topic Re: Private vlan with fabric attach in Network Architecture & Design

Private vlan with fabric attach

SimoneZ — Wed, 28 Aug 2024 10:12:54 GMT

Hello,

we want to deploy private vlans in our fabric attach infrastructure, in order to limit the traffic in the same subnet.

All the endpoints are connected to access switches (that are in SwitchEngine/EXOS), while core switches are used only as distribution layer.

For EXOS, I had this link as a reference

https://documentation.extremenetworks.com/exos_30.4/GUID-56B81F2C-8A3B-4303-A212-92322613EFAA.shtml

Where it is possible to extend the private vlans between switches. My question is, which configuration is needed on backbone switches (fabric engine), to extend the private vlans between access switches?

Re: Private vlan with fabric attach

Ludovico_Steven — Thu, 29 Aug 2024 12:42:45 GMT

Private VLANs (PVLANs) are always defined using 2 VLAN-ids, a primary & secondary (and additional VLAN-ids if implemented with PVLAN communities which EXOS supports but VOSS does not).

If you want to extend a PVLAN between 2 switches, you always need to trunk all those VLAN-ids between the 2 switches. On VOSS the port can be configured as private-vlan isolated|promiscuous|trunk; trunk is what you need.

Now, if you have Fabric Engine/VOSS in the core/distribution but Switch Engine/EXOS as the access, you are most likely using Fabric Attach (FA) between the two. And there's the problem, FA was never designed to handle PVLANs. FA TLVs can only signal a single VLAN-id associated to an I-SID and cannot signal PVLAN vs. regular VLAN.

If you want to use PVLANs in such a setup you will need to do away with FA and manually configure your Switch Engine/EXOS, at both ends. The PVLAN will also need to be configured manually on all switches (XIQ-SE has no PVLAN support).

A better approach, if you have universal hardware, is to go completely fabric to the edge, and run Fabric Engine on you access switches as well. Now you can have the PVLAN only created on these (the creation and assignment to access ports as well as I-SID association can be fully automated via RADIUS VSA, this XIQ-SE can do) and in fabric a PVLAN with an I-SID assigned becomes an ETREE service which can be extended anywhere else in the fabric (no need to set any ports to trunk mode, no need for FA).

Re: Private vlan with fabric attach

SimoneZ — Fri, 30 Aug 2024 12:31:46 GMT

Hi Ludovico,

thanks for your answer. Very interesting. I will set up a lab and try what you said. Since the goal is to limit traffic in the same subnet, could another approach be to configure policies in XIQ-SE specifying services to allow and not and push them to EXOS switches? Are there any limitation for this feature with EXOS switches (except TCAM limitations)?

Re: Private vlan with fabric attach

Myra1 — Sun, 10 Nov 2024 17:14:20 GMT

To set up a Private VLAN (PVLAN) with Fabric Attach, integrating a context like "Animesuge" for easier understanding, let's break down the basics: Private VLAN (PVLAN): A PVLAN is used in network segmentation to isolate traffic within the same VLAN, allowing for more secure and efficient traffic management. It consists of primary and secondary VLANs, where the secondary VLANs are either isolated or community VLANs, offering different levels of isolation among devices. Fabric Attach: This is a network automation protocol often used in Software Defined Networking (SDN) to simplify the deployment of network services. With Fabric Attach, the network automatically assigns VLANs and other configurations to connected devices, making network setup faster and less error-prone. Using Animesuge as an Example Context: Imagine Animesuge needs to isolate its servers (database, content delivery, web servers) for security while still being part of a larger network. By setting up a PVLAN, you can place each server type into isolated or community VLANs. Using Fabric Attach would then allow these servers to be dynamically assigned to the correct VLANs as they come online or change location within the network, enhancing both security and management efficiency.

Re: Private vlan with fabric attach

Richard13 — Sun, 17 Nov 2024 17:22:08 GMT

A Private VLAN (PVLAN) with Fabric Attach is a networking concept that combines the isolation benefits of private VLANs with the automated provisioning and configuration capabilities of Fabric Attach in modern network architectures.

Private VLAN Overview

Purpose: Used to enhance security and limit broadcast domains in a larger VLAN by subdividing it into smaller, isolated groups.
Types of Ports in PVLAN:
- Promiscuous Ports: Can communicate with all other ports in the PVLAN.
- Isolated Ports: Can only communicate with promiscuous ports, not with other isolated or community ports.
- Community Ports: Can communicate with other community ports and promiscuous ports but not with isolated ports.

Fabric Attach Overview

Purpose: Simplifies the deployment of VLANs, PVLANs, and other network services by automating their configuration through dynamic signaling mechanisms.
Key Features:
- Auto-discovery of VLANs and PVLAN configurations.
- Integration with management platforms like IEEE 802.1Qbg (Edge Virtual Bridging) for network virtualization.
- Simplified scaling for complex network architectures.
- Visit for more information: https://aniwave.com.pl/

Re: Private vlan with fabric attach

Leslie11 — Sun, 24 Nov 2024 07:41:08 GMT

Private VLAN with Fabric Attach: Overview and Explanation

Private VLANs (PVLANs) are an advanced VLAN feature that provides enhanced network isolation and segmentation within a single VLAN domain. They allow for granular traffic control between devices in the same VLAN, supporting security and scalability. Fabric Attach (FA), on the other hand, is an automated network provisioning protocol designed to simplify the deployment of services like VLANs or PVLANs in complex networks.

How Private VLANs Work

Primary VLAN: Acts as the overarching VLAN where all devices are associated.
Secondary VLANs: Subdivided into:
- Isolated VLANs: Devices can only communicate with the promiscuous port (typically connected to a router or gateway) and not with each other.
- Community VLANs: Devices within the same community can communicate but are isolated from other communities and isolated VLANs. Visit: https://zoroxtv.mom/

Re: Private vlan with fabric attach

Ludovico_Steven — Mon, 25 Nov 2024 14:52:38 GMT

If you deploy FabricEngine to the access, you can use PVLANs, and you can use RADIUS authentication (MAC based or 802.1X) to automatically place a user/device in the PVLAN of choice. These PVLANs will have L2 I-SID associated, so the PVLAN can easily span the entire fabric if needed. But note that Fabric Engine does not support PVLAN Community VLAN ids; all you have is the primary and secondary VLAN ids, for isolated and promiscuous users.

Switch Engine also supports PVLANs, including the PVLAN Communities. But if you are using Switch Engine FA Proxy access off a Fabric Engine Fabric FA Server(s), then PVLANs cannot be used, as Fabric Attach signalling can only signal 1 VID per I-SID. You would have to disable FA between the Switch Engine and the Fabric Engine, and q-tag trunk all the PVLANs manually.

Re: Private vlan with fabric attach

Richard13 — Wed, 07 May 2025 08:16:39 GMT

To extend Private VLANs (PVLANs) across switches in your Fabric Attach infrastructure, where access switches run SwitchEngine/EXOS and core switches are acting as the distribution layer with Fabric Engine (VOSS), you need to consider how to preserve the isolation and forwarding behavior of PVLANs across the fabric.

Use PVLANs to isolate traffic within the same subnet.
Extend those PVLANs between access switches.
Use the Fabric Engine (VOSS) switches purely for transport, no direct endpoint connections or visit us: https://ds4-windows.us/

Re: Private vlan with fabric attach

Richard13 — Mon, 11 Aug 2025 07:36:10 GMT

Hello,

We’re planning to deploy Private VLANs within our Fabric Attach environment to limit intra-subnet traffic between endpoints.

In our topology, all endpoints are connected to access switches running EXOS (SwitchEngine), while the core switches are purely acting as a distribution layer. https://izleinatboxapk.com.tr/

I’ve reviewed the EXOS documentation here:

From what I understand, EXOS can extend Private VLANs between switches. My question is: in a Fabric Engine backbone scenario, what configuration is required on the distribution (core) switches to successfully carry and extend Private VLANs between access switches?

Thanks in advance for any guidance.

Re: Private vlan with fabric attach

Richard13 — Fri, 29 Aug 2025 19:27:23 GMT

your approach makes sense — private VLANs are a good way to reduce unnecessary east–west traffic within the same subnet. On EXOS, as you already saw in the documentation, you can map isolated/community ports to a primary VLAN and extend them across switches.

In a fabric attach scenario, the key point is that the backbone (Fabric Engine) doesn’t need to understand the private VLAN logic itself. Instead, it only needs to transport the VLAN(s) as services across the fabric. The private VLAN relationship (primary + secondary mapping) is maintained at the access/edge switches where the endpoints connect. B9 Game