"As a network engineer, you have a powerful and valuable tool at your disposal - Private VLANs (PVLANs) in Cisco switches. With PVLANs, you can enhance the security and efficiency of your network by dividing traditional VLANs into primary, secondary, and isolated ports.
When implementing PVLANs, you gain greater control over how devices communicate within VLANs. You can designate specific ports as primary, secondary, or isolated, allowing for a more granular and secure network environment.
One of the main and important benefits of PVLANs is that the devices within the same VLANs can be isolated and preventing them not to communicate with each other. This isolation boosts network security, safeguarding sensitive or critical devices from potential threats.
Moreover, PVLANs empower you to specify which ports devices can use to communicate. By designating certain ports as the only means of communication between devices, you optimize network resources and reduce unnecessary traffic.
Especially in large-scale Ethernet environments with multiple interconnected switches, PVLANs become an essential tool for maintaining a secure and efficient network infrastructure.
In order to understand the concept of private VLANs better, I take a small scenario of three Cisco Switches connected to each other via a link and here we'll understand on how to implement private VLANs which allows isolations within the same VLANs and other communications between primary and secondary VLANs.
Scenario Overview:
Let's consider a scenario in which a company has three Cisco switches connected to each other. The goal is to configure Private VLANs to enhance security and restrict communication between certain devices within the VLANs.
Topology Diagram:
VLAN Configuration:
First, we need to configure the VLANs on each Cisco switch. Assume we have the following VLANs:
VLAN 10: Servers VLAN (Primary VLAN)
VLAN 20: IoT Devices VLAN (Secondary VLAN)
VLAN 30: Guest Devices VLAN (Secondary VLAN)
PVLAN Communication:
In this scenario, the Private VLANs are configured as follows:
Communication between isolated ports (e.g., GigabitEthernet1/0/4 on Switch A, GigabitEthernet1/0/4 on Switch B, and GigabitEthernet1/0/4 on Switch C) is blocked. This isolation enhances security and prevents direct communication between end-user devices.
Communication between isolated ports and the promiscuous port (GigabitEthernet1/0/3 on all switches) is allowed. This enables connectivity to the resources in the primary VLAN (VLAN 10), such as servers and gateways.
Communication between devices in the secondary VLANs (VLAN 20 and VLAN 30) is blocked. Secondary VLANs operate in isolation from each other.
Communication between devices within the same secondary VLAN (e.g., between two IoT devices in VLAN 20 on Switch A) is allowed, as long as they are connected to the promiscuous port (GigabitEthernet1/0/3).
Private VLAN Configuration:
Next, we'll set up the Private VLANs on each switch to enhance security and restrict communication.
Switch A Configuration:
# Create primary VLAN 10
vlan 10
name Servers_VLAN
# Create secondary VLAN 20 and associate it with primary VLAN 10
vlan 20
name IoT_VLAN
private-vlan primary 10
# Create secondary VLAN 30 and associate it with primary VLAN 10
vlan 30
name Guest_VLAN
private-vlan primary 10
# Configure interfaces as trunk ports to connect to Switch B and Switch C
interface GigabitEthernet1/0/1
switchport mode trunk
interface GigabitEthernet1/0/2
switchport mode trunk
Switch B Configuration:
# Create primary VLAN 10
vlan 10
name Servers_VLAN
# Create secondary VLAN 20 and associate it with primary VLAN 10
vlan 20
name IoT_VLAN
private-vlan primary 10
# Create secondary VLAN 30 and associate it with primary VLAN 10
vlan 30
name Guest_VLAN
private-vlan primary 10
# Configure interfaces as trunk ports to connect to Switch A and Switch C
interface GigabitEthernet1/0/1
switchport mode trunk
interface GigabitEthernet1/0/2
switchport mode trunk
Switch C Configuration:
# Create primary VLAN 10
vlan 10
name Servers_VLAN
# Create secondary VLAN 20 and associate it with primary VLAN 10
vlan 20
name IoT_VLAN
private-vlan primary 10
# Create secondary VLAN 30 and associate it with primary VLAN 10
vlan 30
name Guest_VLAN
private-vlan primary 10
# Configure interfaces as trunk ports to connect to Switch A and Switch B
interface GigabitEthernet1/0/1
switchport mode trunk
interface GigabitEthernet1/0/2
switchport mode trunk
PVLAN Configuration on Switch A:
Now, we'll configure the Private VLANs on Switch A to enhance security.
# Configure interface GigabitEthernet1/0/3 as a promiscuous port for primary VLAN 10
interface GigabitEthernet1/0/3
switchport mode private-vlan promiscuous
switchport private-vlan mapping 10 20,30
# Configure interface GigabitEthernet1/0/4 as an isolated port for secondary VLAN 20
interface GigabitEthernet1/0/4
switchport mode private-vlan host
switchport private-vlan host-association 10 20
# Configure interface GigabitEthernet1/0/5 as an isolated port for secondary VLAN 30
interface GigabitEthernet1/0/5
switchport mode private-vlan host
switchport private-vlan host-association 10 30
PVLAN Configuration on Switch B:
# Configure interface GigabitEthernet1/0/3 as a promiscuous port for primary VLAN 10
interface GigabitEthernet1/0/3
switchport mode private-vlan promiscuous
switchport private-vlan mapping 10 20,30
# Configure interface GigabitEthernet1/0/4 as an isolated port for secondary VLAN 20
interface GigabitEthernet1/0/4
switchport mode private-vlan host
switchport private-vlan host-association 10 20
# Configure interface GigabitEthernet1/0/5 as an isolated port for secondary VLAN 30
interface GigabitEthernet1/0/5
switchport mode private-vlan host
switchport private-vlan host-association 10 30
PVLAN Configuration on Switch C:
# Configure interface GigabitEthernet1/0/3 as a promiscuous port for primary VLAN 10
interface GigabitEthernet1/0/3
switchport mode private-vlan promiscuous
switchport private-vlan mapping 10 20,30
# Configure interface GigabitEthernet1/0/4 as an isolated port for secondary VLAN 20
interface GigabitEthernet1/0/4
switchport mode private-vlan host
switchport private-vlan host-association 10 20
# Configure interface GigabitEthernet1/0/5 as an isolated port for secondary VLAN 30
interface GigabitEthernet1/0/5
switchport mode private-vlan host
switchport private-vlan host-association 10 30
Conclusion:
Private VLANs (PVLANs) offer network engineers a powerful tool to enhance security and optimize network resources in large-scale Ethernet environments. By segmenting traditional VLANs into primary, secondary, and isolated ports, PVLANs provide granular control over communication within VLANs. In the example scenario with three interconnected Cisco switches, we configured PVLANs to enhance security, restricting communication between certain devices and allowing communication only through designated ports. By implementing PVLANs, organizations can achieve improved network security and better utilize network resources in multi-switch environments.
He is a senior solution network architect and currently working with one of the largest financial company. He has an impressive academic and training background. He has completed his B.Tech and MBA, which makes him both technically and managerial proficient. He has also completed more than 450 online and offline training courses, both in India and ...
More... | Author`s Bog | Book a Meeting
hey Deepak, can you also please write an article on configuring private vlans on nexus switches. I appreciate your efforts, I read all your articles.