MicroNugget: Private VLANs

Captions
One of the really cool ways of controlling, at the switch, which ports can talk to other ports is using a technique called private VLANs. I'd like you to imagine a beautiful island: beautiful trees, beautiful sand, beautiful ocean, and there are several people who want to go to this island for a vacation. The first people are very individual, meaning they don't like to socialize with others, and so when they go to the beach they go to the dock and then they go to a special part of the beach that's isolated, meaning that person one will never see person two, person two will never see person three, and that's because each one of them is going to go to their own special little space in the isolated area of the island. Now another group of people may be friends; maybe this group of people want to go to the island, but they want to be able to see and visit and hang out with each other while they're on the island, so they're kind of like a group of individuals. So in order to accomplish that, they would arrive at the dock at the island and then they would be placed in what's called a community area for that group. So maybe these are people four, five and six, and so we have person four, person five, person six, and they can all communicate with each other and see each other while on the island. On the other hand, the individuals who chose the isolated option can see no one else: they can't see person four, person five, person six, nor can they see person two or person three, because they're in this special isolated portion. However, there is something in common between all of these individuals: they all have access to the port, and because they want to leave the island that's pretty important, to have access to the port that allows them off the island to go back where they came from.

Well, in the world of switching in a Cisco environment we have an option called private VLANs that allows us to control what traffic is allowed to be seen between two different ports on a switch. With private VLANs we're going to have a primary VLAN, and that is very much like the island. This primary VLAN is going to have an IP subnet associated with it, such as 10.40.50.0/24, and all the devices that'll be participating as parts or subsets of this private VLAN are all going to agree on what that subnet range is; they're all going to have host addresses on that subnet. Now there is a reason they call it private VLANs, and that's because we have multiple VLANs working together. The primary VLAN in this example is 100, and we also have secondary VLANs, and the secondary VLANs are like subsets or subdomains of the primary VLAN. In this example we have VLANs 200, 300, 400 and 500, and those are all secondary VLANs. Now not all secondary VLANs are created equal. There are two types of secondary VLANs: one is isolated and one is a community VLAN. In an isolated VLAN, and you're going to have at most one isolated VLAN, any ports that are participating in that isolated VLAN, in this case VLAN 200, will not be able to communicate with any other ports in the private VLAN, with the exception of a promiscuous port, which we'll talk about here in just a moment. So going back to our analogy, person 1 will not be able to talk to person 2, 3, 4, 5 or 6 because they are in the isolated VLAN; they're effectively blocked off from communicating with all the other devices on that switch. Now on the other hand we have this group of people who want to be able to communicate with each other, and that's why we put them into a special secondary VLAN that was set up as a community VLAN. In a community VLAN, all the ports that are associated with that VLAN, in this example it's VLAN 400, can communicate with each other as well as with the dock. However, devices connected to ports in a community VLAN cannot communicate with devices outside of their community; for example, they can't communicate with port 1 or port 2 or port 3, because those are not part of the same community.

Now the exception to the rule is there is a special port called the promiscuous port in the primary VLAN that all devices can connect to, and they need to be able to communicate with that port because that's very likely where the default gateway is going to be for that subnet. And that brings us down to port types. An isolated port is a port that's allocated as part of an isolated secondary VLAN. A community port is a port that's been associated with a community secondary VLAN. And a promiscuous port, which is always going to be in the primary VLAN, is a port that will be willing to talk to any other port inside of the private VLAN configuration; it's promiscuous, meaning "hey, I'll talk to anybody." At the end of the day, the purpose of this is to restrict which ports in the same IP subnet are allowed to communicate with each other by our implementation of private VLANs, and what I would like to do is take just a couple moments and show you how to implement this on a Cisco switch.

To support private VLANs we have to basically turn off the features of VTP, and we're going to do that by going into configuration mode and simply saying that we want VTP to operate in transparent mode, not as a client, not as a server, and this is the first prerequisite, if you will, for supporting private VLANs. Now on this switch it was already set to transparent mode, but we want to validate what mode we're in, so we can do a show vtp status just to confirm that it's in transparent mode. Next, let's create a couple of brand-new VLANs, and we're going to specify in VLAN configuration mode that they are community VLANs, so we'll say private-vlan community in each of the VLAN configuration modes, so VLAN 400 and 300 are going to be secondary VLANs in our private VLAN configuration. We can create as many secondary community VLANs as we need to; however, when it comes to the secondary VLAN of type isolated, we really only need one, because any ports that get associated with that isolated VLAN are going to have the ability to go effectively nowhere. So if we have 200 customers and they all should go nowhere except for the promiscuous port, we can put all of those users into the same isolated VLAN and they'll all be isolated from each other. So we've created our secondary VLANs, type community and type isolated. We also need to create the primary VLAN, which we're going to use VLAN 100 for, and we'll simply tell it that it's a primary VLAN by using the command private-vlan primary. The next challenge that we're going to address is letting the primary VLAN know all of the secondary VLANs that are associated with it, so in VLAN configuration mode for the primary VLAN, VLAN 100, we're going to use the command private-vlan association and then the list of all the secondary VLANs. So here I've specified that VLANs 200, 300, 400, 500 are all going to be secondary VLANs: VLANs 300 and 400 are going to be community VLANs, VLAN 200 is an isolated VLAN, and VLAN 500 had previously been configured as another community VLAN.

Next we're going to go into interface configuration mode and tell the individual ports which VLANs they're going to participate in, and let's start off with the promiscuous port that's in the primary VLAN. We're going to use interface gig 0/11, and we're going to say switchport mode private-vlan promiscuous, and the keyword promiscuous tells the switch that this port should be willing to communicate with any port in any secondary VLAN. We're also going to give this port specific instructions regarding what the primary VLAN number is and what the secondary VLANs are, and we're going to do that with the command switchport private-vlan mapping, and then the primary VLAN number first, a space, and then a list of the secondary VLANs. So that takes care of our promiscuous port in the primary VLAN. Then let's go ahead and add a couple of ports, let's say gig 0/12 and 13, to the isolated VLAN. To do that we're going to do switchport mode private-vlan host, and that's half the battle: now they know they're going to be host ports. And the second part is we're going to tell these individual ports the number of the primary VLAN, that's the first number we're listing, followed by the secondary VLAN that we want them to participate in. So the 100 right here specifies the primary VLAN and 200 specifies the VLAN that these ports are going to be associated with, and because VLAN 200 is an isolated VLAN, these two ports will not have any access to any other ports in the isolated VLAN, nor will they have access to any other ports in any other community VLANs. However, they will have access to the promiscuous port, gig 0/11, so they can communicate with whatever is on that port; hopefully it's a default gateway for them to use to get off of that local subnet. And we'd use that similar treatment to add ports into a community VLAN: same exact syntax, except we're going to specify a community VLAN like VLAN 300 instead of the isolated VLAN such as 200. So for ports 14 and 15 we use the command switchport mode private-vlan host, and then we'll specify private-vlan host-association, the primary VLAN, space, and then the secondary VLAN that we want these ports to participate in, so 300 here is our secondary VLAN, the community VLAN. So if there's two devices connected to ports 14 and 15, they would be able to communicate with each other on that same subnet, the switch would allow it, and they would also be able to communicate with whatever's hanging off of gig 0/11, that's where the promiscuous port is. We'd also want to make sure that those interfaces are up, they're not shut down, if we want them to work, so we'll go ahead and bring them out of a shutdown state. And then of course we want to verify our work, and one way we could do that is with show vlan private-vlan, and that should show us our private VLAN configuration with all the ports that are associated with those VLANs. I had a great time and I'm glad you joined me for this MicroNugget. I hope this has been informative for you, and I'd like to thank you for viewing.
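The full switch configuration walked through above, written out as an added example (not taken from the video or from CBT Nuggets). It uses the transcript's VLAN numbers, interface numbers and subnet, and assumes VLAN 500 is defined as a community VLAN here so that the association list is complete.

```cisco
! Prerequisite from the walkthrough: VTP must be transparent, not client or server
configure terminal
vtp mode transparent
do show vtp status

! Secondary community VLANs (as many as needed); 500 is assumed here
vlan 300
 private-vlan community
vlan 400
 private-vlan community
vlan 500
 private-vlan community
! The single isolated secondary VLAN
vlan 200
 private-vlan isolated

! Primary VLAN 100 (the "island", subnet 10.40.50.0/24) and its secondaries
vlan 100
 private-vlan primary
 private-vlan association 200,300,400,500

! Promiscuous port (the "dock"): typically where the default gateway sits;
! the mapping lists the primary first, then every secondary it may talk to
interface GigabitEthernet0/11
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 200,300,400,500
 no shutdown

! Isolated host ports: reach Gi0/11 only, never each other
interface range GigabitEthernet0/12 - 13
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
 no shutdown

! Community host ports in VLAN 300: reach each other and Gi0/11
interface range GigabitEthernet0/14 - 15
 switchport mode private-vlan host
 switchport private-vlan host-association 100 300
 no shutdown
end

! Verify which ports landed in which primary/secondary pair
show vlan private-vlan
```

With this in place, hosts on Gi0/12 and Gi0/13 hold addresses in the same 10.40.50.0/24 subnet yet cannot reach one another; the switch enforces the separation, so the hosts' own configuration cannot undo it.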
Info
Channel: CBT Nuggets
Views: 45,332
Rating: 4.9286776 out of 5
Id: xl3_zgaZuH8
Length: 9min 43sec (583 seconds)
Published: Tue Jun 17 2014