Sandeep Singh
Introduction

A Private VLAN (PVLAN) is a Layer 2 network structure that extends the common VLAN. Within a Private VLAN domain, three separate port designations exist. Each port designation has its own set of rules, which regulate a connected endpoint's ability to communicate with other endpoints connected to ports within the Private VLAN. The three port designations are promiscuous, isolated, and community. Regardless of the combination of isolated, community, and promiscuous ports used within a Private VLAN, it is still one Layer 2 domain and therefore requires only one IP subnet. The addressing model changes: instead of allocating an individual subnet to each customer, a range of addresses from one or two common large IP networks is assigned. Allocating addresses from one or two common larger IP networks reduces address waste.

Private VLAN Ports

There are three port roles in a PVLAN:

Promiscuous: A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.

Isolated: An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.

Community: Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or from isolated ports within their PVLAN.

Scenario

Devices originating management traffic and backup traffic will be part of the PVLAN. A separate VRF named management-vrf will be created to contain the PVLAN traffic. In this document, we use the PVLAN concept to restrict traffic between two servers that are configured in the same IP subnet. The servers L02 and L01 will be part of primary VLAN 130 and secondary VLAN 75. The port connecting to the Remote Access VPN (ASA5548) is configured as a promiscuous port, so the two servers will be able to talk to the Remote Access VPN server. To demonstrate the routing capability, an SVI interface is configured on the S1-VDC for VLAN 130, and a static route is used to route server-originated traffic to other IP subnets.

Note: You must enable the private VLAN feature before you can configure this. You cannot disable private VLANs if the device has any operational ports in private VLAN mode. Each VDC supports up to 4096 VLANs.


Configuration

S1-VDC#

feature private-vlan

vlan 75
  private-vlan isolated
vlan 130
  name RAVPN-OUTSIDE
  private-vlan primary
  private-vlan association 75

vrf context Tier1-mgmt
  ip route 172.16.1.8/29 172.16.1.2

interface Vlan60
  no shutdown
  vrf member Tier1-mgmt
  ip address 172.16.1.1/29

interface Vlan130
  no shutdown
  private-vlan mapping 75
  vrf member Tier1-mgmt
  ip address 10.54.30.1/28

interface Ethernet2/1
  switchport
  switchport mode private-vlan promiscuous
  switchport access vlan 130
  switchport private-vlan mapping 130 75
  no shutdown

interface Ethernet2/9
  switchport
  switchport mode private-vlan host
  switchport private-vlan host-association 130 75
  no shutdown

interface Ethernet2/10
  switchport
  switchport mode private-vlan host
  switchport private-vlan host-association 130 75
  no shutdown
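As an added check that is not part of the original document or the switch's own tooling, the following Python script parses the PVLAN lines of the configuration above and applies the three port-role rules to report which ports can reach each other at Layer 2. It assumes the constructed config excerpt embedded in the script (the primary VLAN number is taken from the port associations) and also handles community secondary VLANs, which this scenario does not use.

```python
import re
from itertools import combinations

# Constructed sample: the PVLAN lines of this document's S1-VDC config (primary 130 comes from the port associations).
NXOS_CONFIG = """\
vlan 75
  private-vlan isolated
interface Ethernet2/1
  switchport mode private-vlan promiscuous
  switchport private-vlan mapping 130 75
interface Ethernet2/9
  switchport mode private-vlan host
  switchport private-vlan host-association 130 75
interface Ethernet2/10
  switchport mode private-vlan host
  switchport private-vlan host-association 130 75
"""

def parse_pvlan(config):
    """Return ({secondary vlan: 'isolated'|'community'}, {interface: {role, primary, secondaries}})."""
    sec_types, ports, cur_vlan, cur_if = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            cur_vlan, cur_if = int(m.group(1)), None
        elif m := re.fullmatch(r"interface (\S+)", line):
            cur_if, cur_vlan = m.group(1), None
            ports[cur_if] = {"role": None, "primary": None, "secondaries": set()}
        elif cur_vlan and (m := re.fullmatch(r"private-vlan (isolated|community)", line)):
            sec_types[cur_vlan] = m.group(1)
        elif cur_if and (m := re.fullmatch(r"switchport mode private-vlan (promiscuous|host)", line)):
            ports[cur_if]["role"] = m.group(1)
        elif cur_if and (m := re.fullmatch(r"switchport private-vlan (?:mapping|host-association) (\d+) ([\d,]+)", line)):
            ports[cur_if]["primary"], ports[cur_if]["secondaries"] = int(m.group(1)), {int(v) for v in m.group(2).split(",")}
    return sec_types, ports

def can_talk(a, b, ports, sec_types):
    """The three role rules: same primary; promiscuous reaches mapped secondaries; hosts only meet inside one community."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False
    if pa["role"] == "promiscuous" or pb["role"] == "promiscuous":
        host, prom = (pa, pb) if pb["role"] == "promiscuous" else (pb, pa)
        return host["role"] == "promiscuous" or host["secondaries"] <= prom["secondaries"]
    (sa,), (sb,) = pa["secondaries"], pb["secondaries"]   # a host port carries exactly one secondary
    return sa == sb and sec_types.get(sa) == "community"

def reachability(config):
    sec_types, ports = parse_pvlan(config)
    return {pair: can_talk(*pair, ports, sec_types) for pair in combinations(sorted(ports), 2)}
```

For the scenario above, `reachability(NXOS_CONFIG)` reports Ethernet2/9 and Ethernet2/10 as unable to reach each other while both reach the promiscuous Ethernet2/1; changing VLAN 75 to a community VLAN flips the first result.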


Related Information


Single-sided vs double-sided vPC

Configuring ACS 5.x to authenticate Role Based Access Control (RBAC) users on a Nexus 5000 switch via TACACS
