Introduction to PVLAN


Overview

Private VLAN (PVLAN) is a technology that divides a VLAN broadcast domain into multiple discrete broadcast subdomains by defining secondary VLANs (community VLANs and an isolated VLAN) inside a primary VLAN, achieving port isolation within a VLAN while sharing a single layer-3 router port and the same IP subnet.

For example, in Figure 1, access-side VLANs are divided into Isolated VLAN and Community VLAN. Community VLAN users can communicate with each other, while Isolated VLAN users are isolated and cannot communicate with each other. However, both Community VLAN users and Isolated VLAN users can access the Primary VLAN where the enterprise servers are located. All of this can be accomplished by deploying PVLAN.

Figure 1. PVLAN Application Diagram

PVLAN has the following characteristics and advantages:

  • By deploying PVLANs and configuring isolated VLANs on the access side, the traffic of different users in the same VLAN can be isolated. This improves network security and conserves VLANs.
  • Because all secondary VLAN users inside a primary VLAN share one IP subnet, PVLAN can be deployed to conserve IP addresses.

PVLAN Concepts and Terminology

PVLAN Types

PVLAN defines two VLAN types: primary VLAN and secondary VLAN. A PVLAN pair consists of exactly one primary VLAN and at least one secondary VLAN. One switch can be configured with multiple PVLAN pairs.

Note that secondary VLANs must be associated with a primary VLAN to form a PVLAN pair.

  • Primary VLAN

Ports within a primary VLAN are connected to the uplink devices, and the corresponding ports are PVLAN promiscuous ports or promiscuous trunk ports. These ports are used to transmit traffic from the promiscuous ports to the host ports and to other promiscuous ports.

A pair of PVLAN has only one primary VLAN.

A primary VLAN can be associated with multiple community VLANs and only one isolated VLAN.

  • Secondary VLAN

Ports within a secondary VLAN are connected to the hosts or downlink devices, and the corresponding ports are PVLAN host ports or secondary trunk ports. These ports are used to transmit traffic from hosts to other allowed hosts or to upstream routers.

There are two types of secondary VLANs: Isolated VLAN and Community VLAN.

Secondary VLANs should be configured to associate with a primary VLAN. One secondary VLAN (isolated or community) can be associated with only one primary VLAN.

NOTE:

In the CLI configuration, the configurable values are “isolated” and “community”, but not “secondary”.

  • Isolated VLAN

An isolated VLAN is a secondary VLAN, which is used to transmit traffic from the hosts toward the promiscuous ports and the gateway. Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level. Traffic received from an isolated port is forwarded only to promiscuous ports.

A PVLAN pair can contain at most one isolated VLAN.

  • Community VLAN

A community VLAN is a secondary VLAN that transmits upstream traffic from the host ports to the promiscuous port gateways and to other host ports in the same community VLAN. Ports within a community VLAN can communicate with each other and with the primary VLAN, but cannot communicate at the Layer 2 level with ports in other community VLANs or in the isolated VLAN.

Users can configure multiple community VLANs in a pair of PVLAN.

PVLAN Port Modes

Ethernet interfaces are classified into four PVLAN types depending on the devices connected to them and the way they process the frames.

NOTE:

  • A port can be added to a PVLAN only after it has been configured with a PVLAN port mode.
  • After the port mode is modified, the port restarts automatically.

  • PVLAN Host Port

A PVLAN host port connects to a user device. For host mode ports, make sure that the native VLAN is a secondary VLAN; otherwise the port will not be able to forward packets from the primary VLAN. One host port can be added to only one secondary VLAN.

Packets sent from this port are untagged.

  • PVLAN Secondary Trunk Port

A PVLAN secondary trunk port is used to connect to downstream devices. One secondary trunk port can be added to more than one secondary VLAN. Secondary trunk mode applies where multiple secondary VLANs need to pass through the downlink port, while host mode applies where only one secondary VLAN passes through the downlink port.

The primary VLAN ID carried by the packets is replaced with the corresponding secondary VLAN ID on the outbound side of the secondary trunk mode port, thus masking the primary VLAN for the downstream device. By default, packets sent from this port will be tagged (tagged/untagged can be configured through CLI command).

NOTE:

  • A secondary trunk mode port can be added to only one secondary VLAN of a given primary VLAN, but can be added to multiple secondary VLANs associated with different primary VLANs.
  • A PVLAN secondary trunk port can also be added to normal VLANs in addition to secondary VLANs.

  • PVLAN Promiscuous Port

PVLAN promiscuous ports are used to connect to the uplink devices. Uplinks are typically ports that connect to routers, firewalls, servers or provider networks.

Promiscuous ports belong to the primary VLAN and can communicate with all PVLAN ports, including host/secondary trunk ports and other promiscuous/promiscuous trunk ports within the same primary VLAN.

A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs.

Make sure that the native VLAN of the promiscuous port is the primary VLAN, otherwise the port will not forward packets sent from a secondary VLAN.

Promiscuous port mode is used when there is only one primary VLAN passing through the uplink port. Packets sent from this port are untagged.

  • PVLAN Promiscuous Trunk Port

PVLAN promiscuous trunk ports are used to connect to the uplink devices. Promiscuous trunk port mode is used when more than one primary VLAN passes through the uplink port.

The secondary VLAN ID carried by the packets is replaced with the corresponding primary VLAN ID on the outbound side of the port, thus masking the secondary VLAN from the uplink device. By default, packets sent from this port are tagged (tagged/untagged can be configured through the CLI).

NOTE:

PVLAN Promiscuous trunk ports can also be added to normal VLANs in addition to the primary VLANs.

Communication Restriction between PVLAN Ports

PVLANs limit Layer 2 communication to within a PVLAN pair: a port defined in a PVLAN cannot communicate with ports in other PVLAN pairs or in normal VLANs.

The following table summarizes the Layer 2 communication restrictions between the PVLAN ports.

PVLAN           PVLAN Mode      Port Mode                 Communication Restriction
--------------  --------------  ------------------------  ----------------------------------------------------
Primary VLAN    Primary VLAN    Promiscuous Port,         A port in the primary VLAN can communicate with all
                                Promiscuous Trunk Port    ports in the PVLAN pair.
Secondary VLAN  Isolated VLAN   Host Port,                Ports within an isolated VLAN cannot communicate with
                                Secondary Trunk Port      each other at the Layer 2 level. Each isolated VLAN
                                                          must be bound to a primary VLAN.
Secondary VLAN  Community VLAN  Host Port,                Ports within a community VLAN can communicate with
                                Secondary Trunk Port      each other but cannot communicate with ports in other
                                                          communities at the Layer 2 level. Each community VLAN
                                                          must be bound to a primary VLAN.
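The restriction table above, modelled as an added example (not PicOS code, and not from the original page): can_communicate encodes the Layer 2 rules for a pair of ports, misconfigured checks the two "make sure the native VLAN is ..." rules from the port mode descriptions, and the topology, class and function names are my own constructions built from the Figure 1 VLAN numbers.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Vlan:
    vid: int
    mode: str                       # "primary", "isolated", "community" or "normal"
    primary: Optional[int] = None   # secondary VLANs: the primary they are associated with

@dataclass(frozen=True)
class Port:
    name: str
    mode: str    # "host", "secondary-trunk", "promiscuous", "promiscuous-trunk" or "trunk"
    vlan: Vlan   # the port's native VLAN

def misconfigured(port):
    """True when the native VLAN type does not fit the port mode: host/secondary trunk
    ports need a secondary VLAN, promiscuous ports need a primary VLAN."""
    if port.mode in ("promiscuous", "promiscuous-trunk"):
        return port.vlan.mode != "primary"
    if port.mode in ("host", "secondary-trunk"):
        return port.vlan.mode not in ("isolated", "community")
    return False

def pair_of(vlan):
    """Primary VLAN ID naming the PVLAN pair a VLAN belongs to (None for a normal VLAN)."""
    return vlan.vid if vlan.mode == "primary" else vlan.primary

def can_communicate(a, b):
    """Layer 2 reachability from port a to port b under the restriction table."""
    va, vb = a.vlan, b.vlan
    if pair_of(va) is None or pair_of(va) != pair_of(vb):
        return False               # normal VLAN or a different PVLAN pair: no communication
    if "primary" in (va.mode, vb.mode):
        return True                # the promiscuous side reaches every port in the pair
    if "isolated" in (va.mode, vb.mode):
        return False               # isolated ports reach only promiscuous ports
    return va.vid == vb.vid        # community ports: the same community VLAN only

def reachability(ports):
    """{(src, dst): bool} for every ordered pair of distinct ports."""
    return {(a.name, b.name): can_communicate(a, b)
            for a in ports for b in ports if a is not b}

# Constructed topology: the pair from Figure 1 (primary 5, isolated 2, community 3)
# plus a second pair (primary 6) and a normal VLAN to show cross-pair isolation.
P5, P6 = Vlan(5, "primary"), Vlan(6, "primary")
ISO2, COM3 = Vlan(2, "isolated", primary=5), Vlan(3, "community", primary=5)
PORTS = [
    Port("te-1/1/1", "promiscuous", P5),
    Port("ge-1/1/1", "host", ISO2), Port("ge-1/1/2", "host", ISO2),
    Port("ge-1/1/3", "host", COM3), Port("ge-1/1/4", "host", COM3),
    Port("te-1/1/2", "promiscuous", P6),
    Port("ge-1/1/5", "trunk", Vlan(100, "normal")),
]
```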

Configuration Synchronization for PVLAN Port

In order for users in the secondary VLAN to communicate with users in the Primary VLAN, the system synchronizes Private VLAN configurations for the PVLAN ports.

When a PVLAN port has been added to a primary VLAN (or a secondary VLAN), the system also adds it to the corresponding secondary VLAN (or primary VLAN) according to the following rules, while keeping the original configuration.

  • Downlink ports in host mode or secondary trunk mode are added to the corresponding primary VLAN. The primary VLAN ID carried by the packets is replaced with the corresponding secondary VLAN ID on the outbound side of the port, thus masking the primary VLAN from the downstream device.

Packets sent from secondary trunk mode ports can be tagged or untagged, as determined by the tagged/untagged configuration of the secondary VLAN.

  • Uplink ports in promiscuous mode or promiscuous trunk mode are added to the corresponding secondary VLANs. The secondary VLAN ID carried by the packets is replaced with the corresponding primary VLAN ID on the outbound side of the port, thus masking the secondary VLAN from the upstream device.

Packets sent from promiscuous trunk mode ports can be tagged or untagged, as determined by the tagged/untagged configuration of the primary VLAN.

The following example illustrates configuration synchronization for PVLAN ports in detail.

Figure 2. Diagram for Configuration Synchronization for PVLAN Ports

To configure the topology shown above:

set vlans vlan-id 2 private-vlan mode isolated
set vlans vlan-id 3 private-vlan mode community
set vlans vlan-id 5 private-vlan mode primary
set vlans vlan-id 5 private-vlan association 2-3
set interface gigabit-ethernet ge-1/1/1 family ethernet-switching port-mode pvlan-host
set interface gigabit-ethernet ge-1/1/2 family ethernet-switching port-mode pvlan-host
set interface gigabit-ethernet ge-1/1/3 family ethernet-switching port-mode pvlan-host
set interface gigabit-ethernet ge-1/1/4 family ethernet-switching port-mode pvlan-host
set interface gigabit-ethernet te-1/1/1 family ethernet-switching port-mode pvlan-promiscuous
set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 2
set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 2
set interface gigabit-ethernet ge-1/1/3 family ethernet-switching native-vlan-id 3
set interface gigabit-ethernet ge-1/1/4 family ethernet-switching native-vlan-id 3
set interface gigabit-ethernet te-1/1/1 family ethernet-switching native-vlan-id 5

The system will synchronize private VLAN configurations for the PVLAN ports after completing the configuration, as shown in the following table.

Port      Port Mode          Native VLAN  VLANs Allowed to Pass
--------  -----------------  -----------  ---------------------------------------------------------
Ge-1/1/1  pvlan-host         2            Added to VLAN 2, 5; allows packets of VLAN 2, 5 to pass
Ge-1/1/2  pvlan-host         2            Added to VLAN 2, 5; allows packets of VLAN 2, 5 to pass
Ge-1/1/3  pvlan-host         3            Added to VLAN 3, 5; allows packets of VLAN 3, 5 to pass
Ge-1/1/4  pvlan-host         3            Added to VLAN 3, 5; allows packets of VLAN 3, 5 to pass
Te-1/1/1  pvlan-promiscuous  5            Added to VLAN 2, 3, 5; allows packets of VLAN 2, 3, 5 to pass

Users can run the command run show vlans to view the VLAN information. In the output, VLAN memberships that were synchronized onto PVLAN ports are marked with (pv).

admin@Xorplus# run show vlans
VlanID  Vlan Name    Tag        Interfaces
------  ------------ --------   ------------------------------------------------------
2       default      untagged   ge-1/1/1, ge-1/1/2, te-1/1/1(pv)
                     tagged    
3       default      untagged   ge-1/1/3, ge-1/1/4, te-1/1/1(pv)
                     tagged    
5       default      untagged   ge-1/1/1(pv), ge-1/1/2(pv), ge-1/1/3(pv), ge-1/1/4(pv)
                     tagged 

MAC Address Duplication

To avoid flooding packets received on PVLAN ports, PVLAN performs MAC address duplication as follows:

  • Secondary VLAN to primary VLAN duplication: MAC addresses dynamically learned or statically configured on ports in a secondary VLAN are duplicated to the corresponding primary VLAN.
  • Primary VLAN to secondary VLAN duplication: MAC addresses dynamically learned or statically configured on ports in a primary VLAN are duplicated to all the corresponding secondary VLANs.

Note that for normal trunk ports between two or more switches, MAC addresses dynamically learned or statically configured on ports in the private VLAN are also duplicated according to the rules above.

The following example illustrates PVLAN MAC address duplication in detail.

Figure 3. Diagram for PVLAN MAC Address Duplication

From the topology shown above, the resulting MAC address tables before and after the duplication are shown below.

MAC Address Table Before MAC Duplication

Source MAC Address  VLAN  Outgoing Interface
------------------  ----  ------------------
mac_c               5     Te-1/1/1
mac_a               2     Ge-1/1/1
mac_b               3     Ge-1/1/2

MAC Address Table After MAC Duplication

Source MAC Address  VLAN  Outgoing Interface
------------------  ----  ------------------
mac_c               5     Te-1/1/1
mac_c               2     Te-1/1/1
mac_c               3     Te-1/1/1
mac_a               2     Ge-1/1/1
mac_a               5     Ge-1/1/1
mac_b               3     Ge-1/1/2
mac_b               5     Ge-1/1/2

Users can run the command run show mac-address table to view the MAC address table. In the output, duplicated MAC address entries are marked with (pv). The last entry below is the copy of mac_b (00:25:25:25:25:25) in primary VLAN 5, matching the table above.

admin@Xorplus# run show mac-address table
Total entries in switching table:   7
Static entries in switching table:  0
Dynamic entries in switching table: 7

VLAN    MAC address            Type         Age     Interfaces    User
----    -----------------      ---------    ----    -----------   ----------
5       00:28:28:28:28:28      Dynamic      300     te-1/1/1      xorp
2       00:28:28:28:28:28      Dynamic(pv)  300     te-1/1/1      xorp
3       00:28:28:28:28:28      Dynamic(pv)  300     te-1/1/1      xorp
2       3c:2c:30:84:e0:81      Dynamic      300     ge-1/1/1      xorp
5       3c:2c:30:84:e0:81      Dynamic(pv)  300     ge-1/1/1      xorp
3       00:25:25:25:25:25      Dynamic      300     ge-1/1/2      xorp
5       00:25:25:25:25:25      Dynamic(pv)  300     ge-1/1/2      xorp

NOTE:

For the secondary VLANs configured on the normal trunk port, the static MAC entries configured on these secondary VLANs are NOT duplicated to the primary VLAN.

However, for the primary VLAN configured on the normal trunk port, the static MAC entries configured on this primary VLAN are duplicated to the secondary VLANs.
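The duplication rules and the NOTE's static-entry exception, as an added example that is not PicOS code or part of the original page: duplicate derives the "after" table from the "before" table of Figure 3, and outgoing_interface shows why the copies matter (without the VLAN 2 copy of mac_c, a frame from an isolated host to the gateway would have to be flooded). MacEntry, the function names and the normal_trunk_ports parameter are my own constructions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MacEntry:
    mac: str
    vlan: int
    interface: str
    kind: str = "Dynamic"   # "Dynamic" or "Static", as in the show output
    pv: bool = False        # True for an entry created by duplication, shown as "(pv)"

def duplicate(table, association, normal_trunk_ports=frozenset()):
    """Apply PVLAN MAC address duplication to a MAC table.

    association maps each primary VLAN to its secondary VLANs.  Entries in a
    secondary VLAN are copied to its primary; entries in a primary VLAN are
    copied to every secondary.  The NOTE's exception is honoured: a static
    entry in a secondary VLAN on a normal trunk port is not copied to the primary.
    """
    primary_of = {s: p for p, secs in association.items() for s in secs}
    result = list(table)
    for e in table:
        if e.vlan in association:                      # primary -> all secondaries
            result += [MacEntry(e.mac, s, e.interface, e.kind, True)
                       for s in sorted(association[e.vlan])]
        elif e.vlan in primary_of:                     # secondary -> its primary
            if e.kind == "Static" and e.interface in normal_trunk_ports:
                continue
            result.append(MacEntry(e.mac, primary_of[e.vlan], e.interface, e.kind, True))
    return result

def outgoing_interface(table, mac, vlan):
    """Interface a frame in `vlan` addressed to `mac` is forwarded on; None means
    the switch has no entry and would flood the frame within that VLAN."""
    for e in table:
        if e.mac == mac and e.vlan == vlan:
            return e.interface
    return None

def render(table):
    """Lines in the style of the page's 'show mac-address table' output."""
    return [f"{e.vlan:<4} {e.mac:<20} {e.kind}{'(pv)' if e.pv else ''} {e.interface}"
            for e in table]

# Constructed input: Figure 3's pair (primary 5 with secondaries 2 and 3) and the
# page's "before duplication" table.
ASSOCIATION = {5: {2, 3}}
BEFORE = [
    MacEntry("mac_c", 5, "te-1/1/1"),
    MacEntry("mac_a", 2, "ge-1/1/1"),
    MacEntry("mac_b", 3, "ge-1/1/2"),
]
AFTER = duplicate(BEFORE, ASSOCIATION)
```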

PVLAN Across Multiple Switches

Users can configure normal trunk ports between two or multiple switches to enable PVLAN cross-device communication.

Figure 4. Diagram for PVLAN Across Multiple Switches

As shown in the topology above, we want to achieve the following:

  • Hosts connecting to the same switch or across multiple switches in the same Community VLAN can communicate with each other. In the figure, Host C, Host D, Host G and Host H in the same Community VLAN (VLAN 102) can communicate with each other.
  • Hosts connecting to the same switch or across multiple switches in the same Isolated VLAN cannot communicate with each other. In the figure, Host A, Host B, Host E and Host F in the same Isolated VLAN (VLAN 101) cannot communicate with each other.

Besides the basic PVLAN configurations, we have to configure ports Te-1/1/1 and Te-1/1/2 as normal trunk ports connecting Switch 1 to Switch 2, and then add Te-1/1/1 and Te-1/1/2 to all the private VLAN IDs (VLAN 10, 101 and 102 in this example) and any normal VLAN IDs, so that the trunk link carries all packets that need to be forwarded across it.

To configure the topology shown above:

# Switch 1
set vlans vlan-id 10 private-vlan mode primary
set vlans vlan-id 102 private-vlan mode community
set vlans vlan-id 101 private-vlan mode isolated
set vlans vlan-id 10 private-vlan association 101-102
set interface gigabit-ethernet ge-1/1/1 family ethernet-switching port-mode pvlan-host
set interface gigabit-ethernet ge-1/1/2 family ethernet-switching port-mode pvlan-host
set interface gigabit-ethernet ge-1/1/3 family ethernet-switching port-mode pvlan-host
set interface gigabit-ethernet ge-1/1/4 family ethernet-switching port-mode pvlan-host
set interface gigabit-ethernet te-1/1/1 family ethernet-switching port-mode trunk
set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 101
set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 101
set interface gigabit-ethernet ge-1/1/3 family ethernet-switching native-vlan-id 102
set interface gigabit-ethernet ge-1/1/4 family ethernet-switching native-vlan-id 102
set interface gigabit-ethernet te-1/1/1 family ethernet-switching vlan members 10
set interface gigabit-ethernet te-1/1/1 family ethernet-switching vlan members 101-102


# Switch 2
set vlans vlan-id 10 private-vlan mode primary
set vlans vlan-id 102 private-vlan mode community
set vlans vlan-id 101 private-vlan mode isolated
set vlans vlan-id 10 private-vlan association 101-102
set interface gigabit-ethernet ge-1/1/1 family ethernet-switching port-mode pvlan-host
set interface gigabit-ethernet ge-1/1/2 family ethernet-switching port-mode pvlan-host
set interface gigabit-ethernet ge-1/1/3 family ethernet-switching port-mode pvlan-host
set interface gigabit-ethernet ge-1/1/4 family ethernet-switching port-mode pvlan-host
set interface gigabit-ethernet te-1/1/5 family ethernet-switching port-mode pvlan-promiscuous
set interface gigabit-ethernet te-1/1/2 family ethernet-switching port-mode trunk
set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 101
set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 101
set interface gigabit-ethernet ge-1/1/3 family ethernet-switching native-vlan-id 102
set interface gigabit-ethernet ge-1/1/4 family ethernet-switching native-vlan-id 102
set interface gigabit-ethernet te-1/1/5 family ethernet-switching native-vlan-id 10
set interface gigabit-ethernet te-1/1/2 family ethernet-switching vlan members 10
set interface gigabit-ethernet te-1/1/2 family ethernet-switching vlan members 101-102

From the configurations above, note that the PVLAN configuration, including the association between the primary VLAN and its secondary VLANs, must be consistent on all switches.
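An added example (not PicOS code, and not from the original page) serving two passages: it parses the page's own set lines, computes the per-port VLAN membership that the configuration synchronization section tabulates for Figure 2, and checks that two switches define the same private VLAN modes and associations, the consistency the multi-switch example requires. The function names, the dict layout and the trimmed configuration strings are my own; only pvlan-host and pvlan-promiscuous are modelled because the page does not show the CLI keywords for the trunk variants.

```python
import re
# Constructed input: the Figure 2 configuration from the page, trimmed to
# one host port per secondary VLAN (ge-1/1/2 and ge-1/1/4 follow the same pattern).
FIGURE2 = """\
set vlans vlan-id 2 private-vlan mode isolated
set vlans vlan-id 3 private-vlan mode community
set vlans vlan-id 5 private-vlan mode primary
set vlans vlan-id 5 private-vlan association 2-3
set interface gigabit-ethernet ge-1/1/1 family ethernet-switching port-mode pvlan-host
set interface gigabit-ethernet ge-1/1/3 family ethernet-switching port-mode pvlan-host
set interface gigabit-ethernet te-1/1/1 family ethernet-switching port-mode pvlan-promiscuous
set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 2
set interface gigabit-ethernet ge-1/1/3 family ethernet-switching native-vlan-id 3
set interface gigabit-ethernet te-1/1/1 family ethernet-switching native-vlan-id 5
"""
# The private-vlan lines that Switch 1 and Switch 2 share in the multi-switch example.
SWITCH1 = """\
set vlans vlan-id 10 private-vlan mode primary
set vlans vlan-id 102 private-vlan mode community
set vlans vlan-id 101 private-vlan mode isolated
set vlans vlan-id 10 private-vlan association 101-102
"""

LINE_RE = re.compile(
    r"set (?:vlans vlan-id|interface \S+) (\S+) (?:private-vlan|family ethernet-switching) "
    r"(mode|association|port-mode|native-vlan-id) (\S+)")

def expand(spec):  # "2-3" -> {2, 3}; "5" -> {5}
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def parse(text):
    """Return ({vlan_id: {mode, association}}, {port: {port-mode, native-vlan-id}})."""
    vlans, ports = {}, {}
    for line in text.splitlines():
        obj, key, val = LINE_RE.match(line).groups()
        if key in ("mode", "association"):        # set vlans ... private-vlan ...
            vlans.setdefault(int(obj), {})[key] = expand(val) if key == "association" else val
        else:                                     # set interface ... ethernet-switching ...
            ports.setdefault(obj, {})[key] = int(val) if key == "native-vlan-id" else val
    return vlans, ports

def synchronize(vlans, ports):
    """VLANs each PVLAN port belongs to after synchronization: a host port gets its
    secondary plus that secondary's primary; a promiscuous port gets its primary plus
    every associated secondary."""
    primary_of = {s: p for p, v in vlans.items() for s in v.get("association", ())}
    allowed = {}
    for name, p in ports.items():
        native = p["native-vlan-id"]
        if p["port-mode"] == "pvlan-host":
            allowed[name] = {native, primary_of[native]}
        elif p["port-mode"] == "pvlan-promiscuous":
            allowed[name] = {native} | vlans[native]["association"]
    return allowed

def pvlan_definitions_match(*configs):
    """True when all switches define the same private VLAN modes and associations."""
    defs = [parse(c)[0] for c in configs]
    return all(d == defs[0] for d in defs[1:])
```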

Deploy DHCP Snooping with PVLAN

PicOS supports deploying DHCP snooping in a PVLAN topology. Depending on whether the DHCP client and server are on the same PVLAN switch, this section is divided into two parts:

  • DHCP Client and Server Deployed on a Single Switch
  • DHCP Client and Server Deployed Across Multiple Switches

DHCP Client and DHCP Server Deployed on a Single Switch

In the following PVLAN topology, the switch acts as the user gateway and forwards DHCP messages to the DHCP server, so that DHCP clients Host A, Host B, Host C and Host D can request IP address leases and other related configuration information from the DHCP server. To provide better service to DHCP users, network administrators can configure DHCP snooping to prevent DHCP attacks.

Figure 5. Diagram for Deploying DHCP Snooping with PVLAN on a Single Switch

In the above topology, besides the basic PVLAN configurations, you need to add the following DHCP snooping configuration to enable DHCP snooping on the primary VLAN and set the uplink to the DHCP server as the trust port.

set protocols dhcp snooping vlan 5 disable false
set protocols dhcp snooping trust-port te-1/1/1

DHCP Client and Server Deployed Across Multiple Switches

In the following PVLAN topology, DHCP clients Host A, Host B, Host C, Host D and the DHCP server are deployed across two PVLAN switches.

Figure 6. Diagram for Deploying DHCP Snooping with PVLAN Across Multiple Switches

In this example, you can refer to PVLAN Across Multiple Switches to complete the basic PVLAN configurations. When configuring DHCP snooping, pay attention to the following points:

  • Enable DHCP snooping in VLAN 10 on both Switch 1 and Switch 2.
  • Besides configuring port Te-1/1/5 on Switch 2 (the port connected to the DHCP server) as a trust port, you also have to configure Te-1/1/1 on Switch 1 as a trust port.

Copyright © 2024 Pica8 Inc. All Rights Reserved.