12-02-2011 02:29 PM - edited 03-07-2019 03:42 AM
I am working on putting together a better Guest network that is as isolated as possible from the existing network in my company without putting in totally separate equipment. I have been researching the Private VLAN configuration and am currently building a configuration to implement that. The question I have run into is the one statement I keep seeing over and over again which is there can only be one Primary VLAN in this configuration. Why ?
The reason I ask is that in working up this configuration for the Guest network, I can see a good reason to use this on the server vlan that is in the DMZ on my network. While I would prefer not to have to install a separate switch in a separate VTP domain, if that is what I need to do, I will probably end up doing that. My reason here is that if one server were to get compromised in the DMZ, that I have a reasonable change in preventing that compromised server being a jump point to infecting/compromising other servers in the DMZ. I know that my firewall will do the best it can to keep from the problem occuring but it can only go so far. Getting an IPS module would be ideal but that isnt in the budget for the next year. If it was, I dont know that I would buy the IPS module for my ASA. I had 4 modules fail over a 2 year period, so using the IPS module wouldnt be my first choice. That leaves me with an external IPS sensor which whether I go with a commerical unit or build an open source one using Snort, either option isnt open to me due to budgetary constraints I am have to deal with.
Again, why the limit on only having one Primary VLAN on a Private Vlan configuration ? Just want to understand the limitation.
Thanks,
Ron
12-03-2011 04:26 AM
The Primary VLAN is the main vlan that you configure when you are doing Private Vlans. Basically it is in charge of forwarding frames downstream to secondary private vlans such as "isolated and community". Private VLANs have the main vlan which is Primary and and three other types of ports called Promiscuous, Isolated, and Community.
Promiscuous -> This is usually connected to a router, and can have communication with all ports.
Isolated -> This type of port can only talk to Promiscuous ports and not Community, and not even to other Isolated ports.
Community -> This type of ports can only communicate with ports in the same community and Promiscuous ports.
12-03-2011 06:42 AM
Ron,
In addition to John's response, please try to have a look at http://tools.ietf.org/html/rfc5517 - it describes how the entire concept of Private VLANs works on Cisco switches. This RFC is not about a protocol, rather an open description of how Cisco implements the PVLAN functionality. This may help you understand the limitation for a single primary VLAN in a Private VLAN bundle - although it is not a limitation at all.
Please understand one more fact: the Private VLAN is a set of associated VLANs. This set always has a primary VLAN (the one that represents the entire network to the outside and that is responsible for carrying the data from promisc ports to every member port) and a number of secondary VLANs. You can have many Private VLANs, each of them having its own primary VLAN. Or in other words, any VLAN you currently have can become a primary VLAN within a set of private VLANs, and under it, several new secondary VLANs may be created and associated.
Best regards,
Peter
12-06-2011 10:21 AM
Thought everyone would like to know this little tidbit. I had an email conversation with Marco Foschiano at Cisco, one of the authors of RFC5517. Here is the statement from him about multiple primary vlans on the same vtp domain -
"There can be multiple primary vlans in a VTP domain. I am not aware of any restrictions, if VTPv3 is used."
I will be rereading the VTP v3 docs that I have because I dont remember seeing this item in what I have read. Thought there were others who would like to know about this.
Ron
12-06-2011 01:55 PM
Hello Ron,
Thank you for letting us know!
Personally, I do not see anything wrong with having multiple primary VLANs in a VTP domain, and I have never assumed that there is any specific limitation as to their count.
If we say "PVLAN", we actually mean a system - a set of VLANs that has exactly one primary VLAN, an arbitrary number of secondary community VLANs and at most one isolated community VLAN. You can safely have multiple PVLANs, i.e. these systems of primary and secondary VLANs, as long as these PVLANs are completely disjoint - no VLAN from one PVLAN set is used in the other PVLAN set. There will be as many primary VLANs as how many PVLANs exist.
Moreover, VTP has little to do with PVLANs. VTPv3 is capable of properly propagating the numbers, types and associations of all VLANs in a PVLAN. With older VTP versions, the recommendation was to use VTP Transparent mode (I believe that the PVLANs could not even be configured without VTPv1/2 Transparent mode).
Best regards,
Peter
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide