Learn about private VLANs and how configuring the incorrect PVLAN type could have undesirable results.
- [Instructor] In this video, I'll explain private VLANs. I'll show you how to configure them, and I'll explain some of the problems that you can run into when you configure a private VLAN incorrectly. Private VLANs are a feature that is supported on the vSphere Distributed Switch, and private VLANs can be used to isolate traffic within a VLAN. So, for example, in this diagram, we see seven virtual machines that are all on the same network. They're all on the 10.1.1.0 network.
Now, maybe these virtual machines are owned by different departments or different tenants, and we need to create some isolation between them. All of the virtual machines are in primary VLAN 10, but we've also created secondary VLANs. So, for example, we have primary VLAN 10 and secondary VLAN 110 on the left, and that's an isolated secondary VLAN. So, what that means is virtual machines that are connected to an isolated VLAN will not be able to directly communicate with each other.
As a matter of fact, VMs that are connected to an isolated secondary VLAN can only communicate with devices that are connected to a promiscuous secondary VLAN. So, if you're going to configure a default gateway, a router, something like that, you want to set that up on a promiscuous secondary VLAN. Now, in the middle, we have two other secondary VLANs, secondary VLAN 111 and 112, and these are community secondary VLANs.
So, what does a community secondary VLAN mean? Well, it's like a community, and devices within that community are allowed to communicate. So, if I have multiple virtual machines in secondary VLAN 111, which is a community secondary VLAN, they'll be allowed to communicate with each other. However, one community cannot communicate with another community. So, that's the difference between a community secondary VLAN and an isolated secondary VLAN.
In an isolated secondary VLAN, even the virtual machines connected to that same secondary VLAN cannot communicate with each other. And, much like we saw with the isolated secondary VLANs, the community secondary VLAN can communicate with anything that's connected to the promiscuous secondary VLAN. So, why would we do this? Why would we ever deploy private VLANs? Well, maybe we only have a few public addresses and we want to give 'em to different departments or different tenants or something along those lines, but we don't necessarily want to allow those machines to be able to communicate with each other.
Well, that's a great use case for private VLANs, because you can put all of these machines on the same address range, but you can still restrict communication between them. Now, let's take a look at how we would actually configure this in our lab environment. Okay, so, here we are at the home screen of my vSphere web client. I'm going to go ahead and click on networking, and we're going to start out by modifying our vSphere Distributed Switch. Again, private VLANs are only available if you're using the vSphere Distributed Switch, they are not available on standard virtual switches.
So, under our vSphere Distributed Switch, if we go to manage and settings, we'll see a configuration area for private VLANs, and I'm going to go ahead and add a primary VLAN 10, and I'm going to create some secondary VLANs. So, it automatically creates my promiscuous VLAN for me. I can then go ahead and create, let's say, a community secondary VLAN and an isolated secondary VLAN, and go ahead and hit OK here.
And so, now I've actually configured private VLANs in my vSphere Distributed Switch, and I can apply this configuration to my distributed port groups. So, if I go to a distributed port group, and I go to manage settings and click on edit, I can go down to VLAN and I can choose the VLAN type for this port group is private VLAN, and now I can pick, do I want to put this port group in my promiscuous VLAN, my community VLAN or my isolated VLAN? If I put this port group into my isolated VLAN, that means that all of the virtual machines that I connect to it will not be able to communicate with each other.
They'll be able to communicate with anything connected to my promiscuous secondary VLAN, but if they're in an isolated secondary VLAN, they will not be able to communicate with each other, and this is where you can run into some problems. If you have a virtual machine that appears to be isolated from other virtual machines in the same address range, maybe it's configured with an isolated private VLAN. Or, if it can communicate to some devices in that same address range, but not others, maybe it's in a community secondary VLAN.
So, really, there's not a whole lot of problems to troubleshoot here with private VLANs, as long as you understand the impact of your configurations to begin with.
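As an added example (not part of the video), here is a small Python model of the forwarding rules the instructor describes, applied to the diagram's layout: primary VLAN 10, isolated secondary 110, community secondaries 111 and 112, and a gateway on the promiscuous secondary. The VM names and the promiscuous secondary using ID 10 are assumptions; the `diagnose` helper turns a VM's placement into the troubleshooting symptom named at the end of the video.

```python
"""Model of vSphere private VLAN reachability: isolated, community, promiscuous."""
from dataclasses import dataclass
from enum import Enum


class PvlanType(Enum):
    PROMISCUOUS = "promiscuous"  # reaches every secondary VLAN of its primary
    COMMUNITY = "community"      # reaches its own community plus promiscuous
    ISOLATED = "isolated"        # reaches promiscuous only, never its peers


@dataclass(frozen=True)
class PortGroup:
    name: str
    primary: int
    secondary: int
    kind: PvlanType


def can_talk(a: PortGroup, b: PortGroup) -> bool:
    """Forwarding rule between two ports, as described in the video."""
    if a.primary != b.primary:                  # different private VLAN domains
        return False
    if PvlanType.PROMISCUOUS in (a.kind, b.kind):
        return True                             # promiscuous talks to everyone
    if a.kind is PvlanType.COMMUNITY and b.kind is PvlanType.COMMUNITY:
        return a.secondary == b.secondary       # same community only
    return False                                # isolated, or two communities


def reachable_peers(vm: str, placement: dict[str, PortGroup]) -> set[str]:
    """Names of the other VMs that `vm` can reach at layer 2."""
    return {o for o in placement if o != vm and can_talk(placement[vm], placement[o])}


def diagnose(vm: str, placement: dict[str, PortGroup]) -> str:
    """Map a VM's private VLAN placement to the symptom an admin would see."""
    pg = placement[vm]
    if pg.kind is PvlanType.ISOLATED:
        return f"{vm} is isolated (secondary {pg.secondary}): reaches only promiscuous ports"
    if pg.kind is PvlanType.COMMUNITY:
        return f"{vm} is in community {pg.secondary}: reaches that community and promiscuous ports"
    return f"{vm} is promiscuous: reaches every VM in primary VLAN {pg.primary}"


# Constructed sample placement mirroring the video's diagram (IDs assumed).
PROM = PortGroup("pg-promiscuous", 10, 10, PvlanType.PROMISCUOUS)
ISO = PortGroup("pg-isolated", 10, 110, PvlanType.ISOLATED)
COMM_A = PortGroup("pg-community-111", 10, 111, PvlanType.COMMUNITY)
COMM_B = PortGroup("pg-community-112", 10, 112, PvlanType.COMMUNITY)
PLACEMENT = {"gw": PROM, "vm-a": ISO, "vm-b": ISO,
             "vm-c": COMM_A, "vm-d": COMM_A, "vm-e": COMM_B}
```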