Network: VLAN (dot1q, private VLAN PVLAN, port isolation, traffic segmentation, etc), MAC (learning)

Разное

sw2(config)#vlan 999
sw2(config-vlan)#name disabled_NATIVE
sw2(config-vlan)#shutdown
sw2(config-vlan)#end

Switch(config)#vlan 1
Switch(config-vlan)#shutdown 
%Command is only allowed on VLAN 2..1001.

The Wikipedia article you mention gives a succinct explanation:
VLAN identifier (VID): a 12-bit field specifying the VLAN to which the frame belongs. The hexadecimal values of 0x000 and 0xFFF are reserved. All other values may be used as VLAN identifiers, allowing up to 4,094 VLANs. The reserved value 0x000 indicates that the frame does not carry a VLAN ID; in this case, the 802.1Q tag specifies only a priority and is referred to as a priority tag. On bridges, VID 0x001 (the default VLAN ID) is often reserved for a management VLAN; this is vendor-specific. The VID value 0xFFF is reserved for implementation use; it must not be configured or transmitted. 0xFFF can be used to indicate a wildcard match in management operations or filtering database entries.
As you can see, there isn't really a usable VLAN 0 or 4095. Cisco uses VLAN 1 as a default VLAN, and management protocols (STP, CDP, DTP, etc) are sent on VLAN 1.

• На Cisco Catalyst vlan хранятся только в файле vlan.dat пока не перейдешь в режим vtp transparent, после этого vlan до vid 1005 будут хранится и в vlan.dat и в конфиге, vlan с vid 1006 будут хранится только в конфиге.

• На Cisco catalyst есть возможность превращения свича в тупой хаб для определенного vlan – мне пригождалось когда при генерации трафика опредленного дампа tcpreplay на cisco наблюдались потери (трафик принимается на одном порту, но не форвардится на второй) – в итоге помогло отключение mac learning. Причина проста – ротация mac src/dst в дампе трафика (свич дискрардит трафик в сторону dst mac т.к. этот mac уже выучен на порту приема этого трафика).

  L3850(config)#no mac address-table learning vlan 222
  %Warning: Disabling mac address learning would cause full or partial impact on features which rely upon mac address learning. Most notable of them are Dot1x, port-security, VQPC, flexlink and private vlans. Hence it is not advisable to disable mac learning when these features are configured. Please see configuration guide for additional information.

• На cisco catalyst легко отключается flow control (имеет смысл в другое место перенести). Помогает доказать людям, которые смотрят на счетчики и видят что на один порт пришло много, а на второй мало и говорят, что проблема в коммутаторе (по факту – проблема с получателем, который не справляется с трафиком).

c3850#show interfaces tenGigabitEthernet 1/3 | i flow
input flow-control is off, output flow-control is off
c3850#show interfaces tenGigabitEthernet 1/4 | i flow
input flow-control is off, output flow-control is off

interface TenGigabitEthernet1/3
flowcontrol receive off

Private VLAN

• Traffic segmentation от D-Link – базовая, но достаточная для решения большинства вопросов реализация private vlan. При настройке Traffic Segmentation нужно разрешать как forwarding на downlink порту в сторону uplink, так и forwarding с uplink порта в сторону downlink. Иначе обмен данными будет unidirectional – чаще всего это не то, что требуется.

It is often incorrectly believed that Private VLANs use double tagging on trunks. This belief is supported by the apparent nesting of secondary VLANs inside their associated primary VLAN. In reality, secondary VLANs do not exist “inside” their primary VLAN; rather, they are only associated with it. This association merely indicates that a frame received in a secondary VLAN can be forwarded out promiscuous ports in the associated primary VLAN and vice versa.

interface GigabitEthernet0/21
 switchport protected

In Private VLAN terminology, such ports are called promiscuous ports. A promiscuous port is not associated with any particular secondary VLAN.

Instead, it is associated with the corresponding primary VLAN itself. A device connected to a promiscuous port can communicate with devices in all secondary VLANs associated with this primary VLAN and vice versa.

A device attached to such a port—a router, server, NAS, printer, and so on—would then be accessible by any host in any secondary VLAN under a particular primary VLAN, regardless of the type of the secondary VLAN.

Порт в secondary VLAN может взаимодействовать с любым promiscuous портом primary VLAN (secondary которого является). Режимы secondary vlan:

• isolated vlan – порты в одном private vlan, который настроен как isolated, не могут взаимодействовать ни с кем кроме promiscuous портов.
• community vlan – порты в одном private vlan, который настроен как community, могут взаимодействовать между собой и с promiscuous портами.

A device in a secondary VLAN that is associated with a particular primary VLAN can communicate with any promiscuous port in that primary VLAN. If there are multiple promiscuous ports in the primary VLAN, they can also communicate with each other.

CLI

Private VLAN CONFIG

https://habr.com/ru/post/165195/

Пример конфига для Cisco Cat. 4900. Два порта заизолированы друг от друга (2/10-2/11) в одном private-vlan с аплинком (2/9).

vlan 2
name pvlan2
private-vlan primary
private-vlan association 101
exit

vlan 101
private-vlan isolated
exit

interface GigabitEthernet2/9
description pvlan2-uplink
switchport access vlan 2
switchport private-vlan mapping 2 101
switchport mode private-vlan promiscuous
ip arp inspection trust
exit

interface GigabitEthernet2/10
description pvlan2
switchport access vlan 2
switchport private-vlan host-association 2 101
switchport mode private-vlan host
ip arp inspection trust
exit

interface GigabitEthernet2/11
description pvlan2
switchport access vlan 2
switchport private-vlan host-association 2 101
switchport mode private-vlan host
ip arp inspection trust
end

L3 termination (Cisco Cat. 3550)

AccessSw(config-if)# interface Vlan100
AccessSw(config-if)# private-vlan mapping 101-103,199
AccessSw(config-if)# ip address 192.168.100.254 255.255.255.0

Show

C4900#show interfaces status | i pvlan2
Gi2/9 pvlan2-uplink connected 2 a-full a-1000 10/100/1000-TX
Gi2/10 pvlan2 connected 2,101 a-full a-1000 10/100/1000-TX
Gi2/11 pvlan2 connected 2,101 a-full a-1000 10/100/1000-TX

C4900#show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
2 101 isolated Gi2/9, Gi2/10, Gi2/11

C4900#show vlan id 101

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
101 VLAN0101 active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
101 enet 100101 1500 - - - - - 0 0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
2 101 isolated Gi2/9, Gi2/10, Gi2/11


C4900#show vlan id 2

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
2 pvlan2 active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
2 enet 100002 1500 - - - - - 0 0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
2 101 isolated Gi2/9, Gi2/10, Gi2/11