A very good read for a topic that seems to get very little exposure. I know in the Cisco Press books I have read, Private VLANs were only covered by a few pages here and there. I am sure if you work for a large ISP or network provider you are very familiar already with this topic, but for us little network people this is a nice read…

Due to the non-decreasing interest in the post about Private VLANs, I decided to make another one, more detailed – including a diagram and verification techniques.

To begin with, look at the concept of a VLAN as a broadcast domain. What Private VLANs (PVLANs) do is split that domain into multiple isolated broadcast subdomains. It’s a nesting concept – sub-VLANs inside a VLAN. Next, as we know, Ethernet VLANs are not allowed to communicate directly with each other – they require an L3 device to forward packets between broadcast domains. The same concept applies to PVLANs – since the subdomains are isolated at L2, they need to communicate using an upper-level (L3/packet forwarding) entity, such as a router.

However, there is a difference here. Regular VLANs usually correspond to a single IP subnet. When we split a VLAN using PVLANs, hosts in different PVLANs still belong to the same IP subnet, but now they need to use a router (L3 device) to talk to each other (for example, by using local Proxy ARP). In turn, the router may either permit or forbid communications between sub-VLANs using access-lists.

Why would anyone need Private VLANs? Commonly, this kind of configuration arises in “shared” environments, say ISP co-location, where it’s beneficial to put multiple customers into the same IP subnet, yet provide a good level of isolation between them.
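The following Catalyst IOS configuration is an added illustration of the arrangement described above; it is not taken from the quoted post or from its diagram. It assumes a switch whose IOS supports private VLANs and SVI mapping (VTP transparent mode is required for PVLANs under VTP versions 1 and 2); VLAN numbers, interface names and the 192.0.2.0/24 addresses are constructed for the example. One primary VLAN (the IP subnet) is split into an isolated sub-VLAN and a community sub-VLAN, the switch's own SVI acts as the L3 device with local proxy ARP, and an access-list on that SVI decides which hairpinned intra-subnet traffic is allowed.

```cisco
! Added example, not the original post's configuration. Names, VLAN ids and
! addresses are constructed. Primary VLAN 100 = subnet 192.0.2.0/24, split
! into secondary VLAN 101 (isolated: hosts reach only the promiscuous side)
! and secondary VLAN 102 (community: members reach each other at L2).
vtp mode transparent
!
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Customer A: two ports in the isolated VLAN, no L2 path between them
interface GigabitEthernet1/0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Customer B: two ports in the community VLAN, they do see each other at L2
interface GigabitEthernet1/0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
interface GigabitEthernet1/0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! L3 gateway on the switch itself. The SVI is mapped to both secondary
! VLANs so it receives their traffic. Local proxy ARP makes the SVI answer
! ARP requests for hosts in the same subnet that the isolation hides, so
! host-to-host traffic between sub-VLANs hairpins through the router and
! is subject to the access-list below.
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 101,102
 ip local-proxy-arp
 no ip redirects
 ip access-group PVLAN-INTER-CUSTOMER in
!
! Policy at L3: hosts may reach the gateway and leave the subnet, but
! hairpinned traffic between hosts of the same subnet is dropped. Replace
! the deny with permits if specific sub-VLANs are meant to talk to each other.
ip access-list extended PVLAN-INTER-CUSTOMER
 permit ip 192.0.2.0 0.0.0.255 host 192.0.2.1
 deny   ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
 permit ip 192.0.2.0 0.0.0.255 any
!
! Verification:
!   show vlan private-vlan              -> primary/secondary types and ports
!   show interfaces Gi1/0/1 switchport  -> operational mode and association
!   show ip interface Vlan100           -> local proxy ARP state and ACL
```

With this in place, the two isolated ports in VLAN 101 cannot exchange frames even though both sit in 192.0.2.0/24; the only way between them is through the SVI, where the access-list drops the attempt. The community ports in VLAN 102 keep their direct L2 path, which is the distinction between the two secondary VLAN types described in the text.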

  August 21st, 2009 3:32 am

