Monday, January 04, 2010

Cisco Nexus OS script for private vlans

There are often times when you need to provide layer 2 isolation for servers that logically belong on the same subnet. A good example is a set of web servers in a DMZ that perform the same function but have no reason to communicate with each other, only with the public and with the common back-end application services they reach through a firewall. In this scenario you could either put each server in a /30 subnet and write specific ACLs for that subnet, or simply use a larger subnet and private VLANs.

The Nexus OS allows you to build out private VLANs to perform this function. A secondary VLAN is one that is bound behind a primary VLAN, and its type is how you control the behavior of the ports in it. There are two types of secondary VLAN you can create in a private VLAN: community (a port in a community can talk to the other ports in its community) and isolated (a port in an isolated VLAN cannot talk to any other host port, including others in the same isolated VLAN). The primary interface should be a promiscuous port so that every community or isolated port can talk to it. You can build out as many community and isolated secondary PVLANs as you require and simply assign them to a primary VLAN that is associated with a specific subnet. There are a couple of items to be aware of: multicast applications (hosts that are participating in multicast have to be in the same community) and some other minor requirements for things like clustering, which might require those ports to be promiscuous instead of just in a community.

Here is a short sample script you can use to get started.
! - Nexus 7000 script
!
! - configuring private vlans
! - enable pvlans feature
feature private-vlan
! - create primary vlan 100
vlan 100
  private-vlan primary
!
! - to confirm that the vlan is a primary do
show vlan private-vlan
!
! - create a secondary community vlan
vlan 200
  private-vlan community
!
! - create a secondary isolated vlan
vlan 201
  private-vlan isolated
!
! - now associate the secondary vlans with the primary
vlan 100
  private-vlan association 200-201
!
! - to see the pvlan mappings do
sh vlan private-vlan
!
! - to put a port in a private-vlan do
interface eth1/1
  switchport
  switchport mode private-vlan host
  switchport private-vlan host-association 100 201
!
! - to see the port status do
show interface eth1/1 switchport
!
! - to set up a promiscuous port
interface eth2/1
  switchport
  switchport mode private-vlan promiscuous
  switchport private-vlan mapping 100 200-201
!
! - to see the port status do
show interface eth2/1 switchport
!
! - to set up an SVI (Layer 3 interface) association
feature interface-vlan
interface vlan 100
  private-vlan mapping 200-201
!
! - to see the state of the vlan interface
show vlan internal vlan-info
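
The community, isolated and promiscuous rules described above can be checked against a planned configuration before it is applied. The following is an added example, not part of the original post: it parses configuration in the same syntax as the script and reports whether two ports can exchange layer 2 traffic. Ports eth1/2 to eth1/4 and the function names are assumptions made for illustration.

```python
# Constructed sample in the syntax of the script above (switchport mode lines omitted).
# eth1/2, eth1/3 and eth1/4 are assumed extra hosts, not ports from the original post.
SAMPLE = """\
vlan 100
 private-vlan primary
 private-vlan association 200-201
vlan 200
 private-vlan community
vlan 201
 private-vlan isolated
interface eth1/1
 switchport private-vlan host-association 100 201
interface eth1/2
 switchport private-vlan host-association 100 201
interface eth1/3
 switchport private-vlan host-association 100 200
interface eth1/4
 switchport private-vlan host-association 100 200
interface eth2/1
 switchport private-vlan mapping 100 200-201
"""

def expand(spec):
    """Expand a VLAN list such as '200-201,300' into {200, 201, 300}."""
    rngs = (p.partition("-") for p in spec.split(","))
    return {v for lo, _, hi in rngs for v in range(int(lo), int(hi or lo) + 1)}

def parse(cfg):
    """Return (vlan_type, ports); ports maps name -> (primary, secondaries, is_promiscuous)."""
    vtype, ports, ctx = {}, {}, None
    for line in cfg.splitlines():
        w = line.split()
        if len(w) == 2 and w[0] in ("vlan", "interface"):
            ctx = w[1]  # entering a vlan or physical-interface submode
        elif len(w) == 2 and w[0] == "private-vlan" and w[1] in ("primary", "community", "isolated"):
            vtype[int(ctx)] = w[1]
        elif len(w) == 5 and w[:2] == ["switchport", "private-vlan"] and w[2] in ("host-association", "mapping"):
            ports[ctx] = (int(w[3]), expand(w[4]), w[2] == "mapping")
    return vtype, ports

def can_talk(vtype, ports, a, b):
    """Layer 2 reachability between two ports under the private VLAN rules."""
    (pa, sa, prom_a), (pb, sb, prom_b) = ports[a], ports[b]
    if pa != pb:
        return False  # different primary VLANs never share a PVLAN domain
    if prom_a or prom_b:  # a promiscuous port reaches every secondary it maps
        return (prom_a and prom_b) or (sb <= sa if prom_a else sa <= sb)
    return sa == sb and all(vtype.get(v) == "community" for v in sa)
```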

That should get things started for a private vlan configuration on a Cisco Nexus platform.
- Ed

1 comment:

Graham said...

Great stuff...
Do you know how to get a private vlan (isolated vlan) allowed down a trunk along with other "normal vlans"?