Private VLANs explained

I was browsing through the different CCIE blogs and saw this great posting @ IE’s blog. I think many CCIE students have a hard time understanding Private VLANs, and Petr did a great job explaining them.

“What Private VLANs (PVLANs) do is split the domain into multiple isolated broadcast subdomains. It’s a nesting concept: subVLANs inside a VLAN. Next, as we know, Ethernet VLANs are not allowed to communicate directly with each other; they require an L3 device to forward packets between broadcast domains. The same concept applies to PVLANs: since the subdomains are isolated at level 2, they need to communicate using an upper-level (L3/packet forwarding) entity, such as a router. However, there is a difference here. Regular VLANs usually correspond to a single IP subnet. When we split a VLAN using PVLANs, hosts in different PVLANs still belong to the same IP subnet, but now they need to use a router (L3 device) to talk to each other (for example, by using local Proxy ARP). In turn, the router may either permit or forbid communications between sub-VLANs using access-lists. Why would anyone need Private VLANs? Commonly, this kind of configuration arises in “shared” environments, say ISP co-location, where it’s beneficial to put multiple customers into the same IP subnet, yet provide a good level of isolation between them.”

Private VLANs
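To make the quoted description concrete, here is an added Cisco IOS configuration example (my own, not from Petr’s post or from IE). It assumes a Catalyst switch trunked to an external router on a promiscuous port, an invented primary VLAN 200 with isolated subVLAN 201 and community subVLAN 202, the documentation subnet 192.0.2.0/24 with the router at 192.0.2.1, and invented interface names and customer labels. The isolated port can only reach the promiscuous port; the two community ports can reach each other and the promiscuous port; anything crossing subVLANs has to go through the router, where local proxy ARP and an access-list decide whether it is allowed.

```cisco
! ===== Switch side (assumed Catalyst, PVLAN-capable) =====
! PVLANs are not propagated by VTP v1/v2, so the switch must be transparent
vtp mode transparent
!
! Secondary VLANs are defined first, then associated with the primary
vlan 201
 private-vlan isolated
vlan 202
 private-vlan community
vlan 200
 private-vlan primary
 private-vlan association 201,202
!
! Customer A: isolated port, can talk only to the promiscuous (router) port
interface GigabitEthernet1/0/1
 description Customer A - isolated
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Customer B: two community ports, can talk to each other and to the router
interface GigabitEthernet1/0/2
 description Customer B - community
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
interface GigabitEthernet1/0/3
 description Customer B - community
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
! Uplink to the L3 device: promiscuous port mapped to every secondary VLAN
interface GigabitEthernet1/0/24
 description Uplink to router - promiscuous
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
!
! ===== Router side (assumed IOS router on the promiscuous port) =====
! Local proxy ARP makes the router answer ARP requests for hosts in its own
! subnet, so an isolated host that ARPs for another customer's address gets
! the router's MAC and sends the packet to the router instead of directly.
interface GigabitEthernet0/0
 description PVLAN 200 gateway
 ip address 192.0.2.1 255.255.255.0
 ip local-proxy-arp
 ip access-group PVLAN-HAIRPIN in
!
! The ACL is what actually enforces policy between subVLANs at L3.
! Without it, the router would happily forward an intra-subnet packet
! straight back out the same interface, undoing the L2 isolation.
ip access-list extended PVLAN-HAIRPIN
 remark hosts may always reach the gateway itself
 permit ip 192.0.2.0 0.0.0.255 host 192.0.2.1
 remark (optional) explicit permits for customer pairs that may talk go here
 remark drop everything the router would hairpin back into the same subnet
 deny   ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
 remark traffic leaving the subnet is allowed
 permit ip 192.0.2.0 0.0.0.255 any
```

Two things worth checking after applying this: `show vlan private-vlan` on the switch should list 200 as primary with 201 (isolated) and 202 (community) associated, and `show interfaces GigabitEthernet1/0/1 switchport` should report the port as a private-vlan host in 200/201. The router-side ACL is not optional hardening: a host on an isolated port can always hand-craft a frame to the gateway’s MAC with another customer’s IP as the destination, and only the `deny` line above stops the router from completing that hop. Community ports (Customer B) are unaffected by the ACL because their traffic never leaves layer 2.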

About CCIETalk

An Experienced Unified Communications Engineer Specializing in Cisco, Riverbed, VMware and Relevant Technologies. CCIE Voice, CCNA, CCDA, CCNP, CCDP, CCIP, RCSA.
