Private VLANs are a great way to segregate an existing VLAN into
multiple sets of ports to isolate traffic. Today I’m going to show how to configure isolated VLANs within a private VLAN so that devices connected to the switch ports cannot exchange traffic with each other. A frame entering an isolated port can only leave through the promiscuous (uplink) port in the primary VLAN; the primary VLAN carries frames from the promiscuous port downstream to the isolated ports. Two hosts on isolated ports never see each other's frames, even though they sit in the same IP subnet.
For environments that house boarding students this is a great way to ensure malicious activity can’t be undertaken on the LAN side of the environment: hosts in different rooms cannot scan, spoof or attack each other at layer 2 and can only reach the upstream network through the promiscuous port. Keep in mind that the isolation is layer 2 only; if the upstream gateway answers proxy ARP or is otherwise willing to route between hosts in the same subnet, isolated hosts can still reach each other through it, so check the gateway configuration as well. The diagram below depicts a sample of how isolated port traffic traverses the network.
Initially a primary VLAN needs to be created on the edge switch. In this example VLAN 110 is the primary VLAN:
3810(config)#vlan 110 private-vlan primary
A promiscuous port in the private VLAN is then required on the edge switch. This is the uplink through which the isolated VLAN traffic leaves toward the rest of the network:
3810(config)# interface 1 private-vlan promiscuous
Then add the promiscuous port as a tagged member of the primary VLAN:
2930(config)# vlan 110 tagged 1
Create the isolated (secondary) VLAN and associate it with the primary VLAN. Here VLAN 120 becomes the isolated VLAN of primary VLAN 110:
2930(config)# vlan 110 private-vlan isolated 120
Add the isolated edge ports (the ports the devices connect to) as untagged members of the isolated VLAN, in this case port 2. ArubaOS switches also support dynamic VLAN assignment if you want the isolated VLAN to be assigned to switch ports dynamically:
2930(config)#vlan 120 untagged 2
ISL configuration (Between the 3810 and 2930)
Add the ISL port (for example port 4) as a tagged member of the primary VLAN on both switches. The ISL port must not be marked promiscuous:
3810(config)# no interface 4 private-vlan promiscuous
3810(config)# vlan 110 tagged 4
2930(config)# no interface 4 private-vlan promiscuous
2930(config)# vlan 110 tagged 4
The relevant lines of the configuration should look like this:
2930(config)#show run vlan 110
private-vlan isolated 120
no ip address
3810(config)#show run vlan 110
no ip address
The following commands can be used to verify the configuration, in particular that the expected ports are listed as promiscuous and that the isolated VLAN is associated with the primary:
2930(vlan-110)# show private-vlan promiscuous-ports
2930(config)#show vlans 120 private-vlan
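Beyond eyeballing the show commands, the invariants that make the isolation work can be checked offline against a saved running config. The script below is an added example and is not part of the original post or of ArubaOS; it assumes a simplified ArubaOS-Switch style config layout (vlan and interface blocks closed by exit, plain numeric port names) and uses constructed sample configs, one matching the setup above and one with typical mistakes. It flags an isolated VLAN that lost its association with the primary (its ports then talk freely), a promiscuous port that is not in the primary VLAN, an isolated port that is also promiscuous, and an isolated port that is also a member of some other VLAN, which gives hosts a path around the isolation.

```python
"""Added example (not from the Aruba post): audit an ArubaOS-Switch style running
config for private-VLAN mistakes that would let isolated ports reach each other.
The block layout (vlan/interface ... exit, numeric ports) is assumed for
illustration; the sample configs are constructed, not captured from a switch."""
import re
from dataclasses import dataclass, field


@dataclass
class Vlan:
    vid: int
    primary: bool = False
    isolated: set = field(default_factory=set)  # isolated VLANs associated with this primary
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)

    def members(self):
        return self.tagged | self.untagged


def expand_ports(spec):
    """'1,4' -> {1, 4}; '2-5' -> {2, 3, 4, 5}. Assumes plain numeric port names."""
    ports = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        if lo:
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_config(text):
    """Collect VLAN blocks and the set of ports marked private-vlan promiscuous."""
    vlans, promiscuous, block = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            block = vlans.setdefault(int(m[1]), Vlan(int(m[1])))
        elif m := re.fullmatch(r"interface ([\d,\-]+)", line):
            block = expand_ports(m[1])          # interface block: a set of ports
        elif line == "exit":
            block = None
        elif isinstance(block, Vlan):
            if line == "private-vlan primary":
                block.primary = True
            elif m := re.fullmatch(r"private-vlan isolated (\d+)", line):
                block.isolated.add(int(m[1]))
            elif m := re.fullmatch(r"(tagged|untagged) (.+)", line):
                getattr(block, m[1]).update(expand_ports(m[2]))
        elif isinstance(block, set) and line == "private-vlan promiscuous":
            promiscuous.update(block)
    return vlans, promiscuous


def audit(text, expected_isolated):
    """Return a list of findings; an empty list means the isolation invariants hold.
    expected_isolated: VLAN ids the operator intends to be isolated."""
    vlans, promiscuous = parse_config(text)
    findings = []
    iso_to_primary = {iso: v.vid for v in vlans.values() if v.primary for iso in v.isolated}
    for iso in sorted(expected_isolated):
        if iso not in iso_to_primary:
            findings.append(f"VLAN {iso} is not associated as isolated with any primary VLAN: "
                            "its member ports can talk to each other")
    for port in sorted(promiscuous):
        if not any(v.primary and port in v.members() for v in vlans.values()):
            findings.append(f"promiscuous port {port} is not a member of a primary VLAN")
    for iso, prim in iso_to_primary.items():
        if iso not in vlans:
            findings.append(f"isolated VLAN {iso} is associated with primary {prim} but does not exist")
            continue
        for port in sorted(vlans[iso].members()):
            if port in promiscuous:
                findings.append(f"isolated port {port} (VLAN {iso}) is also promiscuous")
            for other in vlans.values():
                if other.vid != iso and port in other.members():
                    findings.append(f"isolated port {port} (VLAN {iso}) is also a member of "
                                    f"VLAN {other.vid}, a path around the isolation")
    return findings


# Constructed sample matching the post: primary 110, isolated 120, promiscuous uplink 1, ISL 4.
GOOD = """
vlan 110
   name "PVLAN-PRIMARY"
   tagged 1,4
   private-vlan primary
   private-vlan isolated 120
   no ip address
   exit
vlan 120
   name "PVLAN-ISOLATED"
   untagged 2-3
   no ip address
   exit
interface 1
   private-vlan promiscuous
   exit
"""

# Constructed sample with mistakes: port 2 is promiscuous while isolated, port 3 leaks into VLAN 200.
BAD = """
vlan 110
   tagged 1,4
   private-vlan primary
   private-vlan isolated 120
   no ip address
   exit
vlan 120
   untagged 2-3
   exit
vlan 200
   tagged 3
   exit
interface 2
   private-vlan promiscuous
   exit
"""

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(cfg, expected_isolated={120}) or "no findings")
```

Run it against `show running-config` output saved from the edge switch after any change; a non-empty result means an isolated port has a second path and should be fixed before the port goes live. Passing the intended isolated VLAN ids in explicitly is what catches the most common drift, an association removed with `no vlan 110 private-vlan isolated 120`, which leaves a perfectly valid ordinary VLAN behind.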
Further information regarding the configuration of private VLANs can be found in the Advanced Traffic Management Guide for the relevant switch series, listed below:
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.