Proper way of adding another private vlan

Hi,

Switch: X670, 16.1.3.6-patch1-9

Existing configuration looks like this:

create vlan vlan10 tag 10
create vlan net_pvlan1 tag 2
create vlan sub_pvlan1 tag 3
create private-vlan pvlan1
configure private-vlan pvlan1 add network net_pvlan1
configure private-vlan pvlan1 add subscriber sub_pvlan1
configure vlan10 add ports 1, 2, 3 tagged
configure net_pvlan1 add ports 1 untagged
configure sub_pvlan1 add ports 2, 3 untagged

Nothing fancy about it: one regular tagged vlan, and the other untagged, with the added benefit that the subscriber ports are isolated.

And physically it is connected as follows:

          +-----------------------+
          |                       |
          |                       |
          |  linux router         |
          |                       |
          +-----------+-----------+
                      | eth0       (terminates net_pvlan1)
                      | eth0.10 (terminates vlan10)
                      |
                      |
                      |
                      |
+---------------------+--------------------+
|                  port 1                  |
|          untagged net_pvlan1             |
|          tagged  vlan10                  |
|                                          |
|                                          |
|                                          |
|  port 2                          port 3  |
+------------------------------------------+
  untagged sub_pvlan1       untagged sub_pvlan1
  tagged   vlan10           tagged   vlan10

Now I wanted to add an additional private-vlan.

Physically it would look like this:

          +-----------------------+
          |                       |
          |                       |
          |  linux router         |
          |                       |
          +-----------+-----------+
                      | eth0       (terminates net_pvlan1)
                      | eth0.10 (terminates vlan10)
                      | eth0.50 (terminates net_pvlan2)
                      |
                      |
                      |
+---------------------+--------------------+
|                  port 1                  |
|          untagged net_pvlan1             |
|          tagged net_pvlan2               |
|          tagged vlan10                   |
|                                          |
|                                          |
|  port 2                          port 3  |
+------------------------------------------+
  untagged sub_pvlan1       untagged sub_pvlan1
  tagged   sub_pvlan2       tagged   sub_pvlan2
  tagged   vlan10           tagged   vlan10

The additional commands that I added to the previous ones are:

create vlan net_pvlan2 tag 5
create vlan sub_pvlan2 tag 50
create private-vlan pvlan2
configure private-vlan pvlan2 add network net_pvlan2
configure private-vlan pvlan2 add subscriber sub_pvlan2
configure vlan net_pvlan2 add ports 1 tagged
configure vlan sub_pvlan2 add ports 2, 3 tagged

Now unfortunately this didn't work for me. According to the documentation, unless I use private-vlan translation, the vlan that arrives at my linux router should be the subscriber's (in this case tag 50). I can see arp entries from devices in vlan 50 on my linux router (the other side doesn't), but neither side can reach the other, so obviously something is wrong.

So, I tried using the private-vlan translation instead.

I created an eth0.5 interface on my linux router to terminate tag 5. I also removed net_pvlan2 from port 1 and instead added it with translation to the network vlan (tag 5):

configure vlan net_pvlan2 delete ports 1
configure vlan net_pvlan2 add ports 1 private-vlan translated

To my surprise this basically killed proper packet forwarding on the ports that involved private-vlans. I could log into the switch and remove the vlan translation I had just added, but the switch wouldn't forward packets properly and was unusable. The only remedy was rebooting the switch so it started with the previous configuration, without the last command above that involved private-vlan translation.

I am wondering: what is the proper way of adding the second isolated private vlan, which is tagged? How can I terminate its network vlan on my linux router? I think I have exhausted both possible methods.

Thank you.
Mc Cande

Posted 6 months ago

Erik Auerswald, Embassador
Hi,

The EXOS configuration without translation looks OK, but the GNU/Linux router configuration does not.

You created a VLAN 50 interface (VLAN ID/tag 50) on the GNU/Linux router, but configured the EXOS switch to use VLAN tag 5 on that link.

You need to use a VLAN 5 interface (eth0.5) on the GNU/Linux router, because VLAN ID/tag 50 is the subscriber VLAN, which prohibits direct communication between ports in this VLAN. All communication needs to go through the network VLAN, which uses tag 5.

Thanks,
Erik
Mc Cande
Hi.

In the documentation it states:

"When subscriber VLAN traffic exits a network VLAN port, it can be untagged, tagged (with the subscriber VLAN tag), or translated (to the network VLAN tag)."

I have spun up a GNS3 project with an EXOS 16.1.1 image and can verify that it behaves as stated by the documentation. (It is somewhat buggy in my VirtualBox VM: I can't forward any traffic besides arp requests inside a private vlan, but this is good enough to see which vlan tag is present via tcpdump.)

So, if I have configuration like this:

create vlan net_pvlan2 tag 5
create vlan sub_pvlan2 tag 50
create private-vlan pvlan2
configure private-vlan pvlan2 add network net_pvlan2
configure private-vlan pvlan2 add subscriber sub_pvlan2
configure vlan net_pvlan2 add ports 1 tagged
configure vlan sub_pvlan2 add ports 2 tagged

Then traffic in vlan 50 ingressing on port 2 and then egressing on port 1 will have vlan tag 50.

If the network vlan is added to port 1 with private-vlan translation instead this way:

configure vlan net_pvlan2 add ports 1 private-vlan translated

Then traffic in vlan 50 ingressing on port 2 and then egressing on port 1 will have vlan tag 5.

So the linux configuration looks OK, but for whatever reason it doesn't work.

For the time being I have created an ACL, applied to select ports on ingress, that provides somewhat similar isolation to the private vlan I wanted to add. (It is of course neither as elegant nor as complete as a private vlan would be.)

entry permit_arp_gateway {
  if {
    vlan-id 50;
    arp-target-address 10.50.0.1/32;
  } then {
    permit;
  }
}

entry deny_arp_rest {
  if {
    vlan-id 50;
    arp-target-address 0.0.0.0/0;
  } then {
    deny;
  }
}

entry permit_gateway {
  if {
    vlan-id 50;
    destination-address 10.50.0.1/32;
  } then {
    permit;
  }
}

entry deny_subnet {
  if {
    vlan-id 50;
    destination-address 10.50.0.0/24;
  } then {
    deny;
  }
}

entry deny_broadcast {
  if {
    vlan-id 50;
    destination-address 255.255.255.255/32;
  } then {
    deny;
  }
}

entry permit_rest {
  if {
    vlan-id 50;
    destination-address 0.0.0.0/0;
  } then {
    permit;
  }
}

entry deny_everything {
  if {
    vlan-id 50;
  } then {
    deny;
  }
}

Anyway, I think I might have hit a bug in the OS/SWITCH when adding the second private vlan on top of the existing one (hence why it doesn't work, or even breaks forwarding when added as private-vlan translated), so I am a bit hesitant to try it again on a live switch, so as not to have to reboot again.
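The policy above is easier to reason about when it is run against sample traffic. The following Python evaluator is an added example, not part of the post and not EXOS code: it applies the seven entries in the order they appear, first match wins, to constructed frames. It assumes that `destination-address` matches only IPv4 packets, that `arp-target-address` matches only ARP packets, and that a frame matching no entry is forwarded normally. The gateway address 10.50.0.1 and the subnet come from the policy; the other sample addresses, and the `Frame`/`Entry` names, are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    """Constructed sample frame: kind is "arp", "ipv4" or "other" (e.g. IPv6)."""
    vlan_id: int
    kind: str
    dst: Optional[str] = None   # ARP target address or IPv4 destination address


@dataclass(frozen=True)
class Entry:
    """One ACL policy entry; every condition given must match (logical AND)."""
    name: str
    vlan_id: int
    action: str
    arp_target: Optional[str] = None    # arp-target-address prefix
    dst_addr: Optional[str] = None      # destination-address prefix

    def matches(self, f: Frame) -> bool:
        if f.vlan_id != self.vlan_id:
            return False
        if self.arp_target is not None:     # assumption: ARP-only condition
            return f.kind == "arp" and ip_address(f.dst) in ip_network(self.arp_target)
        if self.dst_addr is not None:       # assumption: IPv4-only condition
            return f.kind == "ipv4" and ip_address(f.dst) in ip_network(self.dst_addr)
        return True                         # vlan-id alone matches any frame in the VLAN


# The policy from the post, same entries in the same order.
POLICY: List[Entry] = [
    Entry("permit_arp_gateway", 50, "permit", arp_target="10.50.0.1/32"),
    Entry("deny_arp_rest", 50, "deny", arp_target="0.0.0.0/0"),
    Entry("permit_gateway", 50, "permit", dst_addr="10.50.0.1/32"),
    Entry("deny_subnet", 50, "deny", dst_addr="10.50.0.0/24"),
    Entry("deny_broadcast", 50, "deny", dst_addr="255.255.255.255/32"),
    Entry("permit_rest", 50, "permit", dst_addr="0.0.0.0/0"),
    Entry("deny_everything", 50, "deny"),
]


def evaluate(frame: Frame, policy: List[Entry] = POLICY) -> Tuple[str, str]:
    """Return (action, entry name) of the first matching entry. A frame that
    matches nothing is forwarded as usual (assumption: implicit permit)."""
    for entry in policy:
        if entry.matches(frame):
            return entry.action, entry.name
    return "permit", "no-match"


# Constructed samples: 10.50.0.1 is the gateway named in the policy,
# 10.50.0.7 another host in the subscriber subnet, 203.0.113.9 an outside host.
SAMPLES: Dict[str, Frame] = {
    "arp for gateway":      Frame(50, "arp", "10.50.0.1"),
    "arp for neighbour":    Frame(50, "arp", "10.50.0.7"),
    "ipv4 to gateway":      Frame(50, "ipv4", "10.50.0.1"),
    "ipv4 to neighbour":    Frame(50, "ipv4", "10.50.0.7"),
    "ipv4 subnet bcast":    Frame(50, "ipv4", "10.50.0.255"),
    "ipv4 limited bcast":   Frame(50, "ipv4", "255.255.255.255"),
    "ipv4 to internet":     Frame(50, "ipv4", "203.0.113.9"),
    "non-ipv4 in vlan 50":  Frame(50, "other"),
    "ipv4 in vlan 10":      Frame(10, "ipv4", "10.50.0.7"),
}


def report() -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample; handy for eyeballing what the policy does."""
    return {label: evaluate(f) for label, f in SAMPLES.items()}


if __name__ == "__main__":
    for label, (action, name) in report().items():
        print(f"{label:22} -> {action:6} ({name})")
```

Running it shows the isolation the ACL buys: ARP and IPv4 in VLAN 50 reach only the gateway, everything else in 10.50.0.0/24 (including the directed broadcast 10.50.0.255) hits deny_subnet, off-subnet IPv4 is permitted, and non-IPv4 traffic in VLAN 50 falls through to deny_everything. Frames in other VLANs, such as the last sample in vlan 10, match no entry and are forwarded unchanged.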
Erik Auerswald, Embassador
Hi,

I have recreated your setup using an X460 switch for private VLANs, and X460/X460-G2 switches as "router" and "clients," and can confirm your findings:
  1. Adding the second private VLAN does not work, i.e. no data traffic (ping) in this VLAN.
  2. Enabling VLAN translation for the "router" port in pvlan2 results in broken connectivity for pvlan1 (but pvlan2 works).

I could create a working configuration by using VLAN translation on the network port for both private VLANs and using tagged interfaces (VLAN tags 2 & 5) on the "router."

configure vlan net_pvlan1 add ports 6 private-vlan translated
configure vlan net_pvlan2 add ports 6 private-vlan translated

(Edit: I have been using port 6 (instead of 1) to connect the private VLAN switch to the "router," as that was already available in our lab; the two "client" switches are connected using ports 13 (instead of 2) & 15 (instead of 3).)

You could open a case with Extreme Networks to find out if this is considered a bug or not, and thus have this information added to GTAC Knowledge, if you like.

Thanks,
Erik
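To make the tagging rules discussed in this thread concrete, here is an added Python model of the switch; it is not code from the thread, from EXOS or from Extreme Networks. It encodes the documentation sentence quoted above (subscriber traffic leaving a network-VLAN port is untagged, tagged with the subscriber tag, or translated to the network tag) and lets you flood a frame through the first post's configuration, with or without pvlan2, and read off which tag appears on the router port. Assumptions of the model, labelled as such in the code: it floods every frame (no MAC learning), subscriber VLANs are isolated, and an ingress frame is classified only by the ingress port's own VLAN memberships. The VLAN names, tags and port numbers are the thread's; the class and method names are mine. The model shows the documented behaviour, not the failure both posters observed on real hardware.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Membership:
    vlan: str   # VLAN name as used in the EXOS commands
    mode: str   # "untagged", "tagged" or "translated"


class PvlanSwitch:
    """Flood-only private-VLAN model (no MAC learning, isolated subscribers)."""

    def __init__(self) -> None:
        self.tags: Dict[str, int] = {}                  # vlan name -> 802.1Q tag
        self.network_of: Dict[str, str] = {}            # private-vlan -> network vlan
        self.subscribers: Dict[str, List[str]] = defaultdict(list)
        self.subscriber_vlans: Set[str] = set()
        self.pvlan_of: Dict[str, str] = {}              # vlan name -> private-vlan
        self.ports: Dict[int, List[Membership]] = defaultdict(list)

    def create_vlan(self, name: str, tag: int) -> None:
        self.tags[name] = tag

    def add_network(self, pvlan: str, vlan: str) -> None:
        self.network_of[pvlan] = vlan
        self.pvlan_of[vlan] = pvlan

    def add_subscriber(self, pvlan: str, vlan: str) -> None:
        self.subscribers[pvlan].append(vlan)
        self.subscriber_vlans.add(vlan)
        self.pvlan_of[vlan] = pvlan

    def add_ports(self, vlan: str, ports: List[int], mode: str) -> None:
        for p in ports:
            self.ports[p].append(Membership(vlan, mode))

    def classify(self, port: int, tag: Optional[int]) -> Optional[str]:
        """VLAN of an ingress frame, decided only by the ingress port's own
        memberships (an assumption of this model); None means dropped."""
        for m in self.ports[port]:
            if tag is None and m.mode == "untagged":
                return m.vlan
            if tag is not None and m.mode != "untagged" and self.tags[m.vlan] == tag:
                return m.vlan
        return None

    def egress_tag(self, m: Membership, frame_vlan: str) -> Optional[int]:
        """The three documented egress options: untagged, tagged, translated."""
        if m.mode == "untagged":
            return None
        if m.mode == "translated":
            return self.tags[m.vlan]      # rewritten to the network VLAN tag
        # "tagged": subscriber traffic keeps its own tag when it leaves the
        # network port; anything else carries the egress port's VLAN tag.
        return self.tags[frame_vlan if frame_vlan in self.subscriber_vlans else m.vlan]

    def flood(self, ingress: int, tag: Optional[int]) -> Dict[int, Optional[int]]:
        """Flood one frame; returns {egress port: tag on the wire (None = untagged)}."""
        vlan = self.classify(ingress, tag)
        if vlan is None:
            return {}
        pvlan = self.pvlan_of.get(vlan)
        if pvlan is None:
            allowed = {vlan}                              # ordinary VLAN
        elif vlan == self.network_of[pvlan]:
            allowed = {vlan, *self.subscribers[pvlan]}    # network -> every member
        else:
            allowed = {self.network_of[pvlan]}            # isolated subscriber -> network only
        out: Dict[int, Optional[int]] = {}
        for port, members in sorted(self.ports.items()):
            for m in members:
                if port != ingress and m.vlan in allowed:
                    out[port] = self.egress_tag(m, vlan)
        return out


def build(pvlan2_network_mode: Optional[str] = None) -> PvlanSwitch:
    """Configuration from the first post; pass "tagged" or "translated" to add
    pvlan2 with net_pvlan2 joining port 1 in that mode."""
    sw = PvlanSwitch()
    sw.create_vlan("vlan10", 10)
    sw.create_vlan("net_pvlan1", 2)
    sw.create_vlan("sub_pvlan1", 3)
    sw.add_network("pvlan1", "net_pvlan1")
    sw.add_subscriber("pvlan1", "sub_pvlan1")
    sw.add_ports("vlan10", [1, 2, 3], "tagged")
    sw.add_ports("net_pvlan1", [1], "untagged")
    sw.add_ports("sub_pvlan1", [2, 3], "untagged")
    if pvlan2_network_mode:
        sw.create_vlan("net_pvlan2", 5)
        sw.create_vlan("sub_pvlan2", 50)
        sw.add_network("pvlan2", "net_pvlan2")
        sw.add_subscriber("pvlan2", "sub_pvlan2")
        sw.add_ports("net_pvlan2", [1], pvlan2_network_mode)
        sw.add_ports("sub_pvlan2", [2, 3], "tagged")
    return sw
```

With `build("tagged")`, a frame tagged 50 from port 2 leaves port 1 still tagged 50, exactly as the tcpdump test in GNS3 showed, but a reply tagged 50 from the router is dropped on ingress because port 1 has no VLAN 50 membership; only a frame tagged 5 gets back to the subscriber ports (as tag 50). That asymmetry is the reason for terminating tag 5 (eth0.5) on the router. With `build("translated")` the link carries tag 5 in both directions, which matches the configuration that worked in the lab.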