VLAN and PVLAN

VLAN

A VLAN (Virtual Local Area Network) is a logical network operating as a broadcast domain at the data link layer. Hosts on a VLAN work just like on a LAN.

IEEE 802.1Q

The Ethernet frame per the IEEE 802.1Q has a four-byte field, VLAN tag, which includes the 12-bits long VLAN ID.  In other words, there are theoretically 4096 VLANs at maximum.

VLAN ID

VLANs are typically implemented on switching hubs with the default VLAN identifier as 1 if the VLAN feature is enabled.

  • VLAN ID 0 is reserved for tagging the priority of frames.
  • VLAN IDs 1 through 511 are reserved for normal VLANs.
  • VLAN IDs 512 and above are reserved for VLAN circuit cross-connect (CCCs).

Tagging

A VLAN can be established either statically or dynamically.

  • Static VLANs are port-based. VLAN-enabled ports on a switching hub can be tagged or untagged. Tagged ports are also known as trunk ports, while untagged ports as access ports. An access port connects to hosts that are unaware of any VLAN configuration. The host sends data without any VLAN tag, which is added by the switching hub. A trunk port receives and sending frames with a VLAN tag so that they can be forwarded correctly.
  • Dynamic VLANs depend on software or protocols. That is, a host is assigned to a VLAN based on configuration criteria, such as the MAC address of the host or the subject that logged into the host. That typically entails a policy server and databases.

PVLAN

A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains, allowing you to isolate the ports on the switch from each other. A subdomain consists of a primary VLAN and one or more secondary VLANs (see Figure 1-1). All VLANs in a private VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another. The secondary VLANs may either be isolated VLANs or community VLANs. A host on an isolated VLAN can only communicate with the associated promiscuous port in its primary VLAN. Hosts on community VLANs can communicate among themselves and with their associated promiscuous port but not with ports in other community VLANs.

Source: Cisco

Private VLAN, also known as port isolation, is a technique in computer networking where a VLAN contains switch ports that are restricted such that they can only communicate with a given “uplink“. The restricted ports are called “private ports“. Each private VLAN typically contains many private ports, and a single uplink. The uplink will typically be a port (or link aggregation group) connected to a router, firewall, server, provider network, or similar central resource.

Source: Wikipedia

Private VLAN in a Hotel

A typical application for a private VLAN is a hotel where each room has a port for Internet access. (Wikipedia)

  • Each room can be isolated from one another in a hotel. (I-Port)
  • Some rooms can be configured as a community so that they can communicate with each other. (Cx-Port)
  • Switching hubs at each floor in a hotel can be linked through the uplink port.
  • Traffic can be routed or mirrored (sniffed) through the promiscuous port. (P-Port)

References

Leave a Reply