Advanced Private VLAN Configuration on Dell Force10 Switches

In a prior lab, “Dell Force10 Z9000 – Creating Additional Layer 2 Isolation via Private VLANs”, I demonstrated some basics of private VLANs. In this lab, I go a little further and demonstrate how hosts in the same private VLAN (PVLAN) on two different switches can communicate with each other.

In this lab, I use two Dell Force10 Z9000 switches [FTOS 8.3.11.2] for all my PVLAN and trunking configurations. I use the other switches simply as end devices with IPs configured on the respective interfaces. These other switches include Dell Force10 S50V [FTOS 8.3.2.0], Dell Force10 S60 [FTOS 8.3.3.7], and Dell Force10 S4810 [FTOS 8.3.10.1].

Below is the network diagram for this lab.

Lab Diagram

I only show the configuration for the Z9000s below since all other devices are simply being used as host nodes. As you can see, interface te 0/8 on both Z9000 switches has the command “switchport mode private-vlan trunk” configured. This command means the link will be used as an inter-switch PVLAN hub port.

Force10_Z9000_1

– enable
– conf
– int tengigabitethernet 0/8
– switchport
– switchport mode private-vlan trunk
– no shut
– int tengigabitethernet 0/4
– switchport
– switchport mode private-vlan host
– no shut
– int vlan 2
– private-vlan mode primary
– private-vlan mapping secondary-vlan 10
– private-vlan mapping secondary-vlan 20
– tagged tengigabitethernet 0/8
– ip address 10.0.0.1/24
– no shut
– int vlan 10
– private-vlan mode community
– untagged tengigabitethernet 0/4
– no shut
– int vlan 20
– private-vlan mode community
– no shut
– end
– write

Force10_Z9000_2

– enable
– conf
– int tengigabitethernet 0/8
– switchport
– switchport mode private-vlan trunk
– no shut

– int tengigabitethernet 0/4
– switchport
– switchport mode private-vlan host
– no shut

– int tengigabitethernet 0/5
– switchport
– switchport mode private-vlan host
– no shut

– int vlan 2
– private-vlan mode primary
– private-vlan mapping secondary-vlan 10
– private-vlan mapping secondary-vlan 20
– tagged tengigabitethernet 0/8
– ip address 10.0.0.2/24
– no shut

– int vlan 10
– private-vlan mode community
– untagged tengigabitethernet 0/4
– no shut

– int vlan 20
– private-vlan mode community
– untagged tengigabitethernet 0/5
– no shut
– end
– write

Now that everything is configured, I try pinging both the S60 (10.0.0.4/24) and S4810 (10.0.0.5/24) from the S50V (10.0.0.3/24). The S60 is connected to the second Z9000 (Force10_Z9000_2), whereas the S50V is connected to the first Z9000 (Force10_Z9000_1). Since we have configured a trunk port to carry the private VLAN traffic, the S50V and S60 should be able to ping each other because they reside in the same private VLAN (PVLAN 10).

However, since the S4810 resides in a different private VLAN (PVLAN 20), the S50V and S4810 should not be able to ping each other. As you can see below, this is exactly the case. Further, notice how the S4810 can still ping both Z9000s (10.0.0.1/24 and 10.0.0.2/24), but not the S50V (10.0.0.3/24).

Pinging from S50V

Pinging from S4810
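
The isolation these pings demonstrate can also be checked against the configuration before touching the hardware. The following Python sketch is an added example, not part of the original lab: it parses the PVLAN-relevant lines of the two Z9000 command lists and applies the community/isolated forwarding rules. The function names, the HOSTS mapping (inferred from the port assignments above) and the assumption that the te 0/8 trunk carries every mapped secondary VLAN are mine.

```python
import re

# Constructed input: PVLAN-relevant lines from the two Z9000 command lists above.
COMMON = """int vlan 2
private-vlan mode primary
private-vlan mapping secondary-vlan 10
private-vlan mapping secondary-vlan 20
int vlan 10
private-vlan mode community
untagged tengigabitethernet 0/4
int vlan 20
private-vlan mode community
"""
CONFIGS = {
    "Force10_Z9000_1": COMMON,
    "Force10_Z9000_2": COMMON + "untagged tengigabitethernet 0/5\n",
}
# Assumption: host placement inferred from the lab's port/VLAN assignments.
HOSTS = {"S50V": ("Force10_Z9000_1", "0/4"),
         "S60": ("Force10_Z9000_2", "0/4"),
         "S4810": ("Force10_Z9000_2", "0/5")}

def parse(cfg):
    """Return (vlan -> mode, secondary -> primary, host port -> secondary VLAN)."""
    mode, parent, ports, vlan = {}, {}, {}, None
    for line in cfg.splitlines():
        if m := re.match(r"int vlan (\d+)", line):
            vlan = int(m[1])
        elif m := re.match(r"private-vlan mode (\w+)", line):
            mode[vlan] = m[1]
        elif m := re.match(r"private-vlan mapping secondary-vlan (\d+)", line):
            parent[int(m[1])] = vlan
        elif m := re.match(r"untagged tengigabitethernet (\S+)", line):
            ports[m[1]] = vlan
    return mode, parent, ports

def can_talk(a, b):
    """a and b are (switch, port) host ports; True if PVLAN rules let them talk."""
    mode_a, par_a, ports_a = parse(CONFIGS[a[0]])
    _, par_b, ports_b = parse(CONFIGS[b[0]])
    va, vb = ports_a[a[1]], ports_b[b[1]]
    if par_a.get(va) is None or par_a[va] != par_b.get(vb):
        return False  # secondaries not mapped to the same primary VLAN
    # Host ports talk only within one community VLAN; isolated ports never do.
    return va == vb and mode_a[va] == "community"
```

Calling can_talk(HOSTS["S50V"], HOSTS["S60"]) returns True and can_talk(HOSTS["S50V"], HOSTS["S4810"]) returns False, matching the ping results; reachability of the primary VLAN addresses on the Z9000s is not modelled.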
