
Troubleshooting Private VLANs

Private VLANs (PVLANs) provide Layer 2 isolation between ports, or devices, that share the same broadcast domain and IP subnet. A PVLAN is a primary VLAN subdivided into secondary VLANs, and every port (in vSphere, every distributed portgroup) is one of three types:
  • Promiscuous: a promiscuous port can communicate with every device in the private VLAN, including the isolated and community ports. The primary VLAN itself is the promiscuous VLAN, which is where gateways, firewalls and other shared services go.
  • Isolated: a device in a portgroup set as Isolated can communicate with promiscuous ports only. It cannot reach other isolated devices or any community device, even on the same host. Traffic from an isolated port is forwarded only to promiscuous ports, and only promiscuous ports can send to it.
  • Community: community ports can communicate with other devices in the same community VLAN and with devices in the promiscuous VLAN. They cannot communicate with devices in a different community VLAN or with isolated ports.
Private VLANs are a feature of the vSphere Distributed Switch (dvSwitch). To create a PVLAN, in the vSphere Client browse to the Networking view and select your dvSwitch. Right-click it, choose Edit Settings, and in the settings window select the Private VLAN tab:
[Screenshot pvlan1: the Private VLAN tab of the dvSwitch settings, with primary VLAN 100 already created]
In the screenshot above I have already created a primary private VLAN, VLAN 100. To add one, click where it says ‘Enter a private VLAN ID here’ and type the VLAN ID.
Once the primary VLAN exists, you need to configure its secondary VLANs. You can see that the primary VLAN ID is automatically listed as its own promiscuous secondary VLAN.
[Screenshot pvlan2: secondary VLANs 101 (Isolated) and 102 (Community) under primary VLAN 100]
For my secondary VLANs I have VLAN 101 as Isolated and VLAN 102 as Community. That is enough to test the functionality; more community VLANs can be added if required, but a primary VLAN can have only one isolated secondary VLAN.
Now that the PVLAN is configured on the dvSwitch, we need to create a distributed portgroup for each of the VLANs we have used, choosing ‘Private VLAN’ as the VLAN type and selecting the matching entry:
[Screenshot pvlan3: one distributed portgroup per private VLAN (100 promiscuous, 101 isolated, 102 community)]
And that is it for the configuration. Virtual machines placed in those portgroups will obey the rules stated at the beginning of this post. There are a few things to bear in mind when using or configuring PVLANs on dvSwitches:
  • The vSphere license must be Enterprise Plus
  • PVLANs are only available on a distributed switch, not on a standard vSwitch
  • A primary VLAN can have only one isolated secondary VLAN, but any number of community secondary VLANs
  • The primary and all secondary VLAN IDs must already be trunked to the ESXi hosts’ uplinks
  • The PVLAN mapping must also be configured on the physical switches. When two VMs in the same PVLAN sit on different hosts, the frame leaves the host tagged with the secondary VLAN ID, so the upstream switch has to be PVLAN-aware and hold the same primary/secondary mapping; otherwise isolation only holds between VMs on the same host
  • PVLAN isolation is Layer 2 only. A device on the promiscuous port that routes (the subnet’s default gateway, for example) can still forward packets between two isolated hosts if one of them sends to the gateway’s MAC address with the other host’s IP as the destination. Put an ACL on the gateway interface that denies traffic sourced from and destined to the PVLAN’s own subnet, and disable local proxy ARP on it, or the isolation can be bypassed in one hop
  • Test the isolation after deployment rather than trusting the configuration: from a VM in the isolated portgroup, ping the gateway (should succeed), another isolated VM on the same host and one on a different host (both should fail), and a VM in the community portgroup (should fail). A success where a failure is expected usually means the physical switch side is missing
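The same procedure driven from PowerCLI, so it can be repeated per dvSwitch and checked afterwards. This is an added example, not part of the original post: it uses the VMware.PowerCLI module’s distributed-switch cmdlets (New-VDSwitchPrivateVlan, Get-VDSwitchPrivateVlan, New-VDPortgroup, Set-VDVlanConfiguration), and the vCenter name, dvSwitch name, portgroup names and VM name are placeholders to replace with your own. Check the parameter names against Get-Help for the PowerCLI version you have installed.

```powershell
# Added example (PowerCLI), not code from the original post.
# Assumes: VMware.PowerCLI is installed; 'vcenter.example.com', 'dvSwitch01',
# the pg-pvlan* portgroup names and 'test-vm-01' are placeholders.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.com'   # placeholder vCenter

$vds = Get-VDSwitch -Name 'dvSwitch01'            # placeholder dvSwitch name

# 1. Primary private VLAN 100. The primary is the promiscuous side,
#    as in the post's screenshots.
$primary = New-VDSwitchPrivateVlan -VDSwitch $vds -PrimaryVlanId 100

# 2. Secondary VLANs: one isolated (101) and one community (102).
#    Only one isolated secondary is allowed per primary; more
#    community secondaries can be added with further calls.
$isolated  = New-VDSwitchPrivateVlan -VDSwitch $vds -PrimaryVlanId 100 `
               -SecondaryVlanId 101 -SecondaryVlanType Isolated
$community = New-VDSwitchPrivateVlan -VDSwitch $vds -PrimaryVlanId 100 `
               -SecondaryVlanId 102 -SecondaryVlanType Community

# 3. One distributed portgroup per PVLAN entry, bound to that entry
#    (the GUI equivalent is VLAN type 'Private VLAN' on the portgroup).
$portgroups = @{
  'pg-pvlan100-promiscuous' = $primary
  'pg-pvlan101-isolated'    = $isolated
  'pg-pvlan102-community'   = $community
}
foreach ($name in $portgroups.Keys) {
  $pg = New-VDPortgroup -VDSwitch $vds -Name $name
  $pg | Set-VDVlanConfiguration -PrivateVlan $portgroups[$name] | Out-Null
}

# 4. Check: the PVLAN table the dvSwitch now holds. Expect three rows:
#    100/100 Promiscuous, 100/101 Isolated, 100/102 Community.
Get-VDSwitchPrivateVlan -VDSwitch $vds |
  Format-Table PrimaryVlanId, SecondaryVlanId, PrivateVlanType -AutoSize

# 5. Check: each portgroup should report a private VLAN binding,
#    not a plain VLAN ID, otherwise the wrong VLAN type was applied.
Get-VDPortgroup -VDSwitch $vds -Name 'pg-pvlan*' |
  Select-Object Name, @{ N = 'Vlan'; E = { $_.VlanConfiguration } } |
  Format-Table -AutoSize

# 6. Move a test VM's first vNIC into the isolated portgroup, then run
#    the ping tests from the bullet list above from inside that VM.
$isolatedPg = Get-VDPortgroup -VDSwitch $vds -Name 'pg-pvlan101-isolated'
Get-NetworkAdapter -VM (Get-VM -Name 'test-vm-01') |
  Select-Object -First 1 |
  Set-NetworkAdapter -Portgroup $isolatedPg -Confirm:$false
```

The two Get-* checks at steps 4 and 5 are the part worth keeping in a runbook: the PVLAN table on the dvSwitch and the VLAN type on each portgroup are the two places where a typo silently turns an isolated portgroup into an ordinary VLAN 101 portgroup with no isolation at all.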

Use Cases for PVLANs

There are a number of use cases for PVLANs, although they do not seem to be widely adopted yet, at least when it comes to vSphere. One suitable use case is a DMZ, where the shared devices (routers and firewalls) sit in the promiscuous VLAN, single-purpose hosts sit in the isolated VLAN, and groups that genuinely need to talk to each other, such as a web farm, each get a community VLAN. Separating the DMZ in this way limits east-west traffic between hosts without adding subnets or a large set of firewall rules, provided the gateway is also told not to route traffic back into the same subnet (see the caveats above).
Another use case is virtual desktop infrastructure. Commonly, virtual desktops are all part of the same VLAN(s). But do two virtual desktops need to communicate with each other directly? Putting the VDI desktops in an isolated VLAN stops a compromised desktop from scanning or attacking its neighbours at Layer 2 while leaving its access to the gateway and shared services untouched.
The same concept applies to backup networks. It is fairly common for VMs to be backed up as though they were physical machines, with an agent installed in the guest OS. Often there is a dedicated portgroup or vSwitch to which a ‘backup’ vNIC is added for each virtual machine. This lets VMs communicate with one another over the backup network, when ordinarily VLAN separation and firewalls would prevent this over their ‘production’ networks. Prevent the VMs from communicating directly over the backup network by creating a PVLAN for backups, with the backup servers in the promiscuous VLAN and the virtual machines in the isolated VLAN.

Useful Links and Resources

http://en.wikipedia.org/wiki/Private_VLAN
