Thursday 25 June 2015

Private VLAN summary

Private VLANs

Allows for the separation of ports into private port groups while still making use of the same subnet. This is more efficient in terms of IP address usage and reduces STP and ACL complexity, and it is of particular use in some shared environments, such as Service Provider (SP) data centres, where access to common resources on a subnet is required in a secure way.
There are essentially three different port classifications in terms of function. Ports that need to communicate with:
  • all devices
  • each other and with shared devices (e.g. router or web server)
  • ONLY shared devices
Private VLANs are constructed so that there exists a primary VLAN, and one or more secondary VLANs. Each secondary VLAN is mapped to a primary VLAN.

Private VLANs are only supported by VTPv3, so "VTP transparent" mode should be configured if not using VTPv3.

Primary VLANs

Contains promiscuous ports, i.e. ports that can send to and receive from any other port in the PVLAN, including those assigned to secondary VLANs. Devices in this VLAN are likely to include the router L3 gateway, web servers, database servers etc.

Secondary VLANs

Are one of two types: Community or Isolated.

Community VLANs

  • Ports can talk to other ports in the community and to primary VLAN (promiscuous) ports
  • Each PVLAN has zero or more community VLANs associated with it.

Isolated VLANs

  • Ports can ONLY talk to primary VLAN (promiscuous) ports
  • Each PVLAN has AT MOST ONE isolated VLAN, since only one is required

Private VLAN trunks

Extending Private VLANs across multiple switches is straightforward: use the same VLAN IDs and trunk the VLANs as you would normally. Frames arriving from a port within a Private VLAN (primary or secondary) are tagged with the primary or secondary VLAN tag for transport between switches.

However, there are two special trunk types that are used with Private VLANs:

Promiscuous PVLAN Trunk

This is used when a trunk is carrying traffic for a Primary VLAN, as well as its associated secondaries, and needs to be considered a promiscuous port. It may also be carrying other normal VLANs. In this case, the device on the other end of the trunk is unaware of the relationship between the Private VLANs, and traffic from all secondary VLANs associated with a Primary VLAN is tagged with the Primary VLAN ID. A use case for this scenario is a "router on a stick" configuration, where the gateway interface of a Primary VLAN (on the router) is considered promiscuous and may be communicated with by all associated Secondary VLANs.

The Promiscuous PVLAN Trunk port re-writes secondary VLAN IDs of sent frames into the corresponding primary VLAN ID so that the external device always sees only the primary VLAN. It does not manipulate tags of incoming frames.

Isolated PVLAN Trunk

This is used to extend the isolated VLAN over a trunk carrying multiple VLANs to a switch that does not support Private VLANs but is capable of isolating its own ports e.g. with the port protection feature on entry-level Catalyst switches.

The Isolated PVLAN Trunk re-writes a primary VLAN ID of a sent frame to the ID of the isolated VLAN that is associated with the primary VLAN. It does not manipulate tags of incoming frames.
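As an added example (not configuration from the original post), this is how the pieces above map onto a Cisco IOS switch: VTP transparent mode, the primary/isolated/community VLAN definitions, host and promiscuous ports, and the two special trunk types. The VLAN IDs (100 primary, 101 isolated, 102 community, 200 a normal VLAN) and the interface names are assumptions.

```cisco
! Added example, not from the original post. VLAN IDs and interface names are assumed.
! Required unless VTPv3 is in use: VTPv1/v2 do not carry Private VLANs
vtp mode transparent
!
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
! Isolated host port: can reach ONLY promiscuous ports (e.g. the L3 gateway)
interface GigabitEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community host port: reaches other ports in community 102 and promiscuous ports
interface GigabitEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous access port facing the gateway: maps the primary to every secondary
interface GigabitEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Promiscuous PVLAN trunk ("router on a stick"): secondary IDs 101/102 are
! rewritten to 100 on egress, so the router only ever sees VLAN 100 (and normal VLAN 200)
interface GigabitEthernet0/23
 switchport mode private-vlan trunk promiscuous
 switchport private-vlan mapping trunk 100 101,102
 switchport private-vlan trunk allowed vlan 100,200
!
! Isolated PVLAN trunk towards a switch without PVLAN support (it uses protected ports):
! primary ID 100 is rewritten to isolated ID 101 on egress
interface GigabitEthernet0/22
 switchport mode private-vlan trunk secondary
 switchport private-vlan association trunk 100 101
 switchport private-vlan trunk allowed vlan 101
!
! Verification (exec mode): confirm the associations and each port's PVLAN mode
! show vlan private-vlan
! show interfaces GigabitEthernet0/1 switchport
```

A host in VLAN 101 should be able to reach the gateway but not another 101 host; if it can, check that both ports show "private-vlan host" in the switchport output rather than plain access mode.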
