[c-nsp] PVLAN

Matt Buford matt at overloaded.net
Fri Sep 30 16:14:08 EDT 2005


Here are two different real-world uses to help understand why this would be 
done.

First, I use this for backups.  This means I can put many customers' second 
NICs in a single layer 2 backup VLAN, and they can all communicate with the 
backup server but cannot communicate with each other.  Obviously one 
customer doesn't want his servers that are behind his firewall to have 
direct unrestricted communication from another one of my customers.

Second, private VLANs with "local proxy arp" provide a way to restore the 
ability of hosts to reach each other (as they would be able to on a normal 
VLAN) - but only through the router and not through broadcast.  For example, 
a traceroute from 10.10.10.10/24 to 10.10.10.11/24 would actually see the 
router as a hop before reaching the destination.  This allows me to make 
large layer 2 VLANs with hundreds of customers, and no one sees broadcasts 
from anyone else plus no one can cause IP conflicts with the default 
gateway.  This isn't quite as much protection as actual per-customer VLANs 
would provide, but it is much better protection than a single traditional 
VLAN while still maintaining all the management simplicity of a single VLAN. 
In my environment per-customer VLANs are not really seen as a usable option. 
This is more for management and customer-hassle reasons than for technical 
restrictions.

If you have any further questions just ask.  I have both of the above 
scenarios deployed in a fairly large scale.
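As an added illustration (not configuration from Matt's message or from anyone on the cisco-nsp thread), here is a Catalyst 4500/6500-style IOS configuration that assembles both scenarios described above: an isolated secondary VLAN for the customers' backup NICs behind a promiscuous port for the backup server, and an SVI with local proxy ARP so isolated hosts in the same subnet reach each other only via the router. A community secondary VLAN is included as well, since that is the third port type such switches support. VLAN numbers, interface names, descriptions and the 10.10.10.1 gateway address are assumptions; 10.10.10.0/24 is the subnet used in the message.

```cisco
! Private VLANs require VTP transparent mode (or VTP version 3) on IOS Catalyst switches
vtp mode transparent
!
! Primary VLAN: the promiscuous side (router SVI, backup server)
vlan 100
 name BACKUP-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! Isolated secondary: customer backup NICs; isolated ports cannot reach each other
vlan 101
 name BACKUP-ISOLATED
 private-vlan isolated
!
! Community secondary: ports that may talk to each other and to promiscuous ports,
! but not to the isolated VLAN or to other communities (assumed customer grouping)
vlan 102
 name CUSTOMER-A-COMMUNITY
 private-vlan community
!
! Backup server on a promiscuous port: it sees every secondary VLAN mapped here
interface GigabitEthernet1/1
 description backup-server
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Two customers' second NICs on isolated host ports
interface GigabitEthernet1/2
 description customer-1-backup-nic
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/3
 description customer-2-backup-nic
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Member of the community VLAN
interface GigabitEthernet1/4
 description customer-a-host
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Second scenario: the SVI answers ARP on behalf of hosts in its own subnet,
! so 10.10.10.10 reaches 10.10.10.11 via the router hop instead of directly.
! The SVI must be mapped to the secondary VLANs to see their traffic.
interface Vlan100
 ip address 10.10.10.1 255.255.255.0
 private-vlan mapping 101,102
 ip local-proxy-arp
!
end
!
! Checks after deployment: confirm the association and the port roles,
! in particular that no customer port ended up promiscuous by mistake
! show vlan private-vlan
! show interfaces GigabitEthernet1/2 switchport
```

Two caveats worth keeping in mind with this layout. Local proxy ARP only works while `ip proxy-arp` is left enabled on the SVI (it is on by default), and once it is on, every host-to-host packet in the subnet crosses the router, so the SVI's ACLs and the router's forwarding capacity become the enforcement point for customer-to-customer traffic. Second, the `switchport protected` feature that the quoted reply mentions for the 29xx series is local to one switch: two protected ports on different switches joined by a trunk can still reach each other, whereas an isolated private VLAN is carried across trunks and keeps its semantics on every switch that knows the VLAN.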

----- Original Message ----- 
From: "Rubens Kuhl Jr." <rubensk at gmail.com>
To: "Tiffany Snyder" <tiffany.snyder at gmail.com>
Cc: <cisco-nsp at puck.nether.net>
Sent: Thursday, September 29, 2005 9:56 AM
Subject: Re: [c-nsp] PVLAN


> The latter: policy enforcement. PVLAN breaks the paradigm that every
> port on a VLAN can communicate with each other; on a PVLAN, isolated
> (Cat 4k/6k) or protected (Cat 29xx) ports can't talk to other
> isolated/protected ports, only to promiscuous ports. Router uplinks are
> usually connected to promiscuous ports, servers to isolated ports.
>
> Higher-end switches like Cat4k or Cat6k have communities where you can
> specify some isolated ports to talk to the other isolated ports on the
> community.
>
>
> Rubens
>
>
> On 9/29/05, Tiffany Snyder <tiffany.snyder at gmail.com> wrote:
>> Hi,
>>  I'm trying to understand what PVLAN offers. Is it the same as stacked
>> VLAN tagging? Or is it just a means to enforce some policy at layer 2 (i.e.,
>> VLANs). Any explanation in layman's terms.
>>   Thanks,
>>   Tiffany.
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>