techlanguageblog

Private VLANs

Posted on: February 3, 2012

A private VLAN divides a regular VLAN domain into sub-domains, and there can be multiple VLANs within each sub-domain.

The private VLAN feature was introduced to overcome the following two problems that service providers used to experience with regular VLANs.

1) Scalability

2) IP Address Management

1) Scalability:-

The maximum number of VLANs that any 802.1Q-compliant network device can support is 4096. VLAN ID 0 is used to identify priority frames and VLAN ID 4095 is reserved, so the maximum number of usable VLAN IDs on any network device is 4,094.

Because of this VLAN ID limit on networking devices, ISPs used to run into scalability problems when the 4095th customer signed up, as there would be no VLAN ID left to assign to the new customer.

2) IP Address Management:-

Every VLAN requires a separate IP subnet, so with the regular VLAN model there can be considerable wastage of IP addresses in each subnet. The private VLAN concept originated for that reason.

A private VLAN provides Layer 2 isolation between ports within the same private VLAN. All ports in a private VLAN are access ports and are one of the following types.

Promiscuous:-

A promiscuous port belongs to the primary VLAN and is able to communicate with all other ports of the private VLAN.

Isolated:-

An isolated port belongs to a secondary VLAN. It is completely isolated from all other private VLAN ports except the promiscuous ports.

Community:-

A community port communicates with the other ports of the same community VLAN and with the promiscuous ports. Because isolated ports are completely isolated from all other private VLAN ports, community ports cannot communicate with the isolated ports of the private VLAN.

Every private VLAN contains the following two types of VLANs.

1) Primary VLAN

2) Secondary VLAN

Primary VLAN

A private VLAN has only one primary VLAN. The primary VLAN carries downstream, unidirectional traffic from the promiscuous ports to the community and isolated host ports and to the other promiscuous ports.

Secondary VLAN

Secondary VLANs are of two types.

1) Isolated VLAN

A private VLAN has only one isolated VLAN. An isolated VLAN is a secondary VLAN that carries traffic upstream from the isolated host ports towards the promiscuous ports.

2) Community VLAN

A private VLAN can have multiple community VLANs. A community VLAN is a secondary VLAN that carries traffic upstream from community ports to the other ports of the same community and to the promiscuous ports.

Configuration Example:-

The following steps are required for private VLAN configuration.

1) If the switch is running VTP version 1 or 2, set the VTP mode to transparent.

vtp mode transparent

2) Create the primary and secondary VLANs.

vlan <vlan-id>
 private-vlan primary
 exit
vlan <vlan-id>
 private-vlan isolated
 exit
vlan <vlan-id>
 private-vlan community
 exit

3) Configure the association between the primary VLAN and its secondary VLANs.

vlan <primary-vlan-id>
 private-vlan association [add|remove] <secondary-vlan-list>
 exit
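A complete worked configuration for a Cisco IOS Catalyst switch, added here as an illustration and not taken from the original post. It carries the three steps above through and adds the host and promiscuous port configuration the steps do not show. The VLAN IDs (100 primary, 101 isolated, 102 community), the interface names and the 192.0.2.0/24 address are assumed values:

```cisco
! Step 1: private VLANs are not propagated by VTP v1/v2, so go transparent
vtp mode transparent
!
! Step 2: create the secondary VLANs first, then the primary VLAN
vlan 101
 private-vlan isolated
 exit
vlan 102
 private-vlan community
 exit
vlan 100
 private-vlan primary
 ! Step 3: bind both secondary VLANs to the primary VLAN
 private-vlan association 101,102
 exit
!
! Isolated host port: reaches only the promiscuous port (assumed interface)
interface GigabitEthernet0/1
 description customer-A (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community host ports: reach each other and the promiscuous port
interface GigabitEthernet0/2
 description customer-B web (community 102)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
interface GigabitEthernet0/3
 description customer-B db (community 102)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port towards the router/gateway: maps every secondary VLAN
interface GigabitEthernet0/24
 description uplink to gateway (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Optional: if the switch itself routes for the primary VLAN, the SVI
! needs the same mapping so hosts in 101/102 can reach the gateway
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 101,102
```

After applying it, show vlan private-vlan lists the primary/secondary associations and the ports bound to each, and show interfaces GigabitEthernet0/1 switchport confirms the port's operational private VLAN mode.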
