07-21-2012 06:23 PM - edited 03-07-2019 07:54 AM
Hi everybody
Consider the following scenario
h1------sw1---trunk-----sw2--------rest of network
         |
         h2
VTP is on; sw1 is the VTP server, sw2 the VTP client.
We want to stop traffic from h1 to h2 using private VLANs. We want to configure VLAN 2 as the primary VLAN as shown below:
vlan 2
private-vlan primary
One of the videos I was watching says the above command will be rejected, because we must configure sw1 in vtp transparent mode first.
1)Is that correct?
===============================================
Can we bypass this limitation as described below:
Let's say we configure VLAN 2 on sw1 and let VTP advertise it to sw3. Now both switches have VLAN 2.
Next we configure sw1 in VTP transparent mode and configure the following commands:
vlan 2
private-vlan primary
Next we configure sw2 as transparent and configure the same commands above.
2) Now we have VLAN 2 on both switches sw1 and sw2, configured as the primary VLAN. Can we do that?
=============================================
Is it possible to stop traffic between two hosts located on different switches using private vlans ?
h1------ f1/1-sw1----trunk------sw2------rest of network
              | f1/2
              h2
Let's say we have VLAN 2 configured on sw1 and sw2. We will use VLAN 2 as the primary VLAN.
If we configure sw1 f1/1 as an isolated port and sw2 f1/2 as an isolated port, while using VLAN 2 as the primary VLAN, can we stop the traffic between h1 and h2, considering they are located on different switches?
thanks and have a great weekend.
07-21-2012 07:51 PM
Hi Sarah,
When configuring private vlans the mode has to be transparent.
This section provides some rules and limitations for which you must watch when you implement PVLANs. For a more complete list, refer to the Private VLAN Configuration Guidelines section of the document Configuring VLANs.
PVLANs cannot include VLANs 1 or 1002–1005.
You must set VLAN Trunk Protocol (VTP) mode to transparent.
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a008017acad.shtml
Regarding the limitation, here is what happens if you put the switch in transparent mode, configure a private VLAN and then try to put the switch in server mode:
This switch is configured with a private VLAN and it is currently in transparent mode
Switch(config)#vtp mode server
VTP mode cannot be set to server because there are private vlans configured on this device.
Switch(config)#
HTH
07-22-2012 12:37 AM
Hello Sarah and Reza,
Just to add to Reza's answer, if running VTPv3 in the entire switched network, you may safely leave switches in VTP Server or Client mode. The reason VTPv1/VTPv2 had to be effectively deactivated by putting switches into Transparent mode was that these older VTP versions were unable to carry information about Private VLANs, in particular about the PVLAN types (primary, secondary community, secondary isolated) and their mutual association (which secondary PVLANs are associated with a particular primary PVLAN). However, with VTPv3, this functionality has been added, and thus you can use VTPv3 and PVLANs together safely.
Best regards,
Peter
07-22-2012 01:21 PM
Hi Sarah,
The pleasure of meeting you here again is all mine. Yes, I have been kind of busy in the last months. Now I have a couple of weeks free and I am trying to catch up here on CSC again.
Regarding your question:
Since we are using vtp v2, therefore we must configure private vlans manually on each switch in the path from h1 to h2.
Correct.
Let assume we have already configured vlan 100 as primary and vlan 101 as isolated on sw1 and sw3 but not on sw3.
There seems to be a typo - I assume you wanted to say: "... on sw1 and sw2 but not on sw3".
My question is when we configure primary vlan 100 and isolated vlan 101 on sw3 , do we need to associate isolated vlan 101 with primary vlan 100 i.e:
Yes, you need to do that. Traffic received on promisc host ports is tagged with the primary PVLAN ID on trunks. If a switch receives a frame tagged with primary PVLAN, it immediately knows that this frame can be forwarded to any port in any associated secondary PVLAN if the destination MAC address points out such interface. It also goes the other way around: a frame tagged with any secondary PVLAN can be sent out any promisc interface that is associated with the corresponding primary PVLAN and the particular secondary PVLAN (as this mapping can be made more restrictive directly on the promisc port).
If your isolated PVLAN 101 was not associated with the primary PVLAN 100 then traffic received on promisc ports would not be allowed to be forwarded out through any port in the PVLAN 101. Hence, stations in secondary isolated PVLAN 101 would not be capable of communicating with devices placed on promisc ports.
Best regards,
Peter
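The forwarding rules Peter describes above, and Sarah's earlier question about isolated ports on two different switches, can be worked through with a small model. The following Python is an added illustration and not Cisco code or anything posted in this thread: it encodes the rules that host ports tag frames with their secondary VLAN, promiscuous ports with the primary VLAN, and that a switch forwards a primary-tagged frame to host ports only of an associated secondary VLAN and a secondary-tagged frame only to promiscuous ports of the associated primary (or to same-community ports). The switch names, h1/h2, VLANs 100/101 and ports f1/1 and f1/2 come from the thread; the community VLAN 102, the hosts hc1/hc2, the gateway gw on a promiscuous port and the trunk port names are constructed for contrast.

```python
"""Model of private-VLAN forwarding across a trunk (added illustration, not
Cisco code).  Associations are stored per switch because, as discussed in
the thread, VTPv2 does not carry them between switches."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    role: str            # 'isolated', 'community', 'promiscuous' or 'trunk'
    primary: int = 0     # primary PVLAN for host and promiscuous ports
    secondary: int = 0   # secondary PVLAN for isolated/community host ports
    link: object = None  # attached host name, or (peer switch, peer port) for a trunk


@dataclass
class Switch:
    name: str
    associations: dict = field(default_factory=dict)  # primary -> {secondaries}
    ports: dict = field(default_factory=dict)

    def associated(self, primary, secondary):
        return secondary in self.associations.get(primary, set())

    def ingress_tag(self, port):
        """Tag a frame entering on a host port gets on the trunk."""
        return port.primary if port.role == 'promiscuous' else port.secondary

    def may_egress(self, tag, port):
        """May a frame carrying `tag` leave through `port` on this switch?"""
        if port.role == 'trunk':
            return True  # trunks carry primary and secondary tags alike
        if port.role == 'promiscuous':
            # primary traffic, or any secondary associated with this primary
            return tag == port.primary or self.associated(port.primary, tag)
        if not self.associated(port.primary, port.secondary):
            return False  # secondary VLAN not associated on this switch
        if port.role == 'isolated':
            return tag == port.primary  # never from an isolated/community tag
        if port.role == 'community':
            return tag in (port.primary, port.secondary)
        return False


def build_topology(associate_on_sw2=True):
    """Constructed two-switch topology: primary 100, isolated 101, community 102."""
    sw1 = Switch('sw1', {100: {101, 102}})
    sw2 = Switch('sw2', {100: {101, 102} if associate_on_sw2 else set()})
    sw1.ports = {
        'f1/1': Port('f1/1', 'isolated', 100, 101, 'h1'),
        'f1/2': Port('f1/2', 'community', 100, 102, 'hc1'),
        'g0/1': Port('g0/1', 'trunk', link=(sw2, 'g0/1')),
    }
    sw2.ports = {
        'f1/2': Port('f1/2', 'isolated', 100, 101, 'h2'),
        'f1/3': Port('f1/3', 'community', 100, 102, 'hc2'),
        'f1/4': Port('f1/4', 'promiscuous', 100, 0, 'gw'),
        'g0/1': Port('g0/1', 'trunk', link=(sw1, 'g0/1')),
    }
    return [sw1, sw2]


def locate(switches, host):
    for sw in switches:
        for port in sw.ports.values():
            if port.role != 'trunk' and port.link == host:
                return sw, port
    raise KeyError(host)


def reachable(switches, src, dst):
    """Flood a frame from src (unknown destination MAC) through the switches
    and report whether any switch may deliver it to dst's port."""
    sw, port = locate(switches, src)
    tag = sw.ingress_tag(port)
    queue, seen = [(sw, port.name)], set()
    while queue:
        sw, in_port = queue.pop(0)
        if sw.name in seen:
            continue
        seen.add(sw.name)
        for p in sw.ports.values():
            if p.name == in_port or not sw.may_egress(tag, p):
                continue
            if p.role == 'trunk':
                peer, peer_port = p.link
                queue.append((peer, peer_port))
            elif p.link == dst:
                return True
    return False


if __name__ == '__main__':
    net = build_topology()
    for pair in [('h1', 'h2'), ('h1', 'gw'), ('gw', 'h2'), ('hc1', 'hc2')]:
        print(pair, reachable(net, *pair))
    print('h1 -> gw with no association on sw2:',
          reachable(build_topology(associate_on_sw2=False), 'h1', 'gw'))
```

With both switches configured, h1 and h2 cannot reach each other even though they sit on different switches, because the frame from h1 crosses the trunk tagged 101 and sw2 refuses to deliver a secondary-tagged frame to an isolated port; both still reach the gateway on the promiscuous port. Dropping the association on sw2 reproduces Peter's last point: sw2 no longer forwards between its promiscuous port and VLAN 101 in either direction, while sw1, which still has the association, keeps working.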
07-21-2012 08:57 PM
Thanks Reza.
Great link, answered all my questions.
07-22-2012 06:42 AM
Thanks Peter. Long time no see. How have you been?
07-22-2012 08:09 AM
Hi Peter
Just a quick question.
h1------------------sw1--------------------sw2----------------------sw3----------h2
We want to restrict communication from h1 to h2. We want to use private vlans.
Since we are using VTP v2, we must configure private VLANs manually on each switch in the path from h1 to h2.
Let's assume we have already configured VLAN 100 as primary and VLAN 101 as isolated on sw1 and sw3 but not on sw3.
My question is, when we configure primary VLAN 100 and isolated VLAN 101 on sw3, do we need to associate isolated VLAN 101 with primary VLAN 100, i.e.:
vlan 100
 name primary_for_101
 private-vlan primary
 private-vlan association 101
!
vlan 101
 name isolated_under_100
 private-vlan isolated
thanks.
07-22-2012 06:21 PM
Thanks Peter.
I apologize for the typo
I wanted to say
My question is, when we configure primary VLAN 100 and isolated VLAN 101 on sw2, do we need to associate isolated VLAN 101 with primary VLAN 100 using:
vlan 100
 name primary_for_101
 private-vlan primary
 private-vlan association 101
!
Thanks and have a great evening.