Talk:Private VLAN
This article is rated Start-class on Wikipedia's content assessment scale.
Should this be redirected to Virtual_private_LAN_service? I'm not convinced this is new content here. --Bfigura (talk) 04:05, 12 September 2007 (UTC)
No, VPLS is an MPLS technology that facilitates communication across VPN-like tunnels. Private VLANs are Ethernet features to prevent traffic flow from one host to another on the same VLAN. --jigsaw 04:17, 12 September 2007 (UTC)
- Ok, don't know enough to know myself, hence the request. That and the fact that the creating user (ie, you) has been creating pages really fast, all of which have had a link to (or pdf from) Allied_Telesis. As you have been editing that page heavily, I was a bit suspicious. Thoughts/explanations? --Bfigura (talk) 04:19, 12 September 2007 (UTC)
Well, thanks for the interest, I guess! I checked your diffs and have removed the reference from Private VLAN as it was probably unnecessary to cite it. There is no external reference in MAC except to point to MAC-Forced Forwarding (which seems reasonable to me?). The PDF reference in MACFF is to illustrate how some vendors have used additional features to improve the Private VLAN feature. I intended to search for more examples and add them too to make the article more neutral. --jigsaw 04:31, 12 September 2007 (UTC)
- No issue. It's just occasionally hard to tell good faith contributions from people pushing an agenda. Thanks for that change --Bfigura (talk) 04:40, 12 September 2007 (UTC)
Merging
"Private virtual LAN" and "Private VLAN" seem to be synonymous, and thus the two articles with these names should be merged (or link to each other). Note that the page "PVLAN" redirects to Private virtual LAN. Perhaps "Private VLAN" should do the same, as the longer title with "virtual" spelled out is more descriptive.--Nbeier (talk) 14:26, 24 July 2010 (UTC)
- I am redirecting Private virtual LAN here.
- However, what is described in the two articles is not exactly the same. "Private ports" or "protected ports" can coexist with IEEE 802.1Q VLAN tags, i.e. some switches will pass tagged packets between ports. The Cisco proposal described in Private virtual LAN is somewhat different, it is described as "an extension to the virtual LAN (VLAN) standard that adds further segmentation". This issue should be discussed in more detail in this article. -- Petri Krohn (talk) 15:23, 24 July 2010 (UTC)
Comm via uplink
Petri Krohn (talk · contribs) recently reverted an edit.
The gateway or hosts upstream from the gateway can still provide communications between hosts on the private VLAN. Trivial example: AOL Instant Messenger and two hosts on the private VLAN connecting to the AIM servers. Another trivial example: Two hosts on the private VLAN, in different IP networks, using the uplink gateway to forward IP datagrams.
Whether or not I am a "real expert on the subject" is frankly irrelevant. Comment on the content, not the contributor. If you've got an objection to my interpretation or content, please state it.
—DragonHawk (talk|hist) 15:41, 26 July 2010 (UTC)
- I believe I am an expert on this issue. (I run a small ISP using these technologies.) However I don't really want to use a lot of time on this article, so excuse me for trying to ignore you. However, as you have opened the discussion, I will try to do my best to answer your questions.
- The reason customers on protected ports cannot communicate with each other is not only because of the layer 2 blocking, but also because they are on the same IP subnetwork. As the PCs etc. are not aware of the arrangement they would not know how to communicate with their neighbors on the same network. They can of course create some VPN tunnel to some external router, but they cannot communicate through the public IP addresses assigned to them. This is why we need MAC-Forced Forwarding or a similar Proxy ARP based solution. Another option is to assign the customers private IP addresses, so lack of communication between these addresses will not pose the same problem. -- Petri Krohn (talk) 19:37, 26 July 2010 (UTC)
- Yes, if two hosts are on the same private VLAN, and they are also on the same IP network, then they won't be able to send IP datagrams directly to each other. (Any host in the same IP network is assumed to be in the same broadcast domain. The sender will attempt an ARP for the destination IP address, which will fail because the switch won't forward ARPs to anyone but the uplink, so the sender never gets an ARP response. Even if a host configured a static ARP entry for another host, the switch still wouldn't forward the resulting frames.)
- However, communication is still possible via other methods, such as the two examples I give above. Stating that communication is not possible, without qualification, is potentially misleading to the reader. As an ISP, I expect you're mainly concerned with one customer screwing up ARP or DHCP for other customers (hijacking, DoS, etc.). Limiting layer 2 forwarding at the switch is certainly effective for that. But from an overall security perspective, communication at higher network layers still counts.
- Do you disagree with this analysis? If so, please explain how. If you're okay with this analysis, I will attempt to explain things better in the article.
- —DragonHawk (talk|hist) 22:20, 26 July 2010 (UTC)
- Yes, I agree. Note however, that the "not possible" in the last paragraph now only refers to "direct communication" between the IP hosts. -- Petri Krohn (talk) 22:38, 26 July 2010 (UTC)
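The behaviour argued over in this thread, as an added illustration that is not part of the article or of any commenter's text: a small Python model of a switch with isolated and promiscuous ports, three hosts on isolated ports and a gateway on the promiscuous port. Port names, MAC addresses and the documentation-range IP addresses are constructed for the example; the gateway carrying a second subnet on the same port and the `proxy_arp` flag (standing in for a MAC-Forced Forwarding style solution) are assumptions, not a description of any particular vendor's implementation. The model shows the three cases discussed above: an ARP for a neighbour in the same subnet never reaches it (and a static ARP entry does not help, because the switch drops the unicast frame or the gateway's NIC ignores it), two isolated hosts in different subnets still reach each other through the gateway, and with proxy ARP on the gateway even same-subnet neighbours are reachable via a hairpin through the uplink.

```python
import ipaddress

BROADCAST = "ff:ff:ff:ff:ff:ff"
ISOLATED, PROMISCUOUS = "isolated", "promiscuous"


class PVLANSwitch:
    """Minimal private-VLAN switch: a frame entering an isolated port is
    never delivered to another isolated port; promiscuous ports talk to all."""

    def __init__(self, ports):
        self.ports = dict(ports)   # port name -> role
        self.mac_table = {}        # learned source MAC -> port

    def forward(self, in_port, src_mac, dst_mac):
        """Learn the source MAC and return the egress ports for the frame."""
        self.mac_table[src_mac] = in_port
        if dst_mac != BROADCAST and dst_mac in self.mac_table:
            candidates = [self.mac_table[dst_mac]]                 # known unicast
        else:
            candidates = [p for p in self.ports if p != in_port]  # flood
        isolated_in = self.ports[in_port] == ISOLATED
        return [p for p in candidates
                if p != in_port and not (isolated_in and self.ports[p] == ISOLATED)]


class Node:
    """A host or router with one MAC, one switch port and IP interfaces."""

    def __init__(self, name, port, mac, ifaces, gateway=None, router=False):
        self.name, self.port, self.mac, self.router = name, port, mac, router
        self.ifaces = [ipaddress.ip_interface(i) for i in ifaces]
        self.gateway = ipaddress.ip_address(gateway) if gateway else None
        self.static_arp = {}   # "ip" -> mac, configured by hand (constructed)

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces)

    def connected(self, ip):
        return any(ip in i.network for i in self.ifaces)


class Network:
    def __init__(self, switch, nodes, proxy_arp=False):
        self.switch = switch
        self.by_port = {n.port: n for n in nodes}
        self.by_name = {n.name: n for n in nodes}
        self.proxy_arp = proxy_arp   # assumed: router answers ARP for any connected IP

    def arp(self, asker, target_ip):
        """Broadcast an ARP request from asker; return the MAC that answers, if any."""
        for port in self.switch.forward(asker.port, asker.mac, BROADCAST):
            n = self.by_port[port]
            answers = n.owns(target_ip) or (
                self.proxy_arp and n.router and n.connected(target_ip))
            # The unicast reply must also make it back through the switch.
            if answers and asker.port in self.switch.forward(port, n.mac, asker.mac):
                return n.mac
        return None

    def deliver(self, sender, dst_ip, path):
        """Forward one IP packet hop by hop; return the nodes it visits or None."""
        next_hop = dst_ip if sender.connected(dst_ip) else sender.gateway
        if next_hop is None:
            return None
        mac = sender.static_arp.get(str(next_hop)) or self.arp(sender, next_hop)
        if mac is None:
            return None
        egress = self.switch.forward(sender.port, sender.mac, mac)
        if not egress:
            return None                      # switch dropped the frame
        n = self.by_port[egress[0]]
        if mac != n.mac:
            return None                      # flooded frame not addressed to this NIC
        path = path + [n.name]
        if n.owns(dst_ip):
            return path
        if n.router and n.connected(dst_ip):
            return self.deliver(n, dst_ip, path)   # hairpin back out the uplink
        return None

    def send(self, src_name, dst_ip):
        src = self.by_name[src_name]
        return self.deliver(src, ipaddress.ip_address(dst_ip), [src.name])


def build(proxy_arp=False):
    """Constructed topology: three isolated customer ports, one promiscuous uplink."""
    sw = PVLANSwitch({"g0/1": ISOLATED, "g0/2": ISOLATED, "g0/3": ISOLATED,
                      "g0/24": PROMISCUOUS})
    gw = Node("gateway", "g0/24", "00:00:5e:00:01:01",
              ["203.0.113.1/24", "198.51.100.1/24"], router=True)
    a = Node("A", "g0/1", "02:00:00:00:00:0a", ["203.0.113.10/24"], gateway="203.0.113.1")
    b = Node("B", "g0/2", "02:00:00:00:00:0b", ["203.0.113.11/24"], gateway="203.0.113.1")
    c = Node("C", "g0/3", "02:00:00:00:00:0c", ["198.51.100.5/24"], gateway="198.51.100.1")
    return Network(sw, [gw, a, b, c], proxy_arp=proxy_arp)


if __name__ == "__main__":
    print("A -> B, same subnet:        ", build().send("A", "203.0.113.11"))
    print("A -> C, other subnet:       ", build().send("A", "198.51.100.5"))
    print("A -> B, gateway proxy ARP:  ", build(proxy_arp=True).send("A", "203.0.113.11"))
```

Running it prints `None` for the first case and a path through `gateway` for the other two. The point for a practitioner is the one DragonHawk makes: the switch only blocks direct layer 2 delivery, so whether isolated hosts can reach each other at the IP layer is decided by the gateway's configuration (routing between connected subnets, proxy ARP or MAC-Forced Forwarding), and any filtering between customers has to be enforced there.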
Implementation, Use Cases, Problems and Solutions
Can I edit this page to include who implements Private VLANs, what are the use cases, Private VLAN problems and solutions for those problems?
Disclaimer: I am in the private VLAN business http://marathon-networks.com — Preceding unsigned comment added by Danshtr (talk • contribs) 19:45, 9 February 2013 (UTC)