Private VLANs

Virtual Local Area Networks (VLANs) have been around for a long time. A VLAN is essentially a broadcast domain: hosts can all be plugged into the same switch but are partitioned into separate domains, so we control which hosts can see each other's broadcasts. In practice, VLANs are usually mapped one-to-one onto IP subnets. For example, in an enterprise building, I would likely have one IP subnet per physical floor, 192.168.1.0/24 for the first floor, 192.168.2.0/24 for the second floor, and so on, one /24 block per floor. This gives a clear delineation of my physical network as well as my logical network. Any host wanting to communicate beyond its own subnet has to traverse its layer 3 gateway, where I can apply an access list to enforce security.

What happens when different departments reside on the same floor? Perhaps the finance and sales teams are both on the second floor, and I would not want the sales team's hosts in the same broadcast domain as the finance team's. I could break the subnet down further, but that quickly becomes tedious and breaks the one-subnet-per-floor scheme that was previously set up. This is where a private VLAN can help.

A private VLAN essentially breaks the existing VLAN (the primary VLAN) into sub-VLANs, called secondary VLANs, without changing the IP subnet. There are three types of port within a private VLAN:

  • The Promiscuous (P) port: This port can send and receive layer 2 frames to and from any other port in the private VLAN; it is usually the port connecting to the layer 3 gateway router.
  • The Isolated (I) port: This port can only communicate with P ports. It is typically connected to a host that you do not want communicating with any other host in the same VLAN.
  • The Community (C) port: This port can communicate with other C ports in the same community and with P ports; each community is its own secondary VLAN.

Keep in mind that the isolation is enforced at layer 2 only. Hosts on isolated or community ports still share one IP subnet and one gateway, so a frame that a host deliberately addresses to the gateway's MAC address with a neighbor's IP address as the destination can be routed straight back in through the promiscuous port. If that matters, add an access list on the gateway interface that denies traffic from the subnet to itself.
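The three rules above are easy to state but easy to get wrong when you are building a port table for automation. The following Python script is an added example, not code from the book or from any vendor: it models the private VLAN forwarding decision for a constructed second-floor port table and renders the matching Cisco IOS configuration (the same text you would push with Ansible or Netmiko). The switch port names, VLAN numbers and community names are made up for illustration.

```python
"""Private VLAN (PVLAN) forwarding model plus a Cisco IOS config renderer.

Added example for this section; not code from the book. Interface names,
VLAN numbers and community names are made up for illustration.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional

PRIMARY_VLAN = 100                                   # the existing "second floor" VLAN
ISOLATED_VLAN = 101                                  # one isolated secondary VLAN per primary
COMMUNITY_VLANS = {"finance": 102, "sales": 103}     # one community secondary VLAN each


@dataclass(frozen=True)
class Port:
    name: str
    kind: str                       # "P" promiscuous, "I" isolated, "C" community
    community: Optional[str] = None  # only meaningful when kind == "C"


# Constructed sample port table (assumption: one switch, one primary VLAN).
PORTS: Dict[str, Port] = {
    "Gi0/24": Port("Gi0/24", "P"),                # uplink to the layer 3 gateway
    "Gi0/1": Port("Gi0/1", "C", "finance"),
    "Gi0/2": Port("Gi0/2", "C", "finance"),
    "Gi0/3": Port("Gi0/3", "C", "sales"),
    "Gi0/4": Port("Gi0/4", "I"),                  # e.g. a printer nobody should reach directly
    "Gi0/5": Port("Gi0/5", "I"),
}


def can_forward(src: Port, dst: Port) -> bool:
    """True if a layer 2 frame entering on src may be forwarded out dst.

    Rules (symmetric, so the switch applies them in both directions):
      * a promiscuous port reaches every other port in the private VLAN;
      * an isolated port reaches only promiscuous ports;
      * a community port reaches promiscuous ports and its own community.
    """
    if src.name == dst.name:
        return False                # a frame is never sent back out its ingress port
    if src.kind == "P" or dst.kind == "P":
        return True
    if src.kind == "I" or dst.kind == "I":
        return False
    return src.community == dst.community   # both are community ports


def reachable_from(port_name: str, ports: Dict[str, Port] = PORTS) -> List[str]:
    """Sorted list of ports that frames from port_name are allowed to reach."""
    src = ports[port_name]
    return sorted(p.name for p in ports.values() if can_forward(src, p))


def render_ios_config(ports: Dict[str, Port] = PORTS) -> str:
    """Render the Cisco IOS PVLAN configuration for the port table as plain text."""
    community_ids = ",".join(str(v) for v in COMMUNITY_VLANS.values())
    secondaries = f"{ISOLATED_VLAN},{community_ids}"
    lines = [
        f"vlan {PRIMARY_VLAN}",
        " private-vlan primary",
        f" private-vlan association {secondaries}",
        f"vlan {ISOLATED_VLAN}",
        " private-vlan isolated",
    ]
    for vid in COMMUNITY_VLANS.values():
        lines += [f"vlan {vid}", " private-vlan community"]
    for port in ports.values():
        lines.append(f"interface {port.name}")
        if port.kind == "P":
            lines.append(" switchport mode private-vlan promiscuous")
            lines.append(f" switchport private-vlan mapping {PRIMARY_VLAN} {secondaries}")
        else:
            secondary = ISOLATED_VLAN if port.kind == "I" else COMMUNITY_VLANS[port.community]
            lines.append(" switchport mode private-vlan host")
            lines.append(f" switchport private-vlan host-association {PRIMARY_VLAN} {secondary}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, port in PORTS.items():
        print(f"{name} ({port.kind}) -> {reachable_from(name)}")
    print(render_ios_config())
```

Running the script prints, for each port, the set of ports its frames may reach (the two isolated ports see only Gi0/24, the finance ports see each other and Gi0/24), followed by the IOS configuration. Checking the reachability table against the policy before pushing the rendered config is the step that catches a host accidentally placed in the wrong community.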

We can again use Ansible or any of the other Python scripts introduced so far to accomplish this task. By now, we should have enough practice and confidence to implement this feature with automation if needed, so I will not repeat the steps here. Being aware of the private VLAN feature comes in handy when you need to isolate ports even further within an L2 VLAN.
