Friday, February 24, 2012

PROTECTED PORTS & PRIVATE VLANS

Protected Ports

  • two protected ports on a switch in the same vlan cannot exchange layer 2 frames with each other
  • used to prevent devices on the same vlan from communicating at layer 2
  • both ports must be on the same switch for this feature to work
  • you will still receive flooded unknown unicast and multicast traffic
Commands

int fa0/1
switchport protected

sh switchport protected

Private Vlans

  • can work across multiple switches
  • sub vlans (secondary vlans) are either community or isolated
  • promiscuous ports can speak to all; usually the layer 3 interface
  • community can speak to all ports in its own community and the promiscuous port
  • isolated can only speak to the promiscuous port
  • uRPF will not work with pvlans
  • the vtp mode on switches for pvlan must be transparent
  • cannot include vlan 1 or 1002-1005
  • does not work with etherchannel; if both are configured on a port, pvlan supersedes etherchannel
  • you can use span destination ports in pvlans; span supersedes pvlan
  • you can use span source ports in pvlans
  • enable portfast + bpduguard on pvlan ports to prevent loops from misconfig
  • qos is supported
  • acls should not be applied to isolated or community vlans
  • dynamic acls should not be applied to the primary vlan
  • the same config is required on all switches
  • vtp v3 supports pvlans but vtp v1 and v2 do not
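As an added example (not from the original post), a small audit of a running-config excerpt against three of the caveats above: vtp mode transparent, every host port's secondary vlan associated with its primary, and no etherchannel on a pvlan port. The checks and the sample config are constructed for the example.

```python
import re
# Added example, not from the original post: audit a running-config excerpt against
# the caveats above (VTP transparent, secondaries associated with their primary, no
# EtherChannel on private VLAN ports). Checks and sample config are constructed.

def expand(vlist):
    """Expand an IOS VLAN list such as '113-115' or '113,114' into a set of ids."""
    out = set()
    for part in vlist.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit_pvlan(config):
    """Return findings as strings; an empty list means the excerpt passed."""
    findings, vtp_ok, ctx, assoc, ifaces = [], False, None, {}, {}
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"(vlan|interface) (\S+)$", line)
        if m:                                  # start of a vlan / interface stanza
            ctx = m.groups()
            if ctx[0] == "interface":
                ifaces[ctx[1]] = []
        elif line == "vtp mode transparent":
            vtp_ok = True
        elif ctx and ctx[0] == "vlan" and line.startswith("private-vlan association"):
            assoc.setdefault(int(ctx[1]), set()).update(expand(line.split()[-1]))
        elif ctx and ctx[0] == "interface":
            ifaces[ctx[1]].append(line)
    if not vtp_ok:
        findings.append("vtp mode is not transparent")
    for name, lines in ifaces.items():
        pvlan = any(l.startswith("switchport private-vlan") for l in lines)
        if pvlan and any(l.startswith("channel-group") for l in lines):
            findings.append(f"{name}: private VLAN port is also in an EtherChannel")
        for l in lines:
            m = re.match(r"switchport private-vlan host-association (\d+) (\d+)$", l)
            if m and int(m.group(2)) not in assoc.get(int(m.group(1)), set()):
                findings.append(f"{name}: secondary {m.group(2)} is not associated "
                                f"with primary {m.group(1)}")
    return findings

# Constructed excerpt: Fa0/4 mirrors the lab, Fa0/6 carries two deliberate mistakes
SAMPLE = """vtp mode transparent
vlan 112
 private-vlan primary
 private-vlan association 113-115
interface FastEthernet0/4
 switchport private-vlan host-association 112 115
 switchport mode private-vlan host
interface FastEthernet0/6
 switchport private-vlan host-association 112 116
 switchport mode private-vlan host
 channel-group 1 mode on
"""
```

Running `audit_pvlan(SAMPLE)` reports the etherchannel and the unassociated secondary on Fa0/6 and nothing for Fa0/4.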

Commands

vtp mode transparent
vlan 112
private-vlan primary
private-vlan association 113,114
vlan 113
private-vlan community
vlan 114
private-vlan isolated

int fa0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 112 add 113,114

int fa0/5
switchport mode private-vlan host
switchport private-vlan host-association 112 113 - so primary 112 and secondary 113

sh vlan private-vlan


LAB
----

Protected Port
---------------

so I am configuring all the ports on s1 in the same vlan
s1(config)#int fa0/1
s1(config-if)#switchport access vlan 112
% Access VLAN does not exist. Creating vlan 112
s1(config-if)#int fa0/3
s1(config-if)#switchport access vlan 112
Command rejected: Fa0/3 not a switching port.
s1(config-if)#int fa0/5
s1(config-if)#switchport access vlan 112
s1(config-if)#

All the routers connecting in will go in the 10.229.254.0/24 subnet
r1(config)#int fa0/0
r1(config-if)#ip address 10.229.254.1 255.255.255.0
r1(config-if)#

r3(config)#int fa0/0
r3(config-if)#ip address 10.229.254.3 255.255.255.0
r3(config-if)#no shut

r5(config)#int fa0/0
r5(config-if)#ip address 10.229.254.5 255.255.255.0

ok so we will have r1 and r3 not able to communicate with each other but both able to communicate with r5

s1(config)#int fa0/1
s1(config-if)#switchport protected
s1(config-if)#int fa0/3
s1(config-if)#switchport protected

From R1
--------
r1#ping 10.229.254.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r1#ping 10.229.254.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r1#

FROM R3
--------

r3#ping 10.229.254.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
r3#ping 10.229.254.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r3#

From R5
--------
r5#ping 10.229.254.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r5#ping 10.229.254.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r5#


Private VLAN
-------------
I will take the protected port config off but keep the new addresses, all in vlan 112. I will also do this for the routers connected to sw2, r2, r4 and r6:
10.229.254.2, 10.229.254.4 and 10.229.254.6, all in vlan 112

routers
--------

r2(config)#int fa0/0
r2(config-if)#ip address 10.229.254.2 255.255.255.0
r2(config-if)#

r4(config)#int fa0/0
r4(config-if)#ip address 10.229.254.4 255.255.255.0
r4(config-if)#

r6(config)#int fa0/0
r6(config-if)#ip address 10.229.254.6 255.255.255.0
r6(config-if)#

switch 2
---------

s2(config)#int fa0/2
s2(config-if)#switchport mode access
s2(config-if)#switchport access vlan 112
s2(config-if)#int fa0/4
s2(config-if)#switchport mode access
s2(config-if)#switchport access vlan 112
s2(config-if)#int f0/6
s2(config-if)#switchport mode access
s2(config-if)#switchport access vlan 112
ok, as per the lab diagram: r1 is going promiscuous and will be able to connect to everyone; r3 and r2 will be able to connect to each other and to r1; r5 and r4 will be able to connect to each other and to r1; r6 will only be able to connect to r1. They will all be in the same primary vlan.


We will start the config on s1.
First things first, put the vtp mode to transparent

s1(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
create the vlans
s1(config)#vlan 112
s1(config-vlan)#private-vlan primary
s1(config-vlan)#vlan 113
s1(config-vlan)#private-vlan community
s1(config-vlan)#vlan 114
s1(config-vlan)#private-vlan community
s1(config-vlan)#vlan 115
s1(config-vlan)#private-vlan isolated
s1(config-vlan)#

s1(config)#vlan 112
s1(config-vlan)#private-vlan association 113,114,115

this same config needs to be put on s2

S2
---
s2(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
s2(config)#vlan 112
s2(config-vlan)#  private-vlan primary
s2(config-vlan)#  private-vlan association 113-115
s2(config-vlan)#!
s2(config-vlan)#vlan 113
s2(config-vlan)#  private-vlan community
s2(config-vlan)#!
s2(config-vlan)#vlan 114
s2(config-vlan)#  private-vlan community
s2(config-vlan)#!
s2(config-vlan)#vlan 115
s2(config-vlan)#  private-vlan isolated

s1
---
we will start with interface fa0/1, setting it as the promiscuous port
s1(config)#int fa0/1
s1(config-if)#switchport mode private-vlan promiscuous
s1(config-if)#switchport private-vlan mapping 112 add 113,114,115

now on to the community ports
so for r3 in community vlan 113

s1(config-if)#int fa0/3
s1(config-if)#switchport mode private-vlan host
s1(config-if)#switchport private-vlan host 112 113
for r5 in community vlan 114
s1(config)#int fa0/5
s1(config-if)#switchport mode private-vlan host
s1(config-if)#switchport private-vlan host 112 114

S2
---
for r2 in community vlan 113

s2(config)#int fa0/2
s2(config-if)#switchport mode private-vlan host
s2(config-if)#switchport private-vlan host 112 113

for r4 in community vlan 114
s2(config)#int fa0/4
s2(config-if)#switchport mode private-vlan host
s2(config-if)#switchport private-vlan host 112 114
for r6, which is in the isolated vlan 115
s2(config)#int fa0/6
s2(config-if)#switchport mode private-vlan host
s2(config-if)#switchport private-vlan host 112 115

ok, let's test the config

r1
---
r1#ping 10.229.254.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/4 ms
r1#ping 10.229.254.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
r1#ping 10.229.254.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r1#ping 10.229.254.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.6, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
r1#

can ping everything


r5
---
r5#ping 10.229.254.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r5#ping 10.229.254.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
r5#ping 10.229.254.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r5#ping 10.229.254.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r5#

it can ping its fellow community member r4 and the promiscuous port, but not members of other communities or the isolated group

r6
---
r6#ping 10.229.254.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r6#ping 10.229.254.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r6#ping 10.229.254.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.5, timeout is 2 seconds:
..

can only ping r1 which is what was expected

say I decide r4 should not be in a community but should be isolated


s2(config-if)#switchport private-vlan host 112 115
s2(config-if)#exit
s2(config)#do sh run int fa0/4
Building configuration...
Current configuration : 146 bytes
!
interface FastEthernet0/4
 switchport access vlan 112
 switchport private-vlan host-association 112 115
 switchport mode private-vlan host
end
s2(config)#

it is now using the same secondary vlan id as r6, 115

r4#ping 10.229.254.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r4#ping 10.229.254.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
r4#ping 10.229.254.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.229.254.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

it cannot ping its ex community member r5, but it can ping the promiscuous port.
it cannot ping r6 either, even though they are in the same secondary vlan, meaning the
same isolated secondary vlan can be reused for every isolated host
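As an added example (not from the original post), a model of the layer 2 forwarding rules described above, using the lab's own port assignments. It reproduces the ping results of both labs, including r4 moved into isolated vlan 115 alongside r6 and the fact that protected ports only block each other on the same switch.

```python
from dataclasses import dataclass
# Added example, not from the original post: a model of the layer 2 forwarding
# rules the post describes (protected ports and private VLAN port types),
# checked against the lab's ping results. Topology values are the lab's.

@dataclass(frozen=True)
class Port:
    switch: str
    name: str
    role: str             # "promiscuous" | "community" | "isolated" | "access"
    primary: int          # primary private VLAN, or the plain access VLAN
    secondary: int = 0    # community / isolated VLAN; 0 for promiscuous and access
    protected: bool = False

def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame from src may be delivered to dst at layer 2."""
    if src.primary != dst.primary:
        return False                      # different VLANs: no layer 2 path
    # switchport protected only blocks protected<->protected on the same switch
    if src.protected and dst.protected and src.switch == dst.switch:
        return False
    roles = {src.role, dst.role}
    if "promiscuous" in roles or roles == {"access"}:
        return True                       # promiscuous (or plain access) ports talk to all
    if roles == {"community"}:
        return src.secondary == dst.secondary   # same community only
    return False                          # isolated ports, or community <-> isolated

def reachable(ports: dict) -> dict:
    """Map each host to the sorted list of other hosts it can reach at layer 2."""
    return {a: sorted(b for b in ports if b != a and can_forward(ports[a], ports[b]))
            for a in ports}

# The post's private VLAN lab: primary 112, communities 113/114, isolated 115
PVLAN_LAB = {
    "r1": Port("s1", "fa0/1", "promiscuous", 112),
    "r3": Port("s1", "fa0/3", "community", 112, 113),
    "r5": Port("s1", "fa0/5", "community", 112, 114),
    "r2": Port("s2", "fa0/2", "community", 112, 113),
    "r4": Port("s2", "fa0/4", "community", 112, 114),
    "r6": Port("s2", "fa0/6", "isolated", 112, 115),
}

# The post's protected port lab: r1 and r3 protected, r5 not, all in vlan 112
PROTECTED_LAB = {
    "r1": Port("s1", "fa0/1", "access", 112, protected=True),
    "r3": Port("s1", "fa0/3", "access", 112, protected=True),
    "r5": Port("s1", "fa0/5", "access", 112),
}
```

`reachable(PVLAN_LAB)` gives r1 every host, r5 only r1 and r4, and r6 only r1, matching the pings above.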

