
In a multi-tenant switch environment, standard practice is to separate tenants by VLANs. If these tenants need to be on the same address space for any reason, PVLANs are implemented to add separation between tenants while allowing them all to access a certain resource (e.g. a router).

My question is, what happens to traffic in a PVLAN when it leaves a PVLAN-enabled switch? And what happens if you have a trunk port connecting a core PVLAN-aware switch to a non-PVLAN-aware switch?

Here are a couple of worked scenario examples:

  1. Core switch in a serviced building has a VLAN of 10 with PVLANs 101, 102, 103. Router sits in VLAN 10 as a community member. Ports are provided to tenants with PVLANs 101, 102, 103. If a tenant connects a non-PVLAN-aware switch to 103, will it work?

  2. Several VMware ESX hosts, running a distributed switch (vDS). The vDS is configured with a VLAN for a DMZ of public addresses and then PVLANs within that for each server. Router is on the DMZ VLAN, and hosts can communicate with it. The switch between the router and the ESX hosts supports VLANs but not explicitly PVLANs; what happens to traffic going between the ESX hosts?

The environment we're working in has a mixture of Cisco 39xx switches and Dell 63xx switches.

SimonJGreen

1 Answer


Private VLANs only exist on the switches that support them. If you have switches on your network that don't support PVLANs, then the devices on that switch will work just fine but will be able to talk to each other freely. Some Cisco switches do support PVLAN trunks, so you can connect a non-PVLAN-aware switch and it will only be able to access your promiscuous or community ports on your Cisco switch. Be aware that PVLANs protect at layer 2 only and that your router will also need to be configured to block intra-subnet communication.

This article explains PVLANs better than I ever could.

resmon6
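As an added illustration of the answer above (this is example configuration written for this page, not the asker's or answerer's own config), here is how scenario 1 could be laid out on a Cisco IOS switch together with the router-side hardening the answer mentions. Assumptions: VLAN 10 is the primary PVLAN, 101 and 102 are community VLANs for tenants who need to talk among their own ports, 103 is an isolated VLAN for the tenant who wants to hang their own non-PVLAN-aware switch off the port; the subnet 192.0.2.0/24 with the router at 192.0.2.1 is made up; all interface names are placeholders. Which PVLAN trunk modes exist (isolated trunk, promiscuous trunk) depends on the platform and IOS release, so check `switchport mode private-vlan ?` on your own switch before relying on this.

```cisco
! ---- Core switch: define the private VLANs (VTP must be transparent or off) ----
vlan 101
 private-vlan community
vlan 102
 private-vlan community
vlan 103
 private-vlan isolated
vlan 10
 private-vlan primary
 private-vlan association 101,102,103
!
! Router uplink: promiscuous, so it can reach every secondary VLAN
interface GigabitEthernet1/0/24
 description Uplink to router (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 101,102,103
!
! Tenant A host port: community 101, can talk to other 101 ports and to promiscuous ports
interface GigabitEthernet1/0/1
 description Tenant A
 switchport mode private-vlan host
 switchport private-vlan host-association 10 101
!
! Tenant C port feeding a non-PVLAN-aware switch: an isolated PVLAN trunk.
! The downstream switch sees a normal 802.1Q trunk carrying VLAN 103; its hosts
! talk freely among themselves (the dumb switch cannot enforce anything) but
! upstream they are isolated: only promiscuous ports, i.e. the router, are reachable.
interface GigabitEthernet1/0/3
 description Tenant C - isolated PVLAN trunk to their own switch
 switchport mode private-vlan trunk
 switchport private-vlan association trunk 10 103
 switchport private-vlan trunk allowed vlan 10
!
! ---- Router: PVLANs stop at layer 2, so stop the router hairpinning traffic back
! into the same subnet. Traffic to the gateway itself must stay permitted. ----
ip access-list extended VLAN10-NO-HAIRPIN
 permit ip 192.0.2.0 0.0.0.255 host 192.0.2.1
 deny   ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
 no ip local-proxy-arp
 ip access-group VLAN10-NO-HAIRPIN in
```

The two router lines that matter are `no ip local-proxy-arp` and the hairpin ACL: with local proxy ARP on, the router would answer ARP requests for isolated neighbours and happily route tenant-to-tenant traffic that the switch had blocked, which is exactly the layer-3 bypass the answer warns about. Verify the switch side with `show vlan private-vlan` and `show interfaces GigabitEthernet1/0/3 switchport`, and the router side by pinging one isolated host from another: the ARP should fail, and a forced test with a static ARP entry should then be dropped by the ACL.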