Private VLANs

Private VLANs are used to restrict communication between systems.
For example, PC2 may not communicate with PC0, PC1 and PC3, but may communicate with the server, as in VLAN 502.
It can also be permitted for PC0 to communicate with PC1 and the server, but not with PC3 and PC4.

Several port types are used for this:

Promiscuous mode: every host may communicate with this port
Isolated: the client may only communicate with the promiscuous port
Community: the client may communicate with all clients in the same community VLAN and with the promiscuous port

PC0 may reach -> PC1 and the server
PC1 may reach -> PC0 and the server
PC2 may reach -> only the server
PC3 may reach -> only the server

Server -> may reach all of them

The switch configuration

Switch A

vtp mode transparent <– private VLANs only work in transparent mode
!
!
vlan 500
private-vlan primary <– the primary VLAN through which all of them are connected
private-vlan association 501-502 <– which secondary VLANs are to be bound to the primary VLAN?
!
vlan 501
private-vlan community
!
vlan 502
private-vlan isolated
!
!
interface Ethernet0/0
description PC0
switchport private-vlan host-association 500 501
switchport mode private-vlan host
!
interface Ethernet0/1
description PC1
switchport private-vlan host-association 500 501
switchport mode private-vlan host
!
interface Ethernet0/2
description PC2
switchport private-vlan host-association 500 502
switchport mode private-vlan host
!
interface Ethernet0/3
description PC3
switchport private-vlan host-association 500 502
switchport mode private-vlan host
!
interface Ethernet1/0
description Server
switchport private-vlan mapping 500 501-502
switchport mode private-vlan promiscuous
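To check that a configuration like the one above really produces the intended reachability (and to catch a secondary VLAN that was never associated with its primary), here is an added Python example; it is not part of the original notes and not Cisco code. It parses only the private-VLAN command subset used on this page, SAMPLE_CONFIG is a constructed copy of Switch A's relevant lines covering PC0, PC1, PC2 and the server, and the function names expand, parse_config, can_talk, reachability and audit are this example's own.

```python
# Added example, not from the original notes: parse the private-VLAN commands of an
# IOS-style configuration and derive which ports can reach each other, so the intended
# reachability (PC0 -> PC1 and Server, PC2 -> Server only) can be verified before use.
import re
# Constructed copy of the relevant lines of Switch A's configuration.
SAMPLE_CONFIG = """\
vlan 500
 private-vlan primary
 private-vlan association 501-502
vlan 501
 private-vlan community
vlan 502
 private-vlan isolated
interface Ethernet0/0
 description PC0
 switchport private-vlan host-association 500 501
 switchport mode private-vlan host
interface Ethernet0/1
 description PC1
 switchport private-vlan host-association 500 501
 switchport mode private-vlan host
interface Ethernet0/2
 description PC2
 switchport private-vlan host-association 500 502
 switchport mode private-vlan host
interface Ethernet1/0
 description Server
 switchport private-vlan mapping 500 501-502
 switchport mode private-vlan promiscuous
"""

def expand(spec):
    """IOS VLAN list -> set of ids: '501-502' -> {501, 502}, '501,510' -> {501, 510}."""
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids

def parse_config(text):
    """Return (vlan_types, associations, ports): {vid: type}, {primary: {secondaries}}, {ifname: info}."""
    vlan_types, assoc, ports, vlan, port = {}, {}, {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"vlan (\d+)$", line):
            vlan, port = int(m[1]), None
        elif m := re.match(r"interface (\S+)$", line):
            vlan, port = None, m[1]
            ports[port] = {"desc": port, "role": None, "primary": None, "secondaries": set()}
        elif vlan is not None:
            if m := re.match(r"private-vlan (primary|isolated|community)$", line):
                vlan_types[vlan] = m[1]
            elif m := re.match(r"private-vlan association (\S+)$", line):
                assoc.setdefault(vlan, set()).update(expand(m[1]))
        elif port is not None:
            p = ports[port]
            if m := re.match(r"description (.+)$", line):
                p["desc"] = m[1]
            elif m := re.match(r"switchport private-vlan (host-association|mapping) (\d+) (\S+)$", line):
                p["primary"], p["secondaries"] = int(m[2]), expand(m[3])
            elif m := re.match(r"switchport mode private-vlan (host|promiscuous)$", line):
                p["role"] = m[1]
    return vlan_types, assoc, ports

def can_talk(a, b, vlan_types):
    """Private-VLAN forwarding rule between two ports of the same switch."""
    if a["primary"] is None or a["primary"] != b["primary"]:
        return False                          # not in the same primary VLAN at all
    roles = {a["role"], b["role"]}
    if "promiscuous" in roles:                # promiscuous <-> promiscuous always; promiscuous <-> host needs the mapping
        return roles == {"promiscuous"} or bool(a["secondaries"] & b["secondaries"])
    # host <-> host: only inside a shared community VLAN; isolated hosts never reach each other
    return any(vlan_types.get(v) == "community" for v in a["secondaries"] & b["secondaries"])

def reachability(text):
    """Map each port description to the sorted descriptions of the ports it can reach."""
    vlan_types, _, ports = parse_config(text)
    return {p["desc"]: sorted(q["desc"] for m, q in ports.items()
                              if m != n and can_talk(p, q, vlan_types))
            for n, p in ports.items()}

def audit(text):
    """List configuration defects that would make the intended isolation fail."""
    vlan_types, assoc, ports = parse_config(text)
    issues = []
    for name, p in ports.items():
        if p["primary"] is None:
            continue                          # not a private-VLAN port (e.g. a trunk)
        if vlan_types.get(p["primary"]) != "primary":
            issues.append(f"{name}: VLAN {p['primary']} is not declared 'private-vlan primary'")
        for s in p["secondaries"]:
            if vlan_types.get(s) not in ("isolated", "community"):
                issues.append(f"{name}: VLAN {s} is not declared isolated or community")
            elif s not in assoc.get(p["primary"], set()):
                issues.append(f"{name}: VLAN {s} is not associated with primary {p['primary']}")
    return issues

if __name__ == "__main__":
    print(reachability(SAMPLE_CONFIG), audit(SAMPLE_CONFIG) or "no problems found")
```

reachability(SAMPLE_CONFIG) yields PC0 -> PC1 and Server, PC2 -> Server only, and Server -> PC0, PC1, PC2, matching the rules listed above; audit() returns an empty list for this configuration and flags, for example, a port whose secondary VLAN is missing from the primary's association list, the kind of defect that would surface as a missing entry under "Operational private-vlan" in the verification output further down.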

Private VLANs can of course also be carried over a trunk.
To do so, simply connect the switches with a dot1q trunk and create the VLANs and ports accordingly.

Switch A

!
interface Ethernet3/3
description Trunk-zu-Switch-B
switchport trunk encapsulation dot1q
switchport mode trunk
!

Switch B

!
vtp mode transparent
!
!
vlan 500
private-vlan primary
private-vlan association 501-502
!
vlan 501
private-vlan community
!
vlan 502
private-vlan isolated
!
interface Ethernet0/0
description PC4
switchport private-vlan host-association 500 501
switchport mode private-vlan host
!
interface Ethernet0/1
description PC5
switchport private-vlan host-association 500 501
switchport mode private-vlan host
!
interface Ethernet0/2
description PC6
switchport private-vlan host-association 500 502
switchport mode private-vlan host
!
interface Ethernet0/3
description PC7
switchport private-vlan host-association 500 502
switchport mode private-vlan host
!
interface Ethernet3/3
description Trunk-zu-Switch-A
switchport trunk encapsulation dot1q
switchport mode trunk
!

Checking the VLANs

Switch-A#sh int ethernet 0/0 switchport
Name: Et0/0
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host

Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 500 (VLAN0500) 501 (VLAN0501)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan:
500 (VLAN0500) 501 (VLAN0501)

Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Appliance trust: none

Server port

Switch-A#sh int ethernet 1/0 switchport
Name: Et1/0
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: private-vlan promiscuous

Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 500 (VLAN0500) 501 (VLAN0501) 502 (VLAN0502)
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan:
500 (VLAN0500) 501 (VLAN0501) 502 (VLAN0502)

Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Appliance trust: none

Switch-A#sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
500     501       community         Et0/0, Et0/1, Et1/0
500     502       isolated          Et0/2, Et0/3, Et1/0

Switch-A#sh vlan private-vlan type

Vlan Type
---- -----------------
500  primary
501  community
502  isolated