Community pVlan
lildeezul
10-21-2008, 08:00 PM
Hi Guys, I always wondered why an enterprise would run community private VLANs.
Hosts in the same community private VLAN can talk to other hosts in the same community VLAN and to the promiscuous port, so why wouldn't you just create a new regular VLAN and not enable it for routing? Wouldn't it do the same thing?
The only reason I would see for running a community pvlan is if it was a patch, the addressing has already been configured, and people in the same subnet need to be separated as a temp fix.
I suppose if the addressing scheme is already set, but you need to segregate a cluster of hosts/servers from the rest, you could define community pvlans just for those without re-addressing.
I have a question regarding pvlans and SVIs. If you map a secondary vlan to a primary SVI, does that make the secondary vlan routable? I don't understand why you'd have a private vlan that can communicate with only the primary vlan using layer 3 as opposed to only layer 2. Could someone clear that up?
Just found this regarding community pvlans:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml#vpn_conc
As the VPN client needs access to the server farm, all servers and the link to the concentrator need to use the same pvlan to communicate. What's interesting is the use of an isolated pvlan to the PIX firewall to prevent VPN clients access to the Internet through the company.
Big Evil
04-17-2009, 09:13 AM
I read pvlans are used by service providers to deploy hosting services and network access to devices that exist in the same subnet but only communicate with back up servers, default gateways or outside networks. The reason service providers use pvlans is to reduce use of IP subnets and also to enhance security.
The highest level of the pvlan is the primary vlan.
This primary can have many children. These children are called secondary vlans.
Big Evil
04-17-2009, 09:14 AM
I have a question regarding pvlans and SVIs. If you map a secondary vlan to a primary SVI, does that make the secondary vlan routable? I don't understand why you'd have a private vlan that can communicate with only the primary vlan using layer 3 as opposed to only layer 2. Could someone clear that up?
I believe it to be for security, Fuzz.
Although I could be wrong.
I read pvlans are used by service providers to deploy hosting services and network access to devices that exist in the same subnet but only communicate with back up servers, default gateways or outside networks. The reason service providers use pvlans is to reduce use of IP subnets and also to enhance security.
That explains the reason for isolated pvlans, but customers of ISPs would not be put into the same community pvlan as they don't need to communicate with each other.
As for my other question, I don't get why you need to have layer 3 switching mapped to an SVI when the secondary pvlan can only communicate with the primary vlan on the same local switch, when surely layer 2 switching will accomplish the same thing.
lildeezul
05-26-2009, 04:44 PM
That explains the reason for isolated pvlans, but customers of ISPs would not be put into the same community pvlan as they don't need to communicate with each other.
As for my other question, I don't get why you need to have layer 3 switching mapped to an SVI when the secondary pvlan can only communicate with the primary vlan on the same local switch, when surely layer 2 switching will accomplish the same thing.
When making a primary and secondary vlan, the VLAN numbers are different, therefore you need to have a layer 3 device to route between those two vlans. But it may be something I'm looking over. I have to go back to my BCMSN studies and review this concept.
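As an added illustration that is not from the thread or from Cisco's documentation, here is the Catalyst IOS configuration for the design discussed above: one primary VLAN, a community secondary for a server cluster that stays in the existing subnet, an isolated secondary, a promiscuous uplink, and the SVI mapping that is what makes the secondary VLANs reachable at layer 3. VLAN numbers, interface names and addresses are made up.

```cisco
! Private VLANs require VTP transparent (or VTP v3) on the switch
vtp mode transparent
!
! Primary VLAN: the subnet everyone already has addresses in
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Community secondary: cluster members talk to each other and to
! promiscuous ports, but not to any other secondary VLAN
vlan 101
 private-vlan community
!
! Isolated secondary: members talk only to promiscuous ports
vlan 102
 private-vlan isolated
!
! Server cluster ports: host mode, bound to primary 100 / community 101
interface range GigabitEthernet0/1 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Ports that must see nothing but the gateway: primary 100 / isolated 102
interface range GigabitEthernet0/5 - 8
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Uplink to the firewall: promiscuous, reachable from both secondaries
interface GigabitEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! SVI on the PRIMARY only. Without the mapping line, frames from the
! secondary VLANs never reach the SVI and those hosts have no gateway.
! With it, one subnet serves every secondary VLAN; layer-2 isolation
! between 101 and 102 is unchanged. Same-subnet hosts still ARP for
! each other directly, so the SVI does not bridge isolated hosts
! together unless local proxy ARP is deliberately enabled.
interface Vlan100
 ip address 10.0.0.1 255.255.255.0
 private-vlan mapping 101,102
```

Verify the bindings with `show vlan private-vlan` and `show interfaces switchport`; a host port whose secondary VLAN is not listed under the SVI's mapping will be able to reach its community peers but not the default gateway.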