Education - Australia / New Zealand

 View Only
  • 1.  Private VLANs

    Posted Jul 31, 2017 08:37 PM

    Private VLANs are a great way to segregate existing VLANs into

    multiple sets of ports to isolate traffic.  Today I’m going to show how to configure Isolated VLANs within private VLANs so devices connected to switch ports cannot exchange traffic. Traffic coming into an isolated port can only go out through an Uplink to the Primary VLAN.  The primary VLAN is used to forward frames downstream to the Isolated VLANS.

     

    For environments that house boarding students this is a great way to ensure malicious activity can’t be undertaken on the LAN side of the environment.  The diagram below depicts a sample of how isolated port traffic traverses the network.

    Isolated VLANs.jpg

    Initially a Primary VLAN needs to be created on the edge switch. In this example VLAN 110 is the Primary VLAN

     

    3810(config)#vlan 110 private-vlan primary

     

    A promiscuous port in the private VLAN on the edge switch is then required. This is where the isolated VLAN traffic will be sent out to the network.

     

    38100(config)# interface 1 private-vlan promiscuous

    Then add the promiscuous port to the primary VLAN.

     

    2930(config)# vlan 110 tagged 1  

     

    Create and Associate the secondary VLAN to the primary VLAN

     

    2920(config)# vlan 110 private-vlan isolated 120

     

     

    Add isolated edge ports (device connected ports) to the Private VLAN. In this case port 2. ArubaOS switches also support dynamic VLANs if you want to dynamically assign isolated VLANs to switch ports

     

    2930(config)#vlan 120 untagged 2

     

     

    ISL configuration (Between the 3810 and 2930)

     

    Add the Private VLAN port member across both switches (ISL port), for example port 4.

     

    3810(config)# no interface 4 private-vlan promiscuous

    3810(eth-2)#vlan 110 tagged 4

     

    2930(config)# no interface 4 private-vlan promiscuous

    2930(eth-2)#vlan 110 tagged 4

     

    Additional NOTES:

     

    1. Existing VLANS cannot be configured as Secondary VLANS.
    2. Community/Isolated ports must be untagged on 2920 switches. On other platforms (5400, 3800, 5400R and 3810), the access ports can be either untagged or tagged members.
    3. You Cannot create more than one isolated VLAN under a primary VLAN. If as per the above configuration, you need another Secondary Isolated VLAN, it will have to be associated with a Different Primary VLAN.   See the example below.

     

    The configuration should look like this.

     

    2930(config)#show run vlan 110

     

    Running configuration:

     

    vlan 110

       name "VLAN110"

       private-vlan primary

       private-vlan isolated 120

       tagged 4

       no ip address

       exit

     

    vlan 120

       name "VLAN120"

       untagged 2

       no ip address

       exit

     

     

    3810(config)#show run vlan 110

     

    Running configuration:

     

    vlan 110

       name "VLAN110"

       private-vlan primary

       private-vlan isolated 120

       tagged 4

       no ip address

       exit

     

    vlan 120

       name "VLAN120"

          no ip address

       exit

     

     

    The following commands can be used to verifying configuration:

     

    2930(vlan-110)# show private-vlan promiscuous-ports

     

     

    2930(config)#show vlans 120 private-vlan

     

    Further information regarding the configuration of private VLANs can be found in the relevant advanced traffic management guide for the relevant switches below:

    http://h20566.www2.hpe.com/portal/site/hpsc/?cc=au&lang=en-au&ac.admitted=1438571778305.125225703.1938120508

     

     



  • 2.  RE: Private VLANs

    Posted Feb 23, 2021 02:12 PM
    I'm sorry, but I can't follow this article... switch numbers are with mistakes. I'm lost and don't know where and what to configure...
    I did my best, but I'm getting error:

    vlan 110 private-vlan isolated 120

    Cannot associate an already existing VLAN(s) as secondary to the primary VLAN

    ------------------------------
    Aleks YM
    ------------------------------



  • 3.  RE: Private VLANs

    Posted Mar 24, 2021 12:55 PM
    Hi Aleks,

    You may have solved this. In case you have not. Vlan 120 should not be created before running this command. Remove vlan 120 (no vlan 120) then run the command and it will create the vlan for you.


    ------------------------------
    Matthew Power
    ------------------------------