A Private VLAN (PVLAN) is a concept where we can carve multiple VLANs inside one VLAN. It is a logical separation of the same VLAN.
PVLANs help us to save on the number of VLAN IDs and IP addresses, because we can split the same IP subnet into separate portions using PVLANs.
This also helps us to stop unnecessary communication between virtual machines.
To use PVLANs we need to have distributed switch(es) in our VMware environment.
There are three categories in a PVLAN, as below:
Promiscuous (Primary) VLAN –
This is the native VLAN for the PVLAN and it is the default one.
We can put all the common devices in this PVLAN (for example, LDAP servers).
Isolated (Secondary) –
VMs in the Isolated PVLAN can only communicate with the Promiscuous PVLAN. Those VMs will not even communicate with the VMs inside the same Isolated PVLAN.
Community (Secondary) –
VMs in the Community PVLAN can only communicate with the VMs in the Promiscuous PVLAN and with the other VMs in the same Community PVLAN.
Use case of PVLAN
The diagram below shows one use case of PVLAN.
- All these servers are in my DMZ area.
- vm01 and vm02 are my web server frontend and SMTP gateway. Most of the ports on these two VMs are open to external access.
- vm03 and vm04 are the application server cluster.
- vm05 and vm06 are my LDAP and DHCP servers for the DMZ.
- vm01 and vm02 do not need to communicate with each other. Since I have placed them in the isolated area, vm01 cannot communicate with vm02. But vm01 and vm02 can communicate with the virtual machines in the promiscuous PVLAN segment.
- vm03 can communicate with vm04 and with all the VMs in the promiscuous segment.
How to configure PVLAN
To configure PVLANs, our main requirement is to have a VMware distributed switch. To use this feature we need to have a vSphere Enterprise Plus license.
Steps to configure PVLANs:
- Right-click on your distributed switch and select Edit.
- Select the "Private VLAN" tab and enter the primary VLAN ID in the left-side pane; you can add your secondary PVLANs (Promiscuous, Isolated and Community) from the right-side pane.
We can have one Promiscuous secondary VLAN, one Isolated VLAN and multiple Community VLANs.
- Now we can create port groups and assign the private VLANs to them.
Now we can assign the relevant network to each virtual machine.
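The same steps scripted with PowerCLI, as an added example that is not part of the original post. It drives the vSphere API objects exposed through the switch's ExtensionData rather than a dedicated cmdlet; the switch name "dvSwitch-DMZ", the port group names and the VLAN IDs 10, 11 and 12 are assumed placeholders, and the script expects an existing Connect-VIServer session.

```powershell
# Added example: build the DMZ PVLAN map from the use case above on an existing vDS.
# Assumed placeholders: switch "dvSwitch-DMZ", primary 10, isolated 11, community 12.
$vds     = Get-VDSwitch -Name "dvSwitch-DMZ"
$dvsView = $vds.ExtensionData        # underlying VMwareDistributedVirtualSwitch API object

$primary   = 10   # promiscuous entry: primary and secondary ID are the same
$isolated  = 11   # vm01, vm02 (web frontend, SMTP gateway)
$community = 12   # vm03, vm04 (application cluster)

$spec = New-Object VMware.Vim.VMwareDVSConfigSpec
$spec.ConfigVersion = $dvsView.Config.ConfigVersion   # must match the current config or the call fails

$map = @(
    @{ Primary = $primary; Secondary = $primary;   Type = "promiscuous" },
    @{ Primary = $primary; Secondary = $isolated;  Type = "isolated" },
    @{ Primary = $primary; Secondary = $community; Type = "community" }
)
$spec.PvlanConfigSpec = @(foreach ($m in $map) {
    $entry = New-Object VMware.Vim.VMwareDVSPvlanMapEntry
    $entry.PrimaryVlanId   = $m.Primary
    $entry.SecondaryVlanId = $m.Secondary
    $entry.PvlanType       = $m.Type
    $op = New-Object VMware.Vim.VMwareDVSPvlanConfigSpec
    $op.Operation  = "add"
    $op.PvlanEntry = $entry
    $op
})
$dvsView.ReconfigureDvs($spec)

# One distributed port group per PVLAN, each tagged with its secondary (pvlan) ID.
$portgroups = @{ "DMZ-Promiscuous" = $primary; "DMZ-Isolated" = $isolated; "DMZ-Community" = $community }
foreach ($name in $portgroups.Keys) {
    $pg     = New-VDPortgroup -VDSwitch $vds -Name $name
    $pgView = $pg.ExtensionData
    $pgSpec = New-Object VMware.Vim.DVPortgroupConfigSpec
    $pgSpec.ConfigVersion     = $pgView.Config.ConfigVersion
    $pgSpec.DefaultPortConfig = New-Object VMware.Vim.VMwareDVSPortSetting
    $pgSpec.DefaultPortConfig.Vlan = New-Object VMware.Vim.VmwareDistributedVirtualSwitchPvlanSpec
    $pgSpec.DefaultPortConfig.Vlan.PvlanId = $portgroups[$name]
    $pgView.ReconfigureDVPortgroup($pgSpec)
}

# Verify: re-read the switch and print the PVLAN map it now reports.
$dvsView.UpdateViewData()
$dvsView.Config.PvlanConfig | Select-Object PrimaryVlanId, SecondaryVlanId, PvlanType
```

After this, each VM is attached to the port group matching its role (vm01/vm02 to DMZ-Isolated, vm03/vm04 to DMZ-Community, vm05/vm06 to DMZ-Promiscuous) with Set-NetworkAdapter.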