Introduction
Background Theory
A private VLAN is a VLAN you configure to have Layer 2 isolation from
other ports within the same private VLAN. Ports belonging to a private
VLAN are associated with a common set of supporting VLANs that are used
to create the private VLAN structure.
There are three types of private VLAN ports: promiscuous, isolated, and
community.
• A promiscuous port communicates with all other private VLAN ports and is
the port you use to communicate with routers, backup servers, and
administrative workstations.
Privacy is granted at the Layer 2 level because the switch blocks outgoing
traffic to all isolated ports. You assign all isolated ports to an isolated VLAN
where this hardware function occurs. Traffic received from an isolated port
is forwarded to all promiscuous ports only.
RFC 5517 defines PVLAN theory and operation and is suggested reading for
a good understanding of the concepts behind PVLANs:
http://tools.ietf.org/html/rfc5517
Configuration
For this example, the following VLANs will be used.
Primary VLAN – 40
Secondary (isolated) VLAN – 400
UCS Configuration
Create the Primary VLAN (VLAN 40 in this example) in the VLAN tab
Similarly create the Secondary VLAN (VLAN 400 in this example) and
associate it with the Primary VLAN
Creating a vNIC for a blade running a bare metal OS (Linux/Windows) is
straightforward, as the isolated VLAN only needs to be chosen and set as the
Native VLAN. Fabric Failover can be enabled if required and supported by
the adapter in the blade to which the Service Profile will be assigned.
Creating vNICs for an ESX host is different and usually requires trunks
extended to the blade. As mentioned earlier, PVLANs and regular VLANs
cannot be carried on the same vNIC, and a vNIC can only have one
isolated VLAN.
This implies that a vNIC needs to be defined solely to carry the isolated VLAN
to the ESX blade running Nexus 1000v.
In the case of the other adapters (82598KR, M61KR, M72KR E/Q and M51KR),
which do not support Fabric Failover, private VLANs are not feasible with
the Nexus 1000v if redundancy is required, because the two available vNICs
need to be configured to back each other up.
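The forwarding rules described in the Background Theory section and the vNIC constraints just listed can be checked offline. The following added example (not code from the original document; it models the RFC 5517 rules the page cites, and the community VLAN 401 it uses is a constructed value) decides which ports of a private VLAN can exchange Layer 2 frames and flags vNIC VLAN sets that break the UCS rules:

```python
"""Private VLAN forwarding model (RFC 5517) plus UCS vNIC checks.
Added example; the VLAN ids follow the page (40 primary, 400 isolated),
401 is a constructed community VLAN used only for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

PRIMARY_VLAN = 40
ISOLATED_VLAN = 400
COMMUNITY_VLAN = 401  # constructed, not from the document


@dataclass(frozen=True)
class Port:
    name: str
    kind: str          # "promiscuous", "isolated" or "community"
    secondary: int = 0  # secondary VLAN for isolated/community ports


def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame from src may reach dst inside the same private VLAN."""
    if src is dst:
        return False
    # A promiscuous port talks to every port in the private VLAN.
    if src.kind == "promiscuous" or dst.kind == "promiscuous":
        return True
    # Isolated ports only reach promiscuous ports (blocked above otherwise).
    if src.kind == "isolated" or dst.kind == "isolated":
        return False
    # Community ports talk to each other only within the same community VLAN.
    return src.secondary == dst.secondary


def reachable_pairs(ports: List[Port]) -> Set[Tuple[str, str]]:
    """Every (source, destination) pair that the switch would forward."""
    return {(a.name, b.name) for a in ports for b in ports if can_forward(a, b)}


def validate_vnic_vlans(vlans: Dict[int, str]) -> List[str]:
    """Apply the two UCS rules from the text to a vNIC's VLAN set.
    vlans maps VLAN id -> "regular", "primary", "isolated" or "community"."""
    kinds = set(vlans.values())
    problems = []
    if "regular" in kinds and kinds - {"regular"}:
        problems.append("regular and private VLANs on the same vNIC")
    if sum(1 for k in vlans.values() if k == "isolated") > 1:
        problems.append("more than one isolated VLAN on the vNIC")
    return problems
```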
vlan 40
  private-vlan primary
vlan 400
  private-vlan isolated
switchport
end
vlan 40
  private-vlan primary
vlan 400
  private-vlan isolated
Define the uplink port profile that will be assigned to the pNIC
port-profile type ethernet pv-lan
  vmware port-group
  state enabled
Define the veth port profile that the VMs will consume
port-profile type vethernet vms
  vmware port-group
  no shutdown
  state enabled
VMware DVS does not offer an option to configure the native VLAN on uplinks,
so PVLANs with DVS and UCS are currently not supported.