VMware Knowledge Base article 1010691 defines
a Private VLAN as “an extension to the VLAN standard which adds a
further segmentation of the logical broadcast domain, to create
‘Private’ groups”. VMware Knowledge Base article 1010703 details
how to configure PVLANs on a distributed switch. The intention of
this document is to explain how Private VLANs (PVLANs) may prove
useful.
To fully appreciate PVLANs we need to review
our understanding of virtual LANs (VLANs).
Early Ethernet switches supported just one LAN:
one broadcast domain with one MAC address table. Today's switches
support multiple LANs, called VLANs, each being a separate broadcast
domain with its own MAC address table.
A physical or virtual NIC connects to a
single port in a single VLAN and can communicate only with
other machines in that VLAN. Machines in different
VLANs are therefore isolated from each other at layer 2: traffic in one VLAN cannot
reach another VLAN unless layer 3 switching or routing is configured
between them. A further benefit is that failures, congestion and broadcasts are
contained inside each VLAN. Effectively each VLAN represents
a closed user group.
It is common practice for companies to create
VLANs by business function, for instance to ensure that the finance
department can't communicate with the engineering department unless
suitable routing is configured. In recent years companies
have also aligned VLANs by media type, leading to
voice, data and video VLANs sharing the same physical
infrastructure while keeping each media type separated from the others.
A PVLAN is a VLAN within a VLAN. It comprises
secondary VLAN numbers (isolated or community) that are associated with a primary
VLAN number. A primary VLAN can have any number of community VLANs but only
one isolated VLAN, since every isolated port behaves the same way. A NIC can be connected to a promiscuous,
isolated or community PVLAN port. Promiscuous ports can communicate
with all other ports in the primary VLAN. Isolated ports can
communicate only with promiscuous ports, and community ports can
talk only to other ports in the same community VLAN and to promiscuous
ports.
VLANs can span switches through the use of
802.1Q trunk ports, which tag each Ethernet frame with the VLAN
number. Every VLAN, primary or secondary, must have a unique
number. If a frame originates from a secondary (isolated or community) VLAN then
that secondary number is used as the 802.1Q tag when the frame is
passed to another switch, so that the receiving switch consults the correct MAC address
table; frames from promiscuous ports carry the primary VLAN number. The physical
switches in between must therefore allow every primary and secondary VLAN number on
the trunk. A physical switch that is not PVLAN-aware will treat the secondary VLANs as
ordinary VLANs, which is enough for traffic between ESXi hosts on the same distributed
switch, but not for a promiscuous port that lives on the physical side, such as the router port.
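The port-type rules and the trunk tagging described above are small enough to encode and check. The following is an added example written for this article, not code from VMware or from the KB articles cited; it models the three port types, the forwarding decision between any two ports, the tag a frame carries onto a trunk, and the uniqueness constraints on VLAN numbers. All port names and VLAN numbers in it are constructed for illustration.

```python
"""Reference model of Private VLAN forwarding and 802.1Q trunk tagging.
Added example for this article, not VMware code; topology below is made up."""
from dataclasses import dataclass
from enum import Enum


class PortType(Enum):
    PROMISCUOUS = "promiscuous"
    ISOLATED = "isolated"
    COMMUNITY = "community"


@dataclass(frozen=True)
class Port:
    name: str
    kind: PortType
    primary: int    # primary VLAN number the port belongs to
    secondary: int  # secondary VLAN number; a promiscuous port uses the primary


def validate(ports):
    """Raise ValueError for the configuration mistakes the PVLAN rules forbid."""
    primaries = set()
    secondary_of = {}  # secondary VLAN number -> the primary it belongs to
    isolated_of = {}   # primary VLAN number -> its single isolated VLAN
    for p in ports:
        primaries.add(p.primary)
        if p.kind is PortType.PROMISCUOUS:
            if p.secondary != p.primary:
                raise ValueError(f"{p.name}: promiscuous port must use primary VLAN {p.primary}")
            continue
        if p.secondary == p.primary:
            raise ValueError(f"{p.name}: secondary VLAN must differ from primary {p.primary}")
        # A secondary VLAN number belongs to exactly one primary VLAN.
        if secondary_of.setdefault(p.secondary, p.primary) != p.primary:
            raise ValueError(f"VLAN {p.secondary} is a secondary VLAN of two primaries")
        # A primary VLAN has at most one isolated VLAN (all isolated ports behave alike).
        if p.kind is PortType.ISOLATED and isolated_of.setdefault(p.primary, p.secondary) != p.secondary:
            raise ValueError(f"primary VLAN {p.primary} has more than one isolated VLAN")
    clash = primaries & set(secondary_of)  # numbers must be unique across roles
    if clash:
        raise ValueError(f"VLAN numbers used as both primary and secondary: {sorted(clash)}")


def is_valid(ports):
    try:
        validate(ports)
    except ValueError:
        return False
    return True


def can_forward(src, dst):
    """True if a frame entering on src may be delivered out of dst."""
    if src.primary != dst.primary:
        return False  # different primary VLANs only meet via routing
    if PortType.PROMISCUOUS in (src.kind, dst.kind):
        return True   # promiscuous ports talk to everything in the primary
    if src.kind is dst.kind is PortType.COMMUNITY:
        return src.secondary == dst.secondary  # same community only
    return False      # isolated ports never reach other non-promiscuous ports


def trunk_tag(src):
    """802.1Q tag carried when the frame crosses a trunk to another switch:
    the secondary number for isolated/community ports so the receiving switch
    consults the right MAC table; the primary number for promiscuous ports."""
    return src.secondary


# Constructed web-hosting topology: one subnet on primary VLAN 100, the
# internet feed on a promiscuous port, each client's servers in their own
# community, two standalone hosts in the isolated VLAN, and an unrelated
# primary VLAN 200 to show that PVLANs never bridge primaries.
PORTS = [
    Port("internet-feed", PortType.PROMISCUOUS, 100, 100),
    Port("web-clientA-1", PortType.COMMUNITY, 100, 101),
    Port("web-clientA-2", PortType.COMMUNITY, 100, 101),
    Port("web-clientB-1", PortType.COMMUNITY, 100, 102),
    Port("standalone-1", PortType.ISOLATED, 100, 103),
    Port("standalone-2", PortType.ISOLATED, 100, 103),
    Port("other-feed", PortType.PROMISCUOUS, 200, 200),
]


def reachable(src_name, ports=PORTS):
    """Sorted names of the ports a frame from src_name may be delivered to."""
    src = next(p for p in ports if p.name == src_name)
    return sorted(p.name for p in ports if p is not src and can_forward(src, p))


if __name__ == "__main__":
    validate(PORTS)
    for p in PORTS:
        print(f"{p.name:14} tag {trunk_tag(p):>3} -> {', '.join(reachable(p.name)) or '(none)'}")
```

Running the block prints, for each port, the tag its frames carry on a trunk and the ports it can reach: the internet feed reaches every port in primary VLAN 100, client A's two servers reach each other and the feed, client B's server and the two isolated hosts reach only the feed, and the port in primary VLAN 200 reaches nothing. The `validate` function is the check worth keeping when planning a real PVLAN map: it rejects a number reused as both primary and secondary, a secondary shared by two primaries, and a second isolated VLAN under one primary.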
How is this helpful?
Any situation where you wish to limit
communication within a user group is a candidate for PVLANs.
Modern networks are divided into IP subnets, with each subnet aligned
with a primary VLAN. PVLANs can limit connectivity within a
subnet without splitting it into smaller subnets.
Examples of their use can be seen in web
hosting companies, hotels and training centres.
A web hosting company hosts multiple web sites
for multiple client companies through shared internet feeds.
With PVLANs the internet feed sits on a promiscuous port and the
web servers of each client company are placed in their own community VLAN,
so every client shares the subnet and the feed but cannot reach another client's servers.

A hotel may assign an IP subnet per floor and route between
floors. It may consider giving each room an isolated port to
prevent room-to-room communication, with the routed port
configured as promiscuous.

A training centre may have each classroom
assigned its own subnet, but may wish individual student machines
to be isolated or to work in groups (communities). All students
may still need access to the internet via the routed (promiscuous) port
in each classroom.
Although PVLANs have existed in physical
switches for many years, their use has been limited because it is often
simpler to reduce the size of each subnet and use layer 3 switching or
routing between subnets where required. Physical networks have
also benefited from VRF configuration, which allows for layer 3 user
groups.
In the virtual world the equivalent would require a layer
3-capable virtual switch such as the Nexus 1000V. PVLANs configured
in a distributed switch provide a cheaper
alternative if the additional features of the Nexus 1000V are not
required.