PVLan Network uplinks

  • 7 May 2015
  • 4 replies

We have a situation where multiple "clients" share the same uplink. For the sake of isolation and ease of recognition, I'd considered moving to PVLans instead of using the same VLAN for all traffic. However, it seems that in order to use PVLans, the port that the translation occurs on has to be untagged. Is this accurate?

Our ideal scenario:

Network VLAN 2 - Internet Traffic
Subscriber VLAN 21 - Client #1 traffic
Subscriber VLAN 22 - Client #2 traffic
Subscriber VLAN 23 - Client #3 traffic
VLAN 3 - Non-internet traffic to ISP
VLAN 4 - Non-internet traffic to ISP

Switch 1:
  PVLAN configured
  Port 1:1 - Uplink to ISP. Translation port VLAN 2,3,4
  Port 1:2 - Link to Switch 2 Non-translation port VLAN 2,21,22,23,3,4
  Port 1:3 - Link to Switch 3 Non-translation port VLAN 22,3,4

Switch 2:
  PVLAN configured
  Port 1:1 - Link to Switch 1 VLAN 2,21,22,23,3,4 non translation port
  Port 1:2 - Link to client 1 VLAN 21
  Port 1:3 - Link to client 2 VLAN 22
  Port 1:4 - Link to client 3 VLAN 23
  Port 1:5 - VLAN 3
  Port 1:6 - VLAN 4

Switch 3:
  No PVLAN configured
  Port 1:1 - Link to Switch 1 VLAN 22,3,4
  Port 1:2 - Link to client 2 VLAN 22
  Port 1:3 - VLAN 3
  Port 1:4 - VLAN 4

It appears that this may be better handled by the non-pvlan VLAN translation feature, though then I lose the isolation features.

Am I missing anything here?

4 replies


Can you elaborate on how you are currently doing this? Are these currently tagged and you are just aggregating? Have you considered using VMANs for this?


As to your original question, the port where the translation takes place does not need to be untagged. The best place to take a look on how to configure this would be the concept guide. It also provides some examples of how to configure... http://documentation.extremenetworks.com/exos/EXOS_All/VLAN/c_private-vlans.shtml


Currently, all of the ports I want to be tagged 21 and 22 are tagged 2 with no isolation. VLAN 23 is using the non-pvlan VLAN translation on the old switch. I need to move the ISP uplink to a new switch and was hoping to implement this (or something similar) as part of the move.

I thought VMANs were for encapsulating an existing tag within another tag so customer sites could seamlessly talk without having to configure the customer tags on the intermediary network. Since we only provide access to the internet for our "clients", there would be no point where we would decapsulate back to the client tag.

Edit: I hadn't seen your second post when I started replying. In the concepts guide, example #1 they show this:
  1. The final step is to configure VLAN translation on the local switch so that Research VLAN workstations can connect to the file servers on the remote switch:

     configure (vlan) Main add ports 1:1 private-vlan translated

It doesn't appear that you can use both "private vlan translated" and "tagged" in the same command, so I was assuming you get one or the other.
To call this done, it appears that the command listed in the concepts guide (conf vlan add port private-vlan translated) does actually add it as a tagged vlan. This doesn't seem very clear in the documentation. Either way, I was able to get what I wanted working, so thanks for your help Bill.