Welcome to IE-LAB!

Generic filters
Generic filters

Cisco PVLAN configuration details

pVLANs are typically used on intranets to prevent communication between network devices connected to certain interfaces or groups of interfaces, but allow communication with the default gateway. Although each device is in a different pVLAN, they can use the same IP subnet.

PVLANs allow traffic to be limited between certain ports within the same VLAN

PVLAN implements port isolation in one VLAN.

With the rapid development of the network, users put forward higher requirements for the security of network data communication, such as preventing hacker attacks and controlling virus transmission, etc., all of which require the relative security of network users to communicate; The traditional solution is to assign each client a VLAN and associated IP subnet. By using VLANs, each client is isolated from Layer 2 to prevent any malicious behavior and Ethernet snooping.However, this model of assigning a single VLAN and IP subnet per customer creates enormous scalability limitations. These limitations mainly include the following aspects.

(1)VLAN limitation: the limitation of the number of VLANs inherent in the switch;

(2) Complex STP: For each VLAN, the topology of each relevant Spanning Tree needs to be managed;

(3) The shortage of IP addresses: the division of IP subnets will inevitably result in the waste of some IP addresses;

(4) Routing restrictions: Each subnet requires a corresponding default gateway configuration.

Therefore, a new VLAN mechanism has emerged, which is a PVLAN.

PVLANs have two VLANs: Primary vlan and auxiliary vlan.

The auxiliary vlan contains two types of vlan: lsolated vlan and Community vlan

Two port types of PVLAN: Promiscuous Port and Host Port

The “hybrid port” belongs to the “Primary VLAN”; the “host port” belongs to the “Secondary VLAN”.Since the “Secondary VLAN” has two attributes, the “host port” in the “Secondary VLAN” differs depending on the “Secondary VLAN” attribute, that is, the “Host Port” inherits the “Secondary VLAN”. Attributes.As can be seen from this, “host ports” are also divided into two categories – “isolated port” and “community port”.

A physical port on a switch in a pVLAN is either a “promiscuous port” or an “isolated” port or a “community” port.

PVLAN usage notes:
  1. There is at least one “Secondary VLAN” in a “Primary VLAN” with no upper limit.
  2. There can only be one “Isolated VLAN” in a “Primary VLAN”, and there can be multiple “Community VLANs”.
  3. Any port between different “Primary VLANs” cannot communicate with each other (here “communication with each other” refers to Layer 2 connectivity).
  4. “Isolated Port” can only communicate with “hybrid ports” and cannot communicate with any other port.
  5. “Community port” can communicate with “promiscuous port” or with other physical ports in the same “Community VLAN”, and cannot communicate with other ports.
  6. There can only be one “Promiscuous Port” in a “Primary PVLAN”;
  7. To create PVLAN money, you need to configure the switch VTP to be in transparent mode.
  8. The Layer 3 Vlan interface can only be assigned to the primary VLAN.
  9. You cannot configure etherchannel in PVLAN.

At present, many vendors support PVLAN technology. Pvlan has obvious advantages in solving the security of the same letter and preventing broadcast storms, and it helps network optimization.

For more articles you can follow us on:

error: Content is protected !!
× How can I help you?