Saturday, September 8, 2012
Private VLANs allow you to isolate traffic between virtual machines in the same isolated VLAN. They provide additional security between virtual machines on the same subnet without exhausting VLAN number space.

PVLANs are useful on a DMZ where each server needs to be reachable from external connections, and possibly internal ones, but rarely needs to communicate with the other servers on the DMZ. A PVLAN can be configured so that the servers can communicate only with the default gateway on the DMZ, denying communication between the servers. If one of the servers were compromised by an attacker or infected with a virus, the other servers on the DMZ would remain unreachable from it.

The basic concept behind Private VLANs is to divide an existing VLAN, referred to as the primary VLAN, into one or more separated VLANs, called secondary VLANs.

There are three types of secondary VLANs: Promiscuous, Isolated, and Community.

Virtual machines in a Promiscuous PVLAN are reachable by, and can reach, any machine in the same primary VLAN. In this example, virtual machines E and F are in promiscuous PVLAN 5, so all virtual machines in primary PVLAN 5 can communicate with them. When you configure a private VLAN, the vSphere Client automatically creates a promiscuous secondary PVLAN with the same ID as the primary PVLAN.

Virtual machines in an Isolated PVLAN can talk to no virtual machines except those in the promiscuous PVLAN. In this example, virtual machines C and D are in isolated PVLAN 155, so they can communicate only with E and F.

Virtual machines in a Community PVLAN can talk to each other and to the virtual machines in the promiscuous PVLAN, but not to any other virtual machine. In this example, virtual machines A and B can talk to each other, and to E and F because E and F are in the promiscuous PVLAN. However, A and B cannot communicate with C or D, because C and D are not members of their community.

Traffic in both community and isolated PVLANs travels tagged with the associated secondary PVLAN ID.

There are a couple of things to note about how vNetwork implements private VLANs.

First, vNetwork does not encapsulate traffic inside private VLANs. In other words, there is no secondary PVLAN encapsulated inside a primary private VLAN packet.

Also, traffic between virtual machines on the same private VLAN but on different ESX or ESXi hosts moves through the physical switch. Therefore, the physical switch must be PVLAN-aware and configured appropriately so that traffic in the secondary PVLANs can reach its destination.
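To make the three forwarding rules and the tagging behaviour above concrete, here is an added Python model of the post's example topology (this is illustrative code written for this page, not VMware's or the blog's own). It assumes the community PVLAN for A and B has ID 17, which the post does not state, and can be used to check that an intended isolation policy actually holds before it is pushed to a switch.

```python
from dataclasses import dataclass
from enum import Enum


class PvlanType(Enum):
    PROMISCUOUS = "promiscuous"
    ISOLATED = "isolated"
    COMMUNITY = "community"


@dataclass(frozen=True)
class SecondaryPvlan:
    primary_id: int
    secondary_id: int
    kind: PvlanType


# Constructed topology mirroring the post: primary PVLAN 5, a promiscuous
# secondary with the same ID as the primary (as the vSphere Client creates it),
# isolated PVLAN 155, and a community PVLAN whose ID 17 is an assumption.
PROMISCUOUS = SecondaryPvlan(5, 5, PvlanType.PROMISCUOUS)
ISOLATED = SecondaryPvlan(5, 155, PvlanType.ISOLATED)
COMMUNITY = SecondaryPvlan(5, 17, PvlanType.COMMUNITY)

VM_PVLAN = {
    "A": COMMUNITY, "B": COMMUNITY,
    "C": ISOLATED, "D": ISOLATED,
    "E": PROMISCUOUS, "F": PROMISCUOUS,
}


def can_reach(src: str, dst: str) -> bool:
    """True if a frame from src may be delivered to dst under PVLAN rules."""
    s, d = VM_PVLAN[src], VM_PVLAN[dst]
    if s.primary_id != d.primary_id:
        return False  # different primary VLANs never talk without a router
    if PvlanType.PROMISCUOUS in (s.kind, d.kind):
        return True   # promiscuous members reach, and are reached by, everyone
    if s.kind == PvlanType.COMMUNITY and s.secondary_id == d.secondary_id:
        return True   # same community: members may talk to each other
    return False      # isolated members, or two different communities


def wire_tag(src: str) -> int:
    """802.1Q tag the frame carries towards the physical switch: the secondary ID."""
    return VM_PVLAN[src].secondary_id


def reachability_matrix() -> dict:
    """Every ordered (src, dst) pair and whether the policy lets it through."""
    vms = sorted(VM_PVLAN)
    return {(a, b): can_reach(a, b) for a in vms for b in vms if a != b}
```

Any pair the matrix marks False that you expected to be True (or the reverse) is a policy mistake to catch here, not on the DMZ.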
