Private VLAN

Last updated February 01, 2025

Private VLAN, also known as port isolation, is a technique in computer networking where a VLAN contains switch ports that are restricted such that they can only communicate with a given uplink. The restricted ports are called private ports. Each private VLAN typically contains many private ports, and a single uplink. The uplink will typically be a port (or link aggregation group) connected to a router, firewall, server, provider network, or similar central resource.

The switch forwards all frames received from a private port to the uplink port, regardless of VLAN ID or destination MAC address. Frames received from an uplink port are forwarded in the normal way (i.e. to the port hosting the destination MAC address, or to all ports of the VLAN for broadcast frames or for unknown destination MAC addresses). As a result, direct peer-to-peer traffic between peers through the switch is blocked, and any such communication must go through the uplink. While private VLANs provide isolation between peers at the data link layer, communication at higher layers may still be possible depending on further network configuration.

A typical application for a private VLAN is a hotel or Ethernet to the home network where each room or apartment has a port for Internet access. Similar port isolation is used in Ethernet-based ADSL DSLAMs. Allowing direct data link layer communication between customer nodes would expose the local network to various security attacks, such as ARP spoofing, as well as increase the potential for damage due to misconfiguration.

Another application of private VLANs is to simplify IP address assignment. Ports can be isolated from each other at the data link layer (for security, performance, or other reasons), while belonging to the same IP subnet. In such a case, direct communication between the IP hosts on the protected ports is only possible through the uplink connection by using MAC-Forced Forwarding or a similar Proxy ARP based solution.

VLAN Trunking Protocol

Version 3

Version 3 of VLAN Trunking Protocol saw support added for private VLANs.

version 1 and 2

If using version 1 and 2, the switch must be in VTP transparent mode.

VTP v1 and 2 do not propagate private-VLAN configuration, so the administrator needs to configure it one by one.

Limitations of Private VLANs

Private VLANs have no support for:^[1]^[2]

Dynamic-access port VLAN membership.
Dynamic Trunking Protocol (DTP)
Port Aggregation Protocol (PAgP)
Link Aggregation Control Protocol (LACP)
Multicast VLAN Registration (MVR)
Voice VLAN
Web Cache Communication Protocol (WCCP)
Ethernet ring protection (ERP)
Flexible VLAN tagging
Egress VLAN firewall filters
Integrated routing and bridging (IRB) interface
Multichassis link aggregation groups (MC-LAGs)
Q-in-Q tunneling
Routing between sub-VLANs (Secondary) and Primary VLAN
Juniper, does not support IGMP snooping

Configuration limitations

An access interface cannot participate in two different primary VLANs, limited to one private VLAN.
Spanning Tree Protocol (STP) settings.
Cannot be configured on VLAN 1 or VLANs 1002 to 1005 as primary or secondary VLANs. As they are special VLANs.

Cisco implementation

Cisco Systems' Private VLANs have the advantage that they can function across multiple switches.^[3] A Private VLAN divides a VLAN (Primary) into sub-VLANs (Secondary) while keeping existing IP subnet and layer 3 configuration. A regular VLAN is a single broadcast domain, while private VLAN partitions one broadcast domain into multiple smaller broadcast subdomains.

Primary VLAN: Simply the original VLAN. This type of VLAN is used to forward frames downstream to all Secondary VLANs.
Secondary VLAN: Secondary VLAN is configured with one of the following types:
- Isolated: Any switch ports associated with an Isolated VLAN can reach the primary VLAN, but not any other Secondary VLAN. In addition, hosts associated with the same Isolated VLAN cannot reach each other. There can be multiple Isolated VLANs in one Private VLAN domain (which may be useful if the VLANs need to use distinct paths for security reasons); the ports remain isolated from each other within each VLAN.^[4]
- Community: Any switch ports associated with a common community VLAN can communicate with each other and with the primary VLAN but not with any other secondary VLAN. There can be multiple distinct community VLANs within one Private VLAN domain.

There are mainly two types of ports in a Private VLAN: Promiscuous port (P-Port) and Host port. Host port further divides in two types – Isolated port (I-Port) and Community port (C-port).

Promiscuous port (P-Port): The switch port connects to a router, firewall or other common gateway device. This port can communicate with anything else connected to the primary or any secondary VLAN. In other words, it is a type of a port that is allowed to send and receive frames from any other port on the VLAN.
Host Ports:
- Isolated Port (I-Port): Connects to the regular host that resides on isolated VLAN. This port communicates only with P-Ports.
- Community Port (C-Port): Connects to the regular host that resides on community VLAN. This port communicates with P-Ports and ports on the same community VLAN.

Example scenario: a switch with VLAN 100, converted into a Private VLAN with one P-Port, two I-Ports in Isolated VLAN 101 (Secondary) and two community VLANs 102 and 103 (Secondary), with 2 ports in each. The switch has one uplink port (trunk), connected to another switch. The diagram shows this configuration graphically.

The following table shows the traffic which can flow between all these ports.

	I-Port	P-Port	C1-Port	C2-Port	Uplink to Switch2
I-Port	Deny	Permit	Deny	Deny	Permit/Deny
P-Port	Permit	Permit	Permit	Permit	Permit
C1-Port	Deny	Permit	Permit	Deny	Permit
C2-Port	Deny	Permit	Deny	Permit	Permit
Uplink to Switch2	Permit/Deny	Permit	Permit	Permit	Permit

Traffic from an Uplink port to an Isolated port will be denied if it is in the Isolated VLAN. Traffic from an Uplink port to an isolated port will be permitted if it is in the primary VLAN.

Use cases

Network segregation

Private VLANs are used for network segregation when:

Moving from a flat network to a segregated network without changing the IP addressing of the hosts. A firewall can replace a router, and then hosts can be slowly moved to their secondary VLAN assignment without changing their IP addresses.
There is a need for a firewall with many tens, hundreds or even thousands interfaces. Using Private VLANs the firewall can have only one interface for all the segregated networks.
There is a need to preserve IP addressing. With Private VLANs, all Secondary VLANs can share the same IP subnet.
Overcome license fees for number of supported VLANs per firewall.^[5]
There is a need for more than 4095 segregated networks. With Isolated VLAN, there can be endless number of segregated networks.^[6]

Secure hosting

Private VLANs in hosting operation allows segregation between customers with the following benefits:

No need for separate IP subnet for each customer.
Using Isolated VLAN, there is no limit on the number of customers.
No need to change firewall's interface configuration to extend the number of configured VLANs.

Secure VDI

An Isolated VLAN can be used to segregate VDI desktops from each other, allowing filtering and inspection of desktop to desktop communication. Using non-isolated VLANs would require a different VLAN and subnet for each VDI desktop.

Backup network

On a backup network, there is no need for hosts to reach each other. Hosts should only reach their backup destination. Backup clients can be placed in one Isolated VLAN and the backup servers can be placed as promiscuous on the Primary VLAN, this will allow hosts to communicate only with the backup servers.

Broadcast mitigation

Because broadcast traffic on a network must be sent to each wireless host serially, it can consume large shares of air time, making the wireless network unresponsive.^{[ citation needed ]} Where there is more than one wireless access point connected to a switch, private VLANs can prevent broadcast frames from propagating from one AP to another, preserving network performance for connected hosts.

Related Research Articles

In computer networking, the maximum transmission unit (MTU) is the size of the largest protocol data unit (PDU) that can be communicated in a single network layer transaction. The MTU relates to, but is not identical to the maximum frame size that can be transported on the data link layer, e.g., Ethernet frame.

Wake-on-LAN is an Ethernet or Token Ring computer networking standard that allows a computer to be turned on or awakened from sleep mode by a network message. The message is usually sent to the target computer by a program executed on a device connected to the same local area network (LAN). It is also possible to initiate the message from another network by using subnet directed broadcasts or a WoL gateway service. It is based upon AMD's Magic Packet Technology, which was co-developed by AMD and Hewlett-Packard, following its proposal as a standard in 1995. The standard saw quick adoption thereafter through IBM, Intel and others. If the computer being awakened is communicating via Wi-Fi, a supplementary standard called Wake on Wireless LAN (WoWLAN) must be employed. The WoL and WoWLAN standards are often supplemented by vendors to provide protocol-transparent on-demand services, for example in the Apple Bonjour wake-on-demand feature.

A network switch is networking hardware that connects devices on a computer network by using packet switching to receive and forward data to the destination device.

Proxy ARP is a technique by which a proxy server on a given network answers the Address Resolution Protocol (ARP) queries for an IP address that is not on that network. The proxy is aware of the location of the traffic's destination and offers its own MAC address as the destination. The traffic directed to the proxy address is then typically routed by the proxy to the intended destination via another interface or via a tunnel.

The Spanning Tree Protocol (STP) is a network protocol that builds a loop-free logical topology for Ethernet networks. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them. Spanning tree also allows a network design to include backup links providing fault tolerance if an active link fails.

A virtual local area network (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer. In this context, virtual refers to a physical object recreated and altered by additional logic, within the local area network. Basically, a VLAN behaves like a virtual switch or network link that can share the same physical structure with other VLANs while staying logically separate from them. VLANs work by applying tags to network frames and handling these tags in networking systems, in effect creating the appearance and functionality of network traffic that, while on a single physical network, behaves as if it were split between separate networks. In this way, VLANs can keep network applications separate despite being connected to the same physical network, and without requiring multiple sets of cabling and networking devices to be deployed.

A multilayer switch (MLS) is a computer networking device that switches on OSI layer 2 like an ordinary network switch and provides extra functions on higher OSI layers. The MLS was invented by engineers at Digital Equipment Corporation.

Cisco Discovery Protocol (CDP) is a proprietary data link layer protocol developed by Cisco Systems in 1994 by Keith McCloghrie and Dino Farinacci. It is used to share information about other directly connected Cisco equipment, such as the operating system version and IP address. CDP can also be used for On-Demand Routing, which is a method of including routing information in CDP announcements so that dynamic routing protocols do not need to be used in simple networks.

The Common Address Redundancy Protocol or CARP is a computer networking protocol which allows multiple hosts on the same local area network to share a set of IP addresses. Its primary purpose is to provide failover redundancy, especially when used with firewalls and routers. In some configurations, CARP can also provide load balancing functionality. CARP provides functionality similar to Virtual Router Redundancy Protocol (VRRP) and to Cisco Systems' Hot Standby Router Protocol (HSRP). It is implemented in several BSD-based operating systems and has been ported to Linux (ucarp).

The Multiple Spanning Tree Protocol (MSTP) and algorithm, provides both simple and full connectivity assigned to any given virtual LAN (VLAN) throughout a bridged local area network. MSTP uses bridge protocol data unit (BPDUs) to exchange information between spanning-tree compatible devices, to prevent loops in each Multiple Spanning Tree instance (MSTI) and in the common and internal spanning tree (CIST), by selecting active and blocked paths. This is done as well as in Spanning Tree Protocol (STP) without the need of manually enabling backup links and getting rid of switching loop danger.

A network bridge is a computer networking device that creates a single, aggregate network from multiple communication networks or network segments. This function is called network bridging. Bridging is distinct from routing. Routing allows multiple networks to communicate independently and yet remain separate, whereas bridging connects two separate networks as if they were a single network. In the OSI model, bridging is performed in the data link layer. If one or more segments of the bridged network are wireless, the device is known as a wireless bridge.

<span class="mw-page-title-main">Router on a stick</span> Router that has a single connection to a network

A router on a stick, also known as a one-armed router, is a router that has a single physical or logical connection to a network. It is a method of inter-VLAN routing where one router is connected to a switch via a single cable. The router has physical connections to the broadcast domains where one or more VLANs require the need for routing between them.

A switch virtual interface (SVI) represents a logical layer-3 interface on a switch.

The Dynamic Trunking Protocol (DTP) is a proprietary link layer protocol developed by Cisco Systems for the purpose of negotiating trunking on a link between two VLAN-aware switches, and for negotiating the type of trunking encapsulation to be used. VLAN trunks formed using DTP may utilize either IEEE 802.1Q or Cisco ISL trunking protocols.

In network routing, the control plane is the part of the router architecture that is concerned with establishing the network topology, or the information in a routing table that defines what to do with incoming packets. Control plane functions, such as participating in routing protocols, run in the architectural control element. In most cases, the routing table contains a list of destination addresses and the outgoing interface or interfaces associated with each. Control plane logic also can identify certain packets to be discarded, as well as preferential treatment of certain packets for which a high quality of service is defined by such mechanisms as differentiated services.

<span class="mw-page-title-main">Dell M1000e</span> Server computer

The Dell blade server products are built around their M1000e enclosure that can hold their server blades, an embedded EqualLogic iSCSI storage area network and I/O modules including Ethernet, Fibre Channel and InfiniBand switches.

RDMA over Converged Ethernet (RoCE) is a network protocol which allows remote direct memory access (RDMA) over an Ethernet network. There are multiple RoCE versions. RoCE v1 is an Ethernet link layer protocol and hence allows communication between any two hosts in the same Ethernet broadcast domain. RoCE v2 is an internet layer protocol which means that RoCE v2 packets can be routed. Although the RoCE protocol benefits from the characteristics of a converged Ethernet network, the protocol can also be used on a traditional or non-converged Ethernet network.

FTOS or Force10 Operating System is the firmware family used on Force10 Ethernet switches. It has a similar functionality as Cisco's NX-OS or Juniper's Junos. FTOS 10 is running on Debian. As part of a re-branding strategy of Dell FTOS will be renamed to Dell Networking Operating System (DNOS) 9.x or above, while the legacy PowerConnect switches will use DNOS 6.x: see the separate article on DNOS.

Dell Networking is the name for the networking portfolio of Dell. In the first half of 2013, Dell started to rebrand their different existing networking product brands to Dell Networking. Dell Networking is the name for the networking equipment that was known as Dell PowerConnect, as well as the Force10 portfolio.

Broadcast, unknown-unicast and multicast traffic is network traffic transmitted using one of three methods of sending data link layer network traffic to a destination of which the sender does not know the network address. This is achieved by sending the network traffic to multiple destinations on an Ethernet network. As a concept related to computer networking, it includes three types of Ethernet modes: broadcast, unicast and multicast Ethernet. BUM traffic refers to that kind of network traffic that will be forwarded to multiple destinations or that cannot be addressed to the intended destination only.

References

↑ "Private VLANs | Junos OS | Juniper Networks". www.juniper.net. Retrieved 2023-11-08.
↑ "Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, 12.2(25)EW - Configuring Private VLANs [Cisco Catalyst 4500 Series Switches]". Cisco. Retrieved 2023-11-08.
↑ S. HomChaudhuri; M. Foschiano (June 2009). Cisco Systems' Private VLANs: Scalable Security in a Multi-Client Environment. IETF. doi: 10.17487/RFC5517 . RFC 5517.Informational. Independent Submission.
↑ "Configuring Private VLANs". Cisco Systems . Retrieved 2014-08-28.
↑ "Managing Feature Licenses for Cisco ASA Version 9.1".
↑ "PVLAN – A Widely Underutilized Feature".

External links

"Configuring Private VLANs". Catalyst 3750 Switch Software Configuration Guide, 12.2(25)SEE. Cisco Systems . Retrieved 2009-05-26.
"Configuring Private VLAN" TP-Link Configuration Guide.