Example: Configuring a Private VLAN on a Single Switch
For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and even to limit the communication between known hosts. The private VLAN (PVLAN) feature allows an administrator to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN.
This example describes how to create a PVLAN on a single switch:
Requirements
This example uses the following hardware and software components:
- One QFX3500 device
- Junos OS Release 12.1 or later for the QFX Series
Before you begin configuring a PVLAN, make sure you have created and configured the necessary VLANs. See Configuring VLANs.
Overview and Topology
In a large office with multiple buildings and VLANs, you might need to isolate some workgroups or other endpoints for security reasons or to partition the broadcast domain. This configuration example shows a simple topology to illustrate how to create a PVLAN with one primary VLAN and two community VLANs, one for HR and one for finance, as well as two isolated ports—one for the mail server and the other for the backup server.
Table 1 lists the settings for the sample topology.
Table 1: Components of the Topology for Configuring a PVLAN
| Interface | Description |
|---|---|
ge-0/0/0.0 | Primary VLAN (pvlan100) trunk interface |
ge-0/0/11.0 | User 1, HR Community (hr-comm) |
ge-0/0/12.0 | User 2, HR Community (hr-comm) |
ge-0/0/13.0 | User 3, Finance Community (finance-comm) |
ge-0/0/14.0 | User 4, Finance Community (finance-comm) |
ge-0/0/15.0 | Mail server, Isolated (isolated) |
ge-0/0/16.0 | Backup server, Isolated (isolated) |
ge-1/0/0.0 | Primary VLAN (pvlan100) trunk interface |
Configuration
CLI Quick Configuration
To quickly create and configure a PVLAN, copy the following commands and paste them into the switch terminal window:
[edit]set vlans pvlan100 vlan-id 100set interfaces ge-0/0/0 unit 0 family ethernet-switching
port-mode trunkset interfaces ge-0/0/0 unit 0 family ethernet-switching
vlan members pvlanset interfaces ge-1/0/0 unit 0 family ethernet-switching
port-mode trunkset interfaces ge-1/0/0 unit 0 family ethernet-switching
vlan members pvlanset interfaces ge-0/0/11 unit 0 family ethernet-switching
port-mode accessset interfaces ge-0/0/12 unit 0 family ethernet-switching
port-mode accessset interfaces ge-0/0/13 unit 0 family ethernet-switching
port-mode accessset interfaces ge-0/0/14 unit 0 family ethernet-switching
port-mode accessset interfaces ge-0/0/15 unit 0 family ethernet-switching
port-mode accessset interfaces ge-0/0/16 unit 0 family ethernet-switching
port-mode accessset vlans pvlan100 pvlanset vlans pvlan100 interface ge-0/0/0.0set vlans pvlan100 interface ge-1/0/0.0set vlans hr-comm interface ge-0/0/11.0set vlans hr-comm interface ge-0/0/12.0set vlans finance-comm interface ge-0/0/13.0set vlans finance-comm interface ge-0/0/14.0set vlans hr-comm primary-vlan pvlan100set vlans finance-comm primary-vlan pvlan100set pvlan100 interface ge-0/0/15.0 isolated set pvlan100 interface ge-0/0/16.0 isolated Step-by-Step Procedure
To configure the PVLAN:
- Set the VLAN ID for the primary VLAN:
[edit vlans]
user@switch# set pvlan vlan-id 100 - Set the interfaces and port modes:
[edit interfaces]
user@switch# set ge-0/0/0 unit 0 family ethernet-switching port-mode trunkuser@switch# set ge-0/0/0 unit 0 family ethernet-switching vlan members pvlanuser@switch# set ge-1/0/0 unit 0 family ethernet-switching port-mode trunkuser@switch# set ge-1/0/0 unit 0 family ethernet-switching vlan members pvlanuser@switch# set ge-0/0/11 unit 0 family ethernet-switching port-mode accessuser@switch# set ge-0/0/12 unit 0 family ethernet-switching port-mode accessuser@switch# set ge-0/0/13 unit 0 family ethernet-switching port-mode accessuser@switch# set ge-0/0/14 unit 0 family ethernet-switching port-mode accessuser@switch# set ge-0/0/15 unit 0 family ethernet-switching port-mode accessuser@switch# set ge-0/0/16 unit 0 family ethernet-switching port-mode access - Set the primary VLAN to have no local switching:
Note: The primary VLAN must be a tagged VLAN.
[edit vlans]
user@switch# set pvlan100 pvlan - Add the trunk interfaces to the primary VLAN:
[edit vlans]
user@switch# set pvlan100 interface ge-0/0/0.0user@switch# set pvlan100 interface ge-1/0/0.0 - For each secondary VLAN, configure access interfaces:
Note: We recommend that the secondary VLANs be untagged VLANs. It does not impair functioning if you tag the secondary VLANS. However, the tags are not used when a secondary VLAN is configured on a single switch.
[edit vlans]
user@switch# set hr-comm interface ge-0/0/11.0user@switch# set hr-comm interface ge-0/0/12.0user@switch# set finance-comm interface ge-0/0/13.0user@switch# set finance-comm interface ge-0/0/14.0 - For each community VLAN, set the primary VLAN:
[edit vlans]
user@switch# set hr-comm primary-vlan pvlan100user@switch# set finance-comm primary-vlan pvlan100 - Configure the isolated interfaces in the primary VLAN:
[edit vlans]
user@switch# set pvlan100 interface ge-0/0/15.0 isolateduser@switch# set pvlan100 interface ge-0/0/16.0 isolated
Results
Check the results of the configuration:
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That the Private VLAN and Secondary VLANs Were Created
Purpose
Verify that the primary VLAN and secondary VLANs were properly created on the switch.
Action
Use the show vlans command:
user@switch> show vlans pvlan100 extensiveVLAN: pvlan100, Created at: Tue Sep 16 17:59:47 2008
802.1Q Tag: 100, Internal index: 18, Admin State: Enabled, Origin: Static
Private VLAN Mode: Primary
Protocol: Port Mode
Number of interfaces: Tagged 2 (Active = 0), Untagged 6 (Active = 0)
ge-0/0/0.0, tagged, trunk
ge-0/0/11.0, untagged, access
ge-0/0/12.0, untagged, access
ge-0/0/13.0, untagged, access
ge-0/0/14.0, untagged, access
ge-0/0/15.0, untagged, access
ge-0/0/16.0, untagged, access
ge-1/0/0.0, tagged, trunk
Secondary VLANs: Isolated 2, Community 2
Isolated VLANs :
__pvlan_pvlan_ge-0/0/15.0__
__pvlan_pvlan_ge-0/0/16.0__
Community VLANs :
finance-comm
hr-commuser@switch> show vlans hr-comm extensiveVLAN: hr-comm, Created at: Tue Sep 16 17:59:47 2008
Internal index: 22, Admin State: Enabled, Origin: Static
Private VLAN Mode: Community, Primary VLAN: pvlan100
Protocol: Port Mode
Number of interfaces: Tagged 2 (Active = 0), Untagged 2 (Active = 0)
ge-0/0/0.0, tagged, trunk
ge-0/0/11.0, untagged, access
ge-0/0/12.0, untagged, access
ge-1/0/0.0, tagged, trunkuser@switch> show vlans finance-comm extensiveVLAN: finance-comm, Created at: Tue Sep 16 17:59:47 2008
Internal index: 21, Admin State: Enabled, Origin: Static
Private VLAN Mode: Community, Primary VLAN: pvlan100
Protocol: Port Mode
Number of interfaces: Tagged 2 (Active = 0), Untagged 2 (Active = 0)
ge-0/0/0.0, tagged, trunk
ge-0/0/13.0, untagged, access
ge-0/0/14.0, untagged, access
ge-1/0/0.0, tagged, trunkuser@switch> show vlans __pvlan_pvlan_ge-0/0/15.0__
extensiveVLAN: __pvlan_pvlan_ge-0/0/15.0__, Created at: Tue Sep 16 17:59:47 2008
Internal index: 19, Admin State: Enabled, Origin: Static
Private VLAN Mode: Isolated, Primary VLAN: pvlan100
Protocol: Port Mode
Number of interfaces: Tagged 2 (Active = 0), Untagged 1 (Active = 0)
ge-0/0/0.0, tagged, trunk
ge-0/0/15.0, untagged, access
ge-1/0/0.0, tagged, trunkuser@switch> show vlans __pvlan_pvlan_ge-0/0/16.0__
extensiveVLAN: __pvlan_pvlan_ge-0/0/16.0__, Created at: Tue Sep 16 17:59:47 2008
Internal index: 20, Admin State: Enabled, Origin: Static
Private VLAN Mode: Isolated, Primary VLAN: pvlan100
Protocol: Port Mode
Number of interfaces: Tagged 2 (Active = 0), Untagged 1 (Active = 0)
ge-0/0/0.0, tagged, trunk
ge-0/0/16.0, untagged, access
ge-1/0/0.0, tagged, trunkMeaning
The output shows that the primary VLAN was created and identifies the interfaces and secondary VLANs associated with it.
