
Understanding Private VLANs


VLANs limit broadcasts to specified users. Private VLANs (PVLANs) take this concept a step further by splitting the broadcast domain into multiple isolated broadcast subdomains and essentially putting secondary VLANs inside a primary VLAN. PVLANs restrict traffic flows through their member switch ports (called “private ports”) so that these ports communicate only with a specified uplink trunk port or with specified ports within the same VLAN. The uplink trunk port is usually connected to a router, firewall, server, or provider network. Each PVLAN typically contains many private ports that communicate only with a single uplink, thereby preventing the ports from communicating with each other.

Just like regular VLANs, PVLANs are isolated on Layer 2 and require that a Layer 3 device be used to route traffic among them. PVLANs are useful for restricting the flow of broadcast and unknown unicast traffic and for limiting the communication between known hosts. Service providers use PVLANs to keep their customers isolated from one another.

This topic explains the following concepts regarding PVLANs on the QFX Series.

Typical Structure and Primary Application of PVLANs

A PVLAN can be created on a single switch or can be configured to span multiple switches. The PVLAN shown in Figure 1 includes two switches, with a primary PVLAN domain and various subdomains.

Figure 1: Subdomains in a PVLAN

As shown in Figure 1, a PVLAN has only one primary domain and multiple secondary domains. The types of domains are:

  • Primary VLAN—VLAN used to forward frames downstream to isolated and community VLANs.

  • Secondary isolated VLAN—VLAN that receives packets only from the primary VLAN and forwards frames upstream to the primary VLAN.

  • Secondary interswitch isolated VLAN—VLAN used to forward isolated VLAN traffic from one switch to another through PVLAN trunk ports. 802.1Q tags are required for interswitch isolated VLANs because IEEE 802.1Q uses an internal tagging mechanism by which a trunking device inserts a 4-byte VLAN identification tag into the Ethernet frame header.

  • Secondary community VLAN—VLAN used to transport frames among members of a community (a subset of users within the VLAN) and to forward frames upstream to the primary VLAN.

Figure 2 shows a PVLAN spanning multiple switches, where the primary VLAN (100) contains two community domains (300 and 400) and one interswitch isolated domain.

Figure 2: PVLAN Spanning Multiple Switches
Note

Primary and secondary VLANs count against the limit of 4089 VLANs supported on the QFX Series. For example, each VLAN in Figure 2 counts against this limit.

Using 802.1Q Tags to Identify Packets

When packets are marked with a customer-specific 802.1Q tag, that tag identifies ownership of the packets for any switch or router in the network. Sometimes, 802.1Q tags are needed within PVLANs to keep track of packets from different subdomains. Table 1 indicates when a VLAN 802.1Q tag is needed on the primary VLAN or on secondary VLANs.

Table 1: PVLAN Requirements for 802.1Q Tags

Primary VLAN
  On a single switch: specify an 802.1Q tag by setting a VLAN ID.
  On multiple switches: specify an 802.1Q tag by setting a VLAN ID.

Secondary VLAN
  On a single switch: no tag needed on the secondary VLANs.
  On multiple switches: the secondary VLANs need 802.1Q tags:
    • Specify an 802.1Q tag for each community VLAN by setting a VLAN ID.
    • Specify the 802.1Q tag for the interswitch isolated VLAN by setting an isolation ID.

Efficient Use of IP Addresses

PVLANs provide IP address conservation and efficient allocation of IP addresses. In a typical network, VLANs usually correspond to a single IP subnet. In PVLANs, the hosts in all secondary VLANs belong to the same IP subnet because the subnet is allocated to the primary VLAN. Hosts within the secondary VLAN are assigned IP addresses based on IP subnets associated with the primary VLAN, and their IP subnet masking information reflects that of the primary VLAN subnet. However, each secondary VLAN is a separate broadcast domain.

PVLAN Port Types

PVLANs can use six different port types. The network depicted in Figure 2 uses a promiscuous port to transport information to the router, community ports to connect the finance and HR communities to their respective switches, isolated ports to connect the servers, and a PVLAN trunk port to connect the two switches. PVLAN ports have different restrictions:

  • Promiscuous trunk port—A promiscuous port is an upstream trunk port connected to a router, firewall, server, or provider network. A promiscuous trunk port can communicate with all interfaces, including the isolated and community ports within a PVLAN.

  • PVLAN trunk port—A PVLAN trunk port is required in multiswitch PVLAN configurations to span the switches. The PVLAN trunk port is a member of all VLANs within the PVLAN (that is, the primary VLAN, the community VLANs, and the interswitch isolated VLAN), and it carries traffic from the primary VLAN and all secondary VLANs. It can communicate with all ports.

    Communication between a PVLAN trunk port and an isolated port is usually unidirectional. A PVLAN trunk port’s membership in the interswitch isolated VLAN is egress-only, meaning that an isolated port can forward packets to a PVLAN trunk port, but a PVLAN trunk port does not forward packets to an isolated port (unless the packets ingressed on a promiscuous access port and are therefore being forwarded to all the secondary VLANs in the same primary VLAN as the promiscuous port).

  • Secondary VLAN trunk port (not shown)—Secondary trunk ports carry secondary VLAN traffic. For a given private VLAN, a secondary VLAN trunk port can carry traffic for only one secondary VLAN. However, a secondary VLAN trunk port can carry traffic for multiple secondary VLANs as long as each secondary VLAN is a member of a different primary VLAN. For example, a secondary VLAN trunk port can carry traffic for a community VLAN that is part of primary VLAN pvlan100 and also carry traffic for an isolated VLAN that is part of primary VLAN pvlan400.

  • Community port—Community ports communicate among themselves and with their promiscuous ports. Community ports serve only a select group of users. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.

  • Isolated access port—Isolated ports have Layer 2 connectivity only with promiscuous ports and PVLAN trunk ports—an isolated port cannot communicate with another isolated port even if these two ports are members of the same isolated VLAN (or interswitch isolated VLAN) domain. Typically, a server, such as a mail server or a backup server, is connected on an isolated port. In a hotel, each room would typically be connected on an isolated port, meaning that room-to-room communication is not possible, but each room can access the Internet on the promiscuous port.

  • Promiscuous access port (not shown)—These ports carry untagged traffic. Traffic that ingresses on a promiscuous access port is forwarded to all secondary VLAN ports on the device. If traffic ingresses into the device on a VLAN-enabled port and egresses on a promiscuous access port, the traffic is untagged on egress. If tagged traffic ingresses on a promiscuous access port, the traffic is discarded.
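The tagging rules in Table 1 and the port types listed above, as an added configuration example that is not from the original page: a PVLAN spanning two switches, written in the non-ELS Junos CLI syntax used on the QFX Series this topic describes. The switch roles, interface names, VLAN names and the IDs 100, 300, 400 and 50 are assumptions chosen to mirror Figure 2; the `#` lines are commentary, not CLI input.

```junos
# ===== Switch 1 (assumed: router uplink on xe-0/0/0, PVLAN trunk to switch 2 on xe-0/0/10) =====

# Primary VLAN. Its VLAN ID is the 802.1Q tag used toward the router and across the PVLAN trunk.
set vlans pvlan100 vlan-id 100

# isolation-id is the 802.1Q tag for the interswitch isolated VLAN. It is needed only because
# this PVLAN spans two switches; on a single switch it is omitted (Table 1).
set vlans pvlan100 isolation-id 50

# no-local-switching turns the primary VLAN's access members into isolated ports: each can reach
# the promiscuous trunk but not another isolated port, on this switch or on switch 2.
set vlans pvlan100 no-local-switching
set vlans pvlan100 interface xe-0/0/3.0

# Promiscuous trunk port: a trunk member of the primary VLAN, facing the router.
set interfaces xe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set vlans pvlan100 interface xe-0/0/0.0

# Community VLANs. On a single switch these would need no vlan-id; because the PVLAN spans
# switches, each community carries its own 802.1Q tag across the PVLAN trunk.
set vlans finance vlan-id 300
set vlans finance primary-vlan pvlan100
set vlans finance interface xe-0/0/1.0
set vlans finance interface xe-0/0/2.0

set vlans hr vlan-id 400
set vlans hr primary-vlan pvlan100
set vlans hr interface xe-0/0/4.0

# PVLAN trunk port toward switch 2: a trunk member of the primary VLAN flagged pvlan-trunk,
# so it also carries every secondary VLAN (300, 400 and isolation ID 50).
set interfaces xe-0/0/10 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/10 unit 0 family ethernet-switching pvlan-trunk
set vlans pvlan100 interface xe-0/0/10.0

# Optional: disable MAC learning. The statement on the primary VLAN is inherited by the
# isolated VLAN; each community VLAN must carry it explicitly (see the Note below Table 2).
set vlans pvlan100 no-mac-learning
set vlans finance no-mac-learning
set vlans hr no-mac-learning

# ===== Switch 2 (assumed: PVLAN trunk to switch 1 on xe-0/0/10) =====
# The primary VLAN ID, isolation ID and community VLAN IDs must match switch 1: those tags are
# what identify each subdomain's frames on the PVLAN trunk.
set vlans pvlan100 vlan-id 100
set vlans pvlan100 isolation-id 50
set vlans pvlan100 no-local-switching
set vlans pvlan100 interface xe-0/0/5.0
set vlans finance vlan-id 300
set vlans finance primary-vlan pvlan100
set vlans finance interface xe-0/0/6.0
set vlans hr vlan-id 400
set vlans hr primary-vlan pvlan100
set vlans hr interface xe-0/0/7.0
set interfaces xe-0/0/10 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/10 unit 0 family ethernet-switching pvlan-trunk
set vlans pvlan100 interface xe-0/0/10.0
```

After committing on both switches, `show vlans extensive` lists the primary VLAN and the secondary VLANs associated with it. The check worth running before relying on the isolation is the one Table 2 predicts: a host on xe-0/0/3.0 of switch 1 and a host on xe-0/0/5.0 of switch 2 should each reach the router through the promiscuous trunk but should not reach each other, and a finance host should reach other finance hosts on either switch but no hr host. Note that this design consumes four of the 4089 VLAN IDs available on the QFX Series (100, 300, 400 and 50), since primary and secondary VLANs all count against that limit.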

Table 2 summarizes whether Layer 2 connectivity exists between the different types of ports. Read each row as the port type on the left and whether it has Layer 2 connectivity to the port type named in each column.

Table 2: PVLAN Ports and Layer 2 Connectivity

                    Promiscuous  PVLAN    Secondary  Community  Isolated  Promiscuous
Port Type           Trunk        Trunk    Trunk                 Access    Access
------------------  -----------  -------  ---------  ---------  --------  -----------
Promiscuous trunk   Yes          Yes      Yes        Yes        Yes       Yes
PVLAN trunk         Yes          Yes      Yes        Yes (1)    Yes       Yes
Secondary trunk     Yes          Yes      No         Yes        No        Yes
Community           Yes          Yes      Yes        Yes (1)    No        Yes
Isolated access     Yes          Yes (2)  No         No         No        Yes
Promiscuous access  Yes          Yes      Yes        Yes        Yes       No

(1) Same community only.
(2) Unidirectional only; see the PVLAN trunk port description above.

Note

If you enable the no-mac-learning statement on a primary VLAN, all isolated VLANs in the PVLAN inherit that setting. However, if you want to disable MAC address learning on any community VLANs, you must configure the no-mac-learning statement on each of those VLANs.

Limitations of Private VLANs

The following constraints apply to private VLAN configurations:

  • IGMP snooping is not supported with private VLANs.

  • Routed VLAN interfaces are not supported on private VLANs.

  • Routing between secondary VLANs in the same primary VLAN is not supported.