Jul 14 HYPERLINK"http://blog.ine.com/2008/07/14/private-vlans-revisited/"\o"PermanentLinktoPrivateVLANsRevisited"PrivateVLANsRevisited HYPERLINK"http://blog.ine.com/2008/07/14/private-vlans-revisited/"\l"comments"\o"Add/ViewComments"62Comments PostedbyHYPERLINK"http://blog.ine.com/?author=5"\o"VisitPetrLapukhov,4xCCIE/CCDE’swebsite"PetrLapukhov,4xCCIE/CCDEinHYPERLINK"http://blog.ine.com/category/ccie-security/advanced-security/"\o"ViewallpostsinAdvancedSecurity"AdvancedSecurity,HYPERLINK"http://blog.ine.com/category/ccie-routing-switching/security/"\o"ViewallpostsinSecurity"Security,HYPERLINK"http://blog.ine.com/category/ccie-routing-switching/switching/"\o"ViewallpostsinSwitching"Switching HYPERLINK"http://twitter.com/share?url=http%3A%2F%2Fblog.ine.com%2F2008%2F07%2F14%2Fprivate-vlans-revisited%2F&via=inetraining&text=Private%20VLANs%20Revisited&related=&lang=en&count=vertical"Tweet Duetothenon-decreasinginteresttothepostaboutPrivateVLANs,Idecidedtomakeanotherone,moredetailed–includingadiagramandverificationtechniques. Introduction Tobeginwith,recallthatVLANisessentiallyabroadcastdomain.PrivateVLANs(PVANs)allowsplittingthedomainintomultipleisolatedbroadcast“subdomains”,introducingsub-VLANsinsideaVLAN.Asweknow,EthernetVLANscannotcommunicatedirectlywitheachother–theyrequireaL3devicetoforwardpacketsbetweenseparatebroadcastdomains.ThesamerestrictionappliestoPVLANS–sincethesubdomainsareisolatedatLevel2,theyneedtocommunicateusinganupperlevel(L3/packetforwarding)device–suchasrouter. Inreality,differentVLANsnormallymaptodifferentIPsubnets.WhenwesplitaVLANusingPVLANs,hostsindifferentPVLANsstillbelongtothesameIPsubnet,yetnowtheyneedtousearouter(L3device)totalktoeachother(forexample,byusingLocalProxyARP).Inturn,theroutermayeitherpermitorforbidcommunicationsbetweensub-VLANsusingaccess-lists.Commonly,theseconfigurationsarisein“shared”environments,sayISPco-location,whereit’sbeneficialtoputmultiplecustomersintothesameIPsubnet,yetprovideagoodlevelofisolationb