Private VLANs: Extending the abilities of a VLAN
The private VLAN feature provides the ability to extend the
capabilities of a “standard” VLAN. It does this by introducing some
additional concepts: Primary VLAN, Community VLAN and Isolated VLAN. The
Primary VLAN should be considered the Master in the master/slave
relationship with the other two sub-types. Switch ports assigned within
the primary VLAN are able to see traffic from all devices within the
primary VLAN and all sub-types (also referred to as secondary VLANs).
Both Community and Isolated VLANs should be considered slaves in the
master/slave relationship with the primary VLAN. Switchports assigned to
a Community VLAN can see traffic from all other devices in the same
Community VLAN and can send traffic back and forth with devices in the
primary VLAN. Switchports assigned to an Isolated VLAN can send traffic
back and forth with devices in the primary VLAN, but CANNOT see traffic
from other devices in the same Isolated VLAN.
It is important to understand that regardless of the VLAN assignment
of the switchport, all of the devices will share the same IP subnet; the
private VLAN feature just sets up rules as to which devices are able to
speak to each other.
Why Use a Private VLAN?
The next question really is why would an engineer want to implement
the private VLAN feature? This section goes over a few possibilities.
What if an Internet Service Provider (ISP) had a limited amount of
subnet space and wanted to make the most of it by assigning all of the
customers in a geographic area to the same IP subnet? Of course, most
customers do not want other people seeing their layer 2 switched
traffic, as it opens up potential security issues. Individual customers
who only have a single port connected into the service provider can be
assigned into an isolated private VLAN; their traffic would then only be
sent to and received from the ISP devices connected directly to the
primary VLAN.
What if a company existed in the same geographic area and had
multiple offices with multiple Internet connections? With community
VLANs it is possible to place all of these connections into one
community so that each office can talk directly to the others while
also going out through the same shared Internet connection.
These are some very simple examples but they do show that the
functionality of private VLANs can be useful to any design engineer
looking for a solution to a specific set of design requirements.
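The forwarding rules described above (primary/promiscuous, community, isolated) and the two scenarios in this section (isolated ISP customers, community company offices) can be checked against a small model. The following is an added example written for this page, not code from the original post or from any switch vendor; the VLAN numbers, port names and the five-port topology are constructed for illustration. It encodes the layer 2 reachability a switch applies between PVLAN port types, so a design can be verified before it is configured.

```python
"""Model of private VLAN (PVLAN) forwarding rules between switch ports.

Added example for this page; port names and VLAN ids are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROMISCUOUS = "promiscuous"  # port in the primary VLAN (e.g. the ISP gateway)
COMMUNITY = "community"      # secondary VLAN: members see each other and the primary
ISOLATED = "isolated"        # secondary VLAN: members see only the primary


@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: str
    secondary: Optional[int] = None  # secondary VLAN id; None for promiscuous ports

    def __post_init__(self) -> None:
        # Reject inconsistent assignments before they reach a reachability check.
        if self.role not in (PROMISCUOUS, COMMUNITY, ISOLATED):
            raise ValueError(f"unknown port role {self.role!r}")
        if self.role == PROMISCUOUS and self.secondary is not None:
            raise ValueError("promiscuous ports belong to the primary VLAN only")
        if self.role != PROMISCUOUS and self.secondary is None:
            raise ValueError(f"{self.role} port {self.name} needs a secondary VLAN")


def can_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """Return True if a frame entering on src may be delivered out of dst."""
    if src.name == dst.name:
        return False  # a frame is never forwarded back out its ingress port
    # Primary (promiscuous) ports talk to everything, and everything talks to them.
    if src.role == PROMISCUOUS or dst.role == PROMISCUOUS:
        return True
    # Community members reach each other only inside the same community VLAN.
    if src.role == COMMUNITY and dst.role == COMMUNITY:
        return src.secondary == dst.secondary
    # Isolated<->isolated, isolated<->community, and different communities: blocked.
    return False


def reachability(ports: List[PvlanPort]) -> Dict[Tuple[str, str], bool]:
    """Full (src, dst) -> allowed matrix for a list of ports."""
    return {(s.name, d.name): can_forward(s, d)
            for s in ports for d in ports if s.name != d.name}


def peers_of(name: str, ports: List[PvlanPort]) -> List[str]:
    """Sorted names of the ports that the named port can send frames to."""
    matrix = reachability(ports)
    return sorted(d for (s, d), ok in matrix.items() if s == name and ok)


# Constructed sample topology (assumed ids and names, not from the article):
# one primary VLAN, one community for company offices, a second community for
# an unrelated partner site, and one isolated VLAN for single-port ISP customers.
PRIMARY = 100
OFFICE_COMMUNITY = 101
PARTNER_COMMUNITY = 103
CUSTOMER_ISOLATED = 102

SAMPLE_PORTS = [
    PvlanPort("isp_gateway", PROMISCUOUS),
    PvlanPort("office_a", COMMUNITY, OFFICE_COMMUNITY),
    PvlanPort("office_b", COMMUNITY, OFFICE_COMMUNITY),
    PvlanPort("partner_site", COMMUNITY, PARTNER_COMMUNITY),
    PvlanPort("customer_1", ISOLATED, CUSTOMER_ISOLATED),
    PvlanPort("customer_2", ISOLATED, CUSTOMER_ISOLATED),
]


def main() -> None:
    for port in SAMPLE_PORTS:
        print(f"{port.name:13s} ({port.role:11s}) -> {', '.join(peers_of(port.name, SAMPLE_PORTS))}")


if __name__ == "__main__":
    main()
```

The matrix shows what the section states: each isolated customer can reach only the gateway, the two offices reach each other and the gateway, and a community with a different id is just as cut off from the offices as an isolated port. Note that the model, like the feature itself, stops at layer 2; because every port still shares one IP subnet, a router on the promiscuous port could still forward traffic between two isolated hosts (for example with local proxy ARP enabled), so the layer 3 device should carry a matching access policy if that separation matters.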
(Note: Original Post is posted by Sean Wilkins at his blog http://www.trainsignal.com/blog/private-vlan-concepts)