Citrix Systems 4.2 Switch User Manual
Chapter 16. Managing Networks and Traffic
200
9. To remove a VPN connection, click the Delete VPN connection button.
To restart a VPN connection, click the Reset VPN connection button in the Details tab.
16.25. Isolation in Advanced Zone Using Private VLAN
Isolation of guest traffic in shared networks can be achieved by using Private VLANs (PVLAN).
PVLANs provide Layer 2 isolation between ports within the same VLAN. In a PVLAN-enabled
shared network, a user VM cannot reach other user VMs, though it can still reach the DHCP server and
the gateway. This lets users control traffic within a network and deploy multiple applications
without communication between the applications, and it also prevents communication with other
users' VMs.
Isolate VMs in a shared network by using Private VLANs.
Supported on KVM, XenServer, and VMware hypervisors.
A PVLAN-enabled shared network can be a part of multiple networks of a guest VM.
16.25.1. About Private VLAN
In an Ethernet switch, a VLAN is a broadcast domain where hosts can establish direct communication
with one another at Layer 2. Private VLAN is designed as an extension of the VLAN standard to add
further segmentation of the logical broadcast domain. A regular VLAN is a single broadcast domain,
whereas a private VLAN partitions a larger VLAN broadcast domain into smaller sub-domains. A
sub-domain is represented by a pair of VLANs: a Primary VLAN and a Secondary VLAN. The original
VLAN that is being divided into smaller groups is called the Primary, which implies that all VLAN pairs
in a private VLAN share the same Primary VLAN. All the secondary VLANs exist only inside the Primary.
Each Secondary VLAN has a specific VLAN ID associated with it, which differentiates one sub-domain
from another.
Three types of ports exist in a private VLAN domain, which essentially determine the behaviour of the
participating hosts. Each port has its own unique set of rules, which regulate a connected host's
ability to communicate with other connected hosts within the same private VLAN domain. Each host
that is part of a PVLAN pair can be configured by using one of these three port designations:
Promiscuous: A promiscuous port can communicate with all the interfaces, including the
community and isolated host ports that belong to the secondary VLANs. In Promiscuous mode,
hosts are connected to promiscuous ports and are able to communicate directly with resources on
both the primary and secondary VLANs. Routers, DHCP servers, and other trusted devices are typically
attached to promiscuous ports.
Isolated VLANs: The ports within an isolated VLAN cannot communicate with each other at the
Layer 2 level. The hosts that are connected to isolated ports can directly communicate only with the
promiscuous resources. If your customer device needs to have access only to a gateway router,
attach it to an isolated port.
Community VLANs: The ports within a community VLAN can communicate with each other and
with the promiscuous ports, but they cannot communicate with the ports in other communities at the
Layer 2 level. In Community mode, direct communication is permitted only with the hosts in the
same community and those that are connected to the Primary PVLAN in promiscuous mode. If your
customer has two devices that need to be isolated from other customers' devices but must be able to
communicate with each other, deploy them on community ports.
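The three port designations above are a reachability policy, and it is worth being able to check an intended placement against that policy before trusting it. The following is an added example, not part of this manual or of the product: a small Python model of the PVLAN rules that decides whether two hosts can exchange Layer 2 frames and flags tenant VMs that have been placed on promiscuous ports (which would break the isolation the shared network is supposed to give). Host names, VLAN IDs and the trusted-device list are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional


class PortType(Enum):
    PROMISCUOUS = "promiscuous"   # gateway, DHCP and other trusted devices
    ISOLATED = "isolated"         # host reaches only promiscuous ports
    COMMUNITY = "community"       # host reaches its own community plus promiscuous ports


@dataclass(frozen=True)
class Host:
    name: str
    primary_vlan: int                   # Primary VLAN shared by the whole PVLAN domain
    port_type: PortType
    secondary_vlan: Optional[int] = None  # Secondary VLAN ID (isolated or community)


def can_talk_l2(a: Host, b: Host) -> bool:
    """True if a and b may communicate at Layer 2 under the PVLAN port rules."""
    if a.primary_vlan != b.primary_vlan:
        return False  # not even in the same broadcast domain
    if PortType.PROMISCUOUS in (a.port_type, b.port_type):
        return True   # promiscuous ports reach every secondary VLAN in the primary
    if PortType.ISOLATED in (a.port_type, b.port_type):
        return False  # isolated hosts reach nothing but promiscuous ports
    # both are community ports: allowed only inside the same community
    return a.secondary_vlan == b.secondary_vlan


def find_isolation_violations(hosts: Iterable[Host], trusted: Iterable[str]) -> List[str]:
    """Names of hosts on promiscuous ports that are not in the trusted-device list.

    Such a host (typically a misplaced tenant VM) can reach every other VM in the
    shared network, defeating the isolation the PVLAN was deployed for.
    """
    trusted_set = set(trusted)
    return sorted(h.name for h in hosts
                  if h.port_type is PortType.PROMISCUOUS and h.name not in trusted_set)


# Constructed sample domain: primary VLAN 100, isolated VLAN 101, communities 102 and 103
GATEWAY = Host("gateway", 100, PortType.PROMISCUOUS)
DHCP = Host("dhcp", 100, PortType.PROMISCUOUS)
VM_A = Host("tenant-a-vm", 100, PortType.ISOLATED, 101)
VM_B = Host("tenant-b-vm", 100, PortType.ISOLATED, 101)
WEB1 = Host("tenant-c-web1", 100, PortType.COMMUNITY, 102)
WEB2 = Host("tenant-c-web2", 100, PortType.COMMUNITY, 102)
DB = Host("tenant-d-db", 100, PortType.COMMUNITY, 103)
TRUSTED = ("gateway", "dhcp")
```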
For further reading: