Design scheme based on PVLAN working principle


With the rapid development of networks, the security requirements for communication between network users are getting higher and higher. The traditional solution is to assign each customer a VLAN and an associated IP subnet. With a VLAN of its own, each customer is isolated at Layer 2, which prevents malicious behaviour and snooping of Ethernet traffic. However, this model of one VLAN and one IP subnet per customer has the following limitations: the number of VLANs a switch supports is limited; STP becomes complex, because a spanning-tree topology has to be managed for every VLAN; IP addresses are wasted, because dividing the address space into subnets inevitably leaves some addresses unused; and routing is constrained, because every subnet needs its own default gateway configuration. To solve these problems, an advanced VLAN technology, the private VLAN (PVLAN), came into being.

1 PVLAN basic structure

A private VLAN provides isolation between ports within the same VLAN. It divides the Layer 2 broadcast domain of one VLAN into multiple subdomains, each of which consists of a pair of VLANs: a primary VLAN and a secondary VLAN, as shown in Figure 1.

PVLAN structure

Primary VLAN: the upper-level VLAN of the PVLAN. There is exactly one primary VLAN in each PVLAN. Secondary VLAN: a sub-VLAN of the PVLAN, mapped to one primary VLAN. Access devices are connected to secondary VLANs. There are two types of secondary VLAN:

Isolated VLAN: ports in the same isolated VLAN cannot communicate with each other at Layer 2. There can be only one isolated VLAN in a private VLAN domain.

Community VLAN: ports in the same community VLAN can communicate with each other at Layer 2, but cannot communicate with ports in other community VLANs. There can be multiple community VLANs in a private VLAN.

The communication relationship between the components of the PVLAN is shown in Figure 2.

Communication relationship between PVLAN components

In a private VLAN there are three switch port types:

Isolated port: belongs to an isolated VLAN and can communicate only with the promiscuous port; isolated ports cannot exchange traffic with each other. Community port: belongs to a community VLAN; it can communicate with the promiscuous port, and community ports in the same community VLAN can exchange traffic with each other. Promiscuous port: connects to the router or Layer 3 switch interface; the traffic it receives can be sent to isolated ports and community ports.

The VLAN that represents the entire private VLAN is the primary VLAN. The two types of secondary VLAN must be bound to it, and it also contains the promiscuous port.

2 PVLAN working mechanism

A switch forwards frames using a MAC address table that it learns dynamically from the source MAC address, VLAN and ingress port of received frames, and then looks up by destination MAC address and VLAN. A PVLAN uses a two-level VLAN hierarchy: only the upper-level (primary) VLAN is visible globally, while the lower-level (secondary) VLANs are isolated from each other. This is implemented by synchronizing MAC address table entries between the primary VLAN and each secondary VLAN.

As shown in Figure 3, a PVLAN is set up with VLAN 10 as the primary VLAN and VLANs 2 and 3 as its mapped secondary VLANs. The port configuration is shown in Figure 3. After this configuration, a VLAN-to-port mapping table is formed inside the switch; see Table 1.

Primary and secondary VLAN MAC address synchronization technology

SWA VLAN port mapping table

The MAC address synchronization technique has two steps:

(1) The addresses learned in a secondary VLAN are synchronized to the primary VLAN; the outgoing interface of each entry is unchanged by this synchronization. At this point the MAC address table of SWB is:

SWB MAC address table

Now every downlink unicast frame arriving from SWA finds an explicit MAC address and outgoing interface in SWB's table, so downlink unicast traffic is not flooded as unknown unicast; it is forwarded directly on the matching entry.

(2) The addresses learned in the primary VLAN are synchronized to each secondary VLAN; again the outgoing interface remains unchanged:

Outbound interface MAC

Now, as long as PCA holds SWA's MAC address and pings SWA again, the frame finds an explicit MAC address and outgoing interface in SWB, so uplink unicast traffic is not flooded either. In this way, whether the user's traffic is uplink or downlink, flooding is avoided as far as possible.

3 PVLAN application examples and configuration steps

Applying PVLANs is very effective for securing data communication in the access network, where a user only needs to reach his own default gateway.

A PVLAN does not require multiple VLANs and IP subnets to provide Layer 2 communication security: all users are placed in the PVLAN, which lets every user reach the default gateway without being able to reach any other user in the PVLAN. The PVLAN function ensures that ports in the same VLAN cannot communicate with each other, but can still pass traffic out through a trunk port. In this way, even users in the same VLAN are not affected by each other's broadcasts.

Example application background:

Requirements: hosts A, B and C form a group that must be able to communicate with each other, with the gateway and with server Z, but must not communicate with the remaining hosts in primary VLAN 100. Hosts D and E form a group that must not communicate with each other, but must be able to communicate with the gateway and with billing server Z; they must not communicate with any other host in primary VLAN 100. Based on these requirements, PVLAN technology can be used to design the network topology shown in Figure 4.

The configuration steps are as follows:

(1) Create each VLAN and declare its VLAN type (primary, community or isolated);

(2) Associate the primary VLAN with each secondary VLAN;

(3) Assign ports to each VLAN (host ports to their secondary VLAN, the promiscuous port to the primary VLAN);

(4) Map the secondary VLANs to the Layer 3 interface (SVI) of the primary VLAN;

(5) Set the IP address of each terminal and the IP address of the primary VLAN's SVI interface in the same network segment, with the SVI address as the default gateway.

PVLAN application instance

In this way, different users are isolated in the same VLAN layer 2, and communication with other users can only be realized through the gateway, which enhances the security of the access network.
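As an added worked example, not part of the original article, the five configuration steps above are written out as Cisco IOS configuration for the Figure 4 scenario on a Layer 3 switch. Primary VLAN 100 follows the text; the secondary VLAN numbers 101 and 102, the interface names, the 192.168.100.0/24 subnet, the ACL name and the placement of server Z on a promiscuous port are assumptions made for the example. Community VLAN 101 holds hosts A, B and C; isolated VLAN 102 holds hosts D and E.

```cisco
! Catalyst switches require VTP transparent mode (VTP v1/v2) before
! private VLANs can be created; routing must be enabled for the SVI gateway.
vtp mode transparent
ip routing
!
! Steps 1 and 2: create the VLANs, declare their type, and associate the
! secondary VLANs with the primary VLAN (secondaries must exist first).
vlan 101
 name PVLAN-COMMUNITY-ABC
 private-vlan community
vlan 102
 name PVLAN-ISOLATED-DE
 private-vlan isolated
vlan 100
 name PVLAN-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! Step 3: host ports. Hosts A, B, C (community VLAN 101) can reach each
! other, the gateway and the promiscuous port. Interface names are assumed.
interface range GigabitEthernet1/0/1 - 3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Hosts D and E (isolated VLAN 102) reach only the gateway and the
! promiscuous port, never each other.
interface range GigabitEthernet1/0/4 - 5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Server Z on a promiscuous port: it exchanges traffic with both secondary VLANs.
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Steps 4 and 5: the SVI of the primary VLAN is the default gateway for the
! whole /24; the secondary VLANs are mapped onto it so their traffic is routed.
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 private-vlan mapping 101,102
 ip access-group PVLAN-NO-L3-BYPASS in
!
! Caveat for every PVLAN deployment: Layer 2 isolation does not stop a host
! from addressing a frame to the gateway's MAC while the IP destination is a
! neighbour in the same subnet; the SVI would route it straight back into the
! PVLAN. This ACL permits traffic to the gateway itself, drops anything else
! that stays inside 192.168.100.0/24, and lets off-subnet traffic out.
ip access-list extended PVLAN-NO-L3-BYPASS
 permit ip 192.168.100.0 0.0.0.255 host 192.168.100.1
 deny   ip 192.168.100.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any
```

To check the result, `show vlan private-vlan` lists the primary/secondary associations and the ports in each, and `show interfaces GigabitEthernet1/0/4 switchport` shows the private-VLAN host association of a port. From host D, a ping to host E should fail while pings to the gateway (192.168.100.1) and to server Z succeed; the ACL only touches traffic that is sent to the switch's own MAC for routing, so the direct Layer 2 paths to Z and among A, B and C are unaffected.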
