cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

PVLAN Implementation in Nexus for Traffic Management

1839
Views
0
Helpful
0
Comments

 

 

Introduction

A Private VLAN is a layer-2 network structure which an extension of the common VLAN. Within a Private VLAN domain there are  three separate port designations exist. Each port designation has its own unique set of rules, which regulate a connected endpoint’s ability to communicate with other endpoints connected to ports within the Private VLAN. The three port designations are promiscuous, isolated, and community. Regardless of the combination of isolated, community, and promiscuous ports used within a Private VLAN, it is still one layer 2 domain and therefore only requires one IP subnet. The addressing model now changes whereby instead of allocating an individual subnet to each customer, a range of addresses from one or two common large IP networks is assigned. By allocating addressing from one or two common larger IP networks, the address waste is reduced.

 

Private VLAN Ports

There are following three type of port roles in PVLAN:

Promiscuous—: A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.


Isolated—: An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from isolated port is forwarded only to promiscuous ports.


Community:— Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.

 

Scenario

 

Devices originating management traffic and backup traffic will be part of PVLAN. There is a separate vrf named: management-vrf will be created to contain the pvlan traffic. In this document, we will make use of the PVLAN concept to restrict the traffic between two servers which is configured with same IP subnet.  The servers L02 & L01 will be part of primary VLAN 130 and secondary VLAN 75. Port connecting to the Remote Access VPN ( ASA5548) is configured as promiscuous port and the two mentioned servers will be able to talk to the Remote Access VPN server. To demonstrate the routing capability, an SVI interface is configured on the S1-VDC for VLAN 130 and static route is used for, routing server originated traffic to other IP subnets.

Note: You must enable private vlan feature before you can configure this. You cannot disable private VLANs if the device has any operational ports in a private VLAN mode. Each VDC supports up to 4096 VLANs.

 

 

Configuration

 

 

S1-VDC#

feature private-vlan

vlan 75

private-vlan isolated

vlan 130

name RAVPN-OUTSIDE

private-vlan primary

private-vlan association 75

 

vrf context Tier1-mgmt

  ip route 172.16.1.8/29 172.16.1.2

 

interface Vlan60

  no shutdown

  vrf member Tier1-mgmt

  ip address 172.16.1.1/29

 

interface Vlan130

  no shutdown

  private-vlan mapping 75

  vrf member Tier1-mgmt

  ip address 10.54.30.1/28

 

interface Ethernet2/1

  switchport

  switchport mode private-vlan promiscuous

  switchport access vlan 130

  switchport private-vlan mapping 130 75

  no shutdown

 

interface Ethernet2/9

  switchport

  switchport mode private-vlan host

  switchport private-vlan host-association 130 75

  no shutdown

 

interface Ethernet2/10

  switchport

  switchport mode private-vlan host

  switchport private-vlan host-association 130 75

  no shutdown

 

 

Related Information

 

Single-sided vs double-sided vPC

Configuring ACS 5.x to authenticate Role Based Access Control (RBAC) users on a Nexus 5000 switch via TACACS

Content for Community-Ad