Private VLANs
Engineers may design VLANs with many goals in mind. In many cases today, devices end up in
the same VLAN just based on the physical locations of the wiring drops. Security is another
motivating factor in VLAN design: devices in different VLANs do not overhear each other's
broadcasts. Additionally, the separation of hosts into different VLANs and subnets requires an
intervening router or multilayer switch between the subnets, and these types of devices typically
provide more robust security features.
Regardless of the design motivations behind grouping devices into VLANs, good design practices
typically call for the use of a single IP subnet per VLAN. In some cases, however, the need to
increase security by separating devices into many small VLANs conflicts with the design goal of
conserving the use of the available IP subnets. The Cisco private VLAN feature addresses this
issue. Private VLANs allow a switch to separate ports as if they were on different VLANs, while
consuming only a single subnet.
A common place to implement private VLANs is in the multitenant offerings of a service provider
(SP). The SP can install a single router and a single switch. Then, the SP attaches devices from
multiple customers to the switch. Private VLANs then allow the SP to use only a single subnet for
the whole building, separating different customers' switch ports so that they cannot communicate
directly, while supporting all customers with a single router and switch.
Conceptually, a private VLAN includes the following general characterizations of how ports
communicate:
■ Ports that need to communicate with all devices
■ Ports that need to communicate with each other, and with shared devices, namely routers
■ Ports that need to communicate only with shared devices
To support each category of allowed communications, a single private VLAN features a
primary VLAN and one or more secondary VLANs. The ports in the primary VLAN are
promiscuous in that they can send and receive frames with any other port, including ports
assigned to secondary VLANs. Commonly accessed devices, such as routers and servers, are
placed into the primary VLAN. Other ports, such as customer ports in the SP multitenant
model, attach to one of the secondary VLANs.
Secondary VLANs are either community VLANs or isolated VLANs. The engineer picks the type
based on whether the device is part of a set of ports that should be allowed to send frames back
and forth (community VLAN ports), or whether the device port should not be allowed to talk to
any other ports besides those on the primary VLAN (isolated VLAN). Table 2-2 summarizes the
behavior of private VLAN communications among ports.
Table 2-2 Private VLAN Communications Among Ports

Description of Who Can Talk to Whom                      Primary VLAN Ports   Community VLAN Ports (1)   Isolated VLAN Ports (1)
Talk to ports in primary VLAN (promiscuous ports)        Yes                  Yes                        Yes
Talk to ports in the same secondary VLAN (host ports)    N/A (2)              Yes                        No
Talk to ports in another secondary VLAN                  N/A (2)              No                         No

(1) Community and isolated VLANs are secondary VLANs.
(2) Promiscuous ports, by definition in the primary VLAN, can talk to all other ports.
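As an added example, not taken from the book, the following Cisco IOS configuration implements the SP multitenant design described above: one primary VLAN with a promiscuous router port, one community VLAN for a customer with several ports, and one isolated VLAN for single-port customers. The VLAN numbers, interface names and customer assignments are assumed for illustration.

```cisco
! Private VLANs require VTP transparent mode (VTP v1/v2) so the switch
! keeps the PVLAN definitions locally.
vtp mode transparent
!
! Primary VLAN 100 carries the single IP subnet for the whole building
! and is associated with both secondary VLANs.
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Community VLAN 101: Customer A's ports may talk to each other and to
! promiscuous ports (row 2 of Table 2-2, "Yes" for community).
vlan 101
 private-vlan community
!
! Isolated VLAN 102: each port may reach only promiscuous ports
! (row 2 of Table 2-2, "No" for isolated).
vlan 102
 private-vlan isolated
!
! Router/shared-server port: promiscuous, mapped to the primary VLAN
! and to every secondary VLAN it must serve (row 1, "Yes" in all columns).
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Customer A (assumed two ports) in community VLAN 101.
interface range GigabitEthernet0/2 - 3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Customers B and C (assumed one port each) in isolated VLAN 102;
! they cannot reach each other or Customer A (row 3, "No").
interface range GigabitEthernet0/4 - 5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Verification: confirm the primary/secondary associations and port roles.
! show vlan private-vlan
! show interfaces GigabitEthernet0/4 switchport
```

A practical check after applying this is to ping between the two isolated ports (Gi0/4 and Gi0/5) and confirm the ping fails while each still reaches the router on Gi0/1; if hosts in the isolated VLAN can reach each other, the host-association or the promiscuous mapping is usually wrong.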