Professional Documents
Culture Documents
Private VLAN, also known as port isolation, is a technique in computer networking where a VLAN
contains switch ports that are restricted such that they can only communicate with a given uplink. The
restricted ports are called private ports. Each private VLAN typically contains many private ports, and a
single uplink. The uplink will typically be a port (or link aggregation group) connected to a router, firewall,
server, provider network, or similar central resource.
This concept was primarily introduced as the number of network segregation (number of vlans) in a
Network switch are generally restricted to a specific number and all the resources could be used up in
highly scaled scenarios. Hence, there was a requirement to create multiple network segregation with
minimum resources.
The switch forwards all frames received from a private port to the uplink port, regardless of VLAN ID or
destination MAC address. Frames received from an uplink port are forwarded in the normal way (i.e. to the
port hosting the destination MAC address, or to all ports of the VLAN for broadcast frames or for
unknown destination MAC addresses). As a result, direct peer-to-peer traffic between peers through the
switch is blocked, and any such communication must go through the uplink. While private VLANs provide
isolation between peers at the data link layer, communication at higher layers may still be possible
depending on further network configuration.
A typical application for a private VLAN is a hotel or Ethernet to the home network where each room or
apartment has a port for Internet access. Similar port isolation is used in Ethernet-based ADSL DSLAMs.
Allowing direct data link layer communication between customer nodes would expose the local network to
various security attacks, such as ARP spoofing, as well as increasing the potential for damage due to
misconfiguration.
Another application of private VLANs is to simplify IP address assignment. Ports can be isolated from each
other at the data link layer (for security, performance, or other reasons), while belonging to the same IP
subnet. In such a case direct communication between the IP hosts on the protected ports is only possible
through the uplink connection by using MAC-Forced Forwarding or a similar Proxy ARP based solution.
Contents
Overview
Use cases
Network segregation
Secure hosting
Secure VDI
Backup network
Vendor support
Hardware switches
Software switches
Other private VLAN–aware products
See also
Related RFCs
References
Notes
Overview
Private VLAN divides a VLAN (Primary) into sub-
VLANs (Secondary) while keeping existing IP subnet
and layer 3 configuration. A regular VLAN is a single
broadcast domain, while private VLAN partitions one
broadcast domain into multiple smaller broadcast
subdomains.
There are mainly two types of ports in a Private VLAN: Promiscuous port (P-Port) and Host port. Host
port further divides in two types – Isolated port (I-Port) and Community port (C-port).
Promiscuous port (P-Port): The switch port connects to a router, firewall or other common
gateway device. This port can communicate with anything else connected to the primary or
any secondary VLAN. In other words, it is a type of a port that is allowed to send and receive
frames from any other port on the VLAN.
Host Ports:
Isolated Port (I-Port): Connects to the regular host that resides on isolated VLAN. This
port communicates only with P-Ports.
Community Port (C-Port): Connects to the regular host that resides on community VLAN.
This port communicates with P-Ports and ports on the same community VLAN.
Example scenario: a switch with VLAN 100, converted into a Private VLAN with one P-Port, two I-Ports
in Isolated VLAN 101 (Secondary) and two community VLANs 102 and 103 (Secondary), with 2 ports in
each. The switch has one uplink port (trunk), connected to another switch. The diagram shows this
configuration graphically.
The following table shows the traffic which can flow between all these ports.
Traffic from an Uplink port to an Isolated port will be denied if it is in the Isolated VLAN. Traffic from an
Uplink port to an isolated port will be permitted if it is in the primary VLAN.
Use cases
Network segregation
Moving from a flat network to a segregated network without changing the IP addressing of
the hosts. A firewall can replace a router, and then hosts can be slowly moved to their
secondary VLAN assignment without changing their IP addresses.
There is a need for a firewall with many tens, hundreds or even thousands interfaces. Using
Private VLANs the firewall can have only one interface for all the segregated networks.
There is a need to preserve IP addressing. With Private VLANs, all Secondary VLANs can
share the same IP subnet.
Overcome license fees for number of supported VLANs per firewall. [2]
There is a need for more than 4095 segregated networks. With Isolated VLAN, there can be
endless number of segregated networks. [3]
Secure hosting
Private VLANs in hosting operation allows segregation between customers with the following benefits:
Secure VDI
An Isolated VLAN can be used to segregate VDI desktops from each other, allowing filtering and
inspection of desktop to desktop communication. Using non-isolated VLANs would require a different
VLAN and subnet for each VDI desktop.
Backup network
On a backup network, there is no need for hosts to reach each other. Hosts should only reach their backup
destination. Backup clients can be placed in one Isolated VLAN and the backup servers can be placed as
promiscuous on the Primary VLAN, this will allow hosts to communicate only with the backup servers.
Vendor support
Hardware switches
Alcatel-Lucent Enterprise (http://enterprise.alcatel-lucent.com/) – OmniSwitch series
Arista Networks (http://www.aristanetworks.com/) – Data Center Switching
Brocade (http://www.brocade.com/) – BigIron, TurboIron and FastIron switches
Cisco Systems (http://www.cisco.com) – Catalyst 2960-XR, 3560 and higher product lines
switches
Extreme Networks (http://www.extremenetworks.com) – XOS based switches
FortiNet (http://www.fortinet.com/) – FortiOS based switches
Juniper Networks (http://www.juniper.net/) – EX switches
Hewlett-Packard Enterprise (http://www.hpe.com/) – Aruba Access Switches 2920 series
and higher product lines switches
Lenovo (http://www.lenovo.com/) – CNOS based switches
MICROSENS (http://www.microsens.com/) – G6 switch family
MikroTik (http://www.mikrotik.com/) – All models (routers/switches) with switch chips since
RouterOS v6.43[4]
TP-Link (http://www.tp-link.com/) – T2600G series, T3700G series
TRENDnet (http://www.trendnet.com/) – many models
Ubiquiti Networks (http://www.ubnt.com/) – EdgeSwitch series, Unifi series
Software switches
Cisco Systems (http://www.cisco.com) – Nexus 1000V
Microsoft (http://www.microsoft.com) – HyperV 2012
Oracle (http://docs.oracle.com/cd/E38405_01/html/E38406/usingpvlans.html) – Oracle VM
Server for SPARC 3.1.1.1
VMware (http://www.vmware.com/products/vsphere/distributed-switch.html) – vDS switch
Related RFCs
RFC 5517 (https://datatracker.ietf.org/doc/html/rfc5517) – Cisco Systems' Private VLANs:
Scalable Security in a Multi-Client Environment
References
"Configuring Private VLANs" (http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/s
oftware/release/12.2_25_see/configuration/guide/swpvlan.html). Catalyst 3750 Switch
Software Configuration Guide, 12.2(25)SEE. Cisco Systems. Retrieved 2009-05-26.
"Configuring Private VLAN" (https://www.tp-link.com/us/configuration-guides/configuring_pri
vate_vlan/?configurationId=18216) TP-Link Configuration Guide.
CCNP BCMSN Official exam certification guide.By-David Hucaby, ISBN 978-1-58720-171-
4,ISBN 1-58720-171-2
Notes
1. "Configuring Private VLANs" (http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nex
us5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.html). Cisco
Systems. Retrieved 2014-08-28.
2. "Managing Feature Licenses for Cisco ASA Version 9.1" (http://www.cisco.com/en/US/docs/
security/asa/asa91/license/license_management/license.html).
3. "PVLAN – A Widely Underutilized Feature" (http://vxpertise.net/2012/11/pvlan-a-widely-und
erutilized-feature/).
4. "Manual: Switch Chip Features" (https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Feature
s#Port_isolation). MikroTik. Retrieved 2020-01-06.