Inter-VLAN Routing vs multiple VLAN inside the same subnet vs private VLAN

This post presents different ways of segmenting, and also interconnecting, several hosts across your network. In the most common scenario for a standard company network, you connect your hosts to an edge switch, make each port an untagged member of a specific VLAN and do the same for every device. This edge switch is connected to an aggregation/core router that is in charge of inter-VLAN routing. On the router, you configure the LAGs to the edge switches, define the authorized (tagged) VLANs on these links and finally create a virtual interface for each subnet, so that hosts from different VLANs can speak to each other while the spread of Layer 2 broadcasts stays confined to each VLAN.

Inter-VLAN Routing

Here is a standard inter-VLAN routing scenario:

On a Brocade FastIron device, the configuration would look like this for the switch:

!
vlan 2 name user_vlan2 by port
tagged ethe 1/1/1
untagged ethe 1/1/2
!
vlan 3 name user_vlan3 by port
tagged ethe 1/1/1
untagged ethe 1/1/3
!
vlan 4 name user_vlan4 by port
tagged ethe 1/1/1
untagged ethe 1/1/4
!

Ports connected to hosts are configured as untagged members of a specific VLAN. The uplink (here port 1/1/1) is defined as a tagged port in each VLAN, so it carries the 802.1Q-tagged traffic of all the VLANs to the router.
The Router configuration looks like this:

!
vlan 2 name user_vlan2 by port
tagged ethe 1/1/1
router-interface ve 2
!
vlan 3 name user_vlan3 by port
tagged ethe 1/1/1
router-interface ve 3
!
vlan 4 name user_vlan4 by port
tagged ethe 1/1/1
router-interface ve 4
!
!
interface ve 2
ip address 192.168.2.1 255.255.255.0
!
interface ve 3
ip address 192.168.3.1 255.255.255.0
!
interface ve 4
ip address 192.168.4.1 255.255.255.0
!

A router interface (ve) is defined in each VLAN. Then, as soon as IP addresses are configured on the virtual interfaces, the connected routes appear and members of the different VLANs can reach each other through the router:

FastIronRouter# show ip route
Total number of IP routes: 3 avail: 11997 (out of max 12000)
B:BGP D:Connected R:RIP S:Static O:OSPF *:Candidate default
Destination   NetMask            Gateway Port Cost Type
1  192.168.2.0  255.255.255.0   0.0.0.0    v2   1       D
2  192.168.3.0  255.255.255.0   0.0.0.0    v3   1       D
3  192.168.4.0  255.255.255.0   0.0.0.0    v4   1       D

It is pretty much the same type of configuration on Cisco equipment, except that a Cisco router uses 802.1Q subinterfaces (router-on-a-stick) and a Cisco Layer 3 switch uses an SVI (interface Vlan N) where Brocade uses a virtual interface (ve). Keep in mind that once the virtual interfaces are up, every VLAN can reach every other VLAN through the router: on their own, the VLANs only bound the broadcast domains. If the segmentation is also meant to restrict who can talk to whom, you have to apply ACLs on the virtual interfaces, since the router is the only point where inter-VLAN traffic can be filtered.

Now imagine that you are a web hosting company that only has a small range of public IP addresses. You do not want to waste two addresses (network and broadcast), plus one more for the gateway, for each of your VLANs, which is what the previous design implies with its one subnet per VLAN. In such a case you can configure multiple VLANs inside the same subnet. This way you still benefit from the VLAN advantages (smaller broadcast domains, segmented traffic, ...) without wasting public IP addresses.

Multiple VLAN inside the same subnet

The picture looks almost the same as the previous one. However, each host is now in the same subnet but in a different VLAN, and all of them use the same gateway address.

ip proxy-arp
!
interface ve 2
ip address 192.168.2.1 255.255.255.0
!
interface ve 3
ip follow ve 2
!
interface ve 4
ip follow ve 2
!

All three VLANs now use the same IP subnet. Besides conserving IP addresses, this feature contains Layer 2 broadcasts to segments within an IP subnet. In ISP environments where the same IP subnet is allocated to different customers, placing each customer in a separate VLAN lets all customers share the subnet while isolating them from one another's Layer 2 broadcasts. By default there is no inter-VLAN communication with the ip follow mechanism, unlike standard inter-VLAN routing: a host that wants to reach another host of the same subnet ARPs for it directly, the ARP request never leaves its VLAN, and the resolution fails. You need to configure ip proxy-arp if you want to enable inter-VLAN communication. The Brocade device then performs proxy ARP for hosts that want to send IP traffic to hosts in other VLANs sharing the same subnet: it answers the ARP request with its own MAC address and routes the packets into the destination VLAN. If the source and destination hosts are in the same VLAN, they resolve each other directly and the device does not get involved. Note that once proxy ARP is enabled, every VLAN sharing the subnet can again reach every other one through the router, so if the VLANs are meant to isolate customers from each other rather than just from each other's broadcasts, the virtual interfaces need the same kind of ACLs as in the first scenario.
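
As an added example that is not part of the original post or of Brocade's tooling, the following Python script parses configuration text in the FastIron style used in the two scenarios above (the routed ve interfaces of the first one and the ip follow variant of the second) and reports which pairs of VLANs can exchange IP traffic through the router without any access-group bound to their virtual interfaces. The configuration strings are constructed from the post's own examples; the `ip access-group 101 in` binding on ve 4 is a hypothetical addition that shows how a filtered interface is reported (ACL 101 itself is assumed to exist), and the parser only recognises the handful of statements this post uses.

```python
"""Audit FastIron-style VLAN / ve configuration for unrestricted inter-VLAN
reachability.  Added example for this post, not Brocade tooling: it understands
only the statements the post uses (interface ve, ip address, ip follow ve,
ip access-group and the global ip proxy-arp)."""
import ipaddress
import re
from itertools import combinations

# Constructed sample: the post's router configuration (vlan blocks shortened)
# plus one hypothetical "ip access-group 101 in" on ve 4 to show how a
# filtered interface changes the report.  ACL 101 itself is assumed to exist.
ROUTER_CFG = """
vlan 2 name user_vlan2 by port
tagged ethe 1/1/1
router-interface ve 2
!
interface ve 2
ip address 192.168.2.1 255.255.255.0
!
interface ve 3
ip address 192.168.3.1 255.255.255.0
!
interface ve 4
ip address 192.168.4.1 255.255.255.0
ip access-group 101 in
!
"""
# Constructed sample: the post's "ip follow" variant, with proxy ARP enabled.
FOLLOW_CFG = """
ip proxy-arp
!
interface ve 2
ip address 192.168.2.1 255.255.255.0
!
interface ve 3
ip follow ve 2
!
interface ve 4
ip follow ve 2
!
"""

def parse_fastiron(text):
    """Return {'proxy_arp': bool, 've': {id: {'subnet', 'follow', 'acl'}}}."""
    cfg = {"proxy_arp": False, "ve": {}}
    current = None                  # ve block being filled, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None          # "!" closes the current block
        elif line == "ip proxy-arp":
            cfg["proxy_arp"] = True
        elif m := re.match(r"interface ve (\d+)$", line):
            current = cfg["ve"].setdefault(
                int(m.group(1)), {"subnet": None, "follow": None, "acl": False})
        elif current is None:
            continue                # vlan blocks etc. are not needed here
        elif m := re.match(r"ip address (\S+)(?: (\S+))?$", line):
            net = m.group(1) + ("/" + m.group(2) if m.group(2) else "")
            current["subnet"] = ipaddress.ip_network(net, strict=False)
        elif m := re.match(r"ip follow ve (\d+)$", line):
            current["follow"] = int(m.group(1))
        elif re.match(r"ip access-group \S+ (in|out)$", line):
            current["acl"] = True
    return cfg

def effective_subnet(cfg, ve_id, _seen=()):
    """Resolve 'ip follow': the followed ve's subnet is the one actually in use."""
    ve = cfg["ve"].get(ve_id)
    if ve is None or ve_id in _seen:
        return None                 # dangling or looping follow
    if ve["follow"] is not None:
        return effective_subnet(cfg, ve["follow"], _seen + (ve_id,))
    return ve["subnet"]

def reachable_ve_pairs(cfg):
    """ve pairs whose hosts can exchange IP traffic through the router: distinct
    subnets are always routed, VLANs sharing a subnet only with ip proxy-arp."""
    pairs = set()
    for a, b in combinations(sorted(cfg["ve"]), 2):
        sa, sb = effective_subnet(cfg, a), effective_subnet(cfg, b)
        if sa is not None and sb is not None and (sa != sb or cfg["proxy_arp"]):
            pairs.add((a, b))
    return pairs

def unfiltered_pairs(cfg):
    """Reachable pairs with no access-group on either ve: there the VLAN is only
    a broadcast-domain boundary, not a security boundary."""
    return {(a, b) for a, b in reachable_ve_pairs(cfg)
            if not (cfg["ve"][a]["acl"] or cfg["ve"][b]["acl"])}

if __name__ == "__main__":
    for name, text in (("inter-VLAN routing", ROUTER_CFG), ("ip follow", FOLLOW_CFG)):
        cfg = parse_fastiron(text)
        print(f"{name}: reachable {sorted(reachable_ve_pairs(cfg))}, "
              f"unfiltered {sorted(unfiltered_pairs(cfg))}")
```

Run against the two samples, the routed configuration reports ve 2 and ve 3 as an unfiltered pair (ve 4 is covered by the hypothetical access-group), while the ip follow configuration reports all three pairs as reachable and unfiltered because of ip proxy-arp; remove that single line and no pair is reachable at all.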

Private VLAN

Finally, there is yet another solution if you would rather keep a flat approach. A private VLAN (PVLAN) secures traffic between a primary port and host ports: traffic between the hosts and the rest of the network must travel through the primary port, and two hosts can be prevented from communicating with one another even though they are in the same VLAN. There are three types of PVLAN ports:

  • Primary (or Promiscuous or Firewall)— A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
  • Isolated— An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, except from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports, and traffic from an isolated port is forwarded only to promiscuous ports.
  • Community— Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.

Let’s configure such an example. There is nothing to do on the router, only on the switch:

!
vlan 7 name private_vlan by port
untagged ethe 1/1/7
pvlan type primary
pvlan mapping 902 ethe 1/1/7
pvlan mapping 901 ethe 1/1/7
!
vlan 901 name community_vlan by port
untagged ethe 1/1/9 to 1/1/10
pvlan type community
!
vlan 902 name isolated_vlan by port
untagged ethe 1/1/11
pvlan type isolated
!
!
pvlan-preference broadcast flood
pvlan-preference unknown-unicast flood
!

VLAN 7 is the primary (private) VLAN; VLANs 901 (community) and 902 (isolated) are the secondary VLANs mapped to it. By default, the private VLAN does not forward broadcast or unknown-unicast packets from outside sources into the private VLAN; the pvlan-preference commands change this default so that such traffic is flooded and the hosts behind the primary port can be discovered. Port 1/1/7 is the primary port, and the community and isolated VLANs are mapped to it. Hosts connected to the community VLAN can talk to each other without going through the primary port; hosts connected to the isolated VLAN can only talk to the primary port. This type of configuration is a good way to secure traffic between machines while being simple to deploy and maintain. Keep in mind, though, that the isolation is enforced at Layer 2 only. Every host keeps the same subnet and the same gateway behind the primary port, so an isolated host can still send an IP packet to a neighbour's address with the gateway's MAC address as Layer 2 destination, and the router will route it straight back into the PVLAN. If that matters, add an ACL on the router's virtual interface that denies traffic whose source and destination both belong to the PVLAN's subnet.
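
To make the Layer 2 rules and the gateway bypass concrete, here is an added Python model (example code written for this post, not Brocade's and not from the original page). Port roles mirror the configuration above: 1/1/7 promiscuous, 1/1/9 and 1/1/10 in community VLAN 901, 1/1/11 in isolated VLAN 902. A second community port (1/1/12 in a constructed VLAN 903) and a second isolated port (1/1/13) are hypothetical additions so that every rule in the list above is exercised. `bypass_pairs` lists the host pairs that the PVLAN blocks at Layer 2 but that can still reach each other when the router on the promiscuous port forwards traffic between two addresses of its own connected subnet.

```python
"""Model of private-VLAN forwarding rules and of the gateway bypass discussed
above.  Added example for this post, not Brocade code.  Port roles follow the
post's switch configuration; 1/1/12 (community VLAN 903) and 1/1/13 (a second
isolated port) are constructed additions so that every rule is exercised."""

PORTS = {
    "1/1/7":  ("promiscuous", None),   # primary port, towards the router
    "1/1/9":  ("community", 901),
    "1/1/10": ("community", 901),
    "1/1/11": ("isolated", 902),
    "1/1/12": ("community", 903),      # constructed: a second community
    "1/1/13": ("isolated", 902),       # constructed: a second isolated host
}

def l2_allowed(ports, src, dst):
    """Does the PVLAN forward a frame from port src to port dst?"""
    if src == dst:
        return True
    s_role, s_vid = ports[src]
    d_role, d_vid = ports[dst]
    if "promiscuous" in (s_role, d_role):
        return True                     # promiscuous ports talk to everyone
    if s_role == d_role == "community":
        return s_vid == d_vid           # only within the same community
    return False                        # isolated <-> anything else is dropped

def l3_reachable(ports, src, dst, gateway, router_filters_intra_subnet):
    """Can the host on src deliver IP packets to the host on dst?

    All hosts share one subnet and use the router behind `gateway` (the
    promiscuous port) as default gateway.  A host that cannot ARP for dst may
    still address the packet to the gateway's MAC; unless the router refuses
    to forward packets whose source and destination both lie in the connected
    subnet, it routes the packet straight back into the PVLAN."""
    if l2_allowed(ports, src, dst):
        return True
    if router_filters_intra_subnet:
        return False
    return l2_allowed(ports, src, gateway) and l2_allowed(ports, gateway, dst)

def bypass_pairs(ports, gateway):
    """Ordered host pairs blocked at Layer 2 but reachable via an unfiltered gateway."""
    hosts = [p for p, (role, _) in ports.items() if role != "promiscuous"]
    return {(s, d) for s in hosts for d in hosts
            if s != d and not l2_allowed(ports, s, d)
            and l3_reachable(ports, s, d, gateway, False)}

if __name__ == "__main__":
    for s, d in sorted(bypass_pairs(PORTS, "1/1/7")):
        print(f"{s} -> {d}: blocked at L2, routed back in by the gateway")
```

With the six ports above, only the two hosts of community 901 can exchange frames directly; every other ordered pair (18 of them, including the two isolated hosts) is blocked at Layer 2 yet reachable through the gateway, and switching `router_filters_intra_subnet` to True, the effect of a deny-subnet-to-subnet ACL on the router's ve, closes the gap.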

  1. pavan
    December 13th, 2011 at 12:26

    nice article

  2. Nick
    April 13th, 2012 at 02:30

    I like the article very much but, in configuring the PVLANs, it would have been nice to have shown in the diagram the interfaces to associate with the configurations; still, it was helpful.
    Thank you

  3. umberto
    June 6th, 2012 at 20:07

    This is exactly what I needed. I have industrial equipment that must be at certain IP addresses specified by the customer, but groups of equipment cannot hear each other's broadcasts or it causes problems. So I need to do what you said, but I wish you had shown the commands for Cisco IOS.

  4. June 30th, 2012 at 20:13

    That is a good piece of work. Thanks, and well done.

  5. September 17th, 2012 at 13:49

    Liked that one. I will visit again. Good creation. Publish more. Faithful follower.

  6. Michiel Staessen
    October 18th, 2012 at 20:39

    Great article, but do you have any idea how to realize the “Multiple VLAN inside the same subnet” scenario on an ubuntu server/router? I’ve been trying to do that for a while now but I haven’t succeeded so far…

  7. Nico
    January 28th, 2013 at 19:51

    Here’s a question for anyone who knows. Within a private VLAN you can configure multiple secondary VLANs (community VLANs). Is there a way to allow communication between 2 distinct community VLANs? It seems that this would not be allowed unless the promiscuous port has a proxy ARP configured for the source/destination hosts that would allow that communication to boomerang through the promiscuous port. Thoughts/Ideas?

  8. Khalid
    May 11th, 2013 at 10:16

    Hi, I am working on VDX. Please let me know how to configure inter-VLAN routing?

  9. May 11th, 2013 at 16:06

    @Khalid
    Here it is for VDXs. Basically you first move to the rbridge-id context, then you can create your virtual interfaces. VE 10 is automatically mapped to VLAN 10. You do not have the same level of flexibility as on the FastIron platform, where you can have ve 20 mapped to vlan 10 for example, but at the end of the day almost everyone uses the same identifier for VE and VLAN.

    RB10(config)# rbridge-id 10
    RB10(config-rbridge-id-10)# interface ve 10
    RB10(config-Ve-10)# ip addr 192.168.10.253/24
    RB10(config-Ve-10)# no shut
    RB10(config-Ve-10)# int ve 20
    RB10(config-Ve-20)# ip addr 192.168.20.253/24
    RB10(config-Ve-20)# no shut
