Oracle® VM Server for SPARC 3.3 Administration Guide

Updated: October 2015

Using Private VLANs

The private VLAN (PVLAN) mechanism enables you to divide a regular VLAN into sub-VLANs to isolate network traffic. The PVLAN mechanism is defined in RFC 5517. Usually, a regular VLAN is a single broadcast domain, but when configured with PVLAN properties, the single broadcast domain is partitioned into smaller broadcast subdomains while keeping the existing Layer 3 configuration. When you configure a PVLAN, the regular VLAN is called the primary VLAN and the sub-VLANs are called secondary VLANs.

When two virtual networks use the same VLAN ID on a physical link, all broadcast traffic is passed between them. When the virtual networks are configured with PVLAN properties, that is no longer always the case: broadcast traffic is forwarded only between certain PVLAN types.

The following table shows the broadcast packet-forwarding rules between isolated and community PVLANs on the same primary VLAN. Community A and Community B are two different community PVLANs; the row is the PVLAN type of the sending virtual network and the column is the PVLAN type of the receiving virtual network.

Table 2  Broadcast Packet-Forwarding Rules

    PVLAN Type     Isolated   Community A   Community B
    Isolated       No         No            No
    Community A    No         Yes           No
    Community B    No         No            Yes

For example, when the vnet0 and vnet1 virtual networks are both members of an isolated PVLAN on the net0 network, net0 does not pass broadcast traffic between them. Traffic that net0 receives from an isolated PVLAN is also not passed back to the isolated ports of that PVLAN, because an isolated virtual network accepts traffic only from the primary VLAN.

The inter-vnet-links feature honors the communication restrictions of isolated and community PVLANs. Inter-vnet-links are disabled for isolated PVLANs, and for community PVLANs they are enabled only between virtual networks that are in the same community. Direct traffic from virtual networks outside the community is not permitted.


Note - If a target service domain does not support the PVLAN feature, the migration of a guest domain that is configured for PVLAN might fail.

PVLAN Requirements

You can configure PVLANs by using the ldm add-vnet and ldm set-vnet commands. Use these commands to set the pvlan property. Note that you must also specify the pvid property to successfully configure the PVLAN.

This feature requires at least the Oracle Solaris 11.2 SRU 4 OS.

    To configure a PVLAN, you must specify the following information:

  • Primary VLAN ID. The primary VLAN ID is the port VLAN ID (PVID) of the virtual network device on which you configure the PVLAN; the guest domain sends and receives the traffic of this VLAN untagged. Note that you cannot configure VIDs (the vid property) together with a PVLAN. This value is represented by the pvid property.

  • Secondary VLAN ID. The secondary VLAN ID identifies the sub-VLAN (isolated or community) within the primary VLAN. You specify it as the secondary-vid part of the pvlan value. secondary-vid is an integer in the range 1-4094. A primary VLAN can have many secondary VLANs, with the following restrictions:

    • Neither the primary VLAN ID nor the secondary VLAN ID can be the same as the default VLAN ID.

    • The same pair of primary VLAN ID and secondary VLAN ID cannot be used for both an isolated PVLAN and a community PVLAN.

    • Each primary VLAN can configure only one isolated PVLAN. So, you cannot create two isolated PVLANs that use the same primary VLAN ID.

    • A primary VLAN can have multiple community VLANs with the following restrictions:

      • A primary VLAN ID cannot be used as the secondary VLAN ID to create another community PVLAN.

        For example, if you have a community PVLAN with a primary VLAN ID of 3 and a secondary VLAN ID of 100, you cannot create another community PVLAN that uses 3 as the secondary VLAN ID.

      • A secondary VLAN ID cannot be used as primary VLAN ID to create a community PVLAN.

        For example, if you have a community PVLAN with a primary VLAN ID of 3 and a secondary VLAN ID of 100, you cannot create another community PVLAN that uses 100 as the primary VLAN ID.

      • The secondary VLAN ID cannot already be used as a VLAN ID for regular virtual networks or VNICs.


      Caution  - The Logical Domains Manager can validate only the configuration of the virtual networks on a particular virtual switch. If a PVLAN configuration is set up for Oracle Solaris VNICs on the same back-end device, ensure that the same requirements are met across all VNICs and virtual networks.


  • PVLAN type. You specify this information as the pvlan-type part of the pvlan value. pvlan-type is one of the following values:

    • isolated. The ports that are associated with an isolated PVLAN are isolated from all of the peer virtual networks and Oracle Solaris virtual NICs on the back-end network device. Packets from an isolated port reach only the external network, based on the values you specified for the PVLAN.

    • community. The ports that are associated with a community PVLAN can communicate with other ports that are in the same community PVLAN but are isolated from all other ports. The packets reach the external network based on the values you specified for the PVLAN.
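The restrictions above are easy to get wrong once several domains share a virtual switch, and, as the caution notes, the Logical Domains Manager checks them only per virtual switch. The following shell script is an added example and is not part of the Oracle guide or of the ldm tool: it takes a planned layout written in the same pvid=/vid=/pvlan= notation as the ldm add-vnet arguments and reports every rule violation before any command is run. The plan line format, the two sample plans, and the choice DEFAULT_VID=1 for the default VLAN ID are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Oracle VM Server for SPARC guide: a pre-flight
# check of a planned PVLAN layout against the restrictions listed above, run
# before any ldm add-vnet / ldm set-vnet command is issued.
# Plan format (one virtual network per line, in the ldm argument notation):
#   vswitch-name if-name [pvid=N] [vid=N,...] [pvlan=secondary-vid,pvlan-type]
# DEFAULT_VID=1 is an assumption made here for the default VLAN ID.
DEFAULT_VID=1

# pvlan_plan_check: read a plan on stdin, print one line per violation,
# return 1 if any violation was found and 0 otherwise.
pvlan_plan_check() {
    awk -v def="$DEFAULT_VID" '
    function bad(msg) { print "VIOLATION: " msg; nbad++ }
    NF == 0 || $1 ~ /^#/ { next }                  # skip blank and comment lines
    {
        vsw = $1; vn = $2; pvid = ""; vid = ""; sec = ""; type = ""
        for (i = 3; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "pvid")       pvid = kv[2]
            else if (kv[1] == "vid")   vid = kv[2]
            else if (kv[1] == "pvlan") { split(kv[2], p, ","); sec = p[1]; type = p[2] }
            else bad(vn ": unknown property " $i)
        }
        if (sec == "") {
            # Regular virtual network: remember every VLAN ID it uses on this
            # virtual switch; a PVLAN may not reuse one as its secondary ID.
            if (pvid != "") plain[vsw ":" pvid] = vn
            n = split(vid, vv, ",")
            for (j = 1; j <= n; j++) if (vv[j] != "") plain[vsw ":" vv[j]] = vn
            next
        }
        # Requirements on the PVLAN itself
        if (pvid == "") bad(vn ": pvlan= requires pvid=")
        if (vid != "")  bad(vn ": vid= cannot be combined with pvlan=")
        if (type != "isolated" && type != "community")
            bad(vn ": pvlan-type must be isolated or community, not \"" type "\"")
        if (sec !~ /^[0-9]+$/ || sec + 0 < 1 || sec + 0 > 4094)
            bad(vn ": secondary VLAN ID \"" sec "\" is not in the range 1-4094")
        if (pvid == def || sec == def)
            bad(vn ": primary or secondary VLAN ID equals the default VLAN ID " def)
        # Requirements between PVLANs on the same virtual switch
        key = vsw ":" pvid ":" sec
        if ((key in pair) && pair[key] != type)
            bad(vn ": " pvid "/" sec " is already used by a " pair[key] " PVLAN")
        pair[key] = type
        if (type == "isolated") {
            if (((vsw ":" pvid) in iso) && iso[vsw ":" pvid] != sec)
                bad(vn ": primary VLAN " pvid " already has isolated PVLAN " iso[vsw ":" pvid])
            iso[vsw ":" pvid] = sec
        }
        primary[vsw ":" pvid] = vn
        rec[++nrec] = vsw ":" vn ":" pvid ":" sec
    }
    END {
        # Whole-plan checks: a secondary ID must be neither a primary ID nor
        # a VLAN ID of a regular virtual network on the same virtual switch.
        for (r = 1; r <= nrec; r++) {
            split(rec[r], f, ":"); vsw = f[1]; vn = f[2]; pvid = f[3]; sec = f[4]
            if ((vsw ":" sec) in primary)
                bad(vn ": secondary VLAN ID " sec " is also the primary VLAN ID of " primary[vsw ":" sec])
            if ((vsw ":" sec) in plain)
                bad(vn ": secondary VLAN ID " sec " is a VLAN ID of regular network " plain[vsw ":" sec])
        }
        exit (nbad > 0)
    }'
}

# Constructed sample plans (not taken from a real system).
VALID_PLAN='# two isolated networks may share the same secondary ID (vnet2, vnet3)
primary-vsw0 vnet0 pvid=3 pvlan=100,community
primary-vsw0 vnet1 pvid=3 pvlan=100,community
primary-vsw0 vnet2 pvid=3 pvlan=200,isolated
primary-vsw0 vnet3 pvid=3 pvlan=200,isolated
primary-vsw0 vnet4 pvid=4 pvlan=300,community
primary-vsw1 vnet5 pvid=10 vid=20,30'

BAD_PLAN='primary-vsw0 vnet0 pvid=3 pvlan=100,community
primary-vsw0 vnet1 pvid=3 pvlan=3,community
primary-vsw0 vnet2 pvid=100 pvlan=400,community
primary-vsw0 vnet3 pvid=3 pvlan=200,isolated
primary-vsw0 vnet4 pvid=3 pvlan=201,isolated
primary-vsw0 vnet5 pvid=3 pvlan=200,community
primary-vsw0 vnet6 pvid=1 pvlan=300,community
primary-vsw0 vnet7 pvid=6 vid=300
primary-vsw0 vnet8 pvid=7 vid=50 pvlan=500,community
primary-vsw0 vnet9 pvlan=600,community'

printf '%s\n' "$VALID_PLAN" | pvlan_plan_check && echo "valid plan accepted"
printf '%s\n' "$BAD_PLAN"   | pvlan_plan_check || echo "bad plan rejected"
```

Oracle Solaris VNICs on the same back-end device can be listed in the same plan as regular entries keyed by the back-end name, so that the cross-VNIC requirements from the caution above are checked too, which the manager itself cannot do.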

Configuring PVLANs

This section includes tasks that describe how to create PVLANs and how to list information about PVLANs.

Creating a PVLAN

You can configure a PVLAN by setting the pvlan property value by using the ldm add-vnet or ldm set-vnet command. See the ldm(1M) man page.

    You can use the following commands to create or remove a PVLAN:

  • Use ldm add-vnet to create a PVLAN:

    ldm add-vnet pvid=port-VLAN-ID pvlan=secondary-vid,pvlan-type \
    if-name vswitch-name domain-name

    The following command shows how to create a virtual network with a PVLAN that has a primary vlan-id of 4, a secondary vlan-id of 200, and a pvlan-type of isolated.

    primary# ldm add-vnet pvid=4 pvlan=200,isolated vnet1 primary-vsw0 ldg1
  • Use ldm set-vnet to configure a PVLAN on an existing virtual network:

    ldm set-vnet pvid=port-VLAN-ID pvlan=secondary-vid,pvlan-type if-name domain-name

    The following command shows how to configure a PVLAN on the existing vnet1 virtual network of the ldg1 domain, with a primary vlan-id of 3, a secondary vlan-id of 300, and a pvlan-type of community.

    primary# ldm set-vnet pvid=3 pvlan=300,community vnet1 ldg1
  • Use ldm set-vnet to remove a PVLAN:

    ldm set-vnet pvlan= if-name domain-name

    The following command removes the PVLAN configuration from the vnet0 virtual network of the ldg1 domain. Afterwards, vnet0 is a regular virtual network on the VLAN given by the pvid value that was set when the PVLAN was configured.

    primary# ldm set-vnet pvlan= vnet0 ldg1

Viewing PVLAN Information

You can view information about a PVLAN by using several of the Logical Domains Manager listing subcommands. See the ldm(1M) man page.

    You can use the following commands to view PVLAN information.

  • Use ldm list-domain -o network to list PVLAN information:

    ldm list-domain [-e] [-l] -o network [-p] [domain-name...]

      The following examples show information about PVLAN configuration on the ldg1 domain by using the ldm list-domain -o network command.

    • The following ldm list-domain command shows information about the PVLAN configuration on the ldg1 domain.

      primary# ldm list-domain -o network ldg1
      NAME
      ldg1

      MAC
          00:14:4f:fa:bf:0f

      NETWORK
      NAME   SERVICE              ID DEVICE    MAC
      vnet0  primary-vsw0@primary 0  network@0 00:14:4f:f8:03:ed
      MODE   PVID VID             MTU  MAXBW LINKPROP
             1    3               1500 1700
             PVLAN : 200,community
    • The following ldm list-domain command shows PVLAN configuration information in a parseable form for the ldg1 domain.

      primary# ldm list-domain -o network -p ldg1
      VERSION 1.13
      DOMAIN|name=ldg1|
      MAC|mac-addr=00:14:4f:fa:bf:0f
      VNET|name=vnet0|dev=network@0|service=primary-vsw0@primary
      |mac-addr=00:14:4f:f8:03:ed|mode=|pvid=1|vid=3|mtu=1500|linkprop=|id=0
      |alt-mac-addrs=|maxbw=1700|protect=|priority=|cos=|pvlan=200,community
  • Use ldm list-bindings to list PVLAN information:

    ldm list-bindings [-e] [-p] [domain-name...]

      The following examples show information about the PVLAN configuration on the ldg1 domain by using the ldm list-bindings command.

    • The following ldm list-bindings command shows information about the PVLAN configuration on the ldg1 domain.

      primary# ldm list-bindings
      ...
      NETWORK
      NAME    SERVICE              ID DEVICE    MAC
      vnet0   primary-vsw0@primary 0  network@0 00:14:4f:f8:03:ed
      MODE   PVID VID   MTU  MAXBW LINKPROP
             1    3     1500 1700
             PVLAN : 200,community
      PEER                 MAC               MODE  PVID VID  MTU  MAXBW LINKPROP
      primary-vsw0@primary 00:14:4f:f8:fe:5e 1
    • The following ldm list-bindings command shows PVLAN configuration information in a parseable form for the ldg1 domain.

      primary# ldm list-bindings -p
      ...
      VNET|name=vnet0|dev=network@0|service=primary-vsw0@primary
      |mac-addr=00:14:4f:f8:03:ed|mode=|pvid=1|vid=3|mtu=1500|linkprop=
      |id=0|alt-mac-addrs=|maxbw=1700|protect=|priority=|cos=|pvlan=200,community
      |peer=primary-vsw0@primary|mac-addr=00:14:4f:f8:fe:5e|mode=|pvid=1|vid=
      |mtu=1500|maxbw=
  • Use ldm list-constraints to list PVLAN information:

    ldm list-constraints [-x] [domain-name...]

    The following example shows the PVLAN properties in the output of the ldm list-constraints -x command for the ldg1 domain:

    primary# ldm list-constraints -x ldg1
    ...
    <Section xsi:type="ovf:VirtualHardwareSection_Type">
      <Item>
        <rasd:OtherResourceType>network</rasd:OtherResourceType>
        <rasd:Address>auto-allocated</rasd:Address>
        <gprop:GenericProperty key="vnet_name">vnet0</gprop:GenericProperty>
        <gprop:GenericProperty key="service_name">primary-vsw0</gprop:GenericProperty>
        <gprop:GenericProperty key="pvid">1</gprop:GenericProperty>
        <gprop:GenericProperty key="vid">3</gprop:GenericProperty>
        <gprop:GenericProperty key="pvlan">200,community</gprop:GenericProperty>
        <gprop:GenericProperty key="maxbw">1700000000</gprop:GenericProperty>
        <gprop:GenericProperty key="device">network@0</gprop:GenericProperty>
        <gprop:GenericProperty key="id">0</gprop:GenericProperty>
      </Item>
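Table 2 and the parseable listings above together answer a question that comes up when troubleshooting isolation: does broadcast traffic from one virtual network reach another? The following shell script is an added example and is not from the Oracle guide or the ldm tool. It parses output in the ldm list-domain -o network -p format (continuation lines beginning with |, as the wrapped listings above are printed, are joined back onto their VNET record) and applies the Table 2 rules; two networks without a pvlan value are treated as regular VLANs that exchange broadcasts when they share a VLAN ID. SAMPLE_OUTPUT, its domain names and MAC addresses, the domain/vnet argument form and the yes/no/mixed result words are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Oracle VM Server for SPARC guide.
# Parses `ldm list-domain -o network -p` output and applies the Table 2
# broadcast forwarding rules to two virtual networks named domain/vnet.
# SAMPLE_OUTPUT below is constructed for this example (names and MACs are
# made up); on a live system pipe the real command output instead.

# pvlan_broadcast DOMAIN/VNET DOMAIN/VNET   (parseable listing on stdin)
# Prints yes|no|mixed|different-vswitch|unknown.  Exit status: 0 = yes,
# 1 = no, 2 = the rules in this chapter do not decide the case.
pvlan_broadcast() {
    awk -v A="$1" -v B="$2" '
    # Store the VNET record accumulated so far under "domain/name".
    function flush(    n, f, i, eq, k, v, id, name, svc, pvid, vid, pvlan) {
        if (rec == "") return
        n = split(rec, f, "[|]")
        for (i = 2; i <= n; i++) {
            eq = index(f[i], "="); if (eq == 0) continue
            k = substr(f[i], 1, eq - 1); v = substr(f[i], eq + 1)
            if (k == "name") name = v
            else if (k == "service") svc = v
            else if (k == "pvid") pvid = v
            else if (k == "vid") vid = v
            else if (k == "pvlan") pvlan = v
        }
        id = dom "/" name
        SVC[id] = svc; PVID[id] = pvid; VID[id] = vid; PVLAN[id] = pvlan
        rec = ""
    }
    /^DOMAIN[|]/ { flush(); split($0, d, "[|]"); dom = substr(d[2], 6); next }
    /^VNET[|]/   { flush(); rec = $0; next }
    /^[|]/       { rec = rec $0; next }   # continuation of a wrapped VNET record
    { flush() }                           # VERSION, MAC, ... end any open record
    END {
        flush()
        if (!(A in SVC) || !(B in SVC)) { print "unknown"; exit 2 }
        if (SVC[A] != SVC[B]) { print "different-vswitch"; exit 2 }
        if (PVLAN[A] != "" && PVLAN[B] != "") {
            # Table 2: only two members of the same community PVLAN on the
            # same primary VLAN see each other; isolated members never do.
            split(PVLAN[A], x, ","); split(PVLAN[B], y, ",")
            if (PVID[A] == PVID[B] && x[2] == "community" && y[2] == "community" && x[1] == y[1]) {
                print "yes"; exit 0
            }
            print "no"; exit 1
        }
        if (PVLAN[A] == "" && PVLAN[B] == "") {
            # Regular VLANs: broadcast passes when the two share a VLAN ID
            # (the PVID or any VID).
            na = split(PVID[A] "," VID[A], va, ",")
            nb = split(PVID[B] "," VID[B], vb, ",")
            for (i = 1; i <= na; i++) for (j = 1; j <= nb; j++)
                if (va[i] != "" && va[i] == vb[j]) { print "yes"; exit 0 }
            print "no"; exit 1
        }
        print "mixed"; exit 2      # PVLAN member vs. plain VLAN: not covered by Table 2
    }'
}

# Constructed listing in the -p format shown above; the ldg2/vnet0 record is
# wrapped onto three lines the way the examples in this chapter print it.
SAMPLE_OUTPUT='VERSION 1.13
DOMAIN|name=ldg1|
MAC|mac-addr=00:14:4f:fa:bf:0f
VNET|name=vnet0|dev=network@0|service=primary-vsw0@primary|mac-addr=00:14:4f:f8:03:ed|mode=|pvid=3|vid=|mtu=1500|id=0|pvlan=200,community
VNET|name=vnet1|dev=network@1|service=primary-vsw0@primary|mac-addr=00:14:4f:f8:03:ee|mode=|pvid=3|vid=|mtu=1500|id=1|pvlan=200,community
VNET|name=vnet2|dev=network@2|service=primary-vsw0@primary|mac-addr=00:14:4f:f8:03:ef|mode=|pvid=3|vid=|mtu=1500|id=2|pvlan=300,community
DOMAIN|name=ldg2|
MAC|mac-addr=00:14:4f:fa:bf:10
VNET|name=vnet0|dev=network@0|service=primary-vsw0@primary
|mac-addr=00:14:4f:f8:04:01|mode=|pvid=3|vid=|mtu=1500|id=0
|pvlan=100,isolated
VNET|name=vnet1|dev=network@1|service=primary-vsw0@primary|mac-addr=00:14:4f:f8:04:02|mode=|pvid=10|vid=20,30|mtu=1500|id=1|pvlan=
VNET|name=vnet2|dev=network@2|service=primary-vsw0@primary|mac-addr=00:14:4f:f8:04:03|mode=|pvid=20|vid=|mtu=1500|id=2|pvlan='

# ask A B: run the check against the sample listing.
ask() { printf '%s\n' "$SAMPLE_OUTPUT" | pvlan_broadcast "$1" "$2"; }

ask ldg1/vnet0 ldg1/vnet1   # yes: same community 200 on primary VLAN 3
ask ldg1/vnet0 ldg1/vnet2   # no:  communities 200 and 300 do not see each other
ask ldg2/vnet0 ldg1/vnet0   # no:  an isolated member sees no other member
ask ldg2/vnet1 ldg2/vnet2   # yes: regular VLANs sharing VLAN ID 20
```

Compare members of the same virtual switch only. A PVLAN member and a plain VLAN member on the same primary VLAN are reported as mixed because Table 2 does not define that case; that pairing is worth checking by hand before relying on the isolation.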