You know, the more I get back into Distributed Switches, the more this is looking like a 10/20/30 part series…! This part concerns Private VLANs or PVLANs. Admittedly, it's not a widely used function of many physical switches, but I have occasionally seen it used by ISPs and Service Providers. So at some stage I'm going to have to renumber all the previous parts of this series to fix that up! So from now on this series is number N of N, and I will fix that numbering when I think I'm finished! 🙂

The VMwareKB YouTube channel has a short video which explains how PVLANs work, which you might find useful if you're configuring this feature for the first time.

Private VLAN on a vNetwork Distributed Switch – Concept Overview

Private VLANs or PVLANs are an extension to the VLAN standard, and allow a single VLAN to be subdivided into secondary PVLANs. These secondary PVLANs reside within the domain of a primary VLAN. As with VLANs, VMware's implementation of PVLANs allows the Distributed Switch to be aware of the underlying physical switches' PVLAN configuration. PVLANs are usually seen within Service Providers, ISPs and government bodies; they are less prevalent in the corporate world, and hardly if ever configured in the SMB market except in unique use cases.

There are three types of Secondary PVLAN:

  • Promiscuous
  • Isolated
  • Community


Each type determines how packets are forwarded, or not. A node attached to a Promiscuous PVLAN can send and receive packets to ANY other node residing on a Secondary PVLAN associated with it. Typically, devices such as routers are attached to Promiscuous PVLANs to act as a gateway to further networks. An Isolated PVLAN has more limited communication properties: it can only communicate to and from its configured Promiscuous PVLAN. It cannot communicate with other Isolated PVLANs or with Community PVLANs; additionally, nodes WITHIN an Isolated PVLAN cannot communicate with each other either. Isolated PVLANs are typically used to create a DMZ for firewall purposes, as one compromised node cannot be used as a source to launch attacks on the others. The Community PVLAN allows a node to send and receive packets from other ports within the same PVLAN, and it can communicate with the Promiscuous PVLAN.

For a Distributed Switch to interact with a PVLAN implementation it must support, and be enabled for, 802.1q tagging. Physical switches can be confused by the fact that in some cases each MAC address is visible with more than one VLAN tag. For this reason the physical switch must trunk to the ESXi host and must not place the uplink in a secondary PVLAN.
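To make the forwarding rules above concrete, here is an added Python model (not from the original post or from VMware) that encodes the promiscuous/community/isolated rules and reports reachability for a constructed topology using the IDs from this series (primary 103, community 203, isolated 204):

```python
from dataclasses import dataclass
from enum import Enum


class PvlanType(Enum):
    PROMISCUOUS = "promiscuous"
    ISOLATED = "isolated"
    COMMUNITY = "community"


@dataclass(frozen=True)
class Port:
    name: str
    primary: int       # primary (promiscuous) PVLAN ID, e.g. 103
    secondary: int     # secondary PVLAN ID this port belongs to, e.g. 203 / 204
    kind: PvlanType


def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame from src may be delivered to dst under PVLAN rules:
    never across primary PVLANs; promiscuous ports reach everything in the
    primary; community ports reach their own community plus promiscuous ports;
    isolated ports reach only promiscuous ports (never each other)."""
    if src is dst or src.primary != dst.primary:
        return False
    if PvlanType.PROMISCUOUS in (src.kind, dst.kind):
        return True
    if src.kind is dst.kind is PvlanType.COMMUNITY:
        return src.secondary == dst.secondary
    return False  # isolated<->isolated, isolated<->community, different communities


def reachability(ports):
    """Map each port name to the sorted names of ports it can send frames to."""
    return {p.name: sorted(q.name for q in ports if can_forward(p, q)) for p in ports}


# Constructed topology: a gateway on promiscuous 103, two web servers in
# community 203, two DMZ hosts in isolated 204 (all secondaries of 103).
GATEWAY = Port("router", 103, 103, PvlanType.PROMISCUOUS)
WEB1 = Port("web1", 103, 203, PvlanType.COMMUNITY)
WEB2 = Port("web2", 103, 203, PvlanType.COMMUNITY)
DMZ1 = Port("dmz1", 103, 204, PvlanType.ISOLATED)
DMZ2 = Port("dmz2", 103, 204, PvlanType.ISOLATED)
TOPOLOGY = [GATEWAY, WEB1, WEB2, DMZ1, DMZ2]

if __name__ == "__main__":
    for name, peers in reachability(TOPOLOGY).items():
        print(f"{name:6s} -> {', '.join(peers) or '(nothing)'}")
```

Running it shows that each DMZ host can reach only the router, which is exactly the property that stops a compromised DMZ node from talking to its neighbour.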

The configuration begins with defining the Promiscuous PVLAN, and then adding the various secondary PVLANs associated with it. The PVLANs are defined as a flat list, with just the PVLAN ID number in the left-hand column of the UI and the Secondary PVLANs defined on the right-hand side. Once the Promiscuous, Isolated and Community PVLANs have been defined they can be utilised by a Distributed Portgroup.

Define the Promiscuous PVLAN

1. Select the Distributed Switch, click the Manage tab, and then click the Settings column.

2. Select Private VLAN, and click the Edit button.

3. In the subsequent dialog box, in the left-hand column click Add and type the PVLAN ID number that represents the Promiscuous PVLAN; in this case PVLAN ID 103.


Notice how, alongside every Promiscuous PVLAN, a secondary PVLAN is created.

4. Next in the same dialog box, in the right-hand column click Add, and type the PVLAN ID number that represents your Isolated or Community PVLAN.


5. Once the configuration is completed the Web Client will refresh to show the new configuration.


Notice how the Community (203) and Isolated (204) PVLANs are configured to speak via the Promiscuous PVLAN (103).

Create PVLAN Enabled Distributed Portgroups

Now that the PVLANs have been defined on the Distributed Switch, Distributed Portgroups can be created to reference them. Friendly names can be used to distinguish their function and purpose.

1. Right-click the Distributed Switch, and select New Distributed Portgroup.

2. Type a friendly name such as pVLAN103-CorpBackBone.

3. Under VLAN and VLAN Type, select Private VLAN, and select one of the Promiscuous PVLAN(s) created earlier.


The drop-down list shows the type (Promiscuous, Isolated, Community) together with the Promiscuous PVLAN number first (103), followed by that PVLAN's own unique PVLAN number (203 or 204).

4. Next we can create portgroups to utilise the other PVLANs that are accessible; these can be used by VMs and by virtual firewalls and routers.
