Wednesday 6 November 2013

Private VLAN configuration - Brocade

Private VLAN configuration
A private VLAN (PVLAN) is a VLAN that has the properties of standard Layer 2 port-based VLANs but also provides additional control over flooding packets on a VLAN. Figure 90 shows an example of an application using a PVLAN.
FIGURE 90 PVLAN used to secure communication between a workstation and servers
This example uses a PVLAN to secure traffic between hosts and the rest of the network through a firewall. Five ports in this example are members of a PVLAN. The first port (port 3/2) is attached to a firewall. The next four ports (ports 3/5, 3/6, 3/9, and 3/10) are attached to hosts that rely on the firewall to secure traffic between the hosts and the rest of the network. In this example, two of the hosts (on ports 3/5 and 3/6) are in a community PVLAN, and thus can communicate with one another as well as through the firewall. The other two hosts (on ports 3/9 and 3/10), are in an isolated VLAN and thus can communicate only through the firewall. The two hosts are secured from communicating with one another even though they are in the same VLAN.
By default, unknown-unicast, unregistered multicast, and broadcast are flooded in PVLAN.
By default, on all the FastIron platforms, the device will forward broadcast, unregistered multicast, and unknown unicast packets from outside sources into the PVLAN.
By default, in FastIron FSX platforms , the device will not forward broadcast, unregistered multicast, and unknown unicast packets from outside sources into the PVLAN. If needed, you can override this behavior for broadcast packets, unknown-unicast packets, or both. Refer
You can configure a combination of the following types of PVLANs:
Primary – The primary PVLAN ports are “promiscuous”. They can communicate with all the isolated PVLAN ports and community PVLAN ports in the isolated and community VLANs that are mapped to the promiscuous port.
Isolated – Broadcasts and unknown unicasts received on isolated ports are sent only to the promiscuous ports and switch – switch ports. They are not flooded to other ports in the isolated VLAN.
NOTE: On all devices, however, private VLANs will act as a normal VLAN and will flood unknown destinations, broadcast and multicast traffic to all ports in the VLAN if the primary VLAN does not have the PVLAN mapping that defines the uplink port for the isolated VLAN.
Community – Broadcasts and unknown unicasts received on community ports are sent to the primary port and also are flooded to the other ports in the community VLAN.
Each PVLAN must have a primary VLAN. The primary VLAN is the interface between the secured ports and the rest of the network. The PVLAN can have any combination of community and isolated VLANs.
As with regular VLANs, PVLANs can span multiple switches. The PVLAN is treated like any other VLAN by the PVLAN-trunk ports. The PVLAN-trunk port is added to both the primary and the secondary VLANs as a tagged member through the pvlan-trunk command. Figure 91 shows an example of a PVLAN network across switches:
Broadcast, unknown unicast or unregistered multicast traffic from the primary VLAN port is forwarded to all ports in isolated and community VLANs in both the switches.
Broadcast, unknown unicast or unregistered multicast traffic from an isolated port in switch A is not forwarded to an isolated port in switch A. It will not be forwarded to an isolated port in switch B across the PVLAN-trunk port.
Broadcast, unknown unicast or unregistered multicast traffic from a community port in switch A will be forwarded to a community port in switch B through the PVLAN-trunk port. It is forwarded to the promiscuous ports and switch – switch ports of the primary VLAN.
 
FIGURE 91 PVLAN across switches
Figure 92 shows an example PVLAN network with tagged switch-switch link ports.
FIGURE 92 Example PVLAN network with tagged ports
Table 60 lists the differences between PVLANs and standard VLANs.
 
TABLE 60
Comparison of PVLANs and standard port-based VLANs 
Forwarding behavior
Private VLANs
Standard VLANs
All ports within a VLAN constitute a common layer broadcast domain
No
Yes
Broadcasts and unknown unicasts are forwarded to all the VLAN ports by default
No (isolated VLAN)
Yes (community VLAN)
Yes (Primary)
Yes
Known unicasts
No (isolated VLAN)
Yes (community VLAN)
Yes (Primary)
Yes
Configuration notes for PVLANs and standard VLANs
PVLANs are supported on untagged ports on all FastIron platforms. PVLANs are also supported on tagged ports on devices other than FSX and ICX 6430.
Normally, in any port-based VLAN, the Brocade device floods unknown unicast, unregistered multicast, and broadcast packets in hardware, although selective packets, such as IGMP, may be sent only to the CPU for analysis, based on the IGMP snooping configuration. When protocol or subnet VLANs are enabled, or if PVLAN mappings are enabled, the Brocade device will flood unknown unicast, unregistered multicast, and broadcast packets in software. The flooding of broadcast or unknown unicast from the community or isolated VLANs to other secondary VLANs will be governed by the PVLAN forwarding rules. The switching is done in hardware and thus the CPU does not enforce packet restrictions. The hardware forwarding behavior is supported on the FCX, ICX 6610, ICX 6450, and ICX 6430 platforms.
There is currently no support for IGMP snooping within PVLANs. In order for clients in PVLANs to receive multicast traffic, IGMP snooping must be disabled so that all multicast packets are treated as unregistered packets and are flooded in software to all the ports.
The FastIron forwards all known unicast traffic in hardware. This differs from the way the BigIron implements PVLANs, in that the BigIron uses the CPU to forward packets on the primary VLAN "promiscuous" port. In addition, on the BigIron, support for the hardware forwarding sometimes results in multiple MAC address entries for the same MAC address in the device MAC address table. On the FastIron, multiple MAC entries do not appear in the MAC address table because the FastIron transparently manages multiple MAC entries in hardware.
To configure a PVLAN, configure each of the component VLANs (isolated, community, and public) as a separate port-based VLAN:
-
Use standard VLAN configuration commands to create the VLAN and add ports.
-
Identify the PVLAN type (isolated, community, or public)
-
For the primary VLAN, map the other PVLANs to the ports in the primary VLAN
A primary VLAN can have multiple ports. All these ports are active, but the ports that will be used depends on the PVLAN mappings. Also, secondary VLANs (isolated and community VLANs) can be mapped to one primary VLAN port.
You can configure PVLANs and dual-mode VLAN ports on the same device. However, the dual-mode VLAN ports cannot be members of PVLANs.
VLAN identifiers configured as part of a PVLAN (primary, isolated, or community) should be consistent across the switched network. The same VLAN identifiers cannot be configured as a normal VLAN or a part of any other PVLAN.
Promiscuous and switch-switch link ports are member ports of the primary VLAN only. All switch-switch link ports are tagged ports.
Member ports of isolated and community VLANs cannot be member ports of any other VLAN.
All member ports that are part of the PVLAN (isolated or secondary) will perform VLAN classification based on the PVLAN ID (PVID) only (no VLAN classification by port, protocol, ACL and so on, if any).
PVST, when needed in PVLANs, should be enabled on all (primary and secondary) private VLANs.
Configuring the primary VLAN
To configure a primary VLAN, enter commands such as the following.
Brocade(config)# vlan 7
Brocade(config-vlan-7)# untagged ethernet 3/2
Brocade(config-vlan-7)# pvlan type primary
Brocade(config-vlan-7)# pvlan mapping 901 ethernet 3/2
 
These commands create port-based VLAN 7, add port 3/2 as an untagged port, identify the VLAN as the primary VLAN in a PVLAN, and map the other secondary VLANs to the ports in this VLAN.
To map the secondary VLANs to the primary VLAN and to configure the tagged switch link port, enter commands such as the following.
Brocade(config)# vlan 100
Brocade(config-vlan-100)# tagged ethernet 1/1/10 to 1/1/11
Brocade(config-vlan-100)# untagged ethernet 1/1/4
Brocade(config-vlan-100)# pvlan type primary
Brocade(config-vlan-100)# pvlan mapping 101 ethernet 1/1/4
Brocade(config-vlan-100)# pvlan mapping 102 ethernet 1/1/4
Brocade(config-vlan-100)# pvlan pvlan-trunk 101 ethernet 1/1/10 to 1/1/11
 
These commands create port-based VLAN 100, add port 1/1/10 to 1/1/11 as a tagged port, identify the VLAN as the primary VLAN in a PVLAN, map the other secondary VLANs to the ports in this VLAN, and configure the tagged switch link port.
Syntax:
untagged ethernet [stack-unit/slotnum/]portnum [to [stack-unit/slotnum/]portnum | ethernet [stack-unit/slotnum/]portnum]
or
Syntax:
tagged ethernet [stack-unit/slotnum/]portnum [to [stack-unit/slotnum/]portnum | ethernet [stack-unit/slotnum/]portnum]
Syntax:
[no] pvlan type community | isolated | primary
Syntax:
[no] pvlan mapping vlan-id ethernet [stack-unit/slotnum/]portnum
Syntax:
[no] pvlan pvlan-trunk vlan-id ethernet [stack-unit/slotnum/]portnum [to [stack-unit/slotnum/]portnum]
The untagged or tagged command adds the ports to the VLAN.
The pvlan type command specifies that this port-based VLAN is a PVLAN. Specify primary as the type.
The pvlan mapping command identifies the other PVLANs for which this VLAN is the primary. The command also specifies the primary VLAN ports to which you are mapping the other secondary VLANs. The mapping command is not allowed on the secondary VLANs. The parameters of the pvlan mapping command are as follows:
The vlan-id parameter specifies another PVLAN. The other PVLAN you want to specify must already be configured.
The ethernet portnum parameter specifies the primary VLAN port to which you are mapping all the ports in the other PVLAN (the one specified by vlan-id).
The pvlan pvlan-trunk command identifies the switch-switch link for the PVLAN. There can be more than one switch-switch link for a single community VLAN.
Configuring an isolated or community PVLAN
You can use the pvlan type command to configure the PVLAN as an isolated or community PVLAN. The following are some configuration considerations to be noted for configuring isolated and community PVLANs.
Isolated VLANs
A port being added to the isolated VLAN can be either a tagged port or an untagged port.
A member port of an isolated VLAN classifies a frame based on PVID only.
An isolated port (member of an isolated VLAN) communicates only with the promiscuous port, if a promiscuous port is configured.
An isolated VLAN must be associated with the primary VLAN for traffic from the isolated port to be switched. An isolated VLAN is associated with only one primary VLAN and to the same primary VLAN in the entire switched network.
An isolated port communicates only with the configured switch-switch link port if there are no promiscuous ports configured for the isolated VLAN.
A primary VLAN is associated with only one isolated VLAN. An isolated VLAN can only be mapped to a promiscuous port and a switch-switch link port that belong to the same primary VLAN.
Link Aggregation Group (LAG) ports are not allowed as member ports of an isolated VLAN.
Community VLANs
A port being added to the community VLAN can be either a tagged port or an untagged port.
A member port of a community VLAN classifies a frame based on PVID only.
A community VLAN is associated with only one primary VLAN and to the same primary VLAN in the entire switched network. A primary VLAN is associated with multiple community VLANs.
A community VLAN must be associated with the primary VLAN for traffic from the community port to be switched.
LAG ports are not allowed as member ports of a community VLAN.
To configure a community PVLAN, enter commands such as the following.
Brocade(config)# vlan 901
Brocade(config-vlan-901)# untagged ethernet 3/5 to 3/6
Brocade(config-vlan-901)# pvlan type community
 
These commands create port-based VLAN 901, add ports 3/5 and 3/6 to the VLAN as untagged ports, then specify that the VLAN is a community PVLAN.
Syntax:
untagged ethernet [slotnum/]portnum [to [slotnum/]portnum | ethernet [slotnum/]portnum]
or
Syntax:
tagged ethernet [slotnum/]portnum [to [slotnum/]portnum | ethernet [slotnum/]portnum]
Syntax:
[no] pvlan type community isolated primary
The untagged ethernet or taggd ethernet command adds the ports to the VLAN.
The pvlan type command specifies that this port-based VLAN is a PVLAN and can be of the following types:
community – Broadcasts and unknown unicasts received on community ports are sent to the primary port and also are flooded to the other ports in the community VLAN.
isolated – Broadcasts and unknown unicasts received on isolated ports are sent only to the primary port. They are not flooded to other ports in the isolated VLAN.
primary – The primary PVLAN ports are “promiscuous”. They can communicate with all the isolated PVLAN ports and community PVLAN ports in the isolated and community VLANs that are mapped to the promiscuous port.
Changing from one PVLAN type to another (for example, from primary to community or vice versa) is allowed but the mapping will be removed.
Enabling broadcast or unknown unicast traffic to the PVLAN on FSX devices
To enhance PVLAN security, the primary PVLAN does not forward broadcast or unknown unicast packets to its community and isolated VLANs, and other ports in the primary VLAN. For example, if port 3/2 inFigure 90 receives a broadcast packet from the firewall, the port does not forward the packet to the other PVLAN ports (3/5, 3/6, 3/9, and 3/10).
This forwarding restriction does not apply to traffic from the PVLAN. The primary port does forward broadcast and unknown unicast packets that are received from the isolated and community VLANs. For example, if the host on port 3/9 sends an unknown unicast packet, port 3/2 forwards the packet to the firewall.
If you want to remove the forwarding restriction, you can enable the primary port to forward broadcast or unknown unicast traffic, if desired, using the following CLI method. You can enable or disable forwarding of broadcast or unknown unicast packets separately.
NOTE: On Layer 2 switches and Layer 3 switches, you also can use MAC address filters to control the traffic forwarded into and out of the PVLAN. In addition, if you are using a Layer 2 switch, you also can use ACLs.
CLI example for a general PVLAN network
To configure the PVLANs shown in Figure 90, enter the following commands.
Brocade(config)# vlan 901
Brocade(config-vlan-901)# untagged ethernet 3/5 to 3/6
Brocade(config-vlan-901)# pvlan type community
Brocade(config-vlan-901)# exit
Brocade(config)# vlan 902
Brocade(config-vlan-902)# untagged ethernet 3/9 to 3/10
Brocade(config-vlan-902)# pvlan type isolated
Brocade(config-vlan-902)# exit
Brocade(config)# vlan 903
Brocade(config-vlan-903)# untagged ethernet 3/7 to 3/8
Brocade(config-vlan-903)# pvlan type community
Brocade(config-vlan-903)# exit
Brocade(config)# vlan 7
Brocade(config-vlan-7)# untagged ethernet 3/2
Brocade(config-vlan-7)# pvlan type primary
Brocade(config-vlan-7)# pvlan mapping 901 ethernet 3/2
Brocade(config-vlan-7)# pvlan mapping 902 ethernet 3/2
Brocade(config-vlan-7)# pvlan mapping 903 ethernet 3/2
 
CLI example for a PVLAN network with switch-switch
link ports
To configure the PVLANs with tagged switch-switch link ports as shown in Figure 92, enter the following commands.
FCX Switch 1
Brocade(config)# vlan 101 by port
Brocade(config-vlan-101)# untagged ethernet 1/1/3
Brocade(config-vlan-101)# pvlan type isolated
 
Brocade(config)# vlan 102 by port
Brocade(config-vlan-102)# untagged ethernet 1/1/1 to 1/1/2
Brocade(config-vlan-102)# pvlan type community
 
Brocade(config)# vlan 100 by port
Brocade(config-vlan-100)# tagged ethernet 1/1/10 to 1/1/11
Brocade(config-vlan-100)# untagged ethernet 1/1/4
Brocade(config-vlan-100)# pvlan type primary
Brocade(config-vlan-100)# pvlan mapping 101 ethernet 1/1/4
Brocade(config-vlan-100)# pvlan mapping 102 ethernet 1/1/4
Brocade(config-vlan-100)# pvlan pvlan-trunk 101 ethernet 1/1/10 to 1/1/11
Brocade(config-vlan-100)# pvlan pvlan-trunk 102 ethernet 1/1/10 to 1/1/11
 
FCX Switch 2
Brocade(config)# vlan 101 by port
Brocade(config-vlan-101)# untagged ethernet 1/1/3
Brocade(config-vlan-101)# pvlan type isolated
 
Brocade(config)# vlan 102 by port
Brocade(config-vlan-102)# untagged ethernet 1/1/1 to 1/1/2
Brocade(config-vlan-102)# pvlan type community
 
Brocade(config)# vlan 100 by port
Brocade(config-vlan-100)# tagged ethernet 1/1/10 to 1/1/11
Brocade(config-vlan-100)# pvlan type primary
Brocade(config-vlan-100)# pvlan pvlan-trunk 102 ethernet 1/1/10 to 1/1/11
Brocade(config-vlan-100)# pvlan pvlan-trunk 101 ethernet 1/1/10 to 1/1/11
 
FCX Switch 3
Brocade(config)# vlan 101 by port
Brocade(config-vlan-101)# untagged ethernet 1/1/3
Brocade(config-vlan-101)# pvlan type isolated
 
Brocade(config)# vlan 102 by port
Brocade(config-vlan-102)# untagged ethernet 1/1/1 to 1/1/2
Brocade(config-vlan-102)# pvlan type community
 
Brocade(config)# vlan 100 by port
Brocade(config-vlan-100)# tagged ethernet 1/1/10 to 1/1/11
Brocade(config-vlan-100)# pvlan type primary
Brocade(config-vlan-100)# pvlan pvlan-trunk 102 ethernet 1/1/10 to 1/1/11
Brocade(config-vlan-100)# pvlan pvlan-trunk 101 ethernet 1/1/10 to 1/1/11
 
FCX Switch 4
Brocade(config)# vlan 101 by port
Brocade(config-vlan-101)# untagged ethernet 1/1/3
Brocade(config-vlan-101)# pvlan type isolated
 
Brocade(config)# vlan 102 by port
Brocade(config-vlan-102)# untagged ethernet 1/1/1 to 1/1/2
Brocade(config-vlan-102)# pvlan type community
Brocade(config)# vlan 100 by port
Brocade(config-vlan-100)# tagged ethernet 1/1/10 to 1/1/11
Brocade(config-vlan-100)# pvlan type primary
Brocade(config-vlan-100)# pvlan pvlan-trunk 102 ethernet 1/1/10 to 1/1/11
Brocade(config-vlan-100)# pvlan pvlan-trunk 101 ethernet 1/1/10 to 1/1/11
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)