
Private VLAN

Private VLAN, also known as port isolation, is a technique in computer networking where a VLAN
contains switch ports that are restricted such that they can only communicate with a given uplink. The
restricted ports are called private ports. Each private VLAN typically contains many private ports, and a
single uplink. The uplink will typically be a port (or link aggregation group) connected to a router, firewall,
server, provider network, or similar central resource.

This concept was introduced because the number of network segments (VLANs) a switch can support is
limited, and in highly scaled deployments those VLAN IDs can be exhausted. Private VLANs answer the
need to create many segregated networks while consuming minimal switch resources.

The switch forwards all frames received from a private port to the uplink port, regardless of VLAN ID or
destination MAC address. Frames received from an uplink port are forwarded in the normal way (i.e. to the
port hosting the destination MAC address, or to all ports of the VLAN for broadcast frames or for
unknown destination MAC addresses). As a result, direct peer-to-peer traffic between peers through the
switch is blocked, and any such communication must go through the uplink. While private VLANs provide
isolation between peers at the data link layer, communication at higher layers may still be possible
depending on further network configuration.

A typical application for a private VLAN is a hotel or Ethernet to the home network where each room or
apartment has a port for Internet access. Similar port isolation is used in Ethernet-based ADSL DSLAMs.
Allowing direct data link layer communication between customer nodes would expose the local network to
various security attacks, such as ARP spoofing, as well as increasing the potential for damage due to
misconfiguration.

Another application of private VLANs is to simplify IP address assignment. Ports can be isolated from each
other at the data link layer (for security, performance, or other reasons), while belonging to the same IP
subnet. In such a case direct communication between the IP hosts on the protected ports is only possible
through the uplink connection by using MAC-Forced Forwarding or a similar Proxy ARP based solution.

Contents
Overview
Use cases
Network segregation
Secure hosting
Secure VDI
Backup network
Vendor support
Hardware switches
Software switches
Other private VLAN–aware products
See also
Related RFCs
References
Notes

Overview
Private VLAN divides a VLAN (Primary) into sub-VLANs (Secondary) while keeping the existing IP subnet
and layer 3 configuration. A regular VLAN is a single broadcast domain, while a private VLAN partitions
one broadcast domain into multiple smaller broadcast subdomains.

Primary VLAN: Simply the original VLAN. This type of VLAN is used to forward frames downstream to all
Secondary VLANs.

Secondary VLAN: A Secondary VLAN is configured with one of the following types:
    Isolated: Any switch ports associated with an Isolated VLAN can reach the primary VLAN, but not any
    other Secondary VLAN. In addition, hosts associated with the same Isolated VLAN cannot reach each
    other. There can be multiple Isolated VLANs in one Private VLAN domain (which may be useful if the
    VLANs need to use distinct paths for security reasons); the ports remain isolated from each other
    within each VLAN.[1]
    Community: Any switch ports associated with a common community VLAN can communicate with each
    other and with the primary VLAN but not with any other secondary VLAN. There can be multiple
    distinct community VLANs within one Private VLAN domain.

[Figure: Private VLAN Traffic Flow]
[Figure: Example of private VLAN port types on the switch]

There are two main types of ports in a Private VLAN: the Promiscuous port (P-Port) and the Host port. Host
ports are further divided into two types: the Isolated port (I-Port) and the Community port (C-Port).

Promiscuous port (P-Port): The switch port that connects to a router, firewall or other common gateway
device. This port can communicate with anything else connected to the primary or any secondary VLAN.
In other words, it is a type of port that is allowed to send and receive frames from any other port on the
VLAN.
Host Ports:
    Isolated Port (I-Port): Connects to a regular host that resides on an isolated VLAN. This port
    communicates only with P-Ports.
    Community Port (C-Port): Connects to a regular host that resides on a community VLAN. This port
    communicates with P-Ports and with ports on the same community VLAN.

Example scenario: a switch with VLAN 100, converted into a Private VLAN with one P-Port, two I-Ports
in Isolated VLAN 101 (Secondary) and two community VLANs 102 and 103 (Secondary), with 2 ports in
each. The switch has one uplink port (trunk), connected to another switch. The diagram shows this
configuration graphically.

The following table shows the traffic which can flow between all these ports.

From \ To          I-Port       P-Port   C1-Port   C2-Port   Uplink to Switch2
I-Port             Deny         Permit   Deny      Deny      Permit/Deny
P-Port             Permit       Permit   Permit    Permit    Permit
C1-Port            Deny         Permit   Permit    Deny      Permit
C2-Port            Deny         Permit   Deny      Permit    Permit
Uplink to Switch2  Permit/Deny  Permit   Permit    Permit    Permit

Traffic from an Uplink port to an Isolated port will be denied if it is in the Isolated VLAN. Traffic from an
Uplink port to an isolated port will be permitted if it is in the primary VLAN.
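The forwarding rules behind this matrix, as an added Python model that is not part of the original article. It encodes the port types and secondary-VLAN semantics described above, generalizes the Permit/Deny cell to the 802.1Q tag a frame carries on the trunk, and uses the constructed VLAN numbers from the example scenario (100 primary, 101 isolated, 102 and 103 community); port names and the helper functions are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed topology, after the scenario in the text: primary VLAN 100 with
# isolated VLAN 101 and community VLANs 102 and 103 as secondaries.
PRIMARY = 100
SECONDARY = {101: "isolated", 102: "community", 103: "community"}

@dataclass(frozen=True)
class Port:
    name: str
    kind: str   # "promiscuous", "isolated", "community" or "trunk"
    vlan: int   # secondary VLAN of a host port; PRIMARY for promiscuous/trunk

def can_forward(src: Port, dst: Port, vlan_tag: Optional[int] = None) -> bool:
    """True if a frame entering on src may be forwarded out of dst; vlan_tag is
    the 802.1Q tag of a frame arriving on the trunk (None = primary VLAN) and is
    ignored for access ports, whose VLAN is implied by the port."""
    if src is dst:
        return False
    # A promiscuous port exchanges frames with every port in the domain.
    if "promiscuous" in (src.kind, dst.kind):
        return True
    if src.kind == "trunk":
        vlan = PRIMARY if vlan_tag is None else vlan_tag
        if vlan == PRIMARY:
            return True                 # downstream frame: reaches every host port
        if SECONDARY.get(vlan) == "isolated":
            return False                # isolated VLAN never reaches a host port
        return dst.vlan == vlan         # community VLAN: only its own members
    if dst.kind == "trunk":
        return True                     # leaves tagged with the host's secondary VLAN
    # Host to host inside the switch.
    if "isolated" in (src.kind, dst.kind):
        return False
    return src.vlan == dst.vlan         # same community VLAN only

def reachable(src: Port, ports, vlan_tag: Optional[int] = None) -> set:
    """Names of the ports a frame from src can be forwarded to."""
    return {p.name for p in ports if can_forward(src, p, vlan_tag)}

P = Port("P-Port", "promiscuous", PRIMARY)
I1, I2 = Port("I1", "isolated", 101), Port("I2", "isolated", 101)
C1a, C1b = Port("C1a", "community", 102), Port("C1b", "community", 102)
C2a, C2b = Port("C2a", "community", 103), Port("C2b", "community", 103)
UP = Port("Uplink", "trunk", PRIMARY)
PORTS = [P, I1, I2, C1a, C1b, C2a, C2b, UP]
```

Calling reachable(UP, PORTS, 101) versus reachable(UP, PORTS, 100) reproduces the Permit/Deny cell: a frame arriving on the trunk in the isolated VLAN reaches only the P-Port, while one in the primary VLAN reaches every host port.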

Use cases

Network segregation

Private VLANs are used for network segregation when:

Moving from a flat network to a segregated network without changing the IP addressing of the hosts. A
firewall can replace the router, and hosts can then be moved gradually to their secondary VLAN
assignment without changing their IP addresses.
There is a need for a firewall with many tens, hundreds or even thousands of interfaces. Using Private
VLANs, the firewall can have a single interface serving all the segregated networks.
There is a need to preserve IP addressing. With Private VLANs, all Secondary VLANs can share the same
IP subnet.
Overcoming license fees tied to the number of supported VLANs per firewall.[2]
There is a need for more than 4095 segregated networks. With an Isolated VLAN, the number of
segregated networks is not limited by the VLAN ID space.[3]

Secure hosting

Private VLANs in a hosting operation allow segregation between customers with the following benefits:

No need for a separate IP subnet for each customer.
Using an Isolated VLAN, there is no limit on the number of customers.
No need to change the firewall's interface configuration to extend the number of configured VLANs.

Secure VDI
An Isolated VLAN can be used to segregate VDI desktops from each other, allowing filtering and
inspection of desktop to desktop communication. Using non-isolated VLANs would require a different
VLAN and subnet for each VDI desktop.

Backup network

On a backup network, there is no need for hosts to reach each other; hosts should only reach their backup
destination. Backup clients can be placed in one Isolated VLAN and the backup servers can be attached as
promiscuous on the Primary VLAN, which allows hosts to communicate only with the backup servers.

Vendor support

Hardware switches
Alcatel-Lucent Enterprise (http://enterprise.alcatel-lucent.com/) – OmniSwitch series
Arista Networks (http://www.aristanetworks.com/) – Data Center Switching
Brocade (http://www.brocade.com/) – BigIron, TurboIron and FastIron switches
Cisco Systems (http://www.cisco.com) – Catalyst 2960-XR, 3560 and higher product line switches
Extreme Networks (http://www.extremenetworks.com) – XOS based switches
FortiNet (http://www.fortinet.com/) – FortiOS based switches
Juniper Networks (http://www.juniper.net/) – EX switches
Hewlett-Packard Enterprise (http://www.hpe.com/) – Aruba Access Switches 2920 series and higher product line switches
Lenovo (http://www.lenovo.com/) – CNOS based switches
MICROSENS (http://www.microsens.com/) – G6 switch family
MikroTik (http://www.mikrotik.com/) – All models (routers/switches) with switch chips since RouterOS v6.43[4]
TP-Link (http://www.tp-link.com/) – T2600G series, T3700G series
TRENDnet (http://www.trendnet.com/) – many models
Ubiquiti Networks (http://www.ubnt.com/) – EdgeSwitch series, Unifi series

Software switches
Cisco Systems (http://www.cisco.com) – Nexus 1000V
Microsoft (http://www.microsoft.com) – Hyper-V 2012
Oracle (http://docs.oracle.com/cd/E38405_01/html/E38406/usingpvlans.html) – Oracle VM Server for SPARC 3.1.1.1
VMware (http://www.vmware.com/products/vsphere/distributed-switch.html) – vDS switch

Other private VLAN–aware products

Cisco Systems (http://www.cisco.com/c/en/us/products/interfaces-modules/catalyst-6500-series-firewall-services-module) – Firewall Services Module
Marathon Networks (http://pvtd.marathon-networks.com/PVTD/) – PVTD Private VLAN deployment and operation appliance

See also
Ethernet
Broadcast domain
VLAN hopping

Related RFCs
RFC 5517 (https://datatracker.ietf.org/doc/html/rfc5517) – Cisco Systems' Private VLANs: Scalable Security in a Multi-Client Environment

Notes
1. "Configuring Private VLANs" (http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.html). Cisco Systems. Retrieved 2014-08-28.
2. "Managing Feature Licenses for Cisco ASA Version 9.1" (http://www.cisco.com/en/US/docs/security/asa/asa91/license/license_management/license.html).
3. "PVLAN – A Widely Underutilized Feature" (http://vxpertise.net/2012/11/pvlan-a-widely-underutilized-feature/).
4. "Manual: Switch Chip Features" (https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Port_isolation). MikroTik. Retrieved 2020-01-06.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Private_VLAN&oldid=1061262146"

This page was last edited on 20 December 2021, at 17:31 (UTC).

Text is available under the Creative Commons Attribution-ShareAlike License 3.0; additional terms may apply.
