Private VLANs

Bridging & Switching — By CCIETalk on June 5, 2008 at 2:13 pm

OK, I have spent about 2 hours working with private VLANs on the 3560s, and I want to clear one thing up for everyone reading this: private VLANs are NOT supported on the 3550s. I didn't realize that at first, but after searching the configuration guide I finally realized that, duh, it's not supported. That's another one of those differences between our beloved 3550s and the 3560s. Back to the topic: it took me a while to grasp this concept, so I wanted to write about it so others can benefit from the explanation.

Private VLANs are best suited to a service provider network, where the provider can isolate customers from each other inside one VLAN rather than assigning a new VLAN to every customer. Keep in mind that two of the major issues faced by service providers were:

  • If every client was assigned a new VLAN, the provider would only be able to support 4096 clients :) Not a smart business move.
  • Then our already depleted IPv4 address space would be further wasted, since every such VLAN needs its own subnet just to pass traffic between clients.

The concept of a private VLAN is very basic: take a VLAN and subdivide it into many VLANs. Each private VLAN consists of ONE primary VLAN and many secondary VLANs. There are two types of secondary VLAN: isolated or community. You can assign many community VLANs to a primary VLAN, but only ONE isolated VLAN can be assigned to each primary VLAN.

Private VLAN Ports

Private VLAN ports can be divided into three types:

Promiscuous Port

  • Promiscuous port belongs to the primary VLAN.
  • Promiscuous port can communicate with all ports that belong to a secondary VLAN (Isolated or Community) as long as they are associated to the same primary VLAN.

Isolated Port

  • An isolated port is a host port that belongs to an isolated secondary VLAN.
  • The host ports that belong to an isolated VLAN can NOT communicate with other ports in the isolated VLAN.
  • Isolated ports can ONLY communicate with the promiscuous ports.

Community Port

  • Community ports belong to a community secondary VLAN.
  • Community ports can communicate with ports in the same community VLAN along with the promiscuous ports.
  • Community ports can NOT communicate with ports in other community VLANs.
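Here is what the three port types look like as a 3560 configuration. This is an added example, not the post's own config; the VLAN numbers (100 primary, 101 isolated, 102 community), the interface names and the 192.0.2.1 gateway address are assumptions. VTP must be in transparent mode before the switch accepts the private-vlan VLAN commands.

```cisco
! Private VLANs require VTP transparent mode
vtp mode transparent
!
! Secondary VLANs are created first, then associated to the primary
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Promiscuous port: talks to every host in 101 and 102
! (assumed: the default gateway / shared server hangs off Fa0/1)
interface FastEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Isolated host port: reaches only Fa0/1, never another host in VLAN 101
interface FastEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community host ports: Fa0/3 and Fa0/4 reach each other and Fa0/1, nothing else
interface FastEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
interface FastEthernet0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Optional: if the 3560 itself routes for the primary VLAN, map the
! secondaries to the SVI so hosts in 101/102 can reach the gateway
! (192.0.2.1 is a constructed documentation address)
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 101,102
!
! Verification
! show vlan private-vlan
! show interfaces FastEthernet0/2 switchport
```

Keep in mind that the isolation is purely Layer 2: a router or firewall behind the promiscuous port will happily forward traffic between two isolated hosts unless an ACL on that gateway blocks it, so `show vlan private-vlan` confirms the mappings but does not by itself prove the hosts cannot reach each other.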


3 Comments

  • Mark Willson says:

    Actually I was going to test if the 12.2(44)SE2 release for the 3550 (EMI) *does* support PVLANs. According to the release notes it does. To quote the software advisor:

    Feature Descriptions

    Private VLANs Allows multiple VLANs with layer-2 isolation to exist within a single subnet. Provides security by preventing access to an entire network through a single server; also can save address space. Restrictions include that VTP mode must be set to transparent.

    We’ll see.

  • CCIETalk says:

    Awesome! I hope that also supports IPv6. I am working on QoS right now, but I would be really interested to find out. Please keep us posted.

  • CCIETalk says:

    Just read the documentation and this is what I found: “Though visible in the command-line interface, the private-vlan command is not supported.”
