Private VLAN or other options?

Hello all,
I have a client whose network uses a SonicWall as their firewall. In order for a client to get out to the Internet you must install the McAfee Anti-Virus software. I can make exceptions to this rule in the SonicWall web interface by IP address.
Well, I now have a situation where I want to put a wireless access point on one of the Cisco 3550 switches and basically create a separate network off of that access point. Then I would give the access point's interface connecting to the 3550 a static IP address and therefore exclude all traffic coming from that IP address from having to download the McAfee AV software.
I also do not want any of the clients connecting to the WAP to be able to communicate with the internal network. The ideal situation is the clients would connect to the access point, then the access point would only be able to communicate with the default gateway of the network. The access point will be providing DHCP addresses that are separate from the internal network, and the clients then receive a NAT address that is on the same subnet as the internal network.
The WAP is a SonicWall TZ170. I am going to configure its WAN port to be 172.31.1.15 and connect this port to the 3550. The TZ170 will then give out DHCP addresses of 192.168.10.X to all clients connecting to it. The default gateway of the internal network is 172.31.1.253.
Any advice on how to do this would be greatly appreciated. Thank you.

If the AP is going to perform NAT for its clients, then all you would need is a few VACLs to keep the WAP clients from talking to anything but the Internet.
To keep WAP clients from communicating with the rest of the network, you should use VACLs/ACLs at the switch/router level to allow or restrict subnets from talking to one another. This way you can tell the WAP clients all they can do is go to the Internet, not internal network devices.
The default gateway for your WAP devices will not be the 172.31.1.253 address. Instead it will be the 192.168.10.x address assigned to the routing interface that is able to communicate with the rest of the VLANs (or at least the Internet subnet/VLAN).
The default GW for the WAP device can be the INSIDE interface if it is connected to the same subnet as the inside interface (otherwise it will be the router interface for the subnet/VLAN that it resides on).
Some info on 3550 VLAN & routing is at the link below:
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_book09186a00801f0a3a.html
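As an added example (not from the original post or the reply above), this is how the VACL suggestion could be expressed on the 3550 using the original poster's addressing. It assumes the TZ170 WAN port (172.31.1.15) and the internal hosts share VLAN 10 and that the Internet gateway is the SonicWall at 172.31.1.253; the ACL and map names are made up for the example.

```cisco
! Added example, not from the original thread: a Catalyst 3550 VLAN access map
! implementing the reply's VACL suggestion for the original poster's addressing.
! Assumptions: the TZ170 WAN port (172.31.1.15) and the internal hosts share
! VLAN 10, and the Internet gateway is the SonicWall at 172.31.1.253.
! ACL and map names are made up for this example.
!
! Traffic the WAP WAN port is allowed to exchange with the internal subnet:
! only the Internet gateway. If the TZ170 forwards DNS to an internal server,
! add a permit pair for that host here as well.
ip access-list extended WAP-TO-GATEWAY
 permit ip host 172.31.1.15 host 172.31.1.253
 permit ip host 172.31.1.253 host 172.31.1.15
!
! Everything else between the WAP WAN port and the internal subnet.
ip access-list extended WAP-TO-INTERNAL
 permit ip host 172.31.1.15 172.31.1.0 0.0.0.255
 permit ip 172.31.1.0 0.0.0.255 host 172.31.1.15
!
! Clauses are evaluated in sequence order; a packet that matches no clause is
! dropped, so the last clause must forward the rest of the VLAN's traffic.
vlan access-map WAP-FILTER 10
 match ip address WAP-TO-GATEWAY
 action forward
vlan access-map WAP-FILTER 20
 match ip address WAP-TO-INTERNAL
 action drop
vlan access-map WAP-FILTER 30
 action forward
!
! Apply the map to the VLAN carrying both the WAP WAN port and the internal hosts.
vlan filter WAP-FILTER vlan-list 10
!
! Verification: "show vlan access-map WAP-FILTER" and "show vlan filter".
```

Clause order is what makes this work: the gateway pair is forwarded first, the remaining WAP-to-internal traffic is dropped second, and the catch-all forward keeps the rest of VLAN 10 working. Because the map only matches IP, ARP between the TZ170 and the gateway still reaches the final clause and is forwarded, which the WAP needs in order to resolve 172.31.1.253.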

Similar Messages

  • Private VLAN support on Cisco SF220

    Hi!
    is there a plan to add support of Private VLANs on SF220?

    Hi,
    We currently do not have plans to support Private VLANs.

  • Heads Up: Private VLAN Sticky-ARP DHCP Issues

    Here is the scenario:
    Private VLANs are configured on a 6500 Sup720 with SVIs routing for the PVLANs.
    DHCP Snooping and IP ARP Inspection are also configured for the PVLAN subnets.
    A DHCP Server is offering 3 day leases.
    A laptop connects to the network and receives a 3-day lease. The user leaves the office and returns 4 days later. The DHCP server offers a new lease with a different IP address. Furthermore, the previous IP address leased to the laptop has been handed out in a new lease to another host. Both systems receive their DHCP lease but have no network connectivity.
    The problem occurs because, by default, PVLAN SVIs use Sticky-ARP and never age out their ARP cache. Since the laptop has a different IP address to MAC address mapping than recorded in the Sticky-ARP cache, a violation occurs and the switch prevents the new IP address from populating the ARP table on the switch.
Sticky-ARP is a security feature that prevents one system from stealing another system's IP address.
    Log messages show the following:
    %IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry
The 6500 PVLAN configuration guide Restrictions and Guidelines section suggests that Sticky-ARP is fundamental to Private-VLANs, and the only work-around for this problem is to create manual ARP entries for the new IP address. This is clearly not a viable workaround for this scenario.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm#wp1090979
    However, the 6500 Command Reference shows that Sticky ARP can be disabled, but makes no reference to PVLANs
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/i1.htm#wp1091738
    There appears to be two sensible solutions to this problem:
1) Disable Sticky-ARP on the 6500 for the PVLANs. Since DHCP Snooping and IP ARP Inspection are configured, Sticky-ARP can be disabled without relaxing network security. This is assuming the 6500 will accept the command and will not break the existing PVLAN functionality.
2) Extend the DHCP lease longer, to 45 or 90 days perhaps. This will catch most transient activity and keep the IP address to MAC address relationships the same, wherever possible. The downside here is that DHCP address pools could collect stale entries that would take the lease time to flush, thus reducing the overall available IPs in the pool.
    Has anyone else run into this problem? If so, what was your solution? Did you attempt either option above? I am planning on using solution #1 above, but I wanted to ping the NetPro community with this as I am sure we are not the first customer to run into this. Or are we??
    Regards,
    Brad

    Excellent question.
Sticky-ARP is NOT intended to be a pain-in-the-butt that should be disabled right away; rather, it is a security mechanism that prevents a system from stealing an active IP address on the subnet and causing a lot of problems. Sticky-ARP works best on subnets that have all static IP addressing where there is no expectation that a host would frequently change its IP address.
Yes, I would recommend keeping Sticky-ARP on subnets with all static IP addresses.
In DHCP subnets with no static IP addressing, DHCP Snooping and IP ARP Inspection provide the same security coverage that Sticky-ARP does: they prevent a system from claiming an illegitimate IP and MAC address. Furthermore, in DHCP subnets, it is reasonable to expect that a host would change its IP address from time to time when its lease expires.
Sticky-ARP does not provide any additional security benefits when DHCP Snooping and IP ARP Inspection are active, and it only causes problems when a lease expires.
When Cisco made Sticky-ARP the default behavior for Private VLANs, they certainly did not have DHCP in mind.
In summary, it should be known as a Best Practice that when using Private VLANs on user segments with DHCP, DHCP Snooping and IP ARP Inspection should be enabled and Sticky-ARP be disabled.
    Brad
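Solution #1 from the thread, written out as configuration. This is an added example and not part of Brad's posts; the VLAN numbers (primary 100, isolated 101), the 10.10.0.0/24 user subnet and the GigabitEthernet1/1 uplink toward the DHCP server are assumed. Whether a 6500 accepts "no ip sticky-arp" on a PVLAN SVI is exactly the open question in the thread; the lines below assume it does.

```cisco
! Added example, not part of the thread: solution #1 expressed as
! configuration on a 6500 Sup720. Assumed values: primary VLAN 100 with
! isolated secondary VLAN 101, user subnet 10.10.0.0/24, DHCP server reached
! through GigabitEthernet1/1. Whether the platform accepts "no ip sticky-arp"
! on a PVLAN SVI is the open question in the thread; this assumes it does.
!
! Private VLAN definitions.
vlan 101
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 101
!
! DHCP Snooping and Dynamic ARP Inspection take over the IP-to-MAC protection
! that Sticky-ARP was providing. Both are configured on the primary VLAN; the
! 6500 applies the setting to the associated secondary VLANs as well.
ip dhcp snooping
ip dhcp snooping vlan 100
ip arp inspection vlan 100
!
! The only port allowed to source DHCP server replies and unchecked ARP is the
! uplink toward the DHCP server; every host port stays untrusted (the default).
interface GigabitEthernet1/1
 description uplink toward DHCP server
 switchport
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Routed interface for the PVLAN pair. With Sticky-ARP disabled, a host that
! returns with a new lease replaces its old ARP entry instead of triggering
! %IP-3-STCKYARPOVR and losing connectivity.
interface Vlan100
 description PVLAN user segment (DHCP)
 ip address 10.10.0.1 255.255.255.0
 private-vlan mapping 101
 no ip sticky-arp
!
! Verification: "show ip dhcp snooping binding" lists the learned leases and
! "show ip arp inspection vlan 100" confirms DAI is active on the segment.
```

The trust boundary is the part worth checking after the change: only the uplink that actually carries DHCP server replies should be trusted, because a trusted host port would let that host answer DHCP and inject ARP without DAI validation, which is the same class of problem Sticky-ARP was guarding against.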

  • Private vlans and 2960 and 3560 switch

Hi, I have a 3560 switch that supports private VLANs. There are a few computers connected to it and private VLANs work fine. Now I need to connect a 2960 switch to the 3560 switch. The 2960 seems to have no private VLAN configuration options, but it can be private VLAN edge? What is private VLAN edge? If I put the computers on the 2960 into a VLAN that is an isolated VLAN on the 3560, will the computers be able to communicate with each other at layer 2 on the 2960 switch?

Example: I have network 10.0.0.0/24. The network's primary VLAN is 2001, isolated is 2002 and community is 2003. These settings are on the 3560. So if I put computers on the 2960 switch into VLAN 2002 and make the ports protected ports, they will act as isolated ports and they can't communicate with ports that are on isolated VLAN 2002 on the 3560???
Can I also use the community VLAN on the 2960? Is this possible, because VLANs 2002 and 2003 would be on the same network???

  • SUP WS-X45-SUP6-E & private-vlan community

    All,
I tried to upgrade a Cisco 6500 from Sup-2 to Sup-6 running IOS cat4500e-entservicesk9-mz.122-40.SG.bin.
After the upgrade everything came back up normal, no problem with hardware.
Except with private VLAN community.
After this upgrade I can not configure "private VLAN community" on this switch.
    AUNN00RS_XXXXX(config-vlan)#private-vlan community
    % Invalid input detected at '^' marker.
AUNN00RS_MGMT1(config-vlan)#private-vlan ?
      association  Configure association between private VLANs
      isolated     Configure the VLAN as an isolated private VLAN
      primary      Configure the VLAN as a primary private VLAN
    It works absolutely fine with Sup-2 running same IOS.
    AUAN00RS_XXX(config-vlan)#private-vlan ?
      association  Configure association between private VLANs
      community    Configure the VLAN as a community private VLAN
      isolated     Configure the VLAN as an isolated private VLAN
      primary      Configure the VLAN as a primary private VLAN
    Regards
    Sachin

    I just checked the command reference:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/40sg/command/reference/cmdref.html
    And it should be there....I couldn't find any related bugs.
    Do you have the option of upgrading the IOS? The latest is 12.2(53) SG3
    Regards,
    Ian

  • Hi all, need advice on OSPF and private vlans

    Hi all.
    I have a project to complete and need some help on the possible solution I can use.
Basically we have OSPF area 0, and the users in question are in OSPF area 7, which is a stub.
I need to route the traffic from these users out through area 0 through 3 core devices, onto an external firewall interface to be placed onto the VPN that sits on it. The firewall is not included in the OSPF domain.
My thinking was that the firewall has a default route back into the OSPF domain so I don't need to worry about traffic coming in; however, my job is to segregate these users and take them out of our core network and place them onto an external network via this VPN.
Not sure how to achieve this apart from static routing redistributed, but surely this does not separate their traffic, only points the route to OSPF?!
    I was thinking I might have to use private vlans or policy routing but when I try policy routing the policy gets ignored due to normal forwarding.
    Any help and advice would be greatly appreciated.
    Cheers
    Steve

    Steve
    Thanks, that helps.
GRE is definitely out because, apart from the 6500, GRE tunneling is not supported on the Cisco switches.
It's good that area 7 is only for these users and not mixed up with other users.
So if I understand correctly, the 4500 interface connecting to the 6500 is in area 0 and the interface connecting to the 3550 is in area.
Or is the 3550 connected to both areas and the 4500 totally in area 0?
Can you confirm the above?
In terms of keeping them separate there are 2 possible choices. You can either -
1) use VRF-Lite, although I'm not sure whether the HP switch would support this. With VRF-Lite you are in effect creating virtual devices on the same physical device. This means each virtual device has its own routing and forwarding table, so it is quite secure because you would only populate the routing table with the routes needed, so there would be no way for users to jump to the rest of your networks.
The downside is that it can become quite complex to configure. If the 4500 is only used to connect area 7 to area 0 then that would not be a problem, but the connection from the 6500 to the HP could be, and I don't even know whether the HP supports VRF-Lite functionality, let alone how to configure it on that switch.
    But it would, at least from the 4500 to 6500 to HP provide complete separation in terms of routing and forwarding. Once it got to the HP it wouldn't but that might not be an issue.
    2) Use PBR (possibly together with acls). This is easier to configure ie. you configure PBR on the 4500 and the 6500 to get the traffic to the HP switch. But you do not get the actual separation you get with VRF-Lite ie. the traffic simply overrides the existing routing tables.
    The other thing to bear in mind with PBR is that you also have to configure the return traffic as well so each device would need multiple PBR configs.
    Again i don't know whether the HP supports PBR but it may not be an issue depending on what the routing is on the HP.
    You could also use a combination of the above ie VRF-Lite between the Cisco switches and then PBR for the last hop to the HP device.
    I should say i don't have a huge amount of experience with VRF-Lite but that should not necessarily stop you using it if it is what you need. There are lots of other people on here so i'm sure there will be other people who can help if i can't.
    It still depends on how much separation is required. VRF-Lite is definitely seen as a way to separate traffic running across a shared infrastructure, PBR is not really seen in the same way.  So it may well be worth going back to find out exactly what "segregating" user traffic means.
    I don't want to confuse the issue but it's still not entirely clear what the actual requirement is.
    Jon

  • How to setup Private VLAN in Small business switch SF200-24

    Dear All,
According to release notes 1.4, private VLAN is supported. I've upgraded my SF200-24 with firmware 1.4.0.88 and boot 1.3.5.06. The system information shows firmware version 1.4.0.88 and boot version 1.3.5.06 after reboot. I can't find the private VLAN setup command in the GUI. Please help me to set up private VLAN. Thanks.

    Hi,
    Unfortunately PVLAN is not supported on 200 series. However you might be able to overcome this using general port concept.
    for example:
    isolated port - general 10P (PVID), 30U, drop tagged traffic
    community - 20UP, 30U, drop tagged traffic
    promiscuous - 30UP, 10U, 20U
    Note: primary vlan 30
    does it address your requirements?
    Aleksandra

  • Why is my 'start private browser' under "Tools" option grayed out?

    When I click on 'Tools' from the browser screen, the 'Start Private Browser' option is grayed out.

    Are you sure that it isn't a grayed "Stop Private Browsing" ?
    See also:
    * [[Private Browsing]]

  • Private VLan in 3550

We are going to purchase Cisco 3550 switches for our DMZ setup. We would like to utilise the Private VLAN (PVLAN) feature in order to protect our individual servers from any attack or any compromised servers. Can anybody highlight some more on this, how best to configure PVLANs on Cisco 3550 switches, and are there any issues with Checkpoint Firewall?
    where I will get step by step commands. I searched on cisco site but lost myself for finding the step by step documentation.
    I find one documentation which was very good but it is for cisco 6500 series switches. please see the link for that http://www.cisco.com/warp/customer/473/90.shtml
    Thanks in advance

Here is a link that I hope helps you with your configuration. See the Configuring Protected Ports portion for the PVLAN feature.
    http://www.cisco.com/en/US/partner/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007e838.html
    I don't know any issues with specific vendor equipment (e.g. Checkpoint FW, etc).
    Hope this helps you,
    Don

  • Nexus 1000V private-vlan issue

    Hello
I need to transmit both the private VLANs (as a promiscuous trunk) and regular VLANs on the trunk port between the Nexus 1000V and the physical switch. Do you know how to properly configure the uplink port to accomplish that?
    Thank you in advance
    Lucas

The control VLAN is a totally separate VLAN from your System Console. The VLAN just needs to be available to the ESX host through the upstream physical switch, and then make sure the VLAN is passed on the uplink port-profile that you assign the ESX host to.
    We only need an interface on the ESX host if you decide to use L3 control. In that instance you would create or use an existing VMK interface on the ESX host.

  • Private VLAN

    Hi,
    I am creating Private VLAN on my 7606 Router on SVI interface.
    7606#sh vlan private-vlan
    Primary Secondary Type              Ports
    200     201       isolated          Fa4/13
    7606#sh run int f4/13
    Building configuration...
    Current configuration : 222 bytes
    interface FastEthernet4/13
     switchport private-vlan host-association 200 201
     switchport mode private-vlan host
     no ip address
     no cdp enable
    end
When I connect a PC to Fa4/13 it remains "FastEthernet4/13 is down, line protocol is down (notconnect)". The SVI interface is also down.
    STP-7606#sh int vlan 200
    Vlan200 is down, line protocol is down
      Hardware is EtherSVI, address is 0023.0419.1f40 (bia 0023.0419.1f40)
    Any idea?

    Hello
    here is the good link to understand the PVLAN
    http://www.cisco.com/warp/public/473/90.shtml
    regards
    Dhaval Tandel

  • Private VLAN support on actual HW

    Hi all,
    I'm currently thinking about a private VLAN based solution for a special demand.
    Now for my initial investigation I need to have something like a PVLAN HW support matrix.
    Meaning I'd like to know which switches in the Cisco portfolio support PVLANs.
    Additionally, I'm wondering because most of the PVLAN documentation is relatively old.
    How about PVLAN support? Is PVLAN on access switches still (and in future) featured by Cisco?
    thanks for your comments
    Dieter

    Hi Dieter,
You could see this detail using the Cisco Feature Navigator tool which is available on the Cisco web site.
    1. Go to below site
    http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
2. Select the Feature button and type the feature which you would like to verify. If you press the continue button, you can see the supported code as well as platforms.
    If you would like to know about any specific product support detail, please inform me, i can share information whether it supports or not.
    Inform me if you need more detail.
    Regards,
    Aru

  • Multi-VRF CE with Private VLANs

    Does anyone know if you can implement a VRF instance on a private vlan? I would assume so, and will lab it out as time permits, but was curious if anyone had tried it/knows one way or the other.

    Since both the platforms support VRF lite and MPLS VPN, you can use Frame-Relay as the encapsulation for sub interfaces with local DLCI switching.
    As the VRF configuration is not media dependent.
    HTH-Cheers,
    Swaroop
Router 1
interface Serial0/0
no ip address
encapsulation frame-relay
no keepalive
!--- This command disables LMI processing.
interface Serial0/0.1 point-to-point
!--- A point-to-point subinterface has been created.
ip vrf forwarding xxx
!--- "ip vrf forwarding" must be entered before the IP address: applying it
!--- to an interface removes any IP address already configured on it.
ip address 172.16.120.105 255.255.255.0
frame-relay interface-dlci 101
!--- DLCI 101 has been assigned to this interface
Router 2
interface Serial0/0
no ip address
encapsulation frame-relay
no keepalive
!--- This command disables LMI processing.
interface Serial0/0.1 point-to-point
!--- A point-to-point subinterface has been created.
ip vrf forwarding xxx
!--- VRF membership first, then the address (same ordering as Router 1).
ip address 172.16.120.120 255.255.255.0
frame-relay interface-dlci 101
!--- DLCI 101 has been assigned to this interface

  • Private Vlan and Switchport Protected

    Dear All,
    My core switch is 4500 which support Private Vlan. However, I have several closet switch (2950) which only support Switchport Protected. 4500 and each 2950 are connected with trunk using fiber.
    How can I config PC at 2950_Switch1 cannot communicate to PC at 2950_Switch2 (all fastethernet port on both 2950 are at the same vlan and same subnet)?
    Thanks.
    C.K.

    Hi C.k.,
I believe you can use the switchport protected feature along with the port blocking feature to accomplish this. First have your switch ports configured as protected ports on which you don't want the traffic to flow, and then configure those ports to deny unknown unicast and multicast using the "port-blocking feature".
    Try that and let us know.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950scg/swtrafc.htm#wp1174968
    HTH,
    -amit singh
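The configuration the reply describes, as an added example that is not part of the thread; it also illustrates the "private VLAN edge" question asked earlier about the 2960 and 3560, since private VLAN edge is Cisco's name for the same protected-port feature. It assumes hosts in VLAN 10 on Fa0/1-24 and GigabitEthernet0/1 as the fibre trunk to the 4500. One caveat a practitioner should keep in mind: protected-port isolation is local to a single switch, so frames from a protected port on 2950_Switch1 to a host on 2950_Switch2 cross the trunk and the 4500, where neither 2950's protected setting applies; the cross-switch part of the requirement has to be enforced at the 4500 (its private VLAN, or an ACL).

```cisco
! Added example, not from the thread: a Catalyst 2950 closet switch configured
! as the reply suggests, with host ports protected and unknown unicast and
! multicast flooding blocked on them. Assumed: hosts in VLAN 10 on Fa0/1-24,
! GigabitEthernet0/1 is the fibre trunk to the 4500 core.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ! Protected ports do not forward to other protected ports on this switch
 ! (unicast, broadcast or multicast); they still forward to the trunk.
 switchport protected
 ! Stop unknown-destination unicast and multicast from being flooded out of
 ! these ports, so a host does not see a neighbour's traffic while the MAC
 ! table has not learned the destination yet.
 switchport block unicast
 switchport block multicast
!
interface GigabitEthernet0/1
 description fibre trunk to 4500 core
 switchport mode trunk
!
! Verification: "show interfaces FastEthernet0/1 switchport" reports
! "Protected: true", "Unknown unicast blocked: enabled" and
! "Unknown multicast blocked: enabled".
```

Port blocking changes flooding behaviour only; it does not stop a host from reaching a destination the switch has already learned on a different, non-protected port, which is why the protected setting and the blocking are used together rather than one in place of the other.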

  • Switches 2950 with private-vlan

    Hi experts!
Do you know if 2950 switches support private VLAN? I upgraded the IOS and tried to configure PVLAN, but this switch model doesn't have the interface mode command "switchport private-vlan".
    best regards,
    Rodrigo A.

See the below matrix:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml
HTH
