2106 Views, 0 Helpful, 3 Replies

Private Vlan routing

ronanohart
Level 1

I have been configuring private VLANs in my test lab to achieve what I have outlined below, but with limited to no success.

 

Challenge

I am trying to segment the LAN of an existing network without having to renumber the clients in the LAN

Clients on ports 1-10 need to be separated/segmented from clients on ports 16-20 but keep their current IP address from the same subnet

The clients need to be able to communicate with each other (only via the router)

 

By implementing private VLANs I have been able to get clients in each community VLAN to communicate with the Layer 3 VLAN 100 IP address on the router, but not client to client.

 

vlan 100
  private-vlan primary
  private-vlan association 200,300
!
vlan 200
  private-vlan community
!
vlan 300
  private-vlan community
!
interface Vlan100
 ip address 192.168.1.1 255.255.255.0

Topology

Router (800 or 1900 series) with a Cat 3560 connected on the LAN

Router is default gateway

vlan 100 - primary vlan

vlan 200 - community (ports 1-10)

vlan 300 - community (ports 16-20)

Cat uplink to router on gig 0/24

 

Any suggestions on where I need to go next? Are private VLANs the right solution here, or should I look elsewhere?

Thanks in advance

3 Replies

InayathUlla Sharieff
Cisco Employee

The clients need to be able to communicate with each other (only via the router)

Answer: You can't achieve this with the config which you have configured. Community VLANs will only be able to communicate between each other and the promiscuous port.

 

Understanding Primary, Isolated, and Community Private VLANs

Primary VLANs and the two types of secondary VLANs (isolated and community) have these characteristics:

  • Primary VLAN— The primary VLAN carries traffic from the promiscuous ports to the host ports, both isolated and community, and to other promiscuous ports.
  • Isolated VLAN—An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports. You can configure multiple isolated VLANs in a private VLAN domain; all the traffic remains isolated within each one. Each isolated VLAN can have several isolated ports, and the traffic from each isolated port also remains completely separate.
  • Community VLAN—A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port and to other host ports in the same community. You can configure multiple community VLANs in a private VLAN domain. The ports within one community can communicate, but these ports cannot communicate with ports in any other community or isolated VLAN in the private VLAN.

Please have a look at the link below, which will give you the info:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.html#pgfId-1182268

 

HTH

Regards

Inayath

****Please do not forget to rate the post if helpful.

Thanks Inayath

 

This is the conclusion I had come to from testing.

Do you have any suggestions of an architecture that will achieve what I am trying to do?

Segmentation of devices on the LAN, which all keep the same subnet IPs but can only communicate via the router?

 

Thanks

Ronan

Hello

The primary vlan 100 needs to have the ip addressing of both community vlans.

Example:
vlan 200 - 22.22.22.0/24
vlan 300 - 33.33.33.0/24

int vlan 100
 ip address 22.22.22.254 255.255.255.0
 ip address 33.33.33.254 255.255.255.0 secondary
 private-vlan mapping 200,300

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
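The original post shows only the VLAN definitions; the switch also needs the host ports and the router uplink assigned their private-VLAN roles before it enforces anything. The following is an added example for the topology in this thread (not config from the original post or either reply); it assumes FastEthernet0/1-10 and 0/16-20 for the host ports and GigabitEthernet0/24 for the uplink, and keeps the single-subnet SVI the original post used.

```ios
! Added example: complete Catalyst 3560 private-VLAN configuration for this thread's topology
! (assumed interface names: Fa0/1-10, Fa0/16-20 host ports, Gi0/24 uplink to the router).
vtp mode transparent
! private VLANs on this platform require VTP transparent mode
!
vlan 200
 private-vlan community
!
vlan 300
 private-vlan community
!
vlan 100
 private-vlan primary
 private-vlan association 200,300
!
! Host ports: a community port reaches only its own community and the promiscuous port
interface range FastEthernet0/1 - 10
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
!
interface range FastEthernet0/16 - 20
 switchport mode private-vlan host
 switchport private-vlan host-association 100 300
!
! Uplink to the router: promiscuous, so both communities can reach the default gateway
interface GigabitEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 200,300
!
! Verification commands:
!  show vlan private-vlan
!  show interfaces GigabitEthernet0/24 switchport
```

With this applied, ports 1-10 and 16-20 each reach the router but not each other, which matches the behaviour described in the replies: because both communities share one subnet, hosts ARP for each other directly and the switch drops those frames rather than sending them via the router, which is why the reply above gives each community its own subnet.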