Cisco IOS Layer2 – Private VLANの設定 | ネットワークチェンジニアとして

Private VLANとは、ひとつのVLANを複数に分割する技術です。このページではPrivate VLANの設定方法についてまとめます。

コマンド一覧
構成図
仕様説明
Private Vlanの作成
1. 設定投入
2. 動作確認
Private Vlan Portの割り当て
1. 設定投入
2. 動作確認
SVIの取り扱い
1. 設定投入
2. 動作確認
Tips
1. 設定が反映されない場合

コマンド一覧

このシナリオで重要なコマンド一覧は以下の通りです。

Switch(config)#vtp mode transparent

Switch(config)# vlan <vlan_id>
Switch(config-vlan)# private-vlan { primary | community | isolated }

Switch(config)# vlan <primary_vlan_id>
Switch(config-vlan)# private-vlan association <secondary_vlan_list>

Switch(config)# interface <interface>
Switch(config-if)# switchport mode private-vlan {[ host | promiscuous ]}
Switch(config-if)# switchport private-vlan mapping <primary_vlan_id> <secondary_vlan_list>
Switch(config-if)# switchport private-vlan host-association <primary_vlan_id> <secondary_vlan_id>

構成図

以下の構成で動作確認を行います。

         f0/0                                        f0/0
 +--------+.1                                        .2+--------+
 |   R1   +----┐                                ┌----+   R2  | 
 +--------+    │                                │    +--------+
         f0/0  │                                │  f0/0
 +--------+.3  │    +--------+    +--------+    │  .4+--------+
 |   R3   +----┼----+  SW 1  +----+  SW 2  +----┼----+   R4  | 
 +--------+    │    +--------+    +--------+    │    +--------+
         f0/0  │      Vlan10        Vlan10      │  f0/0
 +--------+.5  │192.168.10.7/24  192.168.10.8/24│  .6+--------+
 |   R5   +----┘                                └----+   R6  | 
 +--------+                                            +--------+

                           192.168.10.0/24

 [R1]
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0

 [R2]
interface FastEthernet0/0
 ip address 192.168.10.2 255.255.255.0

 [R3]
interface FastEthernet0/0
 ip address 192.168.10.3 255.255.255.0

 [R4]
interface FastEthernet0/0
 ip address 192.168.10.4 255.255.255.0

 [R5]
interface FastEthernet0/0
 ip address 192.168.10.5 255.255.255.0

 [R6]
interface FastEthernet0/0
 ip address 192.168.10.6 255.255.255.0

 [SW1]
interface range FastEthernet0/1 - 6
 switchport access vlan 10
 switchport mode access
!
interface range FastEthernet0/13 - 21
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan10
 ip address 192.168.10.7 255.255.255.0

 [SW2]
interface range FastEthernet0/1 - 6
 switchport access vlan 10
 switchport mode access
!
interface range FastEthernet0/13 - 21
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan10
 ip address 192.168.10.8 255.255.255.0

設定全文は下記ファイルです。

!
! Last configuration change at 15:36:54 UTC Tue Oct 16 2012
! NVRAM config last updated at 15:29:28 UTC Tue Oct 16 2012
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface Serial0/1
 no ip address
 shutdown
!
!
!
ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 logging synchronous level 0 limit 20
line aux 0
line vty 0 4
!
!
end

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.10.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface Serial0/1
 no ip address
 shutdown
!
!
!
ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 logging synchronous level 0 limit 20
line aux 0
line vty 0 4
!
!
end

!
! Last configuration change at 15:30:37 UTC Tue Oct 16 2012
! NVRAM config last updated at 15:30:39 UTC Tue Oct 16 2012
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.10.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 shutdown
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 no ip address
 shutdown
!
interface Serial1/3
 no ip address
 shutdown
!
!
!
ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 logging synchronous level 0 limit 20
line aux 0
line vty 0 4
!
!
end

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.10.4 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
interface Serial0/1/0
 no ip address
 shutdown
 clock rate 2000000
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 logging synchronous level 0 limit 20
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.10.5 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
interface Serial0/1/0
 no ip address
 shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 logging synchronous level 0 limit 20
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R6
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.10.6 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 logging synchronous level 0 limit 20
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end

SW1

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
vtp mode transparent
ip subnet-zero
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
!
!
!
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/14
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/15
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/16
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/17
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/18
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/19
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/20
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 192.168.10.7 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
 logging synchronous level 0 limit 20
line vty 0 4
 login
line vty 5 15
 login
!
end

SW2

!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
vtp mode transparent
ip subnet-zero
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10
!
!
!
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/14
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/15
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/16
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/17
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/18
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/19
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/20
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 192.168.10.8 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
 logging synchronous level 0 limit 20
line vty 0 4
 login
line vty 5 15
 login
!
end

仕様説明

Private Vlan

Private VlanはVlanをさらに分割する技術です。Private Vlanには、どのVlanとも疎通可能なPrivate Vlanと特定のVlanのみ疎通可能なSecondary Vlanがあります。Secondary Vlanは、さらにCommunity VlanとIsolated Vlanに分割されます。

Primary Vlan, Community Vlan, Isolated Vlanに属すポートは、それぞれpromiscous port, community port, isolated portと呼ばれます。

vlan	port	説明
Primary Vlan	promiscous port	どのVlanとも疎通可能なVlanです。ひとつのPrivate Vlanに対してPrimary Vlanは1つまで設定できます。
Community Vlan	community port	同一のCommunity VlanとPrimary Vlanに対して疎通可能なVlanです。
Isolated Vlan	isolated port	Primary Vlanに対してのみ疎通可能なVlanです。Isolated Vlanに属すホスト同士は疎通できません。

Private Vlanを使用するには、VTPを無効にする必要があります。まず vtp modeをtransparentにして下さい。

Switch(config)#vtp mode transparent

以下のコマンドで、Private Vlanの種類を定義します。

Switch(config)# vlan <vlan_id>
Switch(config-vlan)# private-vlan { primary | community | isolated }

以下のコマンドで、Primary Vlanと疎通可能なSecondary Vlanを定義します。

Switch(config)# vlan <primary_vlan_id>
Switch(config-vlan)# private-vlan association <secondary_vlan_list>

Private Vlan Port

Primary Vlanに属すpromiscous portは以下のようなコマンドで、Primary VlanとSecondary Vlanの紐付けを行います。

Switch(config)# interface <interface>
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping <primary_vlan_id> <secondary_vlan_list>

Secondary Vlanに属すhost port(community portとisolated port)は、以下のように設定します。

Switch(config)# interface <interface>
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association <primary_vlan_id> <secondary_vlan_id>

SVI

SVIはprimary vlanに対してのみ作成する事ができます。もし、secondary vlanに対してSVIを作成しようとすると以下のようなエラーメッセージが表示されます。

Switch(config)#int vlan 1006
Switch(config-if)#
*Mar  1 00:20:16.314: %PV-6-PV_SVI_DOWN: Vlan 1006's interface remains down because this vlan is a secondary vlan.
*Mar  1 00:20:17.321: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1006, changed state to down
Switch(config-if)#

初期設定の状態では、SVIはprimary vlanとしか疎通する事ができません。もしSVIとsecondary vlan間の通信を実現したいならば、以下のようなコマンドで通信したいsecondary vlanを指定して下さい。

Switch(config)# interface Vlan <num>
Switch(config-if)# private-vlan mapping  <secondary_vlan_list>

Private Vlanの作成

設定投入

SW1, SW2に以下のようなPrivate Vlanを作成します。なお、Private Vlanを作成してから、Primary VlanとSecondary Vlanの紐付け設定を投入して下さい。コマンドの投入順によっては設定が反映されない事もあります。

 [SW1, SW2]
vtp mode transparent
!
vlan 1023
 private-vlan community
vlan 1045
 private-vlan community
vlan 1006
 private-vlan isolated
vlan 10
 private-vlan primary
 private-vlan association 1006,1023,1045

動作確認

以下のようなshowコマンドで想定通りのPrivate Vlanが作成された事を確認します。

SW2#show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      1006      isolated
10      1023      community
10      1045      community

SW2#

Private Vlan Portの割り当て

設定投入

以下の表のようにPrivate Vlanとportの紐付けを行います。

Host	Vlan Id	Private Vlan
R1	100	primary vlan
R2	1023	community vlan
R3	1023	community vlan
R4	1045	community vlan
R5	1045	community vlan
R6	1006	isolated vlan

 [SW1]
interface FastEthernet0/1
 no switchport access vlan 10
 switchport private-vlan mapping 10 1023,1045,1006
 switchport mode private-vlan promiscuous
!
interface FastEthernet0/3
 no switchport access vlan 10
 switchport private-vlan host-association 10 1023
 switchport mode private-vlan host
!
interface FastEthernet0/5
 no switchport access vlan 10
 switchport private-vlan host-association 10 1045
 switchport mode private-vlan host

 [SW2]
interface FastEthernet0/2
 no switchport access vlan 10
 switchport private-vlan host-association 10 1023
 switchport mode private-vlan host
!
interface FastEthernet0/4
 no switchport access vlan 10
 switchport private-vlan host-association 10 1045
 switchport mode private-vlan host
!
interface FastEthernet0/6
 no switchport access vlan 10
 switchport private-vlan host-association 10 1006
 switchport mode private-vlan host

動作確認

以下のようなshowコマンドで、Private Vlanとportの紐付けを確認する事ができます。

 [SW1]
SW1#show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      1006      isolated          Fa0/1
10      1023      community         Fa0/1, Fa0/3
10      1045      community         Fa0/1, Fa0/5

SW1#

Primary Vlanに属すR1はSVIを含む全ポートと疎通可能である事を確認します。

 [R1]
R1#ping 192.168.10.255 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.10.255, timeout is 2 seconds:

Reply to request 0 from 192.168.10.5, 4 ms
Reply to request 0 from 192.168.10.8, 4 ms
Reply to request 0 from 192.168.10.2, 4 ms
Reply to request 0 from 192.168.10.3, 4 ms
Reply to request 0 from 192.168.10.7, 4 ms
Reply to request 0 from 192.168.10.6, 4 ms
Reply to request 0 from 192.168.10.4, 4 ms
R1#

Community Vlanに属すR2は、同一CommunityであるR3とPrimary VlanであるR1と疎通可能である事を確認します。

 [R2]
R2#ping 192.168.10.255 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.10.255, timeout is 2 seconds:

Reply to request 0 from 192.168.10.3, 4 ms
Reply to request 0 from 192.168.10.1, 4 ms
R2#

Isolated Vlanに属すR6は、Primary VlanであるR1と疎通可能である事を確認します。

 [R6]
R6#ping 192.168.10.255 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.10.255, timeout is 2 seconds:

Reply to request 0 from 192.168.10.1, 1 ms
R6#

SVIの取り扱い

設定投入

SW1 SVI10はvlan 1023と疎通可能なように設定し、SW2 SVI10はvlan 1045と疎通可能なように設定します。

 [SW1]
ip routing
!
interface Vlan10
 private-vlan mapping 1023

 [SW2]
ip routing
!
interface Vlan10
 private-vlan mapping 1045

動作確認

SW1から、primary vlanだけでなく、secondary vlan 1023へ疎通可能になった事を確認します。

 [SW1]
SW1#ping 192.168.10.255 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.10.255, timeout is 2 seconds:

Reply to request 0 from 192.168.10.8, 1 ms
Reply to request 0 from 192.168.10.1, 9 ms
Reply to request 0 from 192.168.10.2, 9 ms
Reply to request 0 from 192.168.10.3, 1 ms
SW1#

SW2から、primary vlanだけでなく、secondary vlan 1045へ疎通可能になった事を確認します。

 [SW2]
SW2#ping 192.168.10.255 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.10.255, timeout is 2 seconds:

Reply to request 0 from 192.168.10.4, 8 ms
Reply to request 0 from 192.168.10.7, 8 ms
Reply to request 0 from 192.168.10.1, 8 ms
Reply to request 0 from 192.168.10.5, 8 ms
SW2#

Tips

設定が反映されない場合

コマンドの投入順によっては設定が反映されない事もあります。以下はIsolated Vlan 1006がPrimary Vlan 10に紐づいていない例です。

SW1(config-vlan)#do sho vlan private

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      1023      community         Fa0/1, Fa0/3
10      1045      community         Fa0/1, Fa0/5
        1006      isolated

SW1(config-vlan)#exit

このような現象に遭遇した場合は、落ち着いてremove/addしてあげれば設定は反映されます。

SW1(config)#vlan 10
SW1(config-vlan)#private-vlan association remove 1006
SW1(config-vlan)#private-vlan association add 1006
SW1(config-vlan)#do show vlan private

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      1006      isolated
10      1023      community         Fa0/1, Fa0/3
10      1045      community         Fa0/1, Fa0/5

SW1(config-vlan)#