Cisco Connected Grid Ethernet Switch Module Interface Card Software Configuration Guide

Types of Private VLANs and Private-VLAN Ports

Private VLANs partition a regular VLAN domain into subdomains. A subdomain is represented by a pair of VLANs: a primary VLAN and a secondary VLAN. A private VLAN can have multiple VLAN pairs, one pair for each subdomain. All VLAN pairs in a private VLAN share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another. See Figure 12-1.

Figure 12-1 Private-VLAN Domain

There are two types of secondary VLANs:

• Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.
• Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level. A community VLAN can include a combination of no more than eight user network interfaces (UNIs) and enhanced network interfaces (ENIs).

Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private-VLAN ports are access ports that are one of these types:

• Promiscuous—A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN.

Note Promiscuous ports must be network node interfaces (NNIs). UNIs or ENIs cannot be configured as promiscuous ports.

• Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
• Community—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN. No more than eight UNIs and ENIs can be community ports in the same community VLAN.

Note Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.

Primary and secondary VLANs have these characteristics:

• Primary VLAN—A private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.
• Isolated VLAN —A private VLAN has only one isolated VLAN. An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the gateway.
• Community VLAN—A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port gateways and to other host ports in the same community. You can configure multiple community VLANs in a private VLAN. Each community VLAN can include a combination of no more than eight UNIs and ENIs.

Note The switch module also supports UNI-ENI isolated VLANs and UNI-ENI community VLANs. When a VLAN is created, it is by default a UNI-ENI isolated VLAN. Traffic is not switched among UNIs and ENIs on a switch module that belong to a UNI-ENI isolated VLAN. For more information on UNI-ENI VLANs, see Chapter11, “VLAN Configuration”

A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs. Layer 3 gateways are typically connected to the switch module through a promiscuous port. With a promiscuous port, you can connect a wide range of devices as access points to a private VLAN. For example, you can use a promiscuous port to monitor or back up all the private-VLAN servers from an administration workstation.

In a switched environment, you can assign an individual private VLAN and associated IP subnet to each individual or common group of end stations. The end stations need to communicate only with a default gateway to communicate outside the private VLAN.

You can use private VLANs to control access to end stations in these ways:

• Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2. For example, if the end stations are servers, this configuration prevents Layer 2 communication between the servers.
• Configure NNIs connected to default gateways and selected end stations (for example, backup servers) as promiscuous ports to allow all end stations access to a default gateway.

You can extend private VLANs across multiple devices by trunking the primary, isolated, and community VLANs to other devices that support private VLANs. To maintain the security of your private-VLAN configuration and to avoid other use of the VLANs configured as private VLANs, configure private VLANs on all intermediate devices, including devices that have no private-VLAN ports.

IP Addressing Scheme with Private VLANs

Assigning a separate VLAN to each customer creates an inefficient IP addressing scheme:

• Assigning a block of addresses to a customer VLAN can result in unused IP addresses
• If the number of devices in the VLAN increases, the number of assigned address might not be large enough to accommodate them

These problems are reduced by using private VLANs, where all members in the private VLAN share a common address space, which is allocated to the primary VLAN. Hosts are connected to secondary VLANs, and the DHCP server assigns them IP addresses from the block of addresses allocated to the primary VLAN. Subsequent IP addresses can be assigned to customer devices in different secondary VLANs, but in the same primary VLAN. When new devices are added, the DHCP server assigns them the next available address from a large pool of subnet addresses.

Private VLANs across Multiple Switch Modules

As with regular VLANs, private VLANs can span multiple switch modules. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch module. The trunk port treats the private VLAN as any other VLAN. A feature of private VLANs across multiple switches is that traffic from an isolated port in Switch A does not reach an isolated port on Switch B. See Figure 12-2.

Figure 12-2 Private VLANs across Switch Modules

You must manually configure private VLANs on all switches in the Layer 2 network. If you do not configure the primary and secondary VLAN associations in some switches in the network, the Layer 2 databases in these switches are not merged. This can result in unnecessary flooding of private-VLAN traffic on those switches.

Private VLANs and Unicast, Broadcast and Multicast Traffic

In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but devices connected to interfaces in different VLANs must communicate at the Layer 3 level. In private VLANs, the promiscuous ports are members of the primary VLAN, while the host ports belong to secondary VLANs. Because the secondary VLAN is associated to the primary VLAN, members of the these VLANs can communicate with each other at the Layer 2 level.

In a regular VLAN, broadcasts are forwarded to all ports in that VLAN. Private-VLAN broadcast forwarding depends on the port sending the broadcast:

• An isolated port sends a broadcast only to the promiscuous ports or trunk ports.
• A community port sends a broadcast to all promiscuous ports, trunk ports, and ports in the same community VLAN.
• A promiscuous port (only NNI) sends a broadcast to all ports in the private VLAN (other promiscuous ports, trunk ports, isolated ports, and community ports).

Multicast traffic is routed or bridged across private-VLAN boundaries and within a single community VLAN. Multicast traffic is not forwarded between ports in the same isolated VLAN or between ports in different secondary VLANs.

Private VLANs and SVIs

In a Layer 3 switch module (a switch module running the IP services image), a switch module virtual interface (SVI) represents the Layer 3 interface of a VLAN. Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs. Configure Layer 3 VLAN interfaces only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs. SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN.

• If you try to configure a VLAN with an active SVI as a secondary VLAN, the configuration is not allowed until you disable the SVI.
• If you try to create an SVI on a VLAN that is configured as a secondary VLAN and the secondary VLAN is already mapped at Layer 3, the SVI is not created, and an error is returned. If the SVI is not mapped at Layer 3, the SVI is created, but it is automatically shut down.

When the primary VLAN is associated with and mapped to the secondary VLAN, any configuration on the primary VLAN is propagated to the secondary VLAN SVIs. For example, if you assign an IP subnet to the primary VLAN SVI, this subnet is the IP subnet address of the entire private VLAN.

Tasks for Configuring Private VLANs

To configure a private VLAN, follow these steps:

Step 1 Create the primary and secondary VLANs and associate them. See the “Configuring and Associating VLANs in a Private VLAN” section.

Note If the VLAN is not created already, the private-VLAN configuration process creates it.

Step 2 Configure interfaces to be isolated or community host ports, and assign VLAN membership to the host port. See the “Configuring a Layer 2 Interface as a Private-VLAN Host Port” section.

Step 3 Configure NNIs as promiscuous ports, and map the promiscuous ports to the primary-secondary VLAN pair. See the “Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port” section.

Step 4 If inter-VLAN routing will be used, configure the primary SVI, and map secondary VLANs to the primary. See the “Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface” section.

Step 5 Verify private-VLAN configuration.

Default Private-VLAN Configuration

No private VLANs are configured. Newly created VLANs are UNI-ENI isolated VLANs.

Private-VLAN Configuration Guidelines

Guidelines for configuring private VLANs fall into these categories:

• Secondary and Primary VLAN Configuration
• Private-VLAN Port Configuration
• Limitations with Other Features

Secondary and Primary VLAN Configuration

Follow these guidelines when configuring private VLANs:

• You use VLAN configuration mode to configure private VLANs
• You must configure private VLANs on each device where you want private-VLAN ports
• A private VLAN cannot be a UNI-ENI VLAN.

– To change a UNI-ENI isolated VLAN (the default) to a private VLAN, enter the private-vlan VLAN configuration command; this overwrites the default isolated VLAN configuration.

– To change a UNI-ENI community VLAN to a private VLAN, you must first enter the no uni-vlan VLAN configuration command to return to the default UNI isolated VLAN configuration.

• You cannot configure VLAN 1 or VLANs 1002 to 1005 as primary or secondary VLANs. Extended VLANs (VLAN IDs 1006 to 4094) can belong to private VLANs
• A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it. An isolated or community VLAN can have only one primary VLAN associated with it.
• Although a private VLAN contains more than one VLAN, only one Spanning Tree Protocol (STP) instance runs for the entire private VLAN. When a secondary VLAN is associated with the primary VLAN, the STP parameters of the primary VLAN are propagated to the secondary VLAN.
• You can enable DHCP snooping on private VLANs. When you enable DHCP snooping on the primary VLAN, it is propagated to the secondary VLANs. If you configure DHCP on a secondary VLAN, the configuration does not take effect if the primary VLAN is already configured.
• If you enable IP source guard on private-VLAN ports, you must enable DHCP snooping on the primary VLAN.
• You can apply different quality of service (QoS) configurations to primary, isolated, and community VLANs.
• When the switch module is running the IP services image, for sticky ARP

– Sticky ARP entries are those learned on SVIs and Layer 3 interfaces. The entries do not age out.

– The ip sticky-arp global configuration command is supported only on SVIs belonging to private VLANs.

– The ip sticky-arp interface configuration command is only supported on

Layer 3 interfaces

SVIs belonging to normal VLANs

SVIs belonging to private VLANs

For more information about using the ip sticky-arp global configuration and the ip sticky-arp interface configuration commands, see the command reference for this release.

• You can configure VLAN maps on primary and secondary VLANs. However, we recommend that you configure the same VLAN maps on private-VLAN primary and secondary VLANs.
• When a frame is forwarded through Layer 2 within a private VLAN, the same VLAN map is applied at the receiving and sending sides. When a frame is routed from inside a private VLAN to an external port, the private-VLAN map is applied at the receiving side.

– For frames going upstream from a host port to a promiscuous port, the VLAN map configured on the secondary VLAN is applied.

– For frames going downstream from a promiscuous port to a host port, the VLAN map configured on the primary VLAN is applied.

To filter out specific IP traffic for a private VLAN, you should apply the VLAN map to both the primary and secondary VLANs.

• If the switch module is running the IP services image, you can apply router ACLs only on the primary-VLAN SVIs. The ACL is applied to both primary and secondary VLAN Layer 3 traffic.
• Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other at Layer 3.
• Private VLANs support these Switched Port Analyzer (SPAN) features:

– You can configure a private-VLAN port as a SPAN source port.

– You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs or use SPAN on only one VLAN to separately monitor sent or received traffic.

Private-VLAN Port Configuration

Follow these guidelines when configuring private-VLAN ports:

• Promiscuous ports must be NNIs; UNIs and ENIs cannot be configured as promiscuous ports.
• Use only the private-VLAN configuration commands to assign ports to primary, isolated, or community VLANs. Layer 2 access ports assigned to the VLANs that you configure as primary, isolated, or community VLANs are inactive while the VLAN is part of the private-VLAN configuration. Layer 2 trunk interfaces remain in the STP forwarding state.
• Do not configure NNI ports that belong to a Link Aggregation Control Protocol (LACP) EtherChannel as private-VLAN ports. While a port is part of the private-VLAN configuration, any EtherChannel configuration for it is inactive.
• Enable Port Fast and BPDU guard on NNI isolated and community host ports to prevent STP loops due to misconfigurations and to speed up STP convergence. When enabled, STP applies the BPDU guard feature to all Port Fast-configured Layer 2 LAN ports. Do not enable Port Fast and BPDU guard on promiscuous ports.
• If you delete a VLAN used in the private-VLAN configuration, the private-VLAN ports associated with the VLAN become inactive.
• Private-VLAN ports can be on different network devices if the devices are trunk-connected and the primary and secondary VLANs have not been removed from the trunk.
• A community private VLAN can include no more than eight UNIs and ENIs. If you try to add more than eight, the configuration is not allowed. If you try to configure a VLAN that includes a combination of more than eight UNIs and ENIs as a community private VLAN, the configuration is not allowed.

Limitations with Other Features

When configuring private VLANs, remember these limitations with other features:

Note In some cases, the configuration is accepted with no error messages, but the commands have no effect.

• When IGMP snooping is enabled on the switch module (the default), the switch module supports no more than 20 private-VLAN domains.
• A private VLAN cannot be a UNI-ENI isolated or UNI-ENI community VLAN. For more information about UNI-ENI VLANs, see Chapter11, “VLAN Configuration”
• Do not configure a remote SPAN (RSPAN) VLAN as a private-VLAN primary or secondary VLAN.
• Do not configure private-VLAN ports on interfaces configured for these other features:

– dynamic-access port VLAN membership

– LACP (only NNIs or ENIs)

• Multicast VLAN Registration (MVR)
• You can configure 802.1x port-based authentication on a private-VLAN port, but do not configure IEEE 802.1x with port security on private-VLAN ports.
• A private-VLAN host or promiscuous port cannot be a SPAN destination port. If you configure a SPAN destination port as a private-VLAN port, the port becomes inactive.
• If you configure a static MAC address on a promiscuous port in the primary VLAN, you must add the same static address to all associated secondary VLANs. If you configure a static MAC address on a host port in a secondary VLAN, you must add the same static MAC address to the associated primary VLAN. When you delete a static MAC address from a private-VLAN port, you must remove all instances of the configured MAC address from the private VLAN.

Note Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the associated VLANs. For example, a MAC address learned in a secondary VLAN is replicated in the primary VLAN. When the original dynamic MAC address is deleted or aged out, the replicated addresses are removed from the MAC address table.

• Configure Layer 3 VLAN interfaces only for primary VLANs.

Configuring and Associating VLANs in a Private VLAN

Beginning in privileged EXEC mode, follow these steps to configure a private VLAN:

Note The private-vlan commands do not take effect until you exit VLAN configuration mode.

When you associate secondary VLANs with a primary VLAN, note this syntax information:

• The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single private-VLAN ID or a hyphenated range of private-VLAN IDs.
• The secondary_vlan_list parameter can contain multiple community VLAN IDs but only one isolated VLAN ID.
• Enter a secondary_vlan_list, or use the add keyword with a secondary_vlan_list to associate secondary VLANs with a primary VLAN.
• Use the remove keyword with a secondary_vlan_list to clear the association between secondary VLANs and a primary VLAN.
• The private-vlan association VLAN configuration command does not take effect until you exit VLAN configuration mode.

This example shows how to configure VLAN 20 as a primary VLAN, VLAN 501 as an isolated VLAN, and VLANs 502 and 503 as community VLANs, to associate them in a private VLAN, and to verify the configuration. It assumes that VLANs 502 and 503 have previously been configured as UNI-ENI community VLANs:

Configuring a Layer 2 Interface as a Private-VLAN Host Port

Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN host port and to associate it with primary and secondary VLANs:

Note Isolated and community VLANs are both secondary VLANs.

This example shows how to configure an interface as a private-VLAN host port, associate it with a private-VLAN pair, and verify the configuration:

Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port

You can configure only NNIs as promiscuous ports. Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN promiscuous port and map it to primary and secondary VLANs:

Note Isolated and community VLANs are both secondary VLANs.

When you configure a Layer 2 interface as a private-VLAN promiscuous port, note this syntax information:

• The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single private-VLAN ID or a hyphenated range of private-VLAN IDs.
• Enter a secondary_vlan_list, or use the add keyword with a secondary_vlan_list to map the secondary VLANs to the private-VLAN promiscuous port.
• Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and the private-VLAN promiscuous port.

This example shows how to configure an NNI as a private-VLAN promiscuous port and map it to a private VLAN. The interface is a member of primary VLAN 20 and secondary VLANs 501 to 503 are mapped to it.

Use the show vlan private-vlan or the show interface status privileged EXEC command to display primary and secondary VLANs and private-VLAN ports on the switch module.

Note Private VLAN configuration is not recommended on FastEthernet ports FE0/9 to FE0/16 on the GRWIC-D-ES-2S-8PC (Copper model) and the FastEthernet ports FE0/5 to FE0/12 on the GRWIC-D-ES-6S (SFP model). For Private VLAN configuration on the backplane, we recommend using PortChannel48. For details, see Chapter9, “EtherChannel Configuration Between the Switch Module and the Host Router”

Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface

If the switch module is running the IP services image and the private VLAN will be used for inter-VLAN routing, you configure an SVI for the primary VLAN and map secondary VLANs to the SVI.

Note Isolated and community VLANs are both secondary VLANs.

Beginning in privileged EXEC mode, follow these steps to map secondary VLANs to the SVI of a primary VLAN to allow Layer 3 switching of private-VLAN traffic:

Note The private-vlan mapping interface configuration command only affects private-VLAN traffic that is switched through Layer 3.

When you map secondary VLANs to the Layer 3 VLAN interface of a primary VLAN, note this syntax information:

• The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single private-VLAN ID or a hyphenated range of private-VLAN IDs.
• Enter a secondary_vlan_list, or use the add keyword with a secondary_vlan_list to map the secondary VLANs to the primary VLAN.
• Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary VLANs and the primary VLAN.

This example shows how to map the interfaces of VLANs 501 and 502 to primary VLAN 10, which permits routing of secondary VLAN incoming traffic from private VLANs 501 to 502: