The definition of Private VLAN is:
- Virtual LAN (VLAN) is a mechanism to divide a broadcast domain into several logical broadcast domains.
- Private VLAN is an extension to the VLAN standard, already available in several (most recent) physical switches. It adds a further segmentation of the logical broadcast domain to create private groups.
- Private means that the hosts in the same PVLAN cannot be seen by the others, except by the selected ones in the promiscuous PVLAN.
- Standard 802.1Q tagging indicates that there is no encapsulation of a PVLAN inside a VLAN; everything is done with one tag per packet.
- No double encapsulation indicates that the packets are tagged according to the switch port configuration (EST mode), or they arrive already tagged if the port is a trunk (VST mode).
- The switch software decides which ports to forward the frame to, based on the tag and the PVLAN tables.
A Private VLAN is further divided into the following groups:
- Primary PVLAN: The original VLAN that is being divided into smaller groups is called the Primary, and all the Secondary PVLANs exist only inside the Primary.
- Secondary PVLANs: The Secondary PVLANs exist only inside the Primary. Each Secondary PVLAN has a specific VLAN ID associated with it, and each packet travelling through it is tagged with that ID as if it were a normal VLAN; the physical switch applies the behavior (Isolated, Community or Promiscuous) according to the VLAN ID found in each packet.
Note: Depending on the type of the groups involved, hosts are not able to communicate with each other, even if they belong to the same group.
One type of Primary PVLAN:
- Promiscuous: A node attached to a port in a promiscuous secondary PVLAN may send packets to and receive packets from any node in any other secondary PVLAN associated with the same primary. Routers are typically attached to promiscuous ports.
Two types of Secondary PVLAN:
- Isolated: A node attached to a port in an isolated secondary PVLAN may only send packets to and receive packets from the promiscuous PVLAN.
- Community: A node attached to a port in a community secondary PVLAN may send packets to and receive packets from other ports in the same secondary PVLAN, as well as send packets to and receive packets from the promiscuous PVLAN.
Notes:
- Promiscuous PVLANs have the same VLAN ID for both the Primary and the Secondary VLAN.
- Community and Isolated PVLAN traffic travels tagged with the associated Secondary PVLAN ID.
- Traffic inside PVLANs is not encapsulated (there is no Secondary PVLAN packet encapsulated inside a Primary PVLAN packet).
- Traffic between virtual machines on the same PVLAN but on different ESX hosts goes through the physical switch. Therefore, the physical switch must be PVLAN aware and configured appropriately to allow the Secondary PVLANs to reach their destination.
- Switches learn MAC addresses per VLAN. This can be a problem for PVLANs because each virtual machine appears to the physical switch to be in more than one VLAN, or at least it appears that there is no reply to a request, because the reply travels back in a different VLAN. For this reason, every physical switch to which ESX hosts using PVLANs are connected must be PVLAN aware.
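As an added example (not from the original article or from VMware), the following Python model applies the promiscuous, isolated and community rules above, together with the tagging notes, to decide which ports may receive a frame. The port names and VLAN IDs (primary 100, community 101, isolated 102) are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # e.g. the router uplink; frames carry the primary ID
    ISOLATED = "isolated"        # may talk only to promiscuous ports
    COMMUNITY = "community"      # may talk to its own community and to promiscuous ports


@dataclass(frozen=True)
class Port:
    name: str
    primary: int    # primary PVLAN the port belongs to
    secondary: int  # VLAN ID frames on this port carry (equals primary for promiscuous)
    kind: PortType


class PvlanSwitch:
    """Toy model of the per-frame forwarding decision of a PVLAN-aware switch."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        # PVLAN table: secondary VLAN ID -> primary VLAN ID
        self.secondary_to_primary = {p.secondary: p.primary for p in ports}

    def egress_ports(self, ingress, vlan_tag):
        """Return the ports that may receive a frame tagged vlan_tag arriving on ingress."""
        src = self.ports[ingress]
        # One tag per frame, and it must be the VLAN the ingress port is configured for.
        if vlan_tag != src.secondary:
            return []
        primary = self.secondary_to_primary[vlan_tag]
        allowed = []
        for dst in self.ports.values():
            if dst.name == ingress or dst.primary != primary:
                continue  # never hairpin, never cross primary PVLANs
            if src.kind is PortType.PROMISCUOUS or dst.kind is PortType.PROMISCUOUS:
                allowed.append(dst.name)  # promiscuous talks to everyone in the primary
            elif src.kind is PortType.COMMUNITY and dst.secondary == src.secondary:
                allowed.append(dst.name)  # community peers share a secondary ID
            # isolated -> isolated (even in the same secondary) and cross-community: dropped
        return sorted(allowed)


# Constructed sample topology: primary 100, community 101, isolated 102.
SAMPLE_PORTS = [
    Port("router", 100, 100, PortType.PROMISCUOUS),
    Port("web1", 100, 101, PortType.COMMUNITY),
    Port("web2", 100, 101, PortType.COMMUNITY),
    Port("guest1", 100, 102, PortType.ISOLATED),
    Port("guest2", 100, 102, PortType.ISOLATED),
]
SWITCH = PvlanSwitch(SAMPLE_PORTS)
```

Note that a reply from the router leaves tagged 100 while the request arrived tagged 101 or 102, which is exactly why a switch that learns MAC addresses per VLAN without PVLAN support gets confused.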