-au&ac.admitted=1438571778305.125225703.1938120508