A bit about private VLAN
Quite often, on forums and other IT resources, you come across the claim that VLAN (the 802.1Q standard) is not, as such, a security feature. In principle, I agree with this proposition: it is like dynamic NAT, which does protect hosts on a private ("gray") network, but only indirectly. And yes, both of these topics, VLAN and NAT, tend to start holy wars. But there is one technology that ties VLAN to security to a greater degree, and that is what we will talk about below.
If that sounds interesting, read on.
Private VLAN, what is it?
I will try to explain it in my own words. With this technology, control is applied inside a VLAN: the broadcast domain is split into subdomains according to the settings the network administrator has configured. Simply put, there is a switch, there is a network, there is a broadcast domain, and we do not want the users connected to this domain to be able to contact each other. This is where the technology is applied. If you look at the technology itself, subdomains are organized inside the domain.

There are two types of VLAN in this technology. The primary VLAN is the main VLAN, taken as the base; to VLANs that are not private it looks like an ordinary VLAN and does not expose the IDs of the VLANs inside the domain. Those inner VLANs belong to the second type, secondary.
Secondary VLANs in turn come in two types, isolated and community; the differences between them are described below.
Summing up, we get the following.

Promiscuous (or Uplink, for example, at Allied Telesyn) - a traffic mode used when there is no need to restrict reachability (for a file server, router or switch, say). This type belongs to the primary VLAN. It exchanges traffic both with isolated ports and, as mentioned above, with VLANs that do not use PVLAN technology.
Isolated - a port in the isolated state, i.e. it sits in its own domain and has no access to other isolated domains, nor they to it. It sees only ports in the promiscuous state. Used when a host on the network requires special security.
Community - here it is not one port but several ports that are placed in a separate subdomain. In other words, hosts in this domain see both their neighbors in the subdomain and hosts in the promiscuous state. Applicable when we isolate, for example, by department.
I relied more on Cisco's concepts than on those of other vendors. Other vendors' concepts differ, but they are similar to Cisco's, and when you get acquainted with the technology from another vendor, I think you will work out what is what.
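The reachability rules for the three port types, modelled in Python as an added example (not code from the original post). It computes which ports receive a broadcast from a given port and checks an isolation policy against the port table; the port names, VLAN IDs 100-103 and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"

@dataclass(frozen=True)
class Port:
    name: str
    primary: int                     # primary VLAN the port belongs to
    mode: str                        # one of the three port types
    secondary: Optional[int] = None  # isolated/community VLAN id

def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame entering on src may leave on dst."""
    if src == dst or src.primary != dst.primary:
        return False
    if PROMISCUOUS in (src.mode, dst.mode):
        return True                  # promiscuous ports talk to everyone
    if src.mode == COMMUNITY and dst.mode == COMMUNITY:
        return src.secondary == dst.secondary  # same subdomain only
    return False                     # isolated never reaches a host port

def flood_set(ports, src_name):
    """Ports that receive a broadcast sent from src_name."""
    src = next(p for p in ports if p.name == src_name)
    return sorted(p.name for p in ports if can_forward(src, p))

def isolation_violations(ports, must_not_talk):
    """Pairs the policy wants separated that can in fact exchange frames."""
    by_name = {p.name: p for p in ports}
    return [(a, b) for a, b in must_not_talk
            if can_forward(by_name[a], by_name[b])]

# Constructed port table: one uplink, two isolated hosts, two departments.
PORTS = [
    Port("Gi0/1", 100, PROMISCUOUS),     # router / file server
    Port("Gi0/2", 100, ISOLATED, 101),
    Port("Gi0/3", 100, ISOLATED, 101),
    Port("Gi0/4", 100, COMMUNITY, 102),  # department A
    Port("Gi0/5", 100, COMMUNITY, 102),  # department A
    Port("Gi0/6", 100, COMMUNITY, 103),  # department B
]

if __name__ == "__main__":
    for p in PORTS:
        print(p.name, p.mode, "->", flood_set(PORTS, p.name))
    policy = [("Gi0/2", "Gi0/3"), ("Gi0/4", "Gi0/6"), ("Gi0/4", "Gi0/5")]
    print("policy violations:", isolation_violations(PORTS, policy))
```

Two isolated ports share one secondary VLAN yet still cannot reach each other, while the only violation reported is the pair placed in the same community.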
About application
I will just say that when introducing this technology into a network, you have to take into account that PVLAN does not support many other technologies, for example VTP, RSPAN, voice VLAN, etc.
The technology is quite interesting, in my opinion, and even if you do not find a use for it in your network, I think those who have not come across this concept will find it interesting to get acquainted with a simple description of it.