Rate and give feedback:  Feedback Received. Thank You!

Rate and give feedback: 

X

This document helped resolve my issue

Yes No

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:  

E-mail: 

Enter a valid Email ID

Need product assistance? Contact Juniper Support

Submit

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.

English  

English

Understanding Private VLANs on EX Series Switches

VLANs limit broadcasts to specified users. Private VLANs (PVLANs) take this concept a step further by limiting communication within the VLAN. PVLANs accomplish this limitation by restricting traffic flows through their member switch ports (which are called “private ports”) so that these ports communicate only with a specified uplink trunk port or with specified ports within the same VLAN. The uplink trunk port (or link aggregation group or LAG) is usually connected to a router, firewall, server, or provider network. Each PVLAN typically contains many private ports that communicate only with a single uplink, thereby preventing the ports from communicating with each other. PVLANs provide Layer 2 isolation between ports within the same VLAN, splitting a broadcast domain into multiple isolated broadcast subdomains and essentially putting secondary VLANs inside another primary VLAN.

Just like regular VLANs, PVLANs are isolated on Layer 2 and require one of the following elements to route traffic among them:

• An external router
• A routed VLAN interface (RVI)

PVLANs are useful for restricting the flow of broadcast and unknown unicast traffic and for limiting the communication between known hosts. Service providers use PVLANs to keep their customers isolated from each other. Another typical use for a PVLAN is to provide per-room Internet access in a hotel.

Note: You can configure a PVLAN to span different supported switches. See the EX Series Switch Software Features Overview for a list of switches that support this feature.

This topic explains the following concepts regarding PVLANs on EX Series switches:

Typical Structure and Primary Application of PVLANs

The configured PVLAN becomes the primary domain, and secondary VLANs become subdomains that are nested inside the primary domain. A PVLAN can be created on a single switch or can be configured to span multiple switches. The PVLAN shown in Figure 1 includes one switch, with one primary PVLAN domain and multiple secondary subdomains.

Figure 1: Subdomains in a PVLAN With One Switch

The types of domains are:

• Primary VLAN—VLAN used to forward frames downstream to isolated and community VLANs.
• Secondary isolated VLAN—VLAN that receives packets only from the primary VLAN and forwards frames upstream to the primary VLAN.
• Secondary interswitch isolated VLAN (shown only in Figure 2)—VLAN used to forward isolated VLAN traffic from one switch to another through PVLAN trunk ports.
• Secondary community VLAN—VLAN used to transport frames among members of a community, which is a subset of users within the VLAN, and to forward frames upstream to the primary VLAN.

For example, Figure 2 shows a PVLAN spanning multiple switches, where the primary VLAN (100) contains two community domains (300 and 400) and one interswitch isolated domain.

Figure 2: PVLAN Spanning Multiple Switches

Routing Between Isolated and Community VLANs

To route Layer 3 traffic between isolated and community VLANs, you must either connect an external router to a promiscuous port, as shown in Figure 1, or on an EX8200 switch, configure an RVI as shown in Figure 2.

If you choose the RVI option, you must configure one RVI for the primary VLAN on one EX8200 switch in the PVLAN domain. This RVI serves the entire PVLAN domain regardless of if the domain includes one or more switches. After you configure the RVI, Layer 3 packets received by the secondary VLAN interfaces are mapped to and routed by the RVI.

When setting up the RVI, you must also enable proxy Address Resolution Protocol (ARP) so that the RVI can handle ARP requests received by the secondary VLAN interfaces.

PVLANs Use 802.1Q Tags to Identify Packets

When packets are marked with a customer-specific 802.1Q tag, that tag identifies ownership of the packets for any switch or router in the network. Sometimes, 802.1Q tags are needed within PVLANs to keep track of packets from different subdomains. Table 1 indicates when a VLAN 802.1Q tag is needed on the primary VLAN or on secondary VLANs.

PVLANs Use IP Addresses Efficiently

PVLANs provide IP address conservation and efficient allocation of IP addresses. In a typical network, VLANs usually correspond to a single IP subnet. In PVLANs, the hosts in all secondary VLANs belong to the same IP subnet because the subnet is allocated to the primary VLAN. Hosts within the secondary VLAN are assigned IP addresses based on IP subnets associated with the primary VLAN, and their IP subnet masking information reflects that of the primary VLAN subnet.

PVLANs Use Four Different Ethernet Switch Port Types

PVLANs isolate ports within the same broadcast domain. To do this, different kinds of PVLAN ports are used, with guidelines for different situations:

• Promiscuous port—A promiscuous port is an upstream trunk port connected to a router, firewall, server, or provider network. A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN. A PVLAN typically contains a single promiscuous uplink port. Use a promiscuous port to move traffic between ports in community or isolated VLANs.
• RVI port—On one EX8200 switch in a PVLAN, you can optionally configure one RVI for the primary VLAN. When configured, this RVI routes Layer 3 packets received by isolated and community VLAN interfaces.
• Community port—Community ports communicate among themselves and with their promiscuous ports. Community ports serve only a select group of users. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.
• Isolated port—Isolated ports have Layer 2 connectivity only with promiscuous ports and PVLAN trunk ports—an isolated port cannot communicate with another isolated port even if these two ports are members of the same isolated VLAN (or interswitch isolated VLAN) domain. Typically, a server, such as a mail server or a backup server, is connected on an isolated port. In a hotel, each room would typically be connected on an isolated port, meaning that room-to-room communication is not possible, but each room can access the Internet on the promiscuous port.
• PVLAN trunk port—A PVLAN trunk port is a trunk port that connects two switches when a PVLAN spans those switches. The PVLAN trunk port is a member of all VLANs within the PVLAN (that is, the primary VLAN, the community VLANs, and the interswitch isolated VLAN). It can communicate with all ports except the isolated ports.

  Communication between a PVLAN trunk port and an isolated port is unidirectional. A PVLAN trunk port’s membership in the interswitch isolated VLAN is egress-only, meaning that incoming traffic on the PVLAN trunk port is never assigned to the interswitch isolated VLAN. An isolated port can forward packets to a PVLAN trunk port, but a PVLAN trunk port cannot forward packets to an isolated port. Table 2 summarizes whether Layer 2 connectivity exists between the different types of ports.

Note: If you enable no-mac-learning on a primary VLAN, all isolated VLANs (or the interswitch isolated VLAN) in the PVLAN inherit that setting. However, if you want to disable MAC address learning on any community VLANs, you must configure no-mac-learning on each of those VLANs.

Creating a PVLAN

The flowcharts shown in Figure 3 and Figure 4 give you a general idea of the process for creating PVLANs. If you complete your configuration steps in the order shown, you will not violate these PVLAN rules. (In the PVLAN rules, configuring the PVLAN trunk port applies only to a PVLAN that spans multiple switches.)

• The primary VLAN must be a tagged VLAN.
• If you are going to configure a community VLAN ID, you must first configure the primary VLAN and the PVLAN trunk port.
• If you are going to configure an isolation VLAN ID, you must first configure the primary VLAN and the PVLAN trunk port.
• Secondary VLANs and the PVLAN trunk port must be committed on a single commit if MVRP is configured on the PVLAN trunk port.

Note: Configuring a voice over IP (VoIP) VLAN on PVLAN interfaces is not supported.

Configuring a VLAN on a single switch is relatively simple, as shown in Figure 3.

Figure 3: Configuring a PVLAN on a Single Switch

1. Configure the primary VLAN name and 802.1Q tag.
2. Set no-local-switching on the primary VLAN.
3. Configure the promiscuous trunk port and access ports.
4. Make the promiscuous trunk and access ports members of the primary VLAN.

1. Configure a VLAN using the usual process.
2. Configure access interfaces for the VLAN.
3. Assign a primary VLAN to the community VLAN,

Isolated VLANs are created internally when the isolated VLAN has access interfaces as members and the option no-local-switching is enabled on the primary VLAN.

1. Configure a logical Layer 3 RVI.
2. Enable proxy ARP on the RVI.
3. Assign the primary VLAN to the RVI,

For detailed instructions for creating a PVLAN on a single switch, see Creating a Private VLAN on a Single EX Series Switch (CLI Procedure), and for configuring an RVI, see Configuring a Routed VLAN Interface in a Private VLAN (CLI Procedure).

The procedure for configuring a VLAN on multiple switches is shown in Figure 4.

Figure 4: Configuring a PVLAN on Multiple Switches

1. Configure the primary VLAN name and 802.1Q tag.
2. Set no-local-switching on the primary VLAN.
3. Configure the promiscuous trunk port and access ports.
4. Make the promiscuous trunk and access ports members of the primary VLAN.

1. Configure a VLAN using the usual process.
2. Configure access interfaces for the VLAN.
3. Assign a primary VLAN to the community VLAN,

Isolated VLANs are created internally when two criteria have been met: the VLAN has access interfaces as members and the primary VLAN has the option no-local-switching enabled. If you configure an isolation ID across multiple switches, be sure that you first configure the primary VLAN and the PVLAN trunk port.

802.1Q tags are required for interswitch isolated VLANs because IEEE 802.1Q uses an internal tagging mechanism by which a trunking device inserts a 4-byte VLAN frame identification tab into the packet header.

Trunk ports are only needed for multiswitch PVLAN configurations—the trunk port carries traffic from the primary VLAN and all secondary VLANs.

1. Configure a logical Layer 3 RVI.
2. Enable proxy ARP on the RVI.
3. Assign the primary VLAN to the RVI,

For detailed instructions for creating a PVLAN on multiple switches, see Creating a Private VLAN Spanning Multiple EX Series Switches (CLI Procedure), and for configuring an RVI, see Configuring a Routed VLAN Interface in a Private VLAN (CLI Procedure).