
A private VLAN is a technique in computer networking where a VLAN contains switch ports that are restricted, such that they can only communicate with a given "uplink". The restricted ports are called "private ports". Each private VLAN typically contains many private ports and a single uplink. The uplink will typically be a port (or link aggregation group) connected to a router, firewall, server, provider network, or similar central resource. The switch forwards all frames received on a private port out the uplink port, regardless of VLAN ID or destination MAC address. Frames received on an uplink port are forwarded in the normal way (i.e., to the port hosting the destination MAC address, or to all VLAN ports for unknown destinations or broadcast frames). "Peer-to-peer" traffic between private ports is blocked.

Note that while private VLANs provide isolation at the data link layer, communication at higher layers may still be possible: two hosts on private ports in the same IP subnet can still exchange IP packets if the device behind the uplink routes or proxies between them, so layer 3 isolation, where it is wanted, has to be enforced on that device as well.

A typical application for a private VLAN is a hotel or Ethernet-to-the-home network where each room or apartment has a port for Internet access. Similar port isolation is used in Ethernet-based ADSL DSLAMs. Allowing direct data link layer communication between customer nodes would expose the local network to various security attacks, such as ARP spoofing, as well as increasing the potential for damage due to misconfiguration.

Another application of private VLANs is to simplify IP address assignment. Ports can be isolated from each other at the data link layer (for security, performance, or other reasons) while belonging to the same IP subnet. In such a case, direct communication between the IP hosts on the protected ports is only possible through the uplink connection, by using MAC-Forced Forwarding or a similar Proxy ARP based solution.

Working

Private VLAN Traffic Flow

A private VLAN further divides a VLAN (the primary VLAN) into sub-VLANs (secondary VLANs) within a single IP subnet. A regular VLAN is a single broadcast domain; a private VLAN partitions that broadcast domain into multiple smaller sub-domains. In other words, a private VLAN is a primary VLAN with one or more secondary VLANs (sub-VLANs) inside it, all sharing a single IP subnet.

Primary VLAN: simply the original VLAN. It is used to forward frames downstream to all secondary VLANs.

Secondary VLAN: each secondary VLAN is configured as one of the following types:

Isolated: switch ports associated with an isolated VLAN can reach the primary VLAN, but not any other secondary VLAN. In addition, hosts associated with the same isolated VLAN cannot reach each other. Only one isolated VLAN is allowed in one private VLAN domain.

Community: switch ports associated with the same community VLAN can communicate with each other and with the primary VLAN, but not with any other secondary VLAN. There can be multiple distinct community VLANs within one private VLAN domain.

There are mainly two types of port in a private VLAN: the promiscuous port (P-Port) and the host port. Host ports are further divided into two types: the isolated port (I-Port) and the community port (C-Port).

Example of private VLAN port types on the switch

Promiscuous port (P-Port): the switch port that connects to a router, firewall or other common gateway device. This port can communicate with anything else connected to the primary or any secondary VLAN; in other words, it is allowed to send frames to and receive frames from any other port in the private VLAN domain.

Isolated port (I-Port): connects to a regular host that resides in the isolated VLAN. This port communicates only with P-Ports.

Community port (C-Port): connects to a regular host that resides in a community VLAN. This port communicates with P-Ports and with ports in the same community VLAN.

Example scenario: a switch with VLAN 100, converted into a private VLAN with one P-Port, two I-Ports in isolated VLAN 101 (secondary) and two community VLANs 102 and 103 (secondary), with two ports in each. The switch has one uplink port (trunk) connected to another switch. The diagram shows this configuration graphically. The following table shows which traffic can flow between these ports: each row is the port on which a frame enters, each column the port it may be forwarded to, and a cell on the diagonal refers to two different ports of the same type (for example, the two I-Ports).

From \ To           I-Port       P-Port   C1-Port   C2-Port   Uplink to Switch2
I-Port              Deny         Permit   Deny      Deny      Permit
P-Port              Permit       Permit   Permit    Permit    Permit
C1-Port             Deny         Permit   Permit    Deny      Permit
C2-Port             Deny         Permit   Deny      Permit    Permit
Uplink to Switch2   Permit/Deny  Permit   Permit    Permit    Permit
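As an added example (not part of the original article), the following Python model encodes the forwarding rules stated in the introduction (a frame from a private port goes only toward the uplink, whatever its destination MAC) and in the port-type descriptions above, and then regenerates the Permit/Deny table for the example scenario. The VLAN numbers, port names and the treatment of the trunk uplink are assumptions made for this example: the uplink is taken to be an 802.1Q trunk carrying the primary and the secondary VLANs, and the VLAN tag of a frame arriving on it decides which rules apply.

```python
"""Model of private VLAN forwarding decisions (added example, not from the page).

Constructed scenario matching the text: VLAN 100 is the primary VLAN, 101 the
isolated secondary VLAN, 102 and 103 are community secondary VLANs.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional

PRIMARY = 100
ISOLATED = 101
COMMUNITIES = {102, 103}
SECONDARY = {ISOLATED} | COMMUNITIES


@dataclass(frozen=True)
class Port:
    name: str
    kind: str                   # "promiscuous", "isolated", "community" or "trunk"
    vlan: Optional[int] = None  # secondary VLAN of a host port; None otherwise


def ingress_vlan(port: Port, tag: Optional[int]) -> int:
    """VLAN in which the switch handles a frame received on `port`.

    Host ports are untagged: an isolated or community port places the frame in
    its own secondary VLAN.  A promiscuous port feeds the primary VLAN.  A trunk
    keeps the 802.1Q tag it received (assumption: the uplink trunk carries the
    primary VLAN and all secondary VLANs of this private VLAN domain).
    """
    if port.kind == "trunk":
        if tag not in SECONDARY | {PRIMARY}:
            raise ValueError(f"tag {tag!r} is not a VLAN of this private VLAN domain")
        return tag
    if port.kind == "promiscuous":
        return PRIMARY
    if port.vlan not in SECONDARY:
        raise ValueError(f"{port.name}: a host port must sit in a secondary VLAN")
    return port.vlan


def may_forward(src: Port, dst: Port, tag: Optional[int] = None) -> bool:
    """Whether a frame entering on `src` may be delivered out `dst`.

    `src` and `dst` are assumed to be different physical ports.  `tag` is the
    802.1Q tag of the frame and is only consulted when `src` is the trunk.  The
    destination MAC address plays no role: private VLAN rules are per port.
    """
    vlan = ingress_vlan(src, tag)
    if dst.kind in ("promiscuous", "trunk"):
        return True                   # anything may go toward the gateway / upstream
    if vlan == PRIMARY:
        return True                   # downstream traffic reaches every host port
    if dst.kind == "isolated":
        return False                  # isolated hosts only hear the primary VLAN
    return dst.vlan == vlan           # community host: same community VLAN only


# One representative port per column of the page's table (constructed names).
PORTS: Dict[str, Port] = {
    "I-Port": Port("gi1", "isolated", ISOLATED),
    "P-Port": Port("gi0", "promiscuous"),
    "C1-Port": Port("gi3", "community", 102),
    "C2-Port": Port("gi5", "community", 103),
    "Uplink to Switch2": Port("gi24", "trunk"),
}


def traffic_matrix(uplink_tag: int = PRIMARY) -> Dict[str, Dict[str, str]]:
    """Permit/Deny matrix in the row/column order of the page's table.

    Each cell is evaluated between two distinct ports of the named classes; a
    frame entering on the uplink is taken to carry `uplink_tag`.
    """
    matrix: Dict[str, Dict[str, str]] = {}
    for src_name, src in PORTS.items():
        tag = uplink_tag if src.kind == "trunk" else None
        matrix[src_name] = {
            dst_name: "Permit" if may_forward(src, dst, tag) else "Deny"
            for dst_name, dst in PORTS.items()
        }
    return matrix


if __name__ == "__main__":
    names = list(PORTS)
    print(f"{'From / To':18s}" + "".join(f"{n:18s}" for n in names))
    for row, cells in traffic_matrix().items():
        print(f"{row:18s}" + "".join(f"{cells[n]:18s}" for n in names))
```

Running the script prints the same matrix as the table for the host-port rows. For the uplink row the model reproduces the table's Permit cells when the frame arrives tagged with the primary VLAN 100, and drops a frame tagged with the isolated VLAN 101 toward the I-Ports; that tag-dependent result is this model's reading of the Permit/Deny cell, an assumption of the example rather than a statement from the page.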
