Manage private VLAN policies

The IEEE 802.1Q protocol allows devices to use up to 4094 VLAN resources. This cannot meet the requirements of assigning a VLAN to each user for core devices. Traditional switches typically require one VLAN interface per VLAN for VLAN intercommunication. This approach not only consumes a large number of IP addresses but also increases deployment costs and the workload of daily maintenance and management. To address this challenge, private VLAN (PVLAN) technology emerged.

PVLAN divides the Layer 2 broadcast domain of a VLAN into multiple subdomains. Each subdomain contains a pair of VLANs, a primary VLAN and a secondary VLAN. This effectively enhances the efficiency and management flexibility of VLANs.

The primary VLAN acts as an uplink interface to connect to the vSwitches in the cluster. The secondary VLAN acts as a downlink interface to connect to user VMs. This design makes the user VMs within the secondary VLAN transparent to the uplink vSwitch, achieving flexible isolation and access control.

A PVLAN supports isolated ports, community ports, and promiscuous ports (ports in the primary VLAN).

Restrictions and guidelines

VMs configured with intelligent NIC mode, microsegmentation, port mirroring, bridge port, VLAN transparent transmission policy, and VMs with a network type of traffic direction do not support private VLAN policies.
A VLAN ID in a private VLAN policy cannot be the same as the VLAN ID in a port profile, VLAN transparent transmission policy, or port mirroring configuration.
When a VM is using a private VLAN policy, you cannot delete that policy. To delete that private VLAN policy, first disassociate the private VLAN policy from the VM.
Removing an abnormal CVK host does not remove the private VLAN policies configured on that host. If the host recovers and rejoins the management platform, the new private VLAN policies might fail to be deployed to the corresponding VM. To resolve this issue, first clear the private VLAN policy configuration for the VMs and deploy the policies again.
When the only host that uses a private VLAN policy becomes abnormal, you can directly delete that private VLAN policy without detaching that policy from the VMs on that host. To avoid remnant configuration on the host, remove the abnormal host from the system in time.
After VM backup and restoration, VM import/restoration, or VM migration is completed, you must reconfigure a private VLAN policy for the VM.
When you migrate a VM configured with a PVLAN, make sure both the destination and source hosts are connected to the same vSwitch.
For inter-host communication, you must make sure the external physical switch also supports PVLAN and the private VLAN policy configuration is the same as the private VLAN policy configuration on CAS CVM.
Only cluster vSwitches whose network types only include service network support configuring private VLAN policies. You can associate only one private VLAN policy with a cluster vSwitch. Each private VLAN policy supports up to 32 rules, and each rule supports up to 16 isolation VLAN IDs and 16 community VLAN IDs.

Add a private VLAN policy

On the top navigation bar, click Security.
From the left navigation pane, select Network Security > Private VLAN Policy.
Click Add.
Configure the parameters as described in “Parameters.”
Click OK.

Add a rule in a private VLAN policy

Perform this task to add rules to a private VLAN policy. A rule contains a primary VLAN and a secondary VLAN. You can add multiple primary VLANs, and each primary VLAN can have multiple secondary VLANs. You can add only one promiscuous secondary VLAN, and can add multiple secondary VLANs of other types. For more information about the types of secondary VLANs, see “Parameters.”

On the top navigation bar, click Security.
From the left navigation pane, select Network Security > Private VLAN Policy.
Click the name of a private VLAN policy.
Click Add.
To add a primary VLAN:
1. Click Add in the left.
2. In the window that opens, configure primary VLAN parameters as described in “Parameters,” and then click OK.
To add a secondary VLAN:
1. Click Add in the right.
2. In the window that opens, configure secondary VLAN parameters as described in “Parameters,” and then click OK.
Click Close.

Delete a rule in a private VLAN policy

Perform this task to delete a secondary VLAN in a private VLAN policy. If a community-type or isolated-type secondary VLAN exists in the private VLAN policy, you cannot delete a promiscuous-type VLAN. Before you delete a promiscuous-type VLAN, you must first delete the community-type or isolated-type secondary VLAN.

On the top navigation bar, click Security.
From the left navigation pane, select Network Security > Private VLAN Policy.
Click the name of a private VLAN policy.
Click Remove in the Actions column for a private VLAN rule.
In the dialog box that opens, click OK.

Bulk delete rules in a private VLAN policy

Perform this task to bulk delete rules in a private VLAN policy or delete all secondary VLANs of a primary VLAN.

On the top navigation bar, click Security.
From the left navigation pane, select Network Security > Private VLAN Policy.
Click the name of a private VLAN policy.
Click Add.
Delete rules:
- To delete all rules in the private VLAN policy, select the target primary VLAN, and then click Remove on top of the primary VLAN list.
- To delete selected rules in the private VLAN policy, select the target secondary VLANs, and then click Remove on top of the secondary VLAN list.
In the dialog box that opens, click OK.

Edit a private VLAN policy

On the top navigation bar, click Security.
From the left navigation pane, select Network Security > Private VLAN Policy.
Click Edit in the Actions column for a private VLAN policy.
Edit the description of the private VLAN policy, and then click OK.

Delete a private VLAN policy

Perform this task to delete a private VLAN policy. If a VM is using that policy, you cannot delete it. You must first unbind the VM from the policy and then delete it.

On the top navigation bar, click Security.
From the left navigation pane, select Network Security > Private VLAN Policy.
Click Delete in the Actions column for a private VLAN policy.
In the dialog box that opens, click OK.

Parameters

Private VLAN policy parameters

Name: Specify the name of the private VLAN policy.
Description: Specify the description of the private VLAN policy.
Cluster: Select the cluster to which the private VLAN policy belongs.
vSwitch: Select a pure service network vSwitch in the cluster.

Private VLAN rule parameters

Primary VLAN ID: Specify a primary VLAN ID.
Secondary VLAN ID: Specify a secondary VLAN ID.
Type: Type of the secondary VLAN port. Options are Isolated and Community.
- Promiscuous—Ports of the primary VLAN, which can communicate with all ports, including primary VLAN ports, and isolated ports and community ports.
- Isolated—Ports within the isolated VLAN cannot communicate with each other, and can only communicate with promiscuous ports.
- Community—In a primary VLAN, community ports in the same community VLAN can communicate with each other, and community and promiscuous ports can communicate with each other. However, they cannot communicate with ports in other community VLANs.