Private VLAN Architecture Explanation:
Service Provider has Ring topology in different area to give connection to internet to there customers, as shown in above diagram. Its a fiber ring connected to aggregation switch to pass the traffic of the customer to internet and before going to internet they also implement Broadband Policy Management (BPM) to control the bandwidth of the customer as per there plans purchased.
From the diagram, ring is connected to three areas but focusing on area 3 only.
Why we need Private VLANs?
- In area 3, all building will be in same subnet IP provided by service provider so only one customer can take a connection to internet and others can share with him or customer ask oters to pay him instead of SP as they are in same subnet. Most importantly, security is weak.
- To increase the security, we have to divide into more VLAN (subnets) so that they can not communicate with each other but making more subnets will be wastage of IPs, more SVI on switches, more processing and CPU cycling. For every home different subnet, huge and complex task for service providers.
- Best solution to this problem is PRIVATE VLANs. Ports cannot communicate with same subnet when private vlan is applied.
PRIVATE VLANs:
Types:
- Promiscuous
- Isolated
- Community
For more details refer: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.pdf
 |
| Communication between Private VLAN types |
Option 1: Only Isolated ports
 |
| Private VLAN - Isolated port |
Service provider puts the switch ports in isolated host so now users in the same building cannot communicate to each other but can communicate to other buildings with the same isolated ports. So, to enhance the security they introduce promiscuous type.
***
Isolation is local to a switch means isolated port vlan cannot communicate with isolated port vlan on the same switch but it can communicate with other switch with same isolated port vlan.
If isolation is local to switch then we can put each building in different isolation vlans but it will make more complex because more users, more SVI on switches. Hence, not a better solution.
Option 2: Isolated and Promiscuous ports
 |
| Promiscuous port associated with Isolated port |
Locally switch ports are isolated but outbound traffic will convert it to promiscuous vlan, so two vlans will be configured primary vlan for isolation which will be associated with secondary vlan for promiscuous which acts as a gateway for the local switch.
Now, security is also enhance and user are divided within same subnet with Private VLANs to connect to Internet. Service Provider is also happy and can give connection as per user requirements.
Option 3: Community and Promiscuous ports
Only differences is few users will be in same community so that they can communicate within the same building but outbound will be promiscuous port to connect to internet.
★CT21
Reference: https://rstforum.net/ (CCNP training)
