First off let’s start out by saying that Isolated VLANs and Private VLANs are two completely different things… they are not at all the same. To a network administrator, this should make perfect sense. However, a Server or Virtualization Administrator may or may not know the different. Because of this, I hear many non-network Administrators toss around the term “Private VLAN“, when they actually mean to say “Isolated Vlan“, or more specifically what they are referring to is a “Non-Routable” VLAN.
What’s confusing is that the networks that we plan to use over our newly commissioned Non-Routable VLANs can correctly be refereed to as Private networks. They are private because no traffic can get in our out without a direct lP link to this network. However the VLANs themselves are not private, just isolated, or non-routable.
I believe that you can see where the confusion comes from.
So allow me to provide a bit of context before we go any further.
In my specific case, I need to create what are commonly (however incorrectly) referred to as Private VLANs to act as a back-end network for an OpenStack deployment. I cannot tell you how often I have heard someone make this mistake. This new VLAN, or network, needs to remain isolated from the outside world, meaning that it does not need to be able to route to any other network, or out to the internet. Rather, this new VLAN needs to send isolated traffic back and forth between network nodes deployed as part of my OpenStack Deployment. What I am describing here is not a “Private VLAN”, it is a “Non-Routable”, or “Isolated VLAN”
So please let’s make sure that we are using the correct terms.
So here is how you do it.
In my case I want to create two isolated VLANS for isolated traffic between my OpenStack nodes. Note that I am using nested virtualization, so my OpenStack nodes are themselves VMs.
First lets create what I will refer to as NR-1 (non-routable-1). We will use the VLAN id 666 as its easy to remember.
s3560#conf t
Enter configuration commands, one per line. End with CNTL/Z.
s3560(config)#vlan 666
s3560(config-vlan)#name NR-1
s3560(config-vlan)#end
Now lets create what I will refer to as NR-2. (non-routable-2)
s3560#conf t
Enter configuration commands, one per line. End with CNTL/Z.
s3560(config)#vlan 667
s3560(config-vlan)#name NR-2
s3560(config-vlan)#end
How lets check out our vlans, starting with 666
s3560#show vlan id 666
VLAN Name Status Ports
—- ——————————– ——— ——————————-
666 NR-1 active…trunc…
Now let’s take a look at 667
s3560#show vlan id 667
VLAN Name Status Ports
—- ——————————– ——— ——————————-
667 NR-2 active…trunc…
Note, that if I wanted to make these VLANs routable, I would need to add a layer3 interface. We are obviously not going to do that here.
Now lets add these new VLANs to our existing virtualization server trunks. We are going to do this to a range of interfaces to save time. Note that I was already allowing VLANS 101-104 and 192 on these trunks.
s3560#conf t
Enter configuration commands, one per line. End with CNTL/Z.
s3560(config)#interface range GigabitEthernet0/15 -18
s3560(config-if-range)#switchport trunk allowed vlan 101-104,192,666,667
s3560(config-if-range)#end
Now don’t forget to save our config.
s3560#copy run start
Destination filename [startup-config]?
Building configuration…
[OK]
0 bytes copied in 1.443 secs (0 bytes/sec)
