CCNP learning path PVLAN (Private vlan)

CCNP learning path PVLAN (Private vlan)

In the concept of PVLAN, there are three types of switch ports: Isolated port, Community port, and Promiscuous port ). They correspond to different VLAN types: Isolated ports belong to Isolated PVLAN, while Community ports belong to Community PVLAN. The Private VLAN represents the Primary VLAN as a whole, the first two VLANs must be bound with them. Www.2cto.com
In PVLAN, the communication principle is as follows: Isolated port can only communicate with Promiscuous port, but cannot exchange communication streams with each other. In Community PVLAN, Community port can not only communicate with Promiscuous port, in addition, the Promiscuous port can exchange communication streams with each other. The Promiscuous port is connected to the vro or layer-3 switch interface, and the communication streams it receives can be sent to the Isolated port and Community port.
PVLAN solves two problems that the service provider encounters when using VLAN:
The n switch supports a maximum of 4096 VLANs. To assign a VLAN to each customer, the number of VLANs that the service provider can provide to the customer is limited.
N to enable IP routing, each VLAN needs to allocate a subnet space or an address block, which will cause IP address waste and IP address management problems.
Using private VLANs can solve scalability problems, provide IP address management benefits for service providers, and provide layer-2 security for clients.
The PVLAN function divides a L2 VLAN broadcast domain into multiple subdomains. A subdomain includes a pair of PVLAN: a primary VLAN and a secondary VLAN ). One PVLAN domain can have multiple PVLAN pairs, one for each subdomain. The PVLAN pairs in all subdomains in the pvlan domain share the same primary VLAN, but the slave VLAN IDs in each subdomain are different. 8-3. The PVLAN includes two subdomains, each of which has its own slave VLAN (in the figure, "Secondary community VLAN" and "Secondary isolated VLAN "), and share the same Primary VLAN (Primary VLAN ).


Figure 8-3 PVLAN example
A pvlan domain has only one Primary VLAN (Primary VLAN ). Each port in a PVLAN domain is a member of the primary VLAN. That is to say, the main VLAN is the entire PVLAN domain. The Secondary VLAN provides layer-2 isolation between ports in the same PVLAN domain. There are two types of slave VLANs:
N Isolated VLAN (Isolated VLAN): ports in the Isolated VLAN cannot communicate with other L2 ports.
N public VLAN: a port in a public VLAN can communicate with other L2 ports in the same public VLAN, but cannot communicate with the L2 ports in other public VLANs.
 

As described above, PVLAN has the following three types of ports:
Promiscuous port: A hybrid port belongs to the primary VLAN and can communicate with all interfaces, including the host ports associated with the primary VLAN in the common and isolated VLAN.
N isolation port: an isolation port is a host port in the isolation VLAN (that is, a port that can only be connected to the host ). This port is fully isolated from other ports in the same PVLAN domain, except for the hybrid port. However, PVLAN prevents all communication from reaching the isolation port from the hybrid port. The communication received from the isolation port can only be forwarded to the hybrid port.
N common port: A common port is a host port of a public VLAN. A common port can communicate with other ports in the same public VLAN. These interfaces are layer-2 isolated from all interfaces on other public VLANs and other isolation ports in the same PVLAN.
[Note] Because relay supports VLAN communication between isolated, common, and hybrid ports, isolation and communication between common ports may access or exit the switch through the relay port.
Corresponding to the three ports, there are three different VLAN types in the PVLAN: The Primary VLAN, the Isolated VLAN (Isolated VLAN), and the public VLAN (Community VLAN) three VLANs. The last two VLANs belong to the Secondary VLAN ).
The master VLAN and two types of slave VLAN have the following features:
N primary VLAN: The primary VLAN carries one-way communication from the hybrid port to the isolated and common host ports, and to other hybrid ports.
N isolated VLAN: Only one isolated VLAN exists in a PVLAN domain. An isolated VLAN is a slave VLAN that carries one-way communication from the host to the hybrid port and the gateway.
N public VLAN: A Public VLAN is a slave VLAN that carries one-way communication from a common port to a hybrid port, a gateway, and other host ports in the same public VLAN.
A hybrid port can only serve one primary VLAN, one isolated VLAN, and multiple public VLANs. A layer-3 gateway is typically directly connected to a vswitch through a hybrid port. A hybrid port allows you to connect a wide range of devices as PVLAN access points. For example, you can use a hybrid port to monitor or back up all PVLAN servers on a workstation.
In an exchange environment, you can assign a specific PVLAN and associated IP subnet to each individual or public terminal site group. The terminal site only needs to communicate with a default gateway that connects to the external PVLAN.
 

You can use PVLAN to control access to the terminal site:
N configure the interface connecting to the terminal site as an isolated port to prevent any layer-2 communication. For example, if the terminal site is a server, this configuration prevents layer-2 communication between servers.
N configure the interface connecting to the default gateway and the selected terminal site (such as the backup server) as a hybrid port to allow all terminal sites to access the default gateway.
You can extend the PVLAN through multiple devices by trunk the master, isolation, and VLAN to other devices that support PVLAN. To maintain the security of your PVLAN, avoid configuring other VLANs as PVLAN, and configure PVLAN on all intermediate devices, including devices without PVLAN ports.
8.4.4 when you assign an independent VLAN to each customer, deploy a valid IP address architecture according to the following guidelines:
N allocating an address block to the customer's VLAN may lead to unused IP addresses;
N if the number of devices in a VLAN increases, the number of allocated addresses may not meet this requirement.
These problems can be reduced by using PVLAN, because all members in a PVLAN share a public address space. This public address space is the address space allocated to the main VLAN. Connect to the host from the VLAN. the DHCP server can use the address block in the main VLAN to assign an IP address to the host. The following IP addresses can be allocated to client devices in different slave VLANs (but in the same master VLAN. When a new device is added, the DHCP server can assign a later available address to them from a large Subnet address pool.
 

Same as VLAN, PVLAN can span multiple switches. A relay port is used for communication between the master VLAN and the neighboring switch. The relay port treats PVLAN as any other VLAN. One feature of a pvlan spanning multiple switches is that communication from the isolated port of one switch (Switch A) cannot reach the isolated port of another switch (Switch B in 8-4.
Because VTP does not support PVLAN, you must manually configure PVLAN on all vswitches In the L2 network. If you do not configure the master and slave VLANs, the L2 databases on these switches cannot be merged. This may cause unnecessary PVLAN traffic on other switches.



Figure 8-4 PVLAN example that spans multiple vswitches
 
Some other functions of PVLAN are similar to those of vswitches, such as unicast, broadcast, multicast, and SVI interfaces. The following sections describe them respectively.
1. PVLAN and unicast, broadcast, and multicast communication can communicate with all other L2 devices in the same VLAN according to VLAN rules, however, devices connected to different VLAN interfaces must communicate on the third layer. In PVLAN, a hybrid port is a member of the primary VLAN, while a host port such as an isolated and common type belongs to a slave VLAN. Because the slave VLAN is associated with the master VLAN, the members of these VLANs can communicate with other L2 members.
According to VLAN rules, broadcast packets are forwarded to all ports in the VLAN. The PVLAN broadcast package determines whether to forward the broadcast package based on the port type:
N isolation port only sends the broadcast packet to the mixed port or the relay port.
N a common port sends a broadcast packet to the mixed port, relay port, and all other ports in the same public VLAN.
N hybrid ports send broadcast packets to all PVLAN ports (including other hybrid ports, relay ports, isolation ports, and common ports ).
Multicast communication can be routed or bridging across PVLAN boundaries, or forwarded in a public VLAN. However, multicast communication is not forwarded between ports in the same isolated VLAN or between ports in different slave VLANs.
2. PVLAN and SVISVI are layer-3 interfaces of L2 VLAN. A layer-3 device can only communicate through the primary VLAN in the PVLAN, but not through the slave VLAN. Therefore, you only need to configure the layer-3 SVI interface in the primary VLAN, instead of configuring the SVI interface in the secondary LVAN. The SVI interface in the slave VLAN is not active.
N if you want to configure a VLAN for the active SVI interface for the slave VLAN, the configuration will not be accepted until the SVI interface is disabled.
N if you want to create a SVI interface from a VLAN, when the VLAN has been mapped, the SVI interface cannot be created, and an error occurs. If the VLAN is not mapped to a layer-3 VLAN, the SVI interface can be created, but it is automatically disabled.
When the primary VLAN is associated with the slave VLAN and mapped to the slave VLAN, all configurations on the master VLAN are transmitted to the SVI interface of the slave VLAN. For example, if you configure an IP address for the main vlan svi interface, the IP address becomes the IP address of the whole PVLAN.