Dedicated Virtual LAN technology and application example

1 Preface
Vswitch is one of the core devices in the network. Its technology has developed rapidly, from 10 Mbit/s Ethernet to 100 Mbit/s fast Ethernet, and then to 1 Gbit/s and 10 Gbit/s Ethernet. Switch in Communication Applications in fields and enterprises are developing in depth, and network administrators are increasingly eager to master PVLAN technology. This article summarizes the application through practical experience.
2 limitations of VLANWith the rapid development of the network, users have put forward higher requirements for the security of network data communication, such as preventing hacker attacks and controlling the spread of viruses, all of which require the relative security of network user communication; the traditional solution is to assign each customer a VLAN and a related IP subnet. By using VLAN, each customer is isolated from Layer 3, it can prevent malicious behaviors and snoop of Ethernet information. However, this model for allocating a single VLAN and an IP subnet for each customer creates huge scalability limitations. These limitations mainly involve the following aspects.
(1) VLAN restrictions: limits on the number of VLANs inherent in the vswitch;
(2) complex STP: For each VLAN, the topology of each related Spanning Tree needs to be managed;
(3) shortage of IP addresses: IP subnet division will inevitably result in waste of some IP addresses;
(4) routing restrictions: Each subnet requires the corresponding Default Gateway configuration.
3 PVLAN TechnologyNow we have a new VLAN mechanism. All servers are in the same subnet, but the server can only communicate with its own default gateway. This new VLAN feature is dedicated VLAN (Private VLAN ). In the concept of Private VLAN, there are three types of switch ports: Isolated port, Community port, and Promiscuous port. They correspond to different VLAN types: Isolated port belongs to Isolated PVLAN, the Community port belongs to the Community PVLAN and represents the Primary VLAN as a Private VLAN. The first two VLANs must be bound with the Private VLAN and the Promiscuous port is also included. In Isolated PVLAN, Isolated ports can only communicate with Promiscuous ports, but cannot exchange traffic with each other. In Community PVLAN, Community ports can not only communicate with Promiscuous ports, but also exchange traffic with each other. The Promiscuous port is connected to the vro or layer-3 vswitch interface. The traffic received by the Promiscuous port can be sent to the Isolated port and Community port. PVLAN applications are very effective for ensuring the security of data communication over the access network. You only need to connect to your own default gateway, a pvlan provides 2nd-layer Data Communication Security connection without the need for multiple VLANs and IP subnets. All users access the PVLAN to connect all users to the default gateway, other users in PVLAN have no access. The PVLAN function ensures that each port in the same VLAN cannot communicate with each other, but can pass through the Trunk port. In this way, even users in the same VLAN are not affected by the broadcast.
4 PVLAN configuration steps (1) Put switch in VTP transparent mode
Set vtp mode transparent
(2) Create the primary private VLAN
Set vlan pvlan-type primary
(3) Set the isolated or community VLAN (s)
Set vlan pvlan-type {isolated community}
(4) Map the secondary VLAN (s) to the primary VLAN
Set pvlan primary_vlan {isolated_vlan community _
Vlan} {mod/port sc0}
(5) Map each secondary VLAN to the primary VLAN on the promiscuous port (s)
Set pvlan mapping primary_vlan {isolated_vlan community_vlan} {mod/port} [mod/port...]
(6) Show PVLAN configuration
Show pvlan [primary_vlan]
Show pvlan mapping
Show vlan [primary_vlan]
Show port 5 examplesThe following describes the PVLAN configurations of A vswitch running in the network. VLAN 100 is the Primary VLAN, VLAN 101 is the Isolated VLAN, and VLAN 102 and VLAN 103 are the Community VLAN.
N8-CSSW-2> (enable) show running-config
This command shows non-default invocations only.
Set system name N8-CSSW-2
# Vtp
Set vtp domain sdunicom
Set vtp mode transparent
Set vlan 1 name default type ethernet mtu 1500 said 100001 state active
Set vlan 100 name VLAN0100 type ethernet pvlantype primary mtu 1500 said 100100 state active
Set vlan 101 name VLAN0101 type ethernet pvlantype isolated mtu 1500 said 100101 state active
Set vlan 102 name VLAN0102 type ethernet pvlantype community mtu 1500 said 100102 state active
Set vlan 103 name VLAN0103 type ethernet pvlantype community mtu 1500 said 100103 state active
# Module 2: 50-port 10/100/1000 Ethernet
Set pvlan 100 101 2/26-, 2/35-, 2/42-43
Set pvlan mapping 100 101 2/49
Set pvlan 100 102 2/1-13, 2/30-34
Set pvlan mapping 100 102 2/49
Set pvlan 100 103 2/14-25
Set pvlan mapping 100 103 2/49
End
N8-CSSW-2> (enable) show pvlan
Primary Secondary-Type Ports
--------------------------------
100 101 isolated 2/26-29,2/35-36,2/42-43
100 102 community 2/1-/30-34
100 103 community 2/14-25 6 conclusionCurrently, vswitches produced by many manufacturers support PVLAN technology. PVLAN technology has obvious advantages in solving communication security, preventing broadcast storms, and wasting IP addresses. PVLAN technology helps network optimization, in addition, PVLAN configuration on vswitches is relatively simple, and PVLAN technology is increasingly favored by network administrators.