tagged with as the default. You use the previous configuration when you need
different VLAN IDs for the various virtual machines and management OS. The only
exception to this is when using RDMA and utilizing traffic-class tagging with Data
Center Bridging (DCB). While the specification indicates that traffic-class tagging
without a VLAN is legal, many switches do not support this and require a VLAN tag.
Therefore, if you plan to use RDMA with traffic tagging, you should use a tagged
configuration and specific VLANs.
PVLANs
With all of the scalability limitations of VLANs, you may wonder how large
organizations and hosters specifically handle thousands of clients. This is where
private VLANs (PVLANs) are a key feature. Through the use of only two VLAN IDs
that are paired, PVLANs enable huge numbers of environments to remain isolated
from each other.
PVLANs enable three modes, as shown in Figure 3.10: isolated, community, and
promiscuous. The primary mode used with PVLANs is isolated; no direct
communication is possible between hosts that are in isolated mode, but they can talk
to their gateway and therefore out to the Internet and other promiscuous resources.
This mode is useful if there are many tenants that have only one host/VM each. Think
about that large hosting company that hosts millions of VMs that don’t need to
communicate with each other, or a hotel with 1,000 rooms. Also consider many
workloads behind a load balancer that don’t need to communicate with each other.
Using PVLANs stops the servers behind the load balancer from being able to
communicate with each other, which limits lateral movement if one of them is
compromised, making it useful for Internet-facing workloads. PVLANs
are a great way to isolate every port from every other with only two VLANs required.
Figure 3.10 PVLAN overview and the three types
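The three PVLAN modes above, as an added Hyper-V PowerShell example that is not from the book: one shared primary VLAN, one secondary ID for all isolated ports, one per community, and a promiscuous port listing every secondary ID it must reach. The VM names and VLAN IDs are assumed values; the cmdlets are the Hyper-V module's Set-VMNetworkAdapterVlan and Get-VMNetworkAdapterVlan.

```powershell
# Added example (not from the book). VM names and VLAN IDs are constructed
# for illustration; the cmdlets are from the Hyper-V PowerShell module.
$PrimaryVlan   = 100   # shared primary VLAN for the whole PVLAN domain
$IsolatedVlan  = 101   # one secondary ID shared by every isolated port
$CommunityVlan = 102   # one secondary ID per community (add more per tenant)

# Isolated: single-host tenants, or nodes behind a load balancer, that must
# not reach each other but may reach the gateway and promiscuous ports.
foreach ($vm in 'Tenant-A-VM', 'Tenant-B-VM') {
    Set-VMNetworkAdapterVlan -VMName $vm -Isolated `
        -PrimaryVlanId $PrimaryVlan -SecondaryVlanId $IsolatedVlan
}

# Community: members of one tenant that do need to talk to each other.
foreach ($vm in 'Tenant-C-Web', 'Tenant-C-App') {
    Set-VMNetworkAdapterVlan -VMName $vm -Community `
        -PrimaryVlanId $PrimaryVlan -SecondaryVlanId $CommunityVlan
}

# Promiscuous: a shared service reachable from every isolated and community
# port; it must list each secondary ID it is allowed to see.
Set-VMNetworkAdapterVlan -VMName 'Shared-Services' -Promiscuous `
    -PrimaryVlanId $PrimaryVlan -SecondaryVlanIdList "$IsolatedVlan,$CommunityVlan"

# Verify the result: every adapter should report its PVLAN mode and IDs.
Get-VMNetworkAdapterVlan -VMName 'Tenant-A-VM','Tenant-C-Web','Shared-Services' |
    Format-Table @{n='VM';e={$_.ParentAdapter.VMName}}, OperationMode,
        PrivateVlanMode, PrimaryVlanId, SecondaryVlanId, SecondaryVlanIdList
```

The isolation applies inside the Hyper-V switch; traffic that leaves the host is only isolated if the physical switch honors the same primary/secondary pairing.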
Community mode enables multiple hosts in the same community to communicate
with each other. However, each community requires its own second VLAN ID to use
with the shared primary VLAN ID. Finally, hosts in promiscuous mode can
communicate with hosts in isolated or community mode. Promiscuous PVLANs are
useful for servers that are used by all hosts—perhaps they host a software share or