Vlan – Asymmetric VLAN Issue

Please forgive VLAN noobishness.

I'm trying to segregate traffic on a network using VLANs. I want all users to be able to receive and transmit to the internet, so I have a VLAN for this.

I also have three other VLANs which should only see ports on the same VLAN, plus the internet VLAN. As far as I can see I need to use an asymmetric VLAN arrangement for this.

The problem I seem to be having is that some devices will not see any packets leaving a port that are tagged, while others do.

Ideally, I'd like to set more than one VLAN to be untagged for certain ports, but not all of my switches support this.

I had assumed that the tag would be ignored by any device not looking for tagged frames, but it seems that some just ignore the tagged frames completely, while processing untagged frames normally.

Am I just going to have to fork out for switches that support multiple untagged VLANs exiting a port?

Best Answer

There is a solution that does exactly what you are asking for, but its implementation depends on the vendor. Cisco calls it Private VLANs or PVLANs.

PVLANs provide layer 2 isolation between ports within the same broadcast domain. There are three types of PVLAN ports:

  • Promiscuous: A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
  • Isolated: An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.
  • Community: Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.

In your case, you would configure 3 communities and one promiscuous port.
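As an added illustration of the layout the answer recommends (not part of the original answer), here is what that arrangement looks like on a Cisco IOS Catalyst switch. The VLAN numbers, interface names and descriptions are assumptions chosen for the example; the one promiscuous port is the uplink to the internet gateway, and each of the three groups of users is a community secondary VLAN under a single primary VLAN.

```cisco
! Private VLANs require VTP transparent mode (or VTPv3) on IOS Catalyst switches
vtp mode transparent
!
! Primary VLAN shared by all groups; the gateway lives here
vlan 100
 name PVLAN-PRIMARY
 private-vlan primary
 private-vlan association 101,102,103
!
! One community secondary VLAN per user group (numbers are assumed)
vlan 101
 name GROUP-A
 private-vlan community
vlan 102
 name GROUP-B
 private-vlan community
vlan 103
 name GROUP-C
 private-vlan community
!
! The single promiscuous port: uplink to the internet router/firewall.
! It is mapped to all three communities, so every group can reach it.
interface GigabitEthernet0/1
 description Uplink to internet gateway (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102,103
!
! Host ports: each is bound to the primary VLAN plus one community.
! Ports in 101 see each other and the gateway, but never 102 or 103.
interface range GigabitEthernet0/2 - 9
 description Group A hosts
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface range GigabitEthernet0/10 - 17
 description Group B hosts
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
interface range GigabitEthernet0/18 - 23
 description Group C hosts
 switchport mode private-vlan host
 switchport private-vlan host-association 100 103
!
end
```

After applying it, `show vlan private-vlan` lists the primary/secondary pairings and the ports bound to each, and `show interfaces GigabitEthernet0/2 switchport` confirms the port is in private-vlan host mode. Two caveats worth checking before buying or reconfiguring hardware: the gateway on the promiscuous port is the only device all groups can reach, so it must do any inter-group filtering you still want at Layer 3, and if the groups span several switches, the trunks between them and every switch along the path must also support private VLANs, or the isolation ends at the first switch that does not.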