Private vlans on L2 IOU

I finally managed to get private vlans working in GNS3. Image used was:

Cisco IOS Software, Linux Software (I86BI_LINUXL2-ADVIPSERVICESK9-M), Version 15.2(CML_NIGHTLY_20151103)FLO_DSGS7, EARLY DEPLOYMENT DEVELOPMENT BUILD, synced to FLO_DSGS7_POSTCOLLAPSE_TEAM_TRACK_DSGS_PI5

(topology diagram: pvlans_gns3)

IOU2 and IOU3 should be in community VLAN 1000, while IOU4 is in isolated VLAN 2000. On IOU2, IOU3 and IOU4 only "no switchport" (no other switchport commands) is used, so that they simulate hosts with IP addresses .2, .3 and .4 respectively.


Step 1

a) Create the VLANs,

b) mark them as primary, community, isolated, etc.,

c) create the association between the primary VLAN and the secondary VLANs.

Step 2

On the ports, set the mode to host or promiscuous and add a host association to mark the port as belonging to a given secondary VLAN.

Step 3

On the promiscuous port (or SVI), create a mapping to the secondary VLANs. If it is an SVI, you list the secondary VLANs only (see below the difference between promiscuous port Ethernet7/0 and SVI 100).

IOU1

vlan 100
name primary
private-vlan primary
private-vlan association 1000,2000
!
vlan 146,600
!
vlan 1000
name community
private-vlan community
!
vlan 2000
name isolated
private-vlan isolated

interface Ethernet0/1
switchport private-vlan host-association 100 1000
switchport mode private-vlan host

interface Ethernet2/1
switchport private-vlan host-association 100 1000
switchport mode private-vlan host

interface Ethernet1/1
switchport private-vlan host-association 100 2000
switchport mode private-vlan host

interface Ethernet7/0
switchport private-vlan mapping 100 1000,2000
switchport mode private-vlan promiscuous

interface Vlan100
ip address 169.254.100.1 255.255.255.0
private-vlan mapping 1000,2000

On IOU2 and IOU3 I only configured "no switchport" and IP addresses (.2 and .3 respectively).

Show commands:

show vlan private-vlan

IOU1#show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     1000      community         Et0/1, Et2/1, Et7/0
100     2000      isolated          Et7/0

show int eth0/1 switchport (host port):

IOU1#show int eth0/1 switchport
Name: Et0/1
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 100 (primary) 1000 (community)
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan:
100 (primary) 1000 (community)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001

while on the promiscuous port:

IOU1#show int eth7/0 switchport
Name: Et7/0
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: private-vlan promiscuous
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 100 (primary) 1000 (community) 2000 (isolated)
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan:
100 (primary) 1000 (community) 2000 (isolated)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Appliance trust: none

debug commands:

debug pm pvlan

Debug produces (on interface shut):

*Oct 20 18:36:31.407: port_remove_pvlan_host_action: Et0/1
*Oct 20 18:36:31.407: port_remove_pvlan_host_vlans: Et0/1 operMode = host
*Oct 20 18:36:31.407: pm_pc_vp_disable_private_vlan: vlan 100
*Oct 20 18:36:31.407: pm_pc_vp_disable_private_vlan: vlan 1000
*Oct 20 18:36:31.407: primary vlan not operational

and on "no shut":

*Oct 20 18:37:05.002: port_mode_host_action: Et0/1
*Oct 20 18:37:05.002: port_mode_host: Et0/1 operMode = host
*Oct 20 18:37:05.002: pm_pc_vp_enable_private_vlan: 0/1, vlan 1000, type 3
*Oct 20 18:37:05.002: primary vlan not operational
*Oct 20 18:37:05.002: pm_pc_vp_enable_private_vlan: 0/1, vlan 100, type 1
*Oct 20 18:37:05.002: pm_port_link_up_pvlan_host_prom: bring up pvlan host/prom port Et0/1 line

Final result: IOU 2 and IOU 3 (community hosts) can ping each other and IOU 5 (promiscuous). IOU 4 (isolated) can only ping IOU 5.

IOU4#ping 169.254.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.100.2, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
IOU4#ping 169.254.100.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.100.3, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
IOU4#ping 169.254.100.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.100.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms

IOU2#ping 255.255.255.255
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:

Reply to request 0 from 169.254.100.5, 3 ms
Reply to request 0 from 169.254.100.3, 3 ms
Reply to request 1 from 169.254.100.5, 5 ms
Reply to request 1 from 169.254.100.3, 5 ms
Reply to request 2 from 169.254.100.5, 3 ms
Reply to request 2 from 169.254.100.3, 3 ms
Reply to request 3 from 169.254.100.5, 2 ms
Reply to request 3 from 169.254.100.3, 2 ms
Reply to request 4 from 169.254.100.5, 5 ms
Reply to request 4 from 169.254.100.3, 5 ms
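As an added example (not part of the original post and not IOS code), the following Python script parses a PVLAN configuration like IOU1's above, checks it for the mistakes the three steps make possible (a secondary VLAN referenced on a port but not associated with the primary, a promiscuous port or SVI that does not map every secondary, a port with the mode set but no association), and derives the reachability that the ping test at the end confirms: community hosts reach each other and the promiscuous port, isolated hosts reach only the promiscuous port. The embedded configuration is a constructed copy of the one shown above; the function names and the check logic are my own, not a feature of IOS.

```python
"""Parse a Cisco IOS private-VLAN config, check it for consistency and derive
expected port-to-port reachability. Added example, not code from the post."""
import re

# Constructed sample: IOU1's PVLAN configuration from the post, embedded inline.
SAMPLE_CONFIG = """
vlan 100
 private-vlan primary
 private-vlan association 1000,2000
vlan 1000
 private-vlan community
vlan 2000
 private-vlan isolated
interface Ethernet0/1
 switchport private-vlan host-association 100 1000
 switchport mode private-vlan host
interface Ethernet2/1
 switchport private-vlan host-association 100 1000
 switchport mode private-vlan host
interface Ethernet1/1
 switchport private-vlan host-association 100 2000
 switchport mode private-vlan host
interface Ethernet7/0
 switchport private-vlan mapping 100 1000,2000
 switchport mode private-vlan promiscuous
interface Vlan100
 private-vlan mapping 1000,2000
"""

def expand_vlan_list(text):
    """'1000,2000' -> [1000, 2000]; '10-12' -> [10, 11, 12]."""
    out = []
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        out.extend(range(int(lo), int(hi or lo) + 1))
    return out

def parse_pvlan_config(config):
    """Return (vlans, ports): vlan id -> {type, assoc}; port -> {mode, primary, secondary}."""
    vlans, ports, section = {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"vlan ([\d,\-]+)$", line):
            section = ("vlan", expand_vlan_list(m.group(1)))
            for v in section[1]:
                vlans.setdefault(v, {"type": "normal", "assoc": []})
        elif m := re.match(r"interface (\S+)$", line, re.I):
            section = ("port", m.group(1))
            ports[m.group(1)] = {"mode": None, "primary": None, "secondary": []}
        elif section and section[0] == "vlan":
            if m := re.match(r"private-vlan (primary|community|isolated)$", line):
                for v in section[1]:
                    vlans[v]["type"] = m.group(1)
            elif m := re.match(r"private-vlan association (?:add )?([\d,\-]+)$", line):
                for v in section[1]:
                    vlans[v]["assoc"] += expand_vlan_list(m.group(1))
        elif section and section[0] == "port":
            p = ports[section[1]]
            if m := re.match(r"switchport mode private-vlan (host|promiscuous)$", line):
                p["mode"] = m.group(1)
            elif m := re.match(r"switchport private-vlan host-association (\d+) (\d+)$", line):
                p["primary"], p["secondary"] = int(m.group(1)), [int(m.group(2))]
            elif m := re.match(r"switchport private-vlan mapping (\d+) ([\d,\-]+)$", line):
                p["primary"], p["secondary"] = int(m.group(1)), expand_vlan_list(m.group(2))
            elif m := re.match(r"private-vlan mapping ([\d,\-]+)$", line):
                # SVI form lists secondaries only; the primary is the SVI's own VLAN
                p["mode"], p["primary"] = "promiscuous", int(section[1][4:])
                p["secondary"] = expand_vlan_list(m.group(1))
    return vlans, ports

def check_config(vlans, ports):
    """Return findings (empty list = consistent) for every port using PVLAN commands."""
    findings = []
    for name, p in ports.items():
        if p["mode"] is None or p["primary"] is None:
            if p["mode"] or p["primary"]:  # half-configured port
                findings.append(f"{name}: mode and host-association/mapping must both be set")
            continue
        prim = vlans.get(p["primary"], {"type": "normal", "assoc": []})
        if prim["type"] != "primary":
            findings.append(f"{name}: vlan {p['primary']} is not a primary PVLAN")
        for s in p["secondary"]:
            if s not in prim["assoc"]:
                findings.append(f"{name}: vlan {s} is not associated with primary {p['primary']}")
        if p["mode"] == "promiscuous":  # should map every secondary of its primary
            for s in set(prim["assoc"]) - set(p["secondary"]):
                findings.append(f"{name}: secondary {s} is not mapped on promiscuous port")
    return findings

def can_talk(vlans, ports, a, b):
    """Expected L2 reachability between two PVLAN ports of the same switch."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] is None or pa["primary"] != pb["primary"]:
        return False
    if "promiscuous" in (pa["mode"], pb["mode"]):
        # a host reaches a promiscuous port only if its secondary VLAN is mapped there
        prom, other = (pa, pb) if pa["mode"] == "promiscuous" else (pb, pa)
        return other["mode"] == "promiscuous" or other["secondary"][0] in prom["secondary"]
    sa, sb = pa["secondary"][0], pb["secondary"][0]
    # two host ports only talk inside the same community VLAN; isolated hosts never do
    return sa == sb and vlans[sa]["type"] == "community"
```

Running check_config on the sample returns no findings, and can_talk reproduces the ping results: Ethernet0/1 and Ethernet2/1 (community) reach each other and Ethernet7/0, while Ethernet1/1 (isolated) reaches only Ethernet7/0 and the SVI. Dropping VLAN 2000 from the mapping on Ethernet7/0 is reported as a finding and turns the isolated host's reachability to the promiscuous port into "no", which is the usual symptom when the mapping in Step 3 is incomplete.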
