pvlan
PVLAN(Private VLAN,私有VLAN),是对现有vlan行为的一个安全/性能的加强版,转发行为和传统的vlan有所不同,下面先对pvlan中的一些术语做一下介绍:
概念
-
PVLAN: 由一组VLAN集构成,包括1个Primary VLAN和其对应的一个或多个Secondary VLAN。
-
Primary VLAN: 主vlan,上行设备感知的用户VLAN。
-
Secondary VLAN: 从vlan,用户真正属于的VLAN,Secondary VLAN有两种类型:
- Community:同一Secondary VLAN的终端
可以互通,不同Secondary VLAN的终端无法互通,可以和Primary VLAN终端互通; - Isolated:同一Secondary VLAN的终端
无法互通,不同Secondary VLAN的终端无法互通,可以和Primary VLAN终端互通; - 如下图,Primary VLAN 100,Secondary VLAN101 community,102 isolated
- Community:同一Secondary VLAN的终端
-
接口工作模式:
- host:可以理解为Secondary VLAN的access接口;
- Promiscuous:可以理解为Primary VLAN的access接口;
- Trunk promiscuous:可以理解为Primary VLAN的Trunk接口,但仅能包含一个或多个Primary VLAN,不能包含Secondary VLAN。
- Trunk secondary:可以理解为Secondary VLAN的truhk接口,仅能包含不同pvlan的一个或多个secondary vlan,同一pvlan下的不同Secondary VLAN是不能同时包含的。
- Trunk:这个其实不是pvlan专用接口,就是正常802.1Q trunk。转发方式和正常trunk一样,在这里提一下,通常用于两个支持PVLAN的交换机互联;
-
PVLAN L3域: 在Primary VLAN接口上指定三层互通的Secondary VLAN,配置Primary VLAN接口的IP地址及开启本地代理ARP(Address Resolution Protocol,地址解析协议)/ND(Neighbor Discovery,邻居发现)功能可以建立PVLAN L3域。其中三层互通的Secondary VLAN被认为加入了该PVLAN L3域,这些Secondary VLAN共用Primary VLAN接口作为网关;这个功能其实和Super Vlan很像。
配置实例
两台交换机使用trunk连接,建立2个pvlan分别使用不同接口模式连接终端。
- V100 Primary
- V101 Secondary Community
- V102 Secondary Isolated
- V200 Primary
- V201 Secondary Community
- V202 Secondary Isolated
此配置使用物理机交换机,设备型号为H3C-S6520X-EI 固件版本为Version 7.1.070, Release 6652P02;内侧的/17等编号为交换机物理接口编号,V101为接入的vlan/pvlan,最外侧使用虚线连接的为终端。
接入配置
#本命令基于s6520x-cmw710-system-r6652p02
#SW1
vlan 100
vlan 101
vlan 102
vlan 200
vlan 201
vlan 202
vlan 100
private-vlan primary
private-vlan secondary 101 to 102
#
vlan 101
private-vlan community
#
vlan 102
private-vlan isolated
#
vlan 200
private-vlan primary
private-vlan secondary 201 to 202
#
vlan 201
private-vlan community
#
vlan 202
private-vlan isolated
#
interface Ten-GigabitEthernet1/0/13
port link-mode bridge
description T1
#实际命令为如下两条,其余皆为自动替换或自动生成
#13~16口类似不在重复注释
#port access vlan 101
#port private-vlan host
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 100 to 101 untagged
port hybrid pvid vlan 101
port private-vlan host
#
interface Ten-GigabitEthernet1/0/14
port link-mode bridge
description T2
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 100 102 untagged
port hybrid pvid vlan 102
port private-vlan host
#
interface Ten-GigabitEthernet1/0/15
port link-mode bridge
description T3
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 200 to 201 untagged
port hybrid pvid vlan 201
port private-vlan host
#
interface Ten-GigabitEthernet1/0/16
port link-mode bridge
description T4
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 200 202 untagged
port hybrid pvid vlan 202
port private-vlan host
#
interface Ten-GigabitEthernet1/0/17
port link-mode bridge
description T9&T10
#实际命令仅为如下一条,其余为自动生成
#port private-vlan 101 202 trunk secondary
port link-type hybrid
port hybrid vlan 100 to 101 200 202 tagged
port hybrid vlan 1 untagged
port private-vlan 101 202 trunk secondary
#
interface Ten-GigabitEthernet1/0/18
port link-mode bridge
description T101
#实际命令仅为如下一条,其余为自动生成
#port private-vlan 100 promiscuous
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 100 to 102 untagged
port hybrid pvid vlan 100
port private-vlan 100 promiscuous
#
interface Ten-GigabitEthernet1/0/19
port link-mode bridge
description T103&T104
#实际命令仅为如下一条,其余为自动生成
#port private-vlan 100 200 trunk promiscuous
port link-type hybrid
port hybrid vlan 100 to 102 200 to 202 tagged
port hybrid vlan 1 untagged
port private-vlan 100 200 trunk promiscuous
#
interface Ten-GigabitEthernet1/0/48
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
#############
#SW2
vlan 100
vlan 101
vlan 102
vlan 200
vlan 201
vlan 202
vlan 100
private-vlan primary
private-vlan secondary 101 to 102
#
vlan 101
private-vlan community
#
vlan 102
private-vlan isolated
#
vlan 200
private-vlan primary
private-vlan secondary 201 to 202
#
vlan 201
private-vlan community
#
vlan 202
private-vlan isolated
#
interface Ten-GigabitEthernet1/0/13
port link-mode bridge
description T5
#实际命令为如下两条,其余皆为自动替换或自动生成
#13~16口类似不在重复注释
#port access vlan 101
#port private-vlan host
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 100 to 101 untagged
port hybrid pvid vlan 101
port private-vlan host
#
interface Ten-GigabitEthernet1/0/14
port link-mode bridge
description T6
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 100 102 untagged
port hybrid pvid vlan 102
port private-vlan host
#
interface Ten-GigabitEthernet1/0/15
port link-mode bridge
description T7
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 200 to 201 untagged
port hybrid pvid vlan 201
port private-vlan host
#
interface Ten-GigabitEthernet1/0/16
port link-mode bridge
description T8
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 200 202 untagged
port hybrid pvid vlan 202
port private-vlan host
#
interface Ten-GigabitEthernet1/0/17
port link-mode bridge
description T11&T12
#实际命令仅为如下一条,其余为自动生成
#port private-vlan 102 201 trunk secondary
port link-type hybrid
port hybrid vlan 100 102 200 to 201 tagged
port hybrid vlan 1 untagged
port private-vlan 102 201 trunk secondary
#
interface Ten-GigabitEthernet1/0/18
port link-mode bridge
description T102
#实际命令仅为如下一条,其余为自动生成
#port private-vlan 200 promiscuous
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 200 to 202 untagged
port hybrid pvid vlan 200
port private-vlan 200 promiscuous
#
interface Ten-GigabitEthernet1/0/19
port link-mode bridge
description T105&T106
#实际命令仅为如下一条,其余为自动生成
#port private-vlan 100 200 trunk promiscuous
port link-type hybrid
port hybrid vlan 100 to 102 200 to 202 tagged
port hybrid vlan 1 untagged
port private-vlan 100 200 trunk promiscuous
#
interface Ten-GigabitEthernet1/0/48
port link-mode bridge
port link-type trunk
port trunk permit vlan all
#
测试互通结果;√:互通 ×:不互通
PVLAN100
| - | T1 | T2 | T5 | T6 | T9 | T11 | T101 | T103 | T105 |
|---|---|---|---|---|---|---|---|---|---|
| T1 | - | × | √ | × | √ | × | √ | √ | √ |
| T2 | × | - | × | × | × | × | √ | √ | √ |
| T5 | √ | × | - | × | √ | × | √ | √ | √ |
| T6 | × | × | × | - | × | × | √ | √ | √ |
| T9 | √ | × | √ | × | - | × | √ | √ | √ |
| T11 | × | × | × | × | × | - | √ | √ | √ |
| T101 | √ | √ | √ | √ | √ | √ | - | √ | √ |
| T103 | √ | √ | √ | √ | √ | √ | √ | - | √ |
| T105 | √ | √ | √ | √ | √ | √ | √ | √ | - |
PVLAN 200
| - | T3 | T4 | T7 | T8 | T10 | T12 | T102 | T104 | T106 |
|---|---|---|---|---|---|---|---|---|---|
| T3 | - | × | √ | × | √ | × | √ | √ | √ |
| T4 | × | - | × | × | × | × | √ | √ | √ |
| T7 | √ | × | - | × | √ | × | √ | √ | √ |
| T8 | × | × | × | - | × | × | √ | √ | √ |
| T10 | × | × | × | × | × | - | √ | √ | √ |
| T12 | √ | × | √ | × | - | × | √ | √ | √ |
| T102 | √ | √ | √ | √ | √ | √ | - | √ | √ |
| T104 | √ | √ | √ | √ | √ | √ | √ | - | √ |
| T106 | √ | √ | √ | √ | √ | √ | √ | √ | - |
PVLAN L3域配置
如果想实现控制广播域大小,实现二层隔离三层互访的效果可以使用PVLAN L3域功能,此功能和super vlan类似,我没有考证过这两个功能哪个先产生不知道是否有借鉴;三层互访的原理就是使用vlanif 开启arp代理,代理响应不同secondary vlan中的arp请求,配置相对简单,比如使上例中的V101和V102可以三层互访,配置如下:
#由于两交换机间使用trunk互通,下面配置在任意一个交换机上配置均可
interface Vlan-interface100
private-vlan secondary 101 to 102
ip address 192.168.1.254 255.255.255.0
local-proxy-arp enable #ipv4 arp代理
local-proxy-nd enable #ipv6 nd代理
以上配置使得v101可以和v102三层相互通信,二层隔离,跨secondary vlan访问的arp 均为vlanif的mac地址,如下:
经测试isolated vlan内的终端也可以互访了,同样使由vlanif100代理arp。
其他
- 端口隔离:很多交换机不支持pvlan,但是支持端口隔离,这可以理解为简化版的pvlan isolated,在常规vlan的接入口上配置port-isolate,表现出的行为是:隔离端口仅能和vlan内的非隔离端口进行二层通信。
注意
-
pvlan的vlan从属关系通过hybrid接口实现,主从端口通信时回包会发生vlan转换,当通过trunk多交换机互联的时候配置不当会导致问题;如下图,互联trunk接口上抓包,流量的往返其实走的不是同一个vlan;因此跨交换机主从端口互访时,trunk相应的primary/secondary vlan都需要放行。
-
当vlan属于pvlan时候,无论primary还时secondary,连接终端时应使用使用pvlan的接入方式(即:四种接入模式),否则会导致无法正常通信。同样是由于上面原因,回包的vlan转换需要在hybrid接口实现。
当然如果非要使用常规access或者trunk对接终端也不是不可以,前提是你知道自己在做什么。
-
pvlan的trunk接入侧(即上图中/17接口 或 /19接口所连接的设备)无需感知pvlan和primary vlan,做常规trunk即可(放行 vlan 应该是secondary 的 vlan id)。