Securing Our Switches: Private VLAN Lab

Steps to setup private VLANs:

1. Create your VLANs in the VLAN database and designate your primary (promiscuous), isolated and community VLANs. (Make sure the switch is in VTP transparent mode; private VLANs cannot be configured otherwise.)

  MLS(config-vlan)#private-vlan ?
    association       Configure association between private VLANs
    community         Configure the VLAN as a community private VLAN
    isolated          Configure the VLAN as an isolated private VLAN
    primary           Configure the VLAN as a primary private VLAN
    twoway-community  Configure the VLAN as a two way community private VLAN

2. Under your private primary (parent) VLAN, associate your private secondary (child) VLANs.

  MLS(config-vlan)#private-vlan association ?
    WORD    VLAN IDs of the private VLANs to be configured
    add     Add a VLAN to private VLAN list
    remove  Remove a VLAN from private VLAN list
  MLS(config-vlan)#private-vlan association 200,300

3. Place your ports into the required VLAN and create your mapping.

Promiscuous port that connects to the default gateway:

  SW1(config)#int fast 0/12
  SW1(config-if)#switchport mode ?
    access        Set trunking mode to ACCESS unconditionally
    dot1q-tunnel  set trunking mode to TUNNEL unconditionally
    dynamic       Set trunking mode to dynamically negotiate access or trunk mode
    private-vlan  Set private-vlan mode
    trunk         Set trunking mode to TRUNK unconditionally
  SW1(config-if)#switchport mode private-vlan ?
    host         Set the mode to private-vlan host
    promiscuous  Set the mode to private-vlan promiscuous
  SW1(config-if)#switchport mode private-vlan promiscuous

*This port must now be 'mapped' to the private VLANs:

  SW1(config-if)#switchport private-vlan ?
    association       Set the private VLAN association
    host-association  Set the private VLAN host association
    mapping           Set the private VLAN promiscuous mapping
  SW1(config-if)#switchport private-vlan mapping ?
    <1006-4094>  Primary extended range VLAN ID of the private VLAN promiscuous port mapping
    <2-1001>     Primary normal range VLAN ID of the private VLAN promiscuous port mapping
  SW1(config-if)#switchport private-vlan mapping 300 ?
    WORD    Secondary VLAN IDs of the private VLAN promiscuous port mapping
    add     Add a VLAN to private VLAN list
    remove  Remove a VLAN from private VLAN list
  SW1(config-if)#switchport private-vlan mapping 300 100,200    (primary, then secondary private VLANs)

4. Associate the host devices with their private VLAN host ports.

  SW1(config)#interface range fast 0/1 - 5
  SW1(config-if-range)#switchport mode private-vlan ?
    host         Set the mode to private-vlan host
    promiscuous  Set the mode to private-vlan promiscuous
  SW1(config-if-range)#switchport mode private-vlan host
  SW1(config-if-range)#switchport private-vlan ?
    association       Set the private VLAN association
    host-association  Set the private VLAN host association
    mapping           Set the private VLAN promiscuous mapping
  SW1(config-if-range)#switchport private-vlan host-association ?
    <1006-4094>  Primary extended range VLAN ID of the private VLAN host port association
    <2-1001>     Primary normal range VLAN ID of the private VLAN port association
  SW1(config-if-range)#switchport private-vlan host-association 300 100
You can verify all of your private VLANs with 'show vlan private-vlan', and check a single port's mode, mapping or host association with 'show interface switchport'.
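The four steps above, checked as a whole: an added Python audit (not from the original post and not a Cisco tool) that reads the private-vlan lines of a running-config and reports any promiscuous mapping or host association that names a secondary VLAN the primary was never associated with in step 2, plus a missing VTP transparent mode. The config it scans is a constructed sample, and the names audit_pvlan and SAMPLE_CONFIG are chosen here.

```python
import re

# Constructed sample config (not from the page's lab): primary VLAN 100 carrying community
# 200 and isolated 300; Fa0/2 deliberately names VLAN 400, which was never associated.
SAMPLE_CONFIG = """\
vtp mode transparent
vlan 100
 private-vlan primary
 private-vlan association 200,300
vlan 200
 private-vlan community
vlan 300
 private-vlan isolated
interface FastEthernet0/12
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 200,300
interface FastEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
interface FastEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 400
"""
SECONDARY = ("community", "isolated", "twoway-community")
def ids(text): return {int(v) for v in text.split(",")}   # "200,300" -> {200, 300}


def audit_pvlan(config):
    """Return a list of PVLAN consistency findings for an IOS config (empty == consistent)."""
    roles, assoc, ports, findings, ctx = {}, {}, [], [], None
    for s in (line.strip() for line in config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", s):
            ctx = ("vlan", int(m[1]))
        elif m := re.fullmatch(r"interface (\S+)", s):
            ctx = ("if", m[1])
        elif ctx and ctx[0] == "vlan" and (m := re.fullmatch(r"private-vlan (\S+)", s)):
            roles[ctx[1]] = m[1]                       # primary / community / isolated
        elif ctx and ctx[0] == "vlan" and (m := re.fullmatch(r"private-vlan association (\S+)", s)):
            assoc[ctx[1]] = ids(m[1])                  # primary -> the secondaries it carries
        elif ctx and ctx[0] == "if" and (m := re.fullmatch(r"switchport private-vlan (mapping|host-association) (\d+) (\S+)", s)):
            ports.append((ctx[1], m[1], int(m[2]), ids(m[3])))
    if "vtp mode transparent" not in config:
        findings.append("VTP is not in transparent mode; private VLANs require it")
    for pri, secs in assoc.items():                    # step 2 must name a primary and real secondaries
        if roles.get(pri) != "primary":
            findings.append(f"vlan {pri} carries an association but is not marked primary")
        findings += [f"vlan {s} is associated with {pri} but is not a secondary VLAN"
                     for s in sorted(secs) if roles.get(s) not in SECONDARY]
    for name, kind, pri, secs in ports:                # steps 3 and 4 must agree with step 2
        bad = secs - assoc.get(pri, set())             # secondaries this primary does not carry
        findings += [f"{name}: {kind} uses VLAN {s}, not associated with primary {pri}" for s in sorted(bad)]
    return findings
```

Run audit_pvlan against the output of 'show running-config' before trusting 'show vlan private-vlan'; a mapping that names the wrong primary ID shows up as one finding per secondary VLAN on that port.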

Securing Our Switches: Intro to Private VLANs

There are two kinds of private VLANs: primary and secondary.

There are two kinds of secondary VLANs: community and isolated.

PVLAN Hierarchy

  • promiscuous private Primary VLAN (Parent)
  • community private Secondary VLAN (Child)
  • isolated private Secondary VLAN (Child)

Example: (from Chris Bryant's SWITCH study guide)

PVLAN