Hi Guys!
Update at bottom
So this blog post is going to be about private-VLANs. To be honest, I am not going to spend too much time going over what they do and the basics of them; that is better handled by this excellent blog post by Brian:
http://blog.ine.com/tag/private-vlan/
Instead I am going to talk about them on the NX-OS platform, and specifically about the "Trunking" aspect of them.
OK, let's just quickly review a basic config of the private-vlan:
vlan 666
name PROMISCOUS_PRIMARY
private-vlan primary
private-vlan association 667-668
vlan 667
name COMMUNITY_SECONDARY
private-vlan community
vlan 668
name ISOLATED_SECONDARY
private-vlan isolated
As you can see above, you have the three types of private-vlans. One of them is your primary, which is then associated (the "private-vlan association" line) with the multiple secondaries. You must do this association in order for any of our config to work; here is a handy command to check your bindings:
n5k1# show vlan private-vlan
Primary Secondary Type            Ports
------- --------- --------------- -------------------------------------------
666     667       community
666     668       isolated        Eth1/1, Eth1/17
Easy enough to check: basically every VLAN, if you want it to actually work, should show a primary and a secondary. If you don't do the association it won't show up here, and the VLAN will never come up.
OK, so quickly, here is a simple port configured to be on the isolated VLAN, which means that this port's host can only talk to promiscuous ports:
n5k1# show run int eth1/1
interface Ethernet1/1
switchport mode private-vlan host
spanning-tree port type edge
switchport private-vlan host-association 666 668
Pretty simple. Here's another useful command to look at your private-vlan config:
n5k1# show int eth1/1 switchport
Name: Ethernet1/1
Switchport: Enabled
Switchport Monitor: Not enabled
Operational Mode: Private-vlan host
Access Mode VLAN: 668 (ISOLATED_SECONDARY)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Allowed: 1-4094
Voice VLAN: none
Extended Trust State : not trusted [COS = 0]
Administrative private-vlan primary host-association: 666
Administrative private-vlan secondary host-association: 668
Administrative private-vlan primary mapping: none
Administrative private-vlan secondary mapping: none
Administrative private-vlan trunk native VLAN: 1
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: (666,668)
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
OK, next let's quickly look at how you would make a layer 3 interface on a switch, an SVI, that gives you a promiscuous L3 interface on your switch (maybe your switch is the default gateway for the VLAN, for example):
interface Vlan666
no shutdown
ip address 10.0.0.50/24
private-vlan mapping 667-668
It's all in the private-vlan mapping command: under the SVI of the actual primary VLAN (VLAN 666) you just specify, "hey, these are the secondary private-vlans I am mapped to and am able to talk to."
Ok, still with me so far?
Finally we need to look at how you would configure a TRUNK that carries private-vlans. Why would I want to do this? Maybe you have two switches and you actually want to maintain your isolation for hosts between the switches. You couldn't do this before, because when you tagged the VLAN, the other switch would learn all those MAC addresses on a port and say to itself, "Well, it ain't an isolated port, so I guess I better let the hosts talk to these MAC addresses."
So there are two types of trunks you can configure, secondary (isolated) and primary (promiscuous) trunks, which carry isolated or promiscuous traffic respectively. Let's say you had three switches, A, B and C. Switch C only had isolated hosts on it, no ports on switch C were promiscuous at all; switch B had all isolated too; and switch A had promiscuous ports only.
In this scenario, you need to make the trunk between A and B promiscuous, while the trunk between switch C and switch B can be isolated. Why? Because switch A has hosts on it that are promiscuous and that need to talk to switch B. I have a rule for myself: "If either switch has ports on it that are promiscuous, the trunk between the switches must be promiscuous."
So here is some config for that:
interface Ethernet1/17
switchport mode private-vlan trunk promiscuous
switchport private-vlan trunk allowed vlan 666-668
switchport private-vlan mapping trunk 666 667-668
Now the word mapping is key here. When you look under an interface, check out your options:
n5k1(config-if)# switchport private-vlan ?
association Private vlan trunk association
host-association Set the private VLAN host association
mapping Set the private VLAN access/trunk promiscuous mapping
trunk Set the private vlan trunking configuration
So, ASSOCIATIONS are for secondary ports; MAPPINGS refer to primary ports or primary VLAN config.
That made it a bit easier for me to follow; I hope it does for you too.
OK, so after configuring your trunks at each end, you should have connectivity from your host to the other end.
Let's check out what's going on in the mac address tables:
On switch 1, which just has a host connected (it is NOT the one with the VLAN 666 SVI interface), the only port is an isolated host port:
n5k1# show mac address-table
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link
VLAN MAC Address Type age Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 668 00c0.dd1c.4264 dynamic 10 F F Eth1/1
* 666 0005.73c1.9f81 dynamic 100 F F Eth1/17
Port 1 is our isolated host; notice it's in VLAN 668. Eth1/17 goes to our switch with the SVI interface, and the MAC address you can see there (ending in 9f81) is the SVI interface's MAC address.
Let's look on switch 2:
nk52# show mac address-table
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link
VLAN MAC Address Type age Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 666 00c0.dd1c.4264 dynamic 180 F F Eth1/17
Interesting! It is showing that this host is actually in VLAN 666. This is because, on our end, when the traffic comes in over the promiscuous trunk it is tagged as VLAN 666, so that we can send traffic to it from our SVI interface!
I hope this clears things up a little. To be honest, I can't see many reasons to use a secondary, isolated trunk over the primary trunk; if anyone has any good reasons why, please comment below :)
Until next time, you stay classy San Diego.
Update: (read this after reading the post) So I think I have a better way of describing the trunks. Think of it this way:
If you enter this on your trunk port:
switchport private-vlan mapping trunk 666 667-668
All traffic on the link will be treated as coming from VLAN 666, even if it came from VLAN 667 or 668.
If you say:
switchport private-vlan association trunk 666 668
All traffic from VLAN 666 will be tagged and treated as if coming from VLAN 668, even though it came from VLAN 666.
That model seems to work for me.
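To make the two rules in this update (and the trunk section above) concrete, here is an added Python model of the tag rewriting on the two trunk types and of the MAC tables it produces in the scenario from the post. It is my own example, not code from the post or from Cisco; VLAN numbers, ports and MAC addresses are the ones shown in the post, the second switch's name n5k2 is assumed, and the forwarding rule is the standard private-VLAN one.

```python
from dataclasses import dataclass, field

# VLAN numbers, ports and MAC addresses are the ones shown in the post;
# the second switch's name n5k2 is assumed (the post's prompt reads "nk52").
PRIMARY = 666
SECONDARIES = {667: "community", 668: "isolated"}

def promiscuous_trunk_tag(vlan):
    """Promiscuous (primary) trunk, 'switchport private-vlan mapping trunk 666
    667-668': frames from any associated secondary egress tagged with the
    primary VLAN; VLANs outside the private-VLAN group pass unchanged."""
    return PRIMARY if vlan in SECONDARIES else vlan

def isolated_trunk_tag(vlan, isolated=668):
    """Isolated (secondary) trunk, 'switchport private-vlan association trunk
    666 668': frames from the primary egress tagged with the isolated VLAN."""
    return isolated if vlan == PRIMARY else vlan

def may_forward(src_role, dst_role, src_vlan, dst_vlan):
    """Standard private-VLAN rule: promiscuous talks to everything in the
    group, isolated talks only to promiscuous, community talks to its own
    community VLAN and to promiscuous."""
    if "promiscuous" in (src_role, dst_role):
        return True
    return src_role == dst_role == "community" and src_vlan == dst_vlan

@dataclass
class Switch:
    name: str
    mac_table: dict = field(default_factory=dict)  # (vlan, mac) -> port

    def learn(self, vlan, mac, port):
        self.mac_table[(vlan, mac)] = port

def replay_post_scenario():
    """Isolated host on n5k1 Eth1/1, promiscuous trunk Eth1/17 to the switch
    holding the VLAN 666 SVI. Returns both MAC tables for inspection."""
    n5k1, n5k2 = Switch("n5k1"), Switch("n5k2")
    host_mac, svi_mac = "00c0.dd1c.4264", "0005.73c1.9f81"
    # Host frame enters the isolated host port: n5k1 learns it in VLAN 668.
    n5k1.learn(668, host_mac, "Eth1/1")
    # Out the promiscuous trunk the tag is rewritten 668 -> 666, so the far
    # switch learns the same MAC in the primary VLAN (the post's "Interesting!").
    n5k2.learn(promiscuous_trunk_tag(668), host_mac, "Eth1/17")
    # The SVI reply arrives in 666 and reaches the isolated host because the
    # source is promiscuous; a frame from a second isolated host would not.
    n5k1.learn(promiscuous_trunk_tag(666), svi_mac, "Eth1/17")
    return n5k1.mac_table, n5k2.mac_table
```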
The available documentation for Private VLAN trunking is definitely confusing.
For example, I've read that it's possible to trunk a community VLAN over a link that is configured with:
"switchport mode private-vlan trunk secondary"
However, when I try to configure:
"switchport private-vlan association trunk 111 114" (where VLAN 114 is a community VLAN)
my N5K says that a community VLAN cannot be mapped on a secondary trunk port...
Peter,
I'm trying to configure private VLANs on a port-channel in NX-OS 5.2. Is it possible?
What do "Secure" and "NTFY" indicate when you do a show mac address-table?
How about the private VLAN configuration on the vPC peer-link, and how do you configure the port-channel connecting a chassis which hosts multiple VMs and carries normal VLANs too?
Can anyone please let me know what the impact of the below command is:
system private-vlan fex trunk
And why is it not supported with an isolated trunk port?