Dell Force10 Z9000 – Creating Additional Layer 2 Isolation via Private VLANs

Private VLANs provide additional segregation capabilities within a VLAN. A private VLAN provides further layer 2 isolation between ports. A common example of private VLAN use is a hotel providing Internet access for patrons while at the same time preventing direct access between guest ports. Instead of using private VLANs, you can create a separate VLAN and assign a separate IP subnet to each guest as shown below.

Segregating Traffic Without Private VLANs

As you can see from the above, this is not an elegant solution as you are wasting both VLAN IDs and IP address space. A more elegant solution would be to use private VLANs as shown below.

Segregating Traffic With Private VLANs

In this lab I will be using two Dell Force10 Z9000 switches [FTOS 8.3.11.2] and a Dell Force10 S50V switch [FTOS 8.3.2.0] to demonstrate the concept of private VLANs. Below is the network diagram for this lab.

Lab Network Diagram

The Dell Force10 Z9000 switch has thirty-two 40-gigabit ports, however, you can convert a 40-gigabit port to four 10-gigabit ports. If you are using other switches with only 10-gig ports, you will need a 40-gig to four 10-gig breakout cable. To convert the 40-gig port to four 10-gig ports you need to enter the “stack-unit [stack #] port [interface #] portmode quad” command in config mode. You will also need to reload the switch for the changes to take effect. In this lab I have already converted the 40-gig ports to 10-gig ports as I will be using only 10-gig ports.

Below is the configuration I used for the top Force10 Z9000 with the private VLANs. The other switches are basically just being used as end devices with IPs configured on their respective interfaces.

On the top Z9000 switch, I configure VLAN 2 as the “primary VLAN”. A primary VLAN can have one or more secondary VLANs. Interestingly, a primary VLAN and each of its secondary VLANs decrement the available number of VLAN IDs available on the switch.

I configure both ports connecting to the other switches as “host ports”. When using private VLANs, host ports are ports in a secondary VLAN. After designating the ports as host ports, I assign them to their respective secondary VLANs which I configured as “community VLANs”.

There are two types of secondary VLANs – community VLANs and isolated VLANs. Ports in a community VLAN can communicate with each other and all promiscuous ports in the primary VLAN; it can only contain ports configured as hosts. Isolated VLANs contain ports that cannot directly talk to each other; the contained ports can only communicate with promiscuous ports in the primary VLAN. Similarly, an isolated VLAN can only contain ports configured as hosts. A “promiscuous port” is a port that is allowed to communicate with any other port type in the private VLAN.

– enable
– conf
– int tengigabitethernet 0/8
– switchport
– switchport mode private-vlan host
– no shut
– int tengigabitethernet 0/4
– switchport
– switchport mode private-vlan host
– no shut
– int vlan 2
– private-vlan mode primary
– private-vlan mapping secondary-vlan 10
– private-vlan mapping secondary-vlan 20
– ip address 10.0.0.1/24
– no shut
– int vlan 10
– private-vlan mode community
– untagged tengigabitethernet 0/4
– no shut
– int vlan 20
– private-vlan mode community
– untagged tengigabitethernet 0/8
– no shut

– end
– write

As you can see from the below, from the Force10 S50V switch I am able to ping the gateway at 10.0.0.1/24 but I am not able to ping the interface of the second Z9000 (10.0.0.2/24) which is in the same primary VLAN (VLAN 2). This is a simple lab that demonstrates this additional layer 2 segregation via private VLANs. If I wanted to enable layer 3 communication between secondary VLANs, I could enter the “ip local-proxy-arp” command in the VLAN 2 configuration on the top Z9000 switch; this would cause the below ping to 10.0.0.2/24 to succeed.

Private VLAN ping test