Big Picture
Private VLANs allow one IP subnet to be shared among several sub-VLANs. A private VLAN is built around a primary VLAN, which is a regular VLAN configured to hold the secondary VLAN subsets. PVLAN designs are used mostly by ISPs to separate customers from each other, because they save addressing space in the LAN.
Another scenario where a private VLAN fits is a branch office in City A that is given a single IP subnet. A private VLAN can take this subnet and hand out addresses to the secondary VLAN subsets.
What makes up the Private VLAN?
The Private VLAN is made up of the primary VLAN and the secondary VLAN. An IP subnet is assigned to the primary VLAN and shared with the secondary VLAN (the subsets of the primary VLAN). Because the subnet is divided among the secondary VLAN subsets, ports in the same subnet may, depending on the configuration, not be able to talk to each other.
In the secondary VLAN, there are three main ideas:
1. Community Group – All ports within a community group can communicate with each other. Many community groups can be created in a secondary VLAN, but one community group cannot cross over to another community group. The only way to reach anything outside the group is through the promiscuous port.
2. Isolated Group – Only one isolated group is allowed in a secondary VLAN. Ports in this group are not allowed to communicate with each other at all. If an isolated port needs to talk to the outside world, it goes through the promiscuous port.
3. Promiscuous Port – Named for its willingness to communicate with all ports: it talks to the Isolated group, to every Community group, and to the outside world. Usually the promiscuous port is connected to the default gateway, which knows how to forward the traffic onward.
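To make the three port roles concrete, here is an added example (not part of the original post) in Python that models the forwarding rules between promiscuous, community and isolated ports inside one primary VLAN. The port names, the community names and the sample topology are constructed for illustration; the code is a model of the rules described above, not a switch configuration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # usually the default gateway / router port
    COMMUNITY = "community"      # member of exactly one community group
    ISOLATED = "isolated"        # the single isolated group of the primary VLAN


@dataclass(frozen=True)
class Port:
    name: str
    ptype: PortType
    community: Optional[str] = None  # community group name, community ports only

    def __post_init__(self) -> None:
        # A community port must name its group; other port types must not.
        if (self.ptype is PortType.COMMUNITY) != (self.community is not None):
            raise ValueError(f"{self.name}: community name is required only for community ports")


def can_forward(src: Port, dst: Port) -> bool:
    """Return True if a frame from src is delivered to dst within one primary VLAN."""
    if src == dst:
        return True
    # The promiscuous port talks to every port in the primary VLAN, and every port talks to it.
    if PortType.PROMISCUOUS in (src.ptype, dst.ptype):
        return True
    # Isolated ports never reach other host ports, not even other isolated ports.
    if PortType.ISOLATED in (src.ptype, dst.ptype):
        return False
    # Two community ports reach each other only inside the same community group.
    return src.community == dst.community


def reachable_from(src: Port, ports: List[Port]) -> List[str]:
    """Names of the other ports that src can send to, sorted for stable output."""
    return sorted(p.name for p in ports if p is not src and can_forward(src, p))


def reachability_matrix(ports: List[Port]) -> Dict[Tuple[str, str], bool]:
    """Full (src, dst) -> allowed table, useful for checking a design against the intended isolation."""
    return {(a.name, b.name): can_forward(a, b) for a in ports for b in ports if a is not b}


# Constructed sample topology (hypothetical names): one gateway, two customers in
# community groups, and two hosts that must only ever talk to the gateway.
GATEWAY = Port("gw", PortType.PROMISCUOUS)
CUST_A1 = Port("custA-1", PortType.COMMUNITY, "custA")
CUST_A2 = Port("custA-2", PortType.COMMUNITY, "custA")
CUST_B1 = Port("custB-1", PortType.COMMUNITY, "custB")
ISO1 = Port("iso-1", PortType.ISOLATED)
ISO2 = Port("iso-2", PortType.ISOLATED)
SAMPLE_PORTS = [GATEWAY, CUST_A1, CUST_A2, CUST_B1, ISO1, ISO2]

if __name__ == "__main__":
    for p in SAMPLE_PORTS:
        peers = ", ".join(reachable_from(p, SAMPLE_PORTS)) or "(none)"
        print(f"{p.name:8} -> {peers}")
```

Running the script prints each port's reachable neighbours; the check worth carrying over to a real switch is the same one the model makes explicit: an isolated port should list only the promiscuous port, and a community port should list only its own group plus the promiscuous port.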
If the Private VLAN is configured correctly, it allows proper IP subnet addressing and, in addition, provides privacy within a community and for isolated individual ports.