Private VLANs are a security feature. It is about restricting traffic between servers/hosts within the same VLAN. So it is a layer 2 feature. In essence you have 3 types of ports:

1) promiscuous - can talk to all ports in the private VLAN - typically this is the SVI for the VLAN which takes care of the routing.
2) community ports - a group of ports that can talk to each other and the promiscuous port.
3) isolated ports - can only talk to the promiscuous port.

This allows you to be very granular in the traffic flows within the VLAN.
Dynamic VLANs are the ability to assign a switchport into a VLAN based on the MAC address of the client. You need a VLAN Membership Policy Server for these, and there is a large administrative overhead to maintain the list of MAC-address-to-VLAN mappings. It is a very loose form of security as MAC addresses can be spoofed quite easily.
My scenario is like I've 4 buildings within a campus. Building 1 is where I'm going to place my core 6500 and in the rest 3 buildings I've 200 users each, total 600 users in these 3 buildings. My aim is to create VLANs, like building 2 will be another VLAN, so in case the guy from building 2 comes to building 3 then also he should get access, like by mapping the username he should go to the VLAN group. I'm not clear how do I start and from where should I start.

In this scenario in each of these buildings I've 10 3560 switches with fibers connecting directly to the 6500.

I've Active Directory in a 2003 server, so I'm planning to map the user names from this server to ACS engine 4.1 for max security.

So how can I start with this? I've not done any implementation like this, so if you can give some inputs that will be a great thing.