Configuring VLANs 655
•
Isolated VLAN
—A secondary VLAN. It carries traffic from isolated ports
to promiscuous ports. Only one isolated VLAN can be configured per
private VLAN.
•
Community VLAN
—A secondary VLAN. It forwards traffic between ports
which belong to the same community and to the promiscuous ports. There
can be multiple community VLANs per private VLAN.
A port may be designated as one of the following types in a private VLAN:
•
Promiscuous port
—A port associated with a primary VLAN that is able to
communicate with all interfaces in the private VLAN, including other
promiscuous ports, community ports and isolated ports.
•
Host port
—A port associated with a secondary VLAN that can either
communicate with the promiscuous ports in the VLAN and with other
ports in the same community (if the secondary VLAN is a community
VLAN) or can communicate only with the promiscuous ports (if the
secondary VLAN is an isolated VLAN).
Private VLANs may be configured across a stack and on physical and port-
channel interfaces.
Private VLAN Usage Scenarios
Private VLANs are typically implemented in a DMZ for security reasons.
Servers in a DMZ are generally not allowed to communicate with each other
but they must communicate to a router, through which they are connected to
the users. Such servers are connected to host ports, and the routers are
attached to promiscuous ports. Then, if one of the servers is compromised,
the intruder cannot use it to attack another server in the same network
segment.
The same traffic isolation can be achieved by assigning each port with a
different VLAN, allocating an IP subnet for each VLAN, and enabling layer 3
routing between them. In a private VLAN domain, on the other hand, all
members can share the common address space of a single subnet, which is
associated with a primary VLAN. So, the advantage of the private VLANs
feature is that it reduces the number of consumed VLANs, improves IP
addressing space utilization, and helps to avoid layer 3 routing.
To Next Page
Loading...
Need help?
General
