
Currently we make use of a "VLAN and network per customer" model and NAT. I'm considering building a single routed network and making use of PVLANs to keep customer data separate for the smaller customers.

I'm familiar with PVLAN basic implementation, terminology and meanings; however, what I don't understand, and can't find any good guides on, is how PVLANs work between switches. For an example of the lacking documentation, have a look at Dell's and Cisco's implementation guides on PVLANs.

In my scenario connectivity goes as follows:

Firewall <> Cisco 2960 <> Dell 6348 <> Vmware DVswitch (Currently 4.1, soon 5.0) <> Host

I understand the Firewall would be on a Promiscuous port (Primary VLAN) on the Cisco 2960, and I understand the Hosts would be on an Isolated VLAN on the Vmware DVswitch. My question, however, is how do I configure the interlinks between these switches to preserve my PVLAN environment? Also, as an aside, what happens to traffic in a PVLAN when it hits a non-PVLAN-aware switch?

Thanks in advance for any advice or pointers!

SimonJGreen
  • feck. http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml Looks like that 2960 will have to go to start with! – SimonJGreen Oct 31 '12 at 00:05

1 Answer


You have a series of VLANs that the PVLAN feature is using: the primary, the auxiliary and possibly some number of community VLANs. The basic mechanism of PVLAN is to map traffic received on isolated ports into the auxiliary VLAN. Traffic found in the aux VLAN is transmitted on the primary when sending to promiscuous hosts. Community VLANs operate in much the same way.

The interesting part about all of this is that the PVLAN behavior is actually locally implemented on the switch. As such, as long as the primary/aux/community VLAN numbers are consistent, making it work between switches basically consists of making sure all of the appropriate VLANs are allowed across the trunk. The trunk doesn't need to be specially configured if it's running between switches.

As to PVLAN traffic hitting a non-PVLAN switch? If the VLANs are just switched through to another PVLAN-aware device then it works. If not, then hosts in the primary VLAN will be able to communicate with the promiscuous devices on the PVLAN-aware switch and will be able to send traffic -to- isolated ports, but traffic back from an isolated device won't be delivered.

rnxrx
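To make the answer's point concrete, here is an added example (not from the question or the answer, and not a configuration of either poster's network) of the Cisco IOS side of a two-switch PVLAN setup: the PVLAN definitions, a promiscuous port for the firewall, an isolated host port, and the plain trunk towards the next switch. The VLAN numbers 100 (primary), 101 (isolated) and 102 (community) are assumed for illustration, as is a Catalyst platform that supports full private VLANs; the Catalyst 2960 in the question only offers "switchport protected" (PVLAN edge), which is the limitation the question's comment runs into. The Dell and VMware sides are described in prose below rather than shown, because their syntax differs.

```cisco
! Assumed example config; VLAN numbers 100/101/102 are illustrative.
! VTP v1/v2 does not carry private-VLAN definitions, so keep the switch
! in transparent mode and define the same VLANs on every PVLAN-aware switch.
vtp mode transparent
!
vlan 100
 name CUSTOMERS-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
vlan 101
 name CUSTOMERS-ISOLATED
 private-vlan isolated
!
vlan 102
 name CUSTOMERS-COMMUNITY
 private-vlan community
!
! Firewall: promiscuous port in the primary VLAN, mapped to both secondaries.
interface GigabitEthernet0/1
 description Firewall (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! A locally attached customer host: isolated, can only reach the promiscuous port.
interface GigabitEthernet0/2
 description Customer host (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Interlink to the next switch: an ordinary 802.1Q trunk. The only PVLAN-specific
! requirement is that the primary AND all secondary VLANs are allowed on it.
interface GigabitEthernet0/24
 description Trunk to downstream switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100-102
!
! Verification:
!   show vlan private-vlan        - confirms primary/secondary types and associations
!   show interfaces trunk         - confirms 100-102 are allowed and forwarding on the uplink
```

The same three VLAN IDs, with the same primary/isolated/community roles, must be defined on every PVLAN-aware switch along the path; the trunks in between just carry tagged frames for all three. On the VMware distributed switch the equivalent is done in the dvSwitch's private VLAN settings (primary 100, secondary 101 as isolated and 102 as community), with the customer port group set to the isolated secondary and the physical uplinks trunking 100-102 to the Dell switch. A switch in the middle that is not PVLAN-aware can still forward the tagged frames as plain VLANs, which is why the answer says it works as long as both ends are PVLAN-aware; the isolation is only lost when such a switch has its own access ports in the primary VLAN, which is the one-way traffic pattern the answer describes.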