
What is the difference between vlan and privatevlan?

Question added by Mostafa Abdo, Senior Infrastructure and Security Architect, Devoteam
Date Posted: 2013/10/09
by Amir Mohamed, IT Team Leader, The Xnet Systems

When we split a VLAN using PVLANs, hosts in different PVLANs still belong to the same IP subnet. Although users are in the same IP subnet (in terms of PVLAN), they cannot reach each other through the local network!

If they need to reach each other they should go out and come in to the LAN!

PVLAN is mainly used in ISPs so that they can prevent their customers from accessing each other through the LAN while saving the address space!

If they would use normal VLANs it would need a huge amount of IP addresses to accommodate this goal.

Using PVLANs, if you retrieve your IP address while connecting to an ISP, you would surprisingly notice that your net mask is something like /32, which is strange.

It is a trick: you are in a subnet! You cannot reach anywhere else on the subnet except your gateway.

If you want to access other routers residing on your subnet, you should access them through the internet.

There is another way to accomplish the task of isolating two systems from accessing each other, which is called Protected Port! But it is limited to the hosts on the same switch, while PVLAN can do it across different switches.

by abdalrahman mohmmad, IT Engineer, mixfm

Different VLANs normally map to different IP subnets. When we split a VLAN using PVLANs, hosts in different PVLANs still belong to the same IP subnet.

by Sajith Kumar, Lead Trainer / Consultant, Time Technologies .net Pvt. Ltd

Agree with Amir Mohamed . Also would like to add the following;

"KEY thing to remember is that its all about layer2 isolation"

PVLAN supported switches, e.g. Catalyst 3560, 3750, 6500/6000, etc.

PVLAN ports cannot be trunk ports, cannot be part of a channel group (EtherChannel), cannot have dynamic VLAN membership, and should not be a Switched Port Analyzer (SPAN) destination.

Types of Private VLANs:

1) Promiscuous
2) Community
3) Isolated

Protected Port: A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port in the same switch. Hence it provides total isolation.

Since traffic cannot be forwarded between protected ports at Layer 2, all traffic passing between protected ports must be forwarded through a Layer 3 device.

by Radu Grigorescu, NMS/ITOM Architect, BASF

VLANs normally map to different IP subnets whereas PVLANs belong to the same subnet

by MOHD YASIR, Solution Architect Support, Tech Mahindra ltd

PVLAN supported switches, e.g. Catalyst 3560, 3750, 6500/6000, meaning high-standard switches.

Generally there are three types of private VLAN:

1) Promiscuous
2) Community
3) Isolated

Promiscuous: can be reached by anyone in the private VLAN; the port created this way is connected to a router or gateway.

Isolated: can't speak to anyone else in the VLAN, but can reach the promiscuous port.

Community port: a group of ports that can communicate with each other and also with the promiscuous port.

VLAN: a VLAN normally maps to a different IP subnet and is supported on all switches. Here are the basic differences that you can remember:

(1) The Catalyst 3550 switch does not support private VLANs, but VLANs are supported.

(2) VTP client and server modes do not support private VLANs, but VLANs are supported.

(3) Private VLANs are supported only in VTP transparent mode, but VLANs are supported.

Overall, short and sweet: VLANs are normally supported on every switch, but private VLANs have some limitations.

Please follow and vote for me, because I have no credit to ask any question.
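The answers above describe the three PVLAN port types, the VTP transparent requirement, and the protected-port alternative for a single switch, but none of them shows the configuration. The following Cisco IOS configuration is an added example written for this page; it is not taken from any of the answers. It assumes a Catalyst 3560/3750-class switch, and the VLAN numbers, interface names, descriptions and the 203.0.113.0/24 documentation prefix are illustrative values chosen here, not anything the question or the answers specify.

```cisco
! Added example, not from any answer on this page. Cisco IOS, Catalyst 3560/3750-class switch.
! VLAN IDs, interface names and description text are assumed values chosen for illustration.
!
! 1) Private VLANs can only be defined while the switch is in VTP transparent mode.
vtp mode transparent
!
! 2) Primary VLAN: the one IP subnet every customer shares (e.g. 203.0.113.0/24).
vlan 100
 name CUSTOMERS-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! Isolated secondary VLAN: hosts here reach only promiscuous ports, never each other.
vlan 101
 name CUSTOMERS-ISOLATED
 private-vlan isolated
!
! Community secondary VLAN: hosts here reach each other and the promiscuous ports.
vlan 102
 name HOSTING-COMMUNITY
 private-vlan community
!
! 3) Promiscuous port: the customers' default gateway sits behind it.
interface GigabitEthernet0/1
 description uplink to gateway router
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Isolated host ports: two ISP customers who must not see each other at Layer 2.
interface range GigabitEthernet0/2 - 3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community host ports: a pair of servers that are allowed to talk to each other directly.
interface range GigabitEthernet0/4 - 5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! The PVLAN can span switches: carry the primary and both secondaries on a normal 802.1Q
! trunk (the neighbour must also be VTP transparent and define the same PVLAN structure).
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100-102
!
! Alternative for the single-switch case only: protected ports in an ordinary VLAN.
! Gi0/6 and Gi0/7 cannot exchange frames with each other, but both still reach the
! unprotected ports in VLAN 200 (e.g. a gateway).
vlan 200
 name GUEST-LAN
!
interface range GigabitEthernet0/6 - 7
 switchport mode access
 switchport access vlan 200
 switchport protected
!
! Verification:
! show vlan private-vlan            -> primary/secondary pairs and the ports in each
! show interfaces Gi0/2 switchport  -> "Administrative Mode: private-vlan host"
! show vtp status                   -> "VTP Operating Mode : Transparent"
```

Two checks worth doing after this is in place: first, the isolation is only as good as the device behind the promiscuous port, so if the gateway router is configured to hairpin traffic between hosts of the same subnet (on IOS that is the `ip local-proxy-arp` interface command, off by default), the isolated customers will still reach each other via the router; second, any service the hosts need at Layer 2 (DHCP, the gateway's ARP replies) must come from a promiscuous port, because an isolated host will never see frames from another host port.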

by Fahad M Al Thobaiti, Free Lancer consultant, Free Lancer

PVLAN: is mainly used in ISPs so that they can prevent their customers from accessing each other through the LAN while saving the address space.

VLANs are used on switch ports, and it would need a huge amount of IP addresses to accommodate this goal.

by Muhammad Anzar, DevOps/DevSecOps Architect, Confidential

VLANs

A VLAN is a group of switch ports administratively configured to share the same broadcast domain. L2 switches are not able to forward packets between VLANs. In that case, a L3 switch, also known as Multilayer Switch (MLS), or a router would be necessary.

Granting VLAN membership to devices can be performed using Static VLAN configuration (port based) or by Dynamic VLAN Configuration (device’s MAC address based).

Dynamic VLAN configuration requires the use of CiscoWorks and a VLAN Membership Policy Server (VMPS). VMPS stores the client MAC address database which is queried by switches to establish VLAN membership.

Due to its tendency to make the troubleshooting process rather awkward, Dynamic VLANs should be used only if extremely necessary. Besides, Dynamic VLANs considerably increase the administrative overhead.

The rest of this post will deal with Static VLANs configuration processes only.

Configuring VLANs in Cisco switches is pretty simple. To achieve that, one would need to perform only two steps:

1. Create the VLAN(s)

2. Associate the correct ports to each VLAN (at this point the VLAN is considered to be "operational")

 

Private VLANs

Private VLANs (PVLANs) are used mainly by service providers. As explained earlier, VLANs are a set of switch ports which share the same broadcast domain. The practical meaning of this statement is that this group of devices shares the same Layer 2 domain.

Considering that a frame flowing from a port in a VLAN to a port in that same VLAN does not traverse any interface boundary, how could one provide selected access to business-critical devices from ports that are members of the same VLAN?

There are two approaches available: VLAN Access Lists (VACLs) and Private VLANs.

 

VACLs are used in enterprises to grant or deny devices' access to certain ports sharing the same VLAN number. The configuration process involves setting some VLAN access maps, matching conditions and their actions. The last mandatory step is to configure VLAN filters that are applied to a set of VLANs (or to a single VLAN), based on their number.
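The two VLAN steps and the VACL steps listed above (access map, match conditions, actions, VLAN filter), carried through as one working Cisco IOS configuration. This is an added example written for this page, not the answer's own configuration; the VLAN number, port names, ACL and map names, and the 192.0.2.0/24 documentation prefix are assumed values chosen here.

```cisco
! Added example, not from the answer above. Cisco IOS (Catalyst 3560-class or later).
! VLAN number, interface names, ACL/map names and addresses are assumed values.
!
! Step 1: create the VLAN.
vlan 10
 name SERVERS
!
! Step 2: associate ports with it (static, port-based membership). VLAN 10 is now operational.
interface range GigabitEthernet0/10 - 12
 switchport mode access
 switchport access vlan 10
!
! VACL goal: inside VLAN 10 (192.0.2.0/24) every host may talk to the database server
! 192.0.2.10, but not to any other host in the subnet. Traffic leaving the subnet
! (to the default gateway) is unaffected.
!
! Matching conditions, expressed as ordinary IP ACLs used only for classification:
ip access-list extended TO-DB-SERVER
 permit ip 192.0.2.0 0.0.0.255 host 192.0.2.10
 permit ip host 192.0.2.10 192.0.2.0 0.0.0.255
!
ip access-list extended INTRA-SUBNET
 permit ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
!
! The VLAN access map: clauses are evaluated in sequence order, first match wins.
! Sequence 10: host <-> database server is forwarded.
vlan access-map SERVER-ISOLATION 10
 match ip address TO-DB-SERVER
 action forward
! Sequence 20: any other IP traffic that stays inside the subnet is dropped.
vlan access-map SERVER-ISOLATION 20
 match ip address INTRA-SUBNET
 action drop
! Sequence 30: no match clause, so everything else (host <-> gateway, non-IP frames such
! as ARP) is forwarded. Without this clause the map's implicit deny would drop it.
vlan access-map SERVER-ISOLATION 30
 action forward
!
! Last mandatory step: apply the map to the VLAN(s) it should filter.
vlan filter SERVER-ISOLATION vlan-list 10
!
! Verification:
! show vlan access-map SERVER-ISOLATION
! show vlan filter
```

Two caveats a reviewer would raise. The VACL above classifies on IP addresses, so a host that changes its address (or speaks a non-IP protocol) is no longer caught by sequence 20; to stop non-IP frames as well, add a clause using `match mac address` with a MAC ACL. A PVLAN, by contrast, enforces the isolation on the port itself, independent of what the host sends. And because sequence 30 forwards ARP, hosts can still resolve each other's MAC addresses; only their IP traffic is dropped, which is fine for this goal but worth knowing when reading a packet capture.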
