Private VLAN, also known as port isolation, is a technique in computer networking where a VLAN contains switch ports that are restricted such that they can only communicate with a given uplink. The restricted ports are called private ports. Each private VLAN typically contains many private ports, and a single uplink. The uplink will typically be a port (orlink aggregation group) connected to a router, firewall, server, provider network, or similar central resource.
The concept was primarily introduced as a result of the limitation on the number of VLANs in network switches, a limit quickly exhausted in highly scaled scenarios. Hence, there was a requirement to create multiple network segregations with a minimum number of VLANs.
The switch forwards all frames received from a private port to the uplink port, regardless of VLAN ID or destination MAC address. Frames received from an uplink port are forwarded in the normal way (i.e. to the port hosting the destination MAC address, or to all ports of the VLAN for broadcast frames or for unknown destination MAC addresses). As a result, direct peer-to-peer traffic between peers through the switch is blocked, and any such communication must go through the uplink. While private VLANs provide isolation between peers at the data link layer, communication at higher layers may still be possible depending on further network configuration.
A typical application for a private VLAN is a hotel or Ethernet to the home network where each room or apartment has a port for Internet access. Similar port isolation is used in Ethernet-based ADSLDSLAMs. Allowing direct data link layer communication between customer nodes would expose the local network to various security attacks, such as ARP spoofing, as well as increase the potential for damage due to misconfiguration.
Another application of private VLANs is to simplify IP address assignment. Ports can be isolated from each other at the data link layer (for security, performance, or other reasons), while belonging to the same IP subnet. In such a case, direct communication between the IP hosts on the protected ports is only possible through the uplink connection by using MAC-Forced Forwarding or a similar Proxy ARP based solution.
Private VLAN Traffic FlowExample of private VLAN port types on the switch
Cisco Systems' Private VLANs have the advantage that they can function across multiple switches.[3] A Private VLAN divides a VLAN (Primary) into sub-VLANs (Secondary) while keeping existing IP subnet and layer 3 configuration. A regular VLAN is a single broadcast domain, while private VLAN partitions one broadcast domain into multiple smaller broadcast subdomains.
Primary VLAN: Simply the original VLAN. This type of VLAN is used to forward frames downstream to all Secondary VLANs.
Secondary VLAN: Secondary VLAN is configured with one of the following types:
Isolated: Any switch ports associated with an Isolated VLAN can reach the primary VLAN, but not any other Secondary VLAN. In addition, hosts associated with the same Isolated VLAN cannot reach each other. There can be multiple Isolated VLANs in one Private VLAN domain (which may be useful if the VLANs need to use distinct paths for security reasons); the ports remain isolated from each other within each VLAN.[4]
Community: Any switch ports associated with a common community VLAN can communicate with each other and with the primary VLAN but not with any other secondary VLAN. There can be multiple distinct community VLANs within one Private VLAN domain.
There are mainly two types of ports in a Private VLAN: Promiscuous port (P-Port) and Host port. Host port further divides in two types – Isolated port (I-Port) and Community port (C-port).
Promiscuous port (P-Port): The switch port connects to a router, firewall or other common gateway device. This port can communicate with anything else connected to the primary or any secondary VLAN. In other words, it is a type of a port that is allowed to send and receive frames from any other port on the VLAN.
Host Ports:
Isolated Port (I-Port): Connects to the regular host that resides on isolated VLAN. This port communicates only with P-Ports.
Community Port (C-Port): Connects to the regular host that resides on community VLAN. This port communicates with P-Ports and ports on the same community VLAN.
Example scenario: a switch with VLAN 100, converted into a Private VLAN with one P-Port, two I-Ports in Isolated VLAN 101 (Secondary) and two community VLANs 102 and 103 (Secondary), with 2 ports in each. The switch has one uplink port (trunk), connected to another switch. The diagram shows this configuration graphically.
The following table shows the traffic which can flow between all these ports.
I-Port
P-Port
C1-Port
C2-Port
Uplink to Switch2
I-Port
Deny
Permit
Deny
Deny
Permit/Deny
P-Port
Permit
Permit
Permit
Permit
Permit
C1-Port
Deny
Permit
Permit
Deny
Permit
C2-Port
Deny
Permit
Deny
Permit
Permit
Uplink to Switch2
Permit/Deny
Permit
Permit
Permit
Permit
Traffic from an Uplink port to an Isolated port will be denied if it is in the Isolated VLAN. Traffic from an Uplink port to an isolated port will be permitted if it is in the primary VLAN.
Private VLANs are used for network segregation when:
Moving from a flat network to a segregated network without changing the IP addressing of the hosts. A firewall can replace a router, and then hosts can be slowly moved to their secondary VLAN assignment without changing their IP addresses.
There is a need for a firewall with many tens, hundreds or even thousands interfaces. Using Private VLANs the firewall can have only one interface for all the segregated networks.
There is a need to preserve IP addressing. With Private VLANs, all Secondary VLANs can share the same IP subnet.
Overcome license fees for number of supported VLANs per firewall.[5]
There is a need for more than 4095 segregated networks. With Isolated VLAN, there can be endless number of segregated networks.[6]
An Isolated VLAN can be used to segregate VDI desktops from each other, allowing filtering and inspection of desktop to desktop communication. Using non-isolated VLANs would require a different VLAN and subnet for each VDI desktop.
On a backup network, there is no need for hosts to reach each other. Hosts should only reach their backup destination. Backup clients can be placed in one Isolated VLAN and the backup servers can be placed as promiscuous on the Primary VLAN, this will allow hosts to communicate only with the backup servers.
Because broadcast traffic on a network must be sent to each wireless host serially, it can consume large shares of air time, making the wireless network unresponsive.[citation needed] Where there is more than one wireless access point connected to a switch, private VLANs can prevent broadcast frames from propagating from one AP to another, preserving network performance for connected hosts.
