
Configuring PVLANs on page 33

Displaying PVLAN Information on page 36

PVLAN Configuration Example 1 on page 37

PVLAN Configuration Example 2 on page 39

PVLAN Overview

PVLANs offer the following features:

VLAN translation

VLAN isolation

Note

PVLAN features are supported only on the platforms listed for this feature in the license tables in the Feature License Requirements document.

VLAN Translation in a PVLAN

VLAN translation provides the ability to translate the 802.1Q tags for several VLANs into a single VLAN tag. VLAN translation is an optional component in a PVLAN.

VLAN translation allows you to aggregate Layer 2 VLAN traffic from multiple clients into a single uplink VLAN, improving VLAN scaling. The following figure shows an application of VLAN translation.

Note

The VLAN translation feature described in VLAN Translation on page 42 is provided for those who are already familiar with the ExtremeWare VLAN translation feature. If you have time to use the PVLAN implementation and do not have scripts that use the ExtremeWare commands, we suggest that you use the PVLAN feature, as it provides the same functionality with additional features.

Figure 7: VLAN Translation Application

In the figure, VLANs 101, 102, and 103 are subscriber VLANs that carry data traffic, while VLANs 201, 202, and 203 are subscriber VLANs that carry voice traffic. The voice and data traffic are combined on integrated access devices (IADs) that connect to the VLAN translation switch. Each of the three clusters of phones and PCs uses two VLANs to separate the voice and data traffic. As the traffic is combined, the six VLANs are translated into two network VLANs, VLAN1 and VLAN2. This simplifies administration and scales much better for large installations.

Conceptually, this is very similar to Layer 3 VLAN aggregation (superVLANS and subVLANs).

The primary differences between these two features are:

VLAN translation is strictly a Layer 2 feature.

VLAN translation does not allow communication between the subscriber VLANs.

VLAN Isolation

VLAN isolation provides Layer 2 isolation between the ports in a VLAN. The following figure shows an application of VLAN isolation.

Figure 8: VLAN Isolation Application

In this figure, ports in the Guest VLAN have access to services on the network VLAN, but Guest VLAN ports cannot access other Guest VLAN ports over Layer 2 (or the Marketing or Engineering VLANs).

This provides port-to-port security at Layer 2.

PVLAN Components

The following figure shows the logical components that support PVLAN configuration in a switch.

Figure 9: Private VLAN Switch Components

There is one network VLAN in each PVLAN. Ports within a network VLAN, called network ports, can communicate with all VLAN ports in the PVLAN. Network devices that connect to the network VLAN ports are considered to be on the network side of the switch.

The network VLAN aggregates the uplink traffic from the other VLANs, called subscriber VLANs, for egress communications on a network VLAN port. A network port can serve only one PVLAN, but it can serve one or more subscriber VLANs. Ingress communications on the network VLAN port are distributed to the appropriate subscriber VLANs for distribution to the appropriate ports. Devices that connect to subscriber VLAN ports are considered to be on the subscriber side of the switch.

Tag translation within the PVLAN is managed at the egress ports. To enable tag translation for uplink traffic from the subscriber VLANs, you must enable tag translation on the appropriate network VLAN port. Tag translation is automatically enabled on subscriber VLAN egress ports when the subscriber VLAN is created and the port is added to the VLAN as tagged. Egress traffic from a subscriber VLAN is always tagged with the subscriber VLAN tag when the port is configured as tagged.

A non-isolated subscriber VLAN is basically a standard VLAN that can participate in tag translation through the network VLAN when VLAN translation is enabled on the network VLAN port.

You can choose to not translate tags on a network VLAN port, but this is generally used only for extending a PVLAN to another switch. A non-isolated subscriber VLAN that does not use tag translation is functionally equivalent to a regular VLAN, so it is better to create non-isolated VLANs only when you plan to use tag translation.

Ports in a non-isolated VLAN can communicate with other ports in the same VLAN, ports in the network VLAN, and destinations on the network side of the switch. As with standard VLANs, non-isolated ports cannot communicate through Layer 2 with ports in other subscriber VLANs.

In the figure above, the Engineering and Marketing VLANs are configured as non-isolated subscriber VLANs, which means that they act just like traditional VLANs, and they can participate in tag translation when VLAN translation is enabled on a network VLAN port that leads to a network-side location.

VLAN isolation within the PVLAN is established by configuring a VLAN to be an isolated subscriber VLAN and adding ports to the isolated VLAN. Unlike normal VLANs, ports in an isolated VLAN cannot communicate with other ports in the same VLAN over Layer 2 or Layer 3. The ports in an isolated VLAN can, however, communicate with Layer 2 devices on the network side of the PVLAN through the network VLAN. When the network VLAN egress port is configured for tag translation, isolated VLAN ports also participate in uplink tag translation. When isolated subscriber VLAN ports are configured as tagged, egress packets are tagged with the isolated VLAN tag. As with standard VLANs and non-isolated VLANs, isolated ports cannot communicate through Layer 2 with ports in other subscriber VLANs.
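The Layer 2 reachability and egress-tag rules described in this section, as an added example that is not part of the ExtremeXOS documentation. It models one PVLAN with a constructed network VLAN tag of 100; port names, VLAN tags and the `Port`, `can_reach` and `egress_tag` names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

NETWORK, NON_ISOLATED, ISOLATED = "network", "non-isolated", "isolated"
NETWORK_TAG = 100  # constructed tag for the PVLAN's single network VLAN


@dataclass(frozen=True)
class Port:
    name: str
    vlan_tag: int            # tag of the VLAN this port was added to
    role: str                # NETWORK, NON_ISOLATED or ISOLATED
    tagged: bool = False     # port added to its VLAN as tagged
    translate: bool = False  # network port with tag translation enabled


def can_reach(src: Port, dst: Port) -> bool:
    """Layer 2 reachability between two ports of the same PVLAN."""
    if src == dst:
        return False
    if NETWORK in (src.role, dst.role):
        return True                   # network ports talk to every port in the PVLAN
    if src.vlan_tag != dst.vlan_tag:
        return False                  # subscriber VLANs never reach each other at L2
    return src.role == NON_ISOLATED   # isolated ports cannot reach their own VLAN


def egress_tag(src: Port, dst: Port) -> Optional[int]:
    """802.1Q tag on a frame from src as it leaves dst (None = untagged).

    Raises ValueError when the PVLAN rules drop the frame instead.
    """
    if not can_reach(src, dst):
        raise ValueError(f"{src.name} -> {dst.name} is blocked by the PVLAN rules")
    if not dst.tagged:
        return None
    if dst.role == NETWORK and src.role != NETWORK:
        # Uplink traffic: a translated network port rewrites the subscriber tag
        # to the network tag; a non-translated one (PVLAN trunk) preserves it.
        return NETWORK_TAG if dst.translate else src.vlan_tag
    # Subscriber egress always carries the subscriber VLAN's own tag;
    # network-to-network egress carries the network tag.
    return dst.vlan_tag
```

Running the functions over a guest (isolated) port, two engineering (non-isolated) ports, a translated uplink and a non-translated trunk reproduces the behaviour in Figure 9: guest ports reach the uplink but not each other, and the same guest frame leaves the uplink with tag 100 but leaves the trunk with its own subscriber tag.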

PVLAN Support over Multiple Switches

A PVLAN can span multiple switches. The following figure shows a PVLAN that is configured to operate on two switches.

Figure 10: Private VLAN Support on Multiple Switches

A PVLAN can span many switches. For simplicity, the figure above shows only two switches, but you can extend the PVLAN to additional switches by adding connections between the network VLANs in each switch. The ports that connect two PVLAN switches must be configured as regular tagged ports.

The network and subscriber VLANs on each switch must be configured with the same tags.

Note

Although using the same VLAN names on all PVLAN switches might make switch management easier, there is no software requirement to match the VLAN names. Only the tags must match.

When a PVLAN is configured on multiple switches, the PVLAN switches function as one PVLAN switch.

Subscriber VLAN ports can access the network VLAN ports on any of the PVLAN switches, and non-isolated VLAN ports can communicate with ports in the same VLAN that are located on a different physical switch. An isolated VLAN can span multiple switches and maintain isolation between the VLAN ports.

The network and subscriber VLANs can be extended to other switches that are not configured for the PVLAN (as described in Extending Network and Subscriber VLANs to Other Switches on page 29).

The advantage to extending the PVLAN is that tag translation and VLAN isolation is supported on the additional switch or switches.

Extending Network and Subscriber VLANs to Other Switches

A network or subscriber VLAN can be extended to additional switches without a PVLAN configuration on the additional switches.

You might want to do this to connect to existing servers, switches, or other network devices. You probably do not want to use this approach to support clients, as tag translation and VLAN isolation are not supported unless the PVLAN is configured on all PVLAN switches as described in PVLAN Support over Multiple Switches on page 28.

The following figure illustrates PVLAN connections to switches outside the PVLAN.

Figure 11: Private VLAN Connections to Switches Outside the PVLAN

In the above figure, Switch 1, Network VLAN Port 21 connects to a Switch 3 port that only supports the Network VLAN.

In this configuration, the Network VLAN Port 21 on Switch 1 is configured as “translated,” which translates subscriber VLAN tags to the network VLAN tag for access to the Network VLAN extension on Switch 3. Switch 3, Port 24 is configured as tagged and only accepts traffic with the Network VLAN Tag. Switch 3 serves as an extension of the Network VLAN and can be used to connect to network devices such as servers or an internet gateway.

Switch 2, port 22 supports the Network, NonIsolated, and Isolated VLANs, but no PVLAN is configured.

Because Switch 2, port 22 carries several VLANs that belong to the PVLAN, yet those VLANs on Switch 2 are not themselves part of the PVLAN, Switch 1, port 24 must be configured as a PVLAN endpoint, which establishes the PVLAN boundary. Switch 2, port 22 is configured as a regular tagged VLAN port.

For most applications, it would be better to extend the PVLAN to Switch 2 so that the PVLAN features are available to the Switch 2 VLANs.

The configuration of Switch 2 behaves as follows:

The Switch 2 NonIsolated VLAN ports can communicate with the NonIsolated VLAN ports on Switch 1, but they cannot participate in VLAN translation.

The Switch 2 Isolated VLAN ports can communicate with other Switch 2 Isolated VLAN ports.

The Switch 2 Isolated VLAN ports cannot participate in VLAN translation.

The Switch 2 Isolated VLAN ports can receive broadcast and multicast traffic for the Isolated VLAN.

Traffic is allowed from the Switch 1 Isolated VLAN ports to the Switch 2 Isolated VLAN ports.

MAC Address Management in a PVLAN

Each device that connects to a PVLAN must have a unique MAC address within the PVLAN. Each MAC address learned in a PVLAN requires multiple FDB entries. For example, each MAC address learned in a non-isolated subscriber VLAN requires two FDB entries, one for the subscriber VLAN and one for the network VLAN. The additional FDB entries for a PVLAN are marked with the P flag in the show fdb command display.

The following sections describe the FDB entries created for the PVLAN components and how to estimate the impact of a PVLAN on the FDB table:

Non-Isolated Subscriber VLAN

Isolated Subscriber VLAN

Network VLAN

Calculating the Total FDB Entries for a PVLAN

Non-Isolated Subscriber VLAN

When a MAC address is learned on a non-isolated subscriber VLAN port, two entries are added to the FDB table:

MAC address, non-isolated subscriber VLAN tag, and the port number

MAC address, network VLAN tag, port number, and a special flag for tag translation

The network VLAN entry is used when traffic comes in from the network ports destined for a non-isolated port.

Isolated Subscriber VLAN

When a new MAC address is learned on an isolated subscriber VLAN port, two entries are added to the FDB table:

MAC address, isolated subscriber VLAN tag, port number, and a flag that indicates that the packet should be dropped

MAC address, network VLAN tag, port number, and a special flag for tag translation

Ports in the isolated VLAN do not communicate with one another.

If a port in the isolated VLAN sends a packet to another port in the same VLAN that already has an entry in the FDB, that packet is dropped. You can verify the drop packet status of an FDB entry by using the show fdb command. The D flag indicates that packets destined for the listed address are dropped.

The network VLAN entry is used when traffic comes in from the network ports destined for an isolated port.

Network VLAN

When a new MAC address is learned on a network VLAN port, the following entry is added to the FDB table: MAC address, network VLAN tag, and port number.

For every subscriber VLAN belonging to this PVLAN, the following entry is added to the FDB table:

MAC address, subscriber VLAN tag, and port number

Calculating the Total FDB Entries for a PVLAN

The following formula can be used to estimate the maximum number of FDB entries for a PVLAN:

FDBtotal = [(MACnon-iso + MACiso) * 2 + (MACnetwork * (VLANnon-iso + VLANiso + 1))]

The formula components are as follows:

MACnon-iso = number of MAC addresses learned on all the non-isolated subscriber VLANs

MACiso = number of MAC addresses learned on all the isolated subscriber VLANs

MACnetwork = number of MAC addresses learned on the network VLAN

VLANnon-iso = number of non-isolated subscriber VLANs

VLANiso = number of isolated subscriber VLANs

Note

The formula above estimates the worst-case scenario for the maximum number of FDB entries for a single PVLAN. If the switch supports additional PVLANs, apply the formula to each PVLAN and add the totals for all PVLANs. If the switch also supports standard VLANs, there will also be FDB entries for the standard VLANs.

Layer 3 Communications

For PVLANs, the default switch configuration controls Layer 3 communications exactly as communications are controlled in Layer 2.

For example, Layer 3 communication is enabled between ports in a non-isolated subscriber VLAN, and disabled between ports in an isolated subscriber VLAN. Ports in a non-isolated subscriber VLAN cannot communicate with ports in other non-isolated subscriber VLANs.

You can enable Layer 3 communications between all ports in a PVLAN. For more information, see Managing Layer 3 Communications in a PVLAN on page 35.

PVLAN Limitations

The Private VLAN feature has the following limitations:

Requires more FDB entries than a standard VLAN.

Within the same VR, VLAN tag duplication is not allowed.

Within the same VR, VLAN name duplication is not allowed.

Each MAC address learned in a PVLAN must be unique. A MAC address cannot exist in two or more VLANs that belong to the same PVLAN.

MVR cannot be configured on PVLANs.

A VMAN cannot be added to a PVLAN.

A PBB network (BVLAN) cannot be added to a PVLAN.

EAPS control VLANs cannot be either subscriber or network VLANs.

EAPS can only be configured on network VLAN ports (and not on subscriber VLAN ports). To support EAPS on the network VLAN, you must add all of the VLANs in the PVLAN to the EAPS ring.

STP can only be configured on network VLAN ports (and not on subscriber VLAN ports). To support STP on the network VLAN, you must add all of the VLANs in the PVLAN to STP.

ESRP can only be configured on network VLAN ports (and not on subscriber VLAN ports). To support ESRP on the network VLAN, you must add all of the VLANs in the PVLAN to ESRP.

There is no NetLogin support to add ports as translate to the network VLAN, but the rest of NetLogin and the PVLAN features do not conflict.

IGMP snooping is performed across the entire PVLAN, spanning all the subscriber VLANs, following the PVLAN rules. For VLANs that are not part of a PVLAN, IGMP snooping operates as normal.

PVLAN and VPLS are not supported on the same VLAN.

When two switches are part of the same PVLAN, unicast and multicast traffic require a tagged trunk between them that preserves tags (no tag translation).

Subscriber VLANs in a PVLAN cannot exchange multicast data with VLANs outside the PVLAN and with other PVLANs. However, the network VLAN can exchange multicast data with VLANs outside the PVLAN and with network VLANs in other PVLANs.

Note

A maximum of 80% of 4K VLANs can be added to a PVLAN. Adding more VLANs will display the following log error:

<Erro:HAL.VLAN.Error>Slot-<slot>: Failed to add egress vlan translation entry on port <port> due to “Table full”.

An additional limitation applies to BlackDiamond 8000 series modules and Summit family switches, whether or not they are included in a SummitStack. If two or more member VLANs have overlapping ports (where the same ports are assigned to both VLANs), each additional VLAN member with overlapping ports must have a dedicated loopback port. To state it another way, one of the VLAN members with overlapping ports does not require a dedicated loopback port, and the rest of the VLAN members do require a single, dedicated loopback port within each member VLAN.

Note

There is a limit to the number of unique source MAC addresses on the network VLAN of a PVLAN that the switch can manage. It is advised not to exceed the value shown in the item “FDB (maximum L2 entries)” in the Supported Limits table of the ExtremeXOS Installation and Release Notes.