Private Vlan and Switchport Protected

Similar Messages

• Private vlan and HSRP

  Hi, guys. I have a question about Private Vlan and HSRP implement. In my network topology, there are 2 switch 6509 as core switches and Internet outlet. There are a 3750 as a distribute swtich, and 3550 as a access swtich. the topology is as below:
  | |
  7609----7609
  | |
  3750
  |
  3550
  |
  servers
  Now there are some Server will connect to 3550, and 3750 and 3550 will be treated as Layer 2 switch, that is these servers's default gateway will be on vlan interface on 7609, and I have configured HSRP between the vlan on 2 6509. My question is how to implement private vlan on 3550 with HSRP on 7609, so that these servers can have redundancy gateway, and be kept isolated between other servers.

  It looks like the 3550 do not support private VLAN.
  http://www.cisco.com/en/US/products/hw/switches/ps4324/products_tech_note09186a0080094830.shtml
  More info. on private VLAN :
  http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00802c30c4.html#wp1138148
  Did you configure the VLAN trunking between 7609, 3750 and 3550 ? Once we enable the VLAN trunking then the server can plug to the assigned VLAN and communicate to the 7609 via the trunk w/o interference w/ other VLAN. However, you have to enable the VLAN routing at 7609 to make it able to connect to other VLAN user if you want.
  Hope this helps.

• Private vlans and 2960 and 3560 switch

  Hi, I have a 3560 switch that supports private vlans. There are few computers connected to it and private vlans work fine. Now I need to connect a 2960 switch to 3560 switch. 2960 seems to have no private vlan configuration options but it can be private vlan edge? What is private vlan edge? If I put the computers on 2960 to a vlan that is isolated vlan in 3560 will the computers be able to communicate with themselves in layer2 on 2960 switch?

  Example: I have network 10.0.0.0/24. Networks primary vlan is 2001, isolated is 2002 and community is 2003. These settings are on 3560. So if I put computers on 2960 switch to vlan 2002 and make the ports protected ports they will act as isolated ports and they can't communicate with ports that are on isolated vlan 2002 on 3560???
  Can I also use the community vlan on 2960? is this possible because vlans 2002 and 2003 would be on the same network???

• Private VLAN and ASA subinterfaces

  Gents,
  I have a dmz 3750 switch and i want to introduce private VLAN on this switch. This switch is connected to cisco ASA with trunk (subinterface for each primary VLAN) because we have multiple dmz. How the configuration on both sides will be ?.
  If private VLANs can't be used with ASA subinterfaces, what  solution can be done in this scanario ?
  Thanks,

  I would think the ASA doesn't care. The Pvlans are configured on the switch. The port that the ASA is connected too will be promiscuous.
  To see how to configure it, check out this guide (a long in depth read but worth it):
  http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html
  Regards,
  Ian
  If I hepled please rate me.

• Private Vlans and trunk mode

  if we have a primary vlan 100 associate with it
  vlan 11 over {fa0/2 work as host mode} , vlan 12 over {fa0/3 work as host mode} they work as secondry community vlan
  and vlan 13 as isolated secondry vlan over {fa0/4 host mode}
  How we can route between private vlans 11,12,13 and {vlan 50 fa0/5 access mode}
  cloud we use the fa 0/1 which connected to L3 device as promiscouous mode and trunk mode at the same time or what ... ??
  and

  Private vlan's are all on the same subnet, so from what you are writing I see:
  100-------------------------------
  | | |
  | | |
  11 12 13
  Fa0/2 fa/03 fa0/4
  and you want to route to Vlan 50, correct?
  In that case you need to trunk vlan 100 to a vlan interface and make sure that vlan 50 also has a routed interface on the same device.

• Private-VLAN and EtherChannel

  Hi,
  On a Catalyst 3750, I have created a Primary and Secondary Community VLANs and have associated them.
  The Primary VLAN (100) is attached to a promiscuous port, the Secondary VLANs (101-103) aren't attached to any port.
  I would like to let the Secondary VLANs traffic pass over an EtherChannel link that is a dot1q trunk.
  The trunk is made with a virtual switch (VMware ESX) and transports non-Private VLANs (101-103). The trunk itself works.
  How can I configure the EtherChannel as a private-VLAN port, considering that the EtherChannel isn't using PAgP/LACP modes? ("group-channel 1 mode on").
  Is there a way to solve this without replacing the Private-VLANs with VLANs?
  Thanks in advance for your help!

  From "EtherChannel Configuration Guidelines"
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225sed/scg/swethchl.htm#wp1021856
  Do not configure a private-VLAN port as part of an EtherChannel.

• Configure Private VLAN on 3750 & 2960

  Hi All,
  ( R ) ------ [ 3750 ] ------- [ 2960 A ]
                          |------------ [ 2960 B ]
  I had these VLAN on the 3750 & 2960:
  - Vlan 8 (mgnt Vlan), Vlan 17, Vlan 34, Vlan 35
  Basically I had already configure switchport protected on all the port on the 2960 except the uplink to 3750.
  2960 Configure
  On uplink to 3750
   switchport mode trunk
  On end device port 
   switchport trunk native vlan 35
   switchport trunk allowed vlan 34,35
   switchport mode trunk
   switchport protected
   spanning-tree portfast
  How do I go about configure private VLAN on the 3750? 
  3750 Configure
  On downlink to 2960
   switchport mode trunk
  Interface vlan8
   ip address 10.8.0.1 255.255.255.0
  Interface vlan17
  ​ ip address 10.17.0.1 255.255.255.0
  Interface vlan34
  ​ ip address 10.34.0.1 255.255.255.0
  Interface vlan35
  ​ ip address 10.35.0.1 255.255.255.0
  What I want to achieve is to send all the VLAN 8, 17, 34, 35 from 2960 to 3750 and 3750 to 2960. But at the same time prevent 2960 A client from talking to 2960 B client on VLAN 35? 

  I believe that if both devices you want no to speak with each other are on 2960 the "switchport protected" should work.
  But you can configure with private vlan.
  let's say client A is in port f0/1 and client B in port f0/2
  Parent (main) VLAN is 100 and child is 999
  You would configure the VLANs in ALL switches.
  vlan 999
  private-vlan isolated
  vlan 100
  private-vlan primary
  private-vlan association 999
  Now you would need to configure the ports.
  int range f0/1 - 2
  switchport mode private-vlan host
  switchport private-vlan host-association 100 999
  If the interfaces will talk to other VLANs, you need to configure the SVI to understand it will serve the private VLANs.
  interface vlan 100
  private-vlan mapping 999
  That's it, but notice that now interface f0/1 will not talk to f0/2 and to any other interface inside vlan 100, if you want a port to communicate to f0/1 or f0/2 this new port would need to be configured as a promiscuous one (In case it needs to talk to both of them) or create a community private-vlan and configure the ports desired on it. (F0/1 and F0/2 can't be on the same community VLAN or they'll be able to talk to each other).
  If the intention is to prevent one specific port from talking to all the others, you can put only this interface in the private VLAN instead of both.
  wrote too much, if this answers your question let me know, or we can create a practical scenario for it.

• ?switchport protected between switches

  Hi,
  I have several 2950's and 3550's hung on trunks off a common 3550 EMI.
  Configuring switchport protected on interfaces disables L2 communications between these interfaces on the same switch.
  Can anyone tell me a sane/simple way to disable L2 between interfaces on the same VLAN on different switches?
  Thanks.

  Thanks.
  As I understand it then, all hosts connected to associated primary and secondary private vlans occupy the same ip subnet with a gateway configured on the primary vlan's svi.
  Short of replacing all switches with 3560/3750's, could I get L2 isolation by
  1. replace the 3550 at the root with a 3560 trunked to both 2950's.
  2. configure the 3560 with private primary vlan X with associated private isolated vlan Y
  3. configure all 2950 ports connected to workstations as switchport access vlan Y and switchport protected.
  4. configure the 2950 ports connected to the server as switchport access vlan X and no switchport protected.

• Private vlan edge port & STP

  Hi:
  Is it possible (and a good design to avoid layer 2 loops) to combine the stp and protected ports features on uplinks ports of an edge "non-transit switch"?
  The uplinks ports that i would like to have also as protected ports will be dot1q trunks, anyway i have read that protected ports are also supported with dot1q on 3750 switches... my doubt is, if you already have STP working on these uplink ports, may the protected-port feature help to avoid the undesirable efects of a loop or it is not designed for this purpouse?
  Regards and TIA.
  Juan

  The PVLAN edge (protected port) is a feature that has only local significance to the switch (unlike Private Vlans), and there is no isolation provided between two protected ports located on different switches. A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port in the same switch. Traffic cannot be forwarded between protected ports at L2, all traffic passing between protected ports must be forwarded through a Layer 3 (L3) device

• VLANs and VoIP on the same port

  Hello, we want to move our VoIP system on its own vlan. We currently have everything on one big broadcast domain. I have been doing some reading and have head about Voice Vlans and switchport modes. All of our computers are connected to our ip phones so they are on the same physical line. The phones are Aastra 480i and they run on a sphericall phone system. The phones can tag the phone data with 802.1p/q. If im using static port based vlans how would i configure the ports to accepts these 2 diffrent vlans?

  Hi Friends,
  I have tried many a times with Avaya Ip phones and Cisco swiches and it works fine.
  Actually what I think CDP is used for inline power negotation so if you dont have Cisco switches you have to use external power supply. Also now a days switches are coming which internal power supply which supoprt IEEE standard so if we have those switches we can use other vendors ip phones without external power supply.
  Anoher thing I will always recommend not to configure trunk especially cause tht may result in pc getting DHCP ip adress later. I have experienced many a times this situation. When you configure switchport voice vlan command on the switch it automatically forms an internal trunk which is not displayed on the switch but internally it works.
  Right now I was not able to find one cisoc doc which especially says no need for trunk if you configure switchport voice vlan command on switch.
  So just 2 commands
  switchport voice vlan
  switchport access vlan
  Works perfectly fine.
  HTH
  Ankur

• Heads Up: Private VLAN Sticky-ARP DHCP Issues

  Here is the scenario:
  Private VLANs are configured on a 6500 Sup720 with SVIs routing for the PVLANs.
  DHCP Snooping and IP ARP Inspection are also configured for the PVLAN subnets.
  A DHCP Server is offering 3 day leases.
  A laptop connects to the network and receives a 3-day lease. The user leaves the office and returns 4 days later. The DHCP server offers a new lease with a different IP address. Furthermore, the previous IP address leased to the laptop has been handed out in a new lease to another host. Both systems receive their DHCP lease but have no network connectivity.
  The problem occurs because, by default, PVLAN SVIs use Sticky-ARP and never age out their ARP cache. Since the laptop has a different IP address to MAC address mapping than recorded in the Sticky-ARP cache, a violation occurs and the switch prevents the new IP address from populating the ARP table on the switch.
  Sticky-ARP is a security feature that prevents one system from stealing another systems IP address.
  Log messages show the following:
  %IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry
  The 6500 PVLAN configuration guide Restrictions and Guidlines section suggests that Sticky-ARP is fundamental to Private-VLANs, and the only work-around for this problem is to create manual arp entries for the new IP address. This is clearly not a viable workaround for this scenario.
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm#wp1090979
  However, the 6500 Command Reference shows that Sticky ARP can be disabled, but makes no reference to PVLANs
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/i1.htm#wp1091738
  There appears to be two sensible solutions to this problem:
  1) Disable Stick-ARP on the 6500 for the PVLANs. Since DHCP Snooping and IP ARP Inspection are configured, sticky-arp can be disabled without relaxing network security. This is assuming the 6500 will accept the command and will not break the existing PVLAN functionality.
  2) Extend the DHCP lease longer, to 45 or 90 days perhaps. This will catch most transient activity and keep the IP address to MAC address relationships the same, wherever possible. The downside here is that DHCP address pools could collect stale entires that would take the lease time to flush, thus reducing the overall available IPs in the pool.
  Has anyone else run into this problem? If so, what was your solution? Did you attempt either option above? I am planning on using solution #1 above, but I wanted to ping the NetPro community with this as I am sure we are not the first customer to run into this. Or are we??
  Regards,
  Brad

  Excellent question.
  Sticky-ARP is NOT intended to be a pain-in-the-butt that should disabled right away, rather, it is a security mechanism that prevents a system from stealing an active IP address on the subnet and causing a lot of problems. Sticky-ARP works best on subnets that have all static IP addressing where there is no expectation that a host would frequently change its IP address.
  Yes, I would recommend keeping Sticky-ARP on subnets with all static IP addresses.
  In DHCP subnets with no static IP addressing, DHCP Snooping and IP ARP Inspection provide the same security coverage that Sticky-ARP does, they prevent a system from claiming an illegitimate IP and MAC address. Furthermore, in DHCP subnets, it is reasonable to expect that a host would change its IP address from time to time when its lease expires.
  Sticky-ARP does not provide any addtional securtity benefits when DHCP Snooping and IP ARP Inspection are active and it only causes problems when a lease expires.
  When Cisco made Stick-ARP the default behavior for Private VLANs, they certain did not have DHCP in mind.
  In Summary, it should be known as a Best Practice that when using Private VLANs on user segments with DHCP that DHCP Snooping and IP ARP Inspection should be enabled and Sticky-ARP be disabled.
  Brad

• Private Vlan testing

  Setting up Private/Vlans and need a relativley simple and quick method to test this installation. I am concerned with the added security this technology is providing. I want to test to make sure the traffic is indeed secured.

  DMZ servers are only supposed to process incoming requests from the Internet, and eventually initiate connections to some back-end servers located at an inside or other DMZ segment, such as a database server. At the same time, DMZ servers are not supposed to talk to each other or initiate any connections to the outside world. This clearly defines the necessary traffic flows in a simple trust model.

• Double Private VLAN

  I want to ask if my Vswitch on the VM ware has using 1st time Private VLAN and at the N5K can I use apply second time Private VLAN?
  VM Servers <--- Trunk---> N5K            
  First VM has primary vlan say 100
  First VM secondary vlan say 101,102,103
  Second VM has primary vlan say 200
  Second VM secondary vlan say 201,202,203
  So will N5K able to has following PVLAN config
  Primary VLAN 300
  Secondary VLAN say 100,200

  Vlad,
  From networks connected behind router1 need to reach networks connected behind router2
  ------[router1]--------------gig1/4[vdmz]gig2/16----------------[router2]-------
  gig1/4 is community vlan 121
  gig2/16 is in community vlan 119
  Primary vlan is Vlan116
  VDMZ is our 6503 configured with private vlans.
  some more of the config is this (and I do have a 6503 with an mscf daughter card):
  interface Vlan116
  description vendor-dmz public/private primary vlan
  ip address 10.248.15.2 255.255.255.128 secondary
  ip address 211.121.108.66 255.255.255.192
  ip access-group 140 in (this one has a permit any any at the end)
  no ip redirects
  no ip unreachables
  private-vlan mapping 117-122
  ip route 10.82.35.0 255.255.255.0 211.121.108.96
  (where 211.121.108.96 is address of router1)
  I have a bgp peering with 211.121.108.90 which is router2.
  in router1 they can see the routes advertised via bgp and also in router2 they
  can see the route for 10.82.35.0 that I advertise to them via bgp.
  I really appreciate your help,
  Alban

• Is there a way to place an encrypted document on the iPhone, a document that contains passwords and private information, really well protected from hackers?

  Is there a way to place an encrypted document on the iPhone, a document that contains passwords and private information, really well protected from hackers?
  Can such a document be exempted from the cloud feature, a feature that I use for the rest of my stuff?
  If so, how can I do this?

  Yeah, but 1Password charges for both the iPhone client AND the Mac/Windows client, and it ain't cheap! Plus, it only syncs via Dropbox, and where I work Dropbox is banned due to security concerns.
  Sure, there is Secure Notes, a free form entry part of 1Password, but a bug in the program will not let you view all the text you can put in the field!! You have to EDIT the text to see the whole list! What if you accidentally delete or change an entry while scrolling through your entries??
  Plus NONE of the programs I have tried, and I have tried a lot, can find text IN the file - do a search and it will tell you what file/folder the text is in, but YOU have to scroll down through 400 entries one at a time looking for the entry.
  I use a program called Secure Text - I have many admin passwords, and DO not need a field based program. Secure Text is totally freeform entry. However, it suffers from the same search issue.
  If someone knows of a secure text program that uses a file/folder type of layout, free form entry, AND can actually tell you where in the file/folder the text you searched for is, PLEASE let me know! Plus sycing via some method other than Dropbox would be a plus.
  Before I got my iPhone, I used a program called Tombo for my WinCE based system AND my Windows workstation, and the synced up fine without iTunes, internet, DropBox type functionality or any of that horsecoller stuff Apple likes to throw on your neck.

• Hi all, need advice on OSPF and private vlans

  Hi all.
  I have a project to complete and need some help on the possible solution I can use.
  Basically we have ospf area 0 and the users in question are in ospf area 7 and is a stub.
  I need to route the traffic from these users out through area 0 through 3 core devices, onto an external firewall interface to be placed onto the vpn that sits on it. The firewall is not included in the ospf domain.
  My thinking was that the firewall has a default route back into the ospf domain so dont need to worry about traffic coming in, however my job is to segregate these users and take them out of our core network and place them onto an external network via this vpn.
  Not sure how to achieve this apart from static routing redistributed but surely this does not seperate their traffic only points the route to ospf?!
  I was thinking I might have to use private vlans or policy routing but when I try policy routing the policy gets ignored due to normal forwarding.
  Any help and advice would be greatly appreciated.
  Cheers
  Steve

  Steve
  Thanks, that helps.
  GRE is defintely out because apart from the 6500 GRE tunneling is not supported on the Cisco switches.
  It's good that area 7 is only for these users and not mixed up with other users.
  So if i understand correcty the 4500 interface connecting to the 6500 is in area 0 and the interface connecting to the 3550 is in area.
  Or is the 3550 connected to both areas and the 4500 totally in area 0 ?
  Can you confirm the above ?
  In terms of keeping them separate there are 2 possible choices. You can either -
  1) use VRF-LIte, although i'm not sure whether the HP switch would support this. With VRF-Lite you are in effect creating virtual devices on the same physical device. This means each virtual device has it's own routing and forwarding table so it is quite secure because you would only populate the routing table with the routes needed so there would be no way for users to jump to thes rest of your networks.
  The downside is that is can become quite complex to configure. If the 4500 is only used to connect are 7 to area 0 then that would not be a problem but the connection from the 6500 to the HP could and i don't even know whether the HP supports VRF-Lite functionality let alone how to configure it on that switch.
  But it would, at least from the 4500 to 6500 to HP provide complete separation in terms of routing and forwarding. Once it got to the HP it wouldn't but that might not be an issue.
  2) Use PBR (possibly together with acls). This is easier to configure ie. you configure PBR on the 4500 and the 6500 to get the traffic to the HP switch. But you do not get the actual separation you get with VRF-Lite ie. the traffic simply overrides the existing routing tables.
  The other thing to bear in mind with PBR is that you also have to configure the return traffic as well so each device would need multiple PBR configs.
  Again i don't know whether the HP supports PBR but it may not be an issue depending on what the routing is on the HP.
  You could also use a combination of the above ie VRF-Lite between the Cisco switches and then PBR for the last hop to the HP device.
  I should say i don't have a huge amount of experience with VRF-Lite but that should not necessarily stop you using it if it is what you need. There are lots of other people on here so i'm sure there will be other people who can help if i can't.
  It still depends on how much separation is required. VRF-Lite is definitely seen as a way to separate traffic running across a shared infrastructure, PBR is not really seen in the same way.  So it may well be worth going back to find out exactly what "segregating" user traffic means.
  I don't want to confuse the issue but it's still not entirely clear what the actual requirement is.
  Jon