A Private VLAN divides a VLAN (the Primary) into sub-VLANs (Secondary) while keeping the existing IP subnet and layer 3 configuration. A regular VLAN is a single broadcast domain, while a private VLAN partitions one broadcast domain into multiple smaller broadcast subdomains.
We can configure three types of PVLAN in a vSphere environment.
Promiscuous PVLAN
It is the primary VLAN and the first one created, by default. It is the same VLAN we configure on our router and then associate with the virtual switch on our ESXi host. Only one promiscuous private VLAN per primary VLAN can exist at a given time. It can communicate with all interfaces in the VLAN (that is, with anyone in the primary VLAN as well as with the community and isolated PVLANs). Common examples of hosts on the promiscuous PVLAN are the router and the DNS server.
Community PVLAN
We can create multiple community PVLANs and then configure groups of VMs to use different community PVLANs. A VM in a community PVLAN can communicate with the promiscuous PVLAN and with the VMs that belong to the same community PVLAN. A common use case for a community PVLAN is a web server and its DB server.
Isolated PVLAN
We can create only one isolated PVLAN per primary VLAN and then configure VMs to use it. With an isolated PVLAN we can isolate the communication between VMs: VMs in the same isolated PVLAN cannot communicate with each other, nor with the community PVLANs, but they can communicate with the promiscuous PVLAN. Common use cases for an isolated PVLAN are mail servers, FTP servers, IP storage traffic, etc.
There are multiple use cases for private VLANs.
Use Case 1: By default 4096 VLANs are available. If your environment is large enough that you need more than 4096 VLANs, PVLANs are the solution: with PVLANs you can subdivide one VLAN into multiple secondary (sub) private VLANs.
Use Case 2: We can use PVLANs for security purposes as well. What I mean by security here is a DMZ. Servers in a DMZ need to be available to the external network and possibly to the internal network as well, but rarely need to communicate with other servers in the DMZ. An isolated PVLAN gives exactly that: each DMZ server can still reach the gateway on the promiscuous PVLAN, while a compromise of one server does not give it layer 2 reachability to its neighbours. Note that this isolation is enforced at layer 2 only; if the router on the promiscuous port is willing to route traffic back into the same subnet, it still needs an ACL to stop isolated hosts from reaching each other through it.
Use Case 3: If you have a limited number of uplinks available in your ESXi host and want to use multiple VLANs to logically isolate VM traffic, PVLANs are the solution.
Configure the PVLANs
There are a few things you should know before starting the configuration of PVLANs.
- The PVLAN feature is only available on a vDS, and a vDS is only available with the vSphere Enterprise Plus license.
- The uplink we are going to use on the vSphere vDS for VLAN & PVLAN configuration is connected to a physical switch. That physical switch port must be configured as a trunk carrying all the VLAN and PVLAN IDs we will use in our PVLAN configuration.
Configuring PVLANs is a two-step process.
- Create the PVLANs on the vDS
- Assign the PVLANs to the vDS port groups
1-Create PVLAN on vDS
To configure PVLANs from the Web Client: Home -> Networking -> select your vDS -> Manage -> Settings -> Private VLAN -> click "Edit".
Next a dialog box will appear as shown below, where you can configure your PVLANs. I have no PVLAN configured yet; it's all clean as you can see below. To start the PVLAN configuration, first create/add a primary VLAN: click "Add".
Enter your "Primary VLAN ID". A secondary VLAN of type Promiscuous is created automatically, because the primary VLAN itself becomes the promiscuous PVLAN. To create more PVLANs, such as community and isolated ones, click "Add".
When you click Add, a new row is added; enter your "Secondary VLAN ID" and choose the "VLAN Type".
Create more PVLANs if required. Here is my final snapshot of the configured PVLANs -> click "OK".
You can verify your PVLAN configuration in the vDS "Private VLAN" settings tab as shown below.
The next step is to assign these PVLANs to the port groups.
2-Assign PVLAN to the vDS PortGroups
Right-click the desired vDS port group -> click "Edit Settings".
In the port group settings -> VLAN -> choose VLAN type "Private VLAN" -> select your desired "Private VLAN ID". As you can see below, all the PVLANs we defined in Step 1 are listed in the Private VLAN ID drop-down.
Similarly configure the other vDS port groups where you want to use the PVLANs. When you are done with all the configuration, you should test it.
If you have one or more vDS with multiple port groups and one or more uplinks, make sure the physical switch ports behind all those uplinks are configured with the VLAN and PVLAN IDs we configured above. In this test, every vDS port group has one or more VMs connected to it.
vDS PortGroup Design Layout:
- vDS-VM-1 (Community 10,11) - connected to VM1
- vDS-VM2 (Community 10,12) - connected to VM2, VM3
- vDS-VM3 (Isolated 10,21) - connected to VM4, VM5
- vDS-VM5 (Promiscuous 10,10) - connected to VM6
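The two configuration steps above, applied to the port group layout just listed, as an added PowerCLI example (not from the original post). The vCenter address and the vDS name "vDS01" are assumed, and the Set-VDVlanConfiguration -PrivateVlanId parameter is assumed to take the secondary VLAN ID.

```powershell
# Added example (not from the original post): PowerCLI equivalent of the two Web Client steps,
# using the PVLAN IDs and port group names from the design layout above.
Connect-VIServer -Server vcenter.example.local   # assumed vCenter name
$vds = Get-VDSwitch -Name 'vDS01'                # assumed vDS name

# Step 1: create the PVLAN map. The promiscuous entry uses the primary ID as its secondary ID.
$pvlans = @(
    @{ Secondary = 10; Type = 'Promiscuous' },
    @{ Secondary = 11; Type = 'Community'   },
    @{ Secondary = 12; Type = 'Community'   },
    @{ Secondary = 21; Type = 'Isolated'    }
)
foreach ($p in $pvlans) {
    New-VDSwitchPrivateVlan -VDSwitch $vds -PrimaryVlanId 10 `
        -SecondaryVlanId $p.Secondary -PrivateVlanType $p.Type | Out-Null
}
# Verify what the vDS now reports (same information as the "Private VLAN" settings tab).
Get-VDSwitchPrivateVlan -VDSwitch $vds | Format-Table PrimaryVlanId, SecondaryVlanId, PrivateVlanType

# Step 2: assign each secondary PVLAN to its port group, creating the port group if it is missing.
$assign = @{ 'vDS-VM-1' = 11; 'vDS-VM2' = 12; 'vDS-VM3' = 21; 'vDS-VM5' = 10 }
foreach ($pgName in $assign.Keys) {
    $pg = Get-VDPortgroup -VDSwitch $vds -Name $pgName -ErrorAction SilentlyContinue
    if (-not $pg) { $pg = New-VDPortgroup -VDSwitch $vds -Name $pgName }
    Set-VDVlanConfiguration -VDPortgroup $pg -PrivateVlanId $assign[$pgName] | Out-Null
}
# Show the resulting VLAN configuration of every port group on the vDS.
Get-VDPortgroup -VDSwitch $vds | Select-Object Name, VlanConfiguration
```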
Open the consoles of the VMs and start pinging each other. If everything was configured correctly on your physical and virtual infrastructure, your ping results should be as written below.
Ping Test 1: VM1 can only ping VM6; it cannot ping VM2, VM3, VM4 or VM5.
Ping Test 2: VM2 and VM3 can ping each other and VM6, but cannot ping VM1, VM4 or VM5.
Ping Test 3: VM4 and VM5 cannot ping each other, nor VM1, VM2 or VM3. However, they can ping VM6.
Ping Test 4: VM6 can ping all the VMs as well as the other devices in that primary VLAN.
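The four ping tests above follow directly from the PVLAN rules described earlier, so the expected matrix can be computed before anyone opens a console. This is an added PowerShell example (not from the original post) that encodes those rules for the post's own layout and checks them against the four listed results; no vCenter connection is needed.

```powershell
# Added example (not from the original post): expected-reachability check for the PVLAN layout above.
# Secondary ID -> PVLAN type, and VM -> secondary ID, taken from the post's design layout.
$pvlanType = @{ 10 = 'Promiscuous'; 11 = 'Community'; 12 = 'Community'; 21 = 'Isolated' }
$vmPvlan   = [ordered]@{ VM1 = 11; VM2 = 12; VM3 = 12; VM4 = 21; VM5 = 21; VM6 = 10 }

function Test-PvlanReachable {
    param([int]$Src, [int]$Dst)   # secondary VLAN IDs of source and destination
    # Promiscuous ports talk to everything in the primary VLAN, in both directions.
    if ($pvlanType[$Src] -eq 'Promiscuous' -or $pvlanType[$Dst] -eq 'Promiscuous') { return $true }
    # Community ports only reach members of the same community.
    if ($pvlanType[$Src] -eq 'Community' -and $Src -eq $Dst) { return $true }
    # Isolated ports reach nothing else, not even other ports in the same isolated PVLAN.
    return $false
}

# Build the expected ping matrix (rows = source VM, columns = destination VM).
$matrix = foreach ($src in $vmPvlan.Keys) {
    $row = [ordered]@{ From = $src }
    foreach ($dst in $vmPvlan.Keys) {
        if ($src -eq $dst) { $row[$dst] = '-'; continue }
        $row[$dst] = if (Test-PvlanReachable $vmPvlan[$src] $vmPvlan[$dst]) { 'ping' } else { 'blocked' }
    }
    [pscustomobject]$row
}
$matrix | Format-Table -AutoSize

# Cross-check against the four ping tests from the post. A mismatch between this table and
# real ping results means the vDS or physical switch configuration does not match the design.
$expected = @{ VM1 = @('VM6'); VM2 = @('VM3', 'VM6'); VM3 = @('VM2', 'VM6')
               VM4 = @('VM6'); VM5 = @('VM6'); VM6 = @('VM1', 'VM2', 'VM3', 'VM4', 'VM5') }
foreach ($vm in $expected.Keys) {
    $reach = @($vmPvlan.Keys | Where-Object { $_ -ne $vm -and (Test-PvlanReachable $vmPvlan[$vm] $vmPvlan[$_]) })
    $ok = -not (Compare-Object $reach $expected[$vm])
    '{0}: {1}' -f $vm, $(if ($ok) { 'matches post' } else { 'MISMATCH' })
}
```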