Re: Private VLANS

From: Pavel Bykov (slidersv@gmail.com)
Date: Tue Mar 24 2009 - 22:04:02 ART


Normally, you need 4 addresses per customer at MINIMUM:

1. network
2. gateway
3. actual customer address
4. broadcast.

If you have 5 customers, and each has 3 devices, then you will need 6
addresses per customer, and because the network that matches is .248 then
you'll have 8 addresses per customer, using 40 addresses in total.
But wait, not only are you wasting addresses, but what if your customer
expands beyond 5 devices?

So at the beginning you have:
Customer 1 = 10.0.0.0/29
Customer 2 = 10.0.0.8/29
Customer 3 = 10.0.0.16/29
Customer 4 = 10.0.0.24/29
Customer 5 = 10.0.0.32/29

But customer 2 now has 6 devices, and is planning for a 7th! So what, are you
going to readdress him? Because he will definitely not fit in the assigned
address space.

Enter private vlans

You just assign 10.0.0.0/24 to everyone, and address them as you like.
e.g.:
10.0.0.1 = gateway for all customers
10.0.0.2 = customer 5
10.0.0.3 = customer 2
10.0.0.4 = customer 2
10.0.0.5 = customer 3
10.0.0.6 = customer 1
10.0.0.7 = customer 4
10.0.0.8 = customer 1

But then you assign them to community/isolated VLANs based on whether they need
to talk to each other (community) or not (isolated).
They will always be able to talk to the default gateway, so you can
limit/restrict their communication using standard rules: ACL/FW/etc.

Private VLANs were never about saving VLANs. They were about saving IP
address space, adding manageability, security (preventing direct
communication between customers), and control.

On Sat, Mar 21, 2009 at 9:12 PM, Joe Astorino <joe_astorino@comcast.net> wrote:

> I have a question about private vlans. From what I gather, one of the
> points is to not limit the number of customers you can have to the number of
> vlans.
>
> However, it seems that if you have a customer with more than one device
> that need to talk to each other both those would be assigned to the same
> community vlan.
>
> Now, if you have many customers each with several devices wouldn't each
> need their own community vlan?
>
> If that is the case aren't you still limiting the number of customers to
> the number of vlans you can have? If that is true I don't really get it.
>
> Thanks for any help on this guys!
>
> -Joe A
> "He not busy being born is busy dying" -- Dylan
>
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

-- 
Pavel Bykov
----------------
Don't forget to help stopping the braindumps, use of which reduces value of
your certifications. Sign the petition at http://www.stopbraindumps.com/
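The setup Pavel describes (one shared 10.0.0.0/24, gateway on .1, customers placed in isolated or community secondary VLANs), written out as an added Cisco IOS example that is not part of the original thread. The VLAN numbers 100/101/102, the interface names and the Catalyst-style syntax are assumptions; the addresses are the ones from the post.

```ios
! Added example, not from the thread. VLAN numbers and port names are
! assumptions; addresses are those in Pavel's post.
! Older Catalyst platforms require VTP transparent mode for private VLANs.
vtp mode transparent
!
! Primary VLAN carries the shared 10.0.0.0/24; the secondaries hang off it.
vlan 100
 name CUSTOMERS-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! ONE isolated VLAN serves every customer whose hosts need no direct
! L2 contact with each other: isolated hosts reach only the gateway.
vlan 101
 name ISOLATED-CUSTOMERS
 private-vlan isolated
!
! A community VLAN is needed only for a customer whose devices must talk
! to each other directly (customer 2: 10.0.0.3 and 10.0.0.4).
vlan 102
 name COMMUNITY-CUSTOMER2
 private-vlan community
!
! Gateway 10.0.0.1 on the primary VLAN's SVI. The mapping is required,
! otherwise hosts in the secondaries cannot reach the gateway at all.
interface Vlan100
 ip address 10.0.0.1 255.255.255.0
 private-vlan mapping 101,102
!
! Customers 1, 3, 4 and 5 (10.0.0.2, .5, .6, .7, .8): isolated ports.
! They share a subnet and a VLAN but cannot exchange frames directly.
interface range FastEthernet0/1 - 5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Customer 2's two devices: same community VLAN, so they see each other.
interface range FastEthernet0/6 - 7
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Verify with: show vlan private-vlan
! Inter-customer traffic that must pass the gateway can then be filtered
! with a normal ACL applied to interface Vlan100.
```

Isolation is enforced at layer 2 by the switch; anything a customer sends to another customer's address is forwarded only via the gateway, which is where the ACL or firewall policy Pavel mentions applies.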

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:07 ART