Introduction<\/h4>\n
In VMM 2012 SP1 you can isolate VM Networks using either traditional VLAN\/PVLANS or, if you are using Windows Server 2012 as your host operating system, you can choose to implement Network Virtualization<\/i>. The latter option addressing the scale limitations associated with a traditional VLANs solution as well as allowing tenants to \u201cbring their own network\u201d or otherwise extend their network into your environment. The diagram at the link below shows each of these options and acts as a reference for the detailed discussion that follows.<\/p>\n
http:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=37137<\/a><\/p>\n In Part III \u2013 Network Isolation<\/a>, we covered how to configure your Logical Network for \u201cNo Isolation\u201d in cases where you do not need to separate workloads and what you should do \/ how you should design your logical network solution when you want to use traditional VLANS. In this post, we focus our attention on isolation using PVLANs.<\/p>\n Private Virtual LANs (PVLANS) are often used by Service Providers (Hosters) to work around the scale limitations of VLANS that we discussed in Part III. They essentially allow network administrators to divide a VLAN into a number of separate and isolated<\/i> sub-networks which can then be allocated to individual customers (tenants). PVLANs share the IP subnet that was allocated to the parent VLAN, as you might expect, but, from a security perspective, although hosts connected to different PVLANs still belong to the same IP subnet, they require a router to communicate with each other and with resources on any other network.<\/p>\n A PVLAN consists of a Primary and Secondary VLAN pair \u2013 each machine that is part of a PVLAN pair can be configured in one of three modes as shown below. In Promiscuous<\/b> mode, hosts are on the primary VLAN and are able to communicate directly with resources on the primary VLAN and also the secondary VLAN. In a Community<\/b> mode, the secondary VLAN represents a community. Direct communication is permitted only with hosts in the same community and<\/u> those that are connected to the Primary PVLAN in promiscuous mode. Isolated<\/b> PVLANs are pretty much as described, in that direct communication is permitted only with promiscuous resources that exist in the Primary PVLAN.<\/p>\n<\/div>\n <\/p>\n The Networks Sites page of the Create Logical Network wizard includes a subtle but important difference for PVLANs \u2013 in addition to the primary VLAN, the \u201cAssociated VLANs and IP Subnets\u201d section now contains an additional column Secondary <\/i>VLAN. You should associate each primary VLAN and secondary PVLAN with a Network site within the logical network (as shown below) \u2013 you can define multiple PVLANS in the same Network Site as needed.<\/p>\n<\/div>\n<\/article>\n<\/div>\n <\/p>\n <\/p>\n Note:<\/b> Only one PVLAN can be in isolated mode per primary VLAN and you should take care to ensure that a different primary VLAN ID is used in each<\/i> Network Site you create. The ID you use for the PVLAN, however, may be the same in each site \u2013 in fact using the same ID for the isolated PVLAN is recommended since it ensures consistency and simplifies management.<\/p>\n As before, VM Networks need to be created to allow virtual machines to connect to and use the Logical Network. Each VM Network you create is directly mapped to exactly one<\/u> of the PVLANS that have been defined for that Logical Network. As a result, you can only have as many VM Networks as you have defined PVLANS. The create VM Wizard (below) will display only those PVLANS that have not already been allocated to an existing VM Network. The wizard does not<\/i> offer the option for automatic assignment \u2013 even though the text suggests that this is actually possible.<\/p>\n<\/div>\n<\/article>\n<\/div>\n<\/div>\n <\/p>\n To briefly summarize, create a single<\/b> Logical Network to support PVLAN isolation, configured such that \u201csites within the logical network are not connected\u201d and \u201cNetwork sites within the logical network contain Private VLANs\u201d. You should create a Network Site, define primary and secondary VLAN pairs and create VM Networks for each one (as shown below). In our example, we have chosen to designate PVLAN 5 as the isolated PVLAN for consistency across all primary VLANs, your implementation may be different.<\/p>\n<\/div>\n <\/p>\n<\/article>\n<\/div>\n<\/div>\nPVLAN Isolation<\/h4>\n
![\"hyp1\"](\"http:\/\/rmohan.com\/wp-content\/uploads\/2016\/09\/hyp1.png\")
<\/a><\/p>\n![\"hyp2\"](\"http:\/\/rmohan.com\/wp-content\/uploads\/2016\/09\/hyp2.png\")
<\/a><\/p>\n![\"hyp3\"](\"http:\/\/rmohan.com\/wp-content\/uploads\/2016\/09\/hyp3.png\")
<\/a><\/p>\n
![\"hyp4\"](\"http:\/\/rmohan.com\/wp-content\/uploads\/2016\/09\/hyp4.png\")
<\/a><\/p>\n![\"hyp5\"](\"http:\/\/rmohan.com\/wp-content\/uploads\/2016\/09\/hyp5.png\")
<\/a><\/p>\n<\/article>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"