You know, the more I get back into Distributed Switches, the more this is looking like a 10/20/30-part series! This part concerns Private VLANs or PVLANs. Admittedly, it's not a widely used function of many physical switches, but I have occasionally seen it used by ISPs and Service Providers. So at some stage I'm going to have to renumber all the previous parts of this series to fix that up! So from now on this series is "number of N", and I will fix the numbering when I think I'm finished! 🙂
The VMwareKB YouTube channel has a short video which explains how PVLANs work, which you might find useful if you're configuring this feature for the first time.
Private VLANs (PVLANs) are an extension to the VLAN standard that allows a single VLAN to be subdivided into secondary PVLANs. These secondary PVLANs reside within the domain of a primary VLAN. As with VLANs, VMware's implementation of PVLANs allows the Distributed Switch to be aware of the underlying physical switches' PVLAN configuration. PVLANs are usually seen within Service Providers, ISPs and government bodies; they are less prevalent in the corporate world, and hardly if ever configured in the SMB market except in unique use cases.
There are three types of Secondary PVLAN: Promiscuous, Isolated and Community.
Each type determines how packets are or are not forwarded. A node attached to a Promiscuous PVLAN can send and receive packets to ANY other node residing on a Secondary PVLAN associated with it. Typically, devices such as routers are attached to Promiscuous PVLANs to act as a gateway to further networks. An Isolated PVLAN has more limited communication properties: it can only communicate to and from its configured Promiscuous PVLAN. It cannot communicate with other Isolated PVLANs or with Community PVLANs; additionally, nodes WITHIN an Isolated PVLAN cannot communicate with each other either. Isolated PVLANs are typically used to create a DMZ for firewall purposes, as one compromised node cannot be used as a source to launch attacks on the others. The Community PVLAN allows a node to send and receive packets from other ports within the same PVLAN, and it can communicate with the Promiscuous PVLAN. For a Distributed Switch to interact with a PVLAN implementation it must support, and be enabled for, 802.1Q tagging. A physical switch can be confused by the fact that in some cases each MAC address is visible under more than one VLAN tag. For this reason the physical switch port must be a trunk to the ESXi host and must not itself be placed in a secondary PVLAN.
The configuration begins with defining the Promiscuous PVLAN, and then adding the various secondary PVLANs associated with it. Each PVLAN is defined in a flat list, with just the PVLAN ID number in the left-hand column of the UI and the Secondary PVLANs defined on the right-hand side. Once the Promiscuous, Isolated and Community PVLANs have been defined they can be used by a Distributed Portgroup.
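To make the forwarding rules from the previous section and the primary/secondary list layout concrete, here is a small simulator I have added; it is not code from the original post or from VMware. It takes a flat list of secondary PVLANs (each tied to its primary, as in the UI), validates it, and answers whether a node on one secondary PVLAN may send a frame to a node on another. All IDs are constructed for illustration, and the check that every primary carries exactly one Promiscuous PVLAN is an assumption of this model, not a documented vSphere rule.

```python
"""Private VLAN forwarding rules as a small simulator.

Added example, not code from the original post or from VMware. It models
the three secondary PVLAN types (Promiscuous, Isolated, Community) and
decides whether a frame from a node on one secondary PVLAN may reach a
node on another. All IDs below are constructed for illustration; the rule
that every primary carries exactly one promiscuous PVLAN is an assumption
of this model.
"""
from dataclasses import dataclass
from enum import Enum
from itertools import product


class PvlanType(Enum):
    PROMISCUOUS = "promiscuous"
    ISOLATED = "isolated"
    COMMUNITY = "community"


@dataclass(frozen=True)
class SecondaryPvlan:
    primary_id: int     # primary VLAN this secondary lives inside (left-hand column)
    secondary_id: int   # secondary PVLAN ID (right-hand column)
    kind: PvlanType


def validate(secondaries):
    """Build a lookup table, rejecting configurations the rules cannot reason about.

    Secondary IDs must be unique across the switch, and every primary must
    carry exactly one promiscuous PVLAN (assumed here; it is the gateway side).
    """
    ids = [s.secondary_id for s in secondaries]
    if len(ids) != len(set(ids)):
        raise ValueError("secondary PVLAN IDs must be unique")
    for primary in {s.primary_id for s in secondaries}:
        promisc = [s for s in secondaries
                   if s.primary_id == primary and s.kind is PvlanType.PROMISCUOUS]
        if len(promisc) != 1:
            raise ValueError(f"primary {primary} needs exactly one promiscuous PVLAN")
    return {s.secondary_id: s for s in secondaries}


def can_forward(table, src_id, dst_id):
    """True if a node on src_id may send a frame to a node on dst_id."""
    src, dst = table[src_id], table[dst_id]
    if src.primary_id != dst.primary_id:
        return False        # different primaries never exchange frames
    if PvlanType.PROMISCUOUS in (src.kind, dst.kind):
        return True         # promiscuous ports talk to every secondary in the primary
    if PvlanType.ISOLATED in (src.kind, dst.kind):
        return False        # isolated ports reach only promiscuous, not even each other
    return src.secondary_id == dst.secondary_id   # communities: same community only


def reachability_matrix(table):
    """Every (src_id, dst_id) pair and whether forwarding is allowed."""
    return {(a, b): can_forward(table, a, b) for a, b in product(table, repeat=2)}


# Constructed sample: primary 100 hosts a router on the promiscuous PVLAN,
# a DMZ on isolated 101 and two communities 102 and 103; primary 200 is separate.
SAMPLE = validate([
    SecondaryPvlan(100, 100, PvlanType.PROMISCUOUS),  # vSphere gives it the primary's ID
    SecondaryPvlan(100, 101, PvlanType.ISOLATED),
    SecondaryPvlan(100, 102, PvlanType.COMMUNITY),
    SecondaryPvlan(100, 103, PvlanType.COMMUNITY),
    SecondaryPvlan(200, 200, PvlanType.PROMISCUOUS),
    SecondaryPvlan(200, 201, PvlanType.ISOLATED),
])

if __name__ == "__main__":
    for (a, b), ok in sorted(reachability_matrix(SAMPLE).items()):
        print(f"{a} -> {b}: {'allowed' if ok else 'blocked'}")
```

Running it prints the full 6x6 forwarding matrix. The DMZ property from the text is visible directly: 101 -> 101 is blocked even though both nodes sit on the same Isolated PVLAN, while 101 -> 100 (to the router) is allowed, so a compromised DMZ host has only the gateway as a reachable peer.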