The Internetwork Expert blog continues to post excellent information and tutorials. The most recent post concerns private VLANs. This was a topic that confused the hell out of me at first. I read the configuration guide and was completely lost. I eventually got my head around the concept (and have even used them at work). I would have loved to have read this post 9 months ago. 🙂
Private VLAN concepts are quite simple, but Cisco’s implementation and configuration are a bit confusing, with all the “mappings” and “associations”. Here is a short overview of how private VLANs work.
To begin with, let’s look at the concept of a VLAN as a broadcast domain. What private VLANs (PVLANs) do is split that domain into multiple isolated broadcast subdomains. It is a simple nesting principle: VLANs inside a VLAN. As we know, hosts in different Ethernet VLANs cannot communicate directly; they need an L3 device to forward packets between broadcast domains. The same applies to PVLANs: since the subdomains are isolated at Layer 2, they can only communicate through an upper-level (L3, packet-forwarding) entity such as a router. There is one difference, however. A regular VLAN usually corresponds to a single IP subnet. When we split a VLAN using PVLANs, hosts in different secondary PVLANs still belong to the same IP subnet, but they must go through a router (or another L3 device) to talk to each other, for example by means of local proxy ARP, where the router answers ARP requests for addresses inside its own subnet so that the hosts send that traffic to it. In turn, the router may either permit or forbid communication between the sub-VLANs using access lists.
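To make the “associations” and “mappings” concrete, here is an added example configuration (mine, not from the original post or from INE) of the setup described above: one primary VLAN split into an isolated and a community secondary VLAN, host ports associated with each, a promiscuous port mapped to both, and an SVI that acts as the L3 entity with local proxy ARP and an access list deciding which sub-VLANs may talk. It assumes Catalyst multilayer switch syntax (3560/3750 class or similar); the VLAN numbers, interface names and the 192.0.2.0/24 subnet are constructed for the example.

```ios
! Added example, not from the original post or from INE. VLAN numbers,
! interface names and the 192.0.2.0/24 subnet are constructed.
!
! VTP versions 1 and 2 do not propagate private VLANs, so the switch must
! be in transparent mode (or run VTP version 3).
vtp mode transparent
!
! Primary VLAN 100 is "associated" with its two secondary VLANs.
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Isolated: hosts in 101 can only talk to promiscuous ports.
vlan 101
 private-vlan isolated
!
! Community: hosts in 102 can talk to each other and to promiscuous ports.
vlan 102
 private-vlan community
!
! Promiscuous port: reachable from every secondary VLAN it is "mapped" to.
interface GigabitEthernet0/1
 description shared backup server, reachable by all subdomains
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Host ports carry a "host-association" of primary + secondary VLAN.
interface GigabitEthernet0/2
 description isolated host, e.g. a customer server
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet0/3
 description community host A
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
interface GigabitEthernet0/4
 description community host B
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! The SVI is the L3 entity. Mapping the secondary VLANs to it makes it
! behave like a promiscuous port. Local proxy ARP makes the switch answer
! ARP for other hosts of the same subnet, so traffic between subdomains
! is sent to the gateway, where the ACL below decides whether it passes.
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 101,102
 ip local-proxy-arp
 ip access-group PVLAN-IN in
!
ip access-list extended PVLAN-IN
 remark hosts may reach the gateway itself
 permit ip 192.0.2.0 0.0.0.255 host 192.0.2.1
 remark forbid hairpinning between hosts of the same subnet via the router
 deny   ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
 remark everything leaving the subnet is allowed
 permit ip 192.0.2.0 0.0.0.255 any
```

Check the result with `show vlan private-vlan type` and `show interfaces GigabitEthernet0/2 switchport`. Two caveats a practitioner should keep in mind: the L2 isolation only holds as long as the router does not quietly undo it, so if you enable `ip local-proxy-arp` and forget the access list, two isolated hosts can again reach each other, just routed through the SVI; and if the default gateway sits behind the physical promiscuous port (a firewall or router) rather than on the SVI, the filtering has to be applied on that device instead.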