Private VLAN (PVLAN) is a technology that divides a VLAN broadcast domain into multiple discrete broadcast subdomains by defining secondary VLANs (community VLANs and an isolated VLAN) inside a primary VLAN, achieving port isolation within a VLAN while sharing a single layer-3 router port and the same IP subnet.
For example, in Figure 1, access-side VLANs are divided into Isolated VLAN and Community VLAN. Community VLAN users can communicate with each other, while Isolated VLAN users are isolated and cannot communicate with each other. However, both Community VLAN users and Isolated VLAN users can access the Primary VLAN where the enterprise servers are located. All of this can be accomplished by deploying PVLAN.
Figure 1. PVLAN Application Diagram
PVLAN has the following characteristics and advantages:
- By deploying PVLANs and configuring isolated VLANs on the access side, traffic from different users in the same VLAN can be isolated. This improves network security and conserves VLANs.
- Because all secondary VLAN users inside a primary VLAN share one IP subnet, PVLAN can be deployed to conserve IP addresses.
PVLAN Concepts and Terminology
PVLAN defines two VLAN types: primary VLAN and secondary VLAN. One PVLAN pair consists of exactly one primary VLAN and at least one secondary VLAN. One switch can be configured with multiple PVLAN pairs.
Note that secondary VLANs must be associated with a primary VLAN to form a PVLAN pair.
- Primary VLAN
Ports within a primary VLAN connect to the uplink devices. These ports are PVLAN promiscuous ports or promiscuous trunk ports, which carry traffic from the promiscuous ports to the host ports and to other promiscuous ports.
A PVLAN pair has only one primary VLAN.
A primary VLAN can be associated with multiple community VLANs but only one isolated VLAN.
- Secondary VLAN
Ports within a secondary VLAN connect to the hosts or downlink devices. These ports are PVLAN host ports or secondary trunk ports, which carry traffic from hosts to other permitted hosts or to routers.
There are two types of secondary VLANs: Isolated VLAN and Community VLAN.
A secondary VLAN must be configured to associate with a primary VLAN. One secondary VLAN (isolated or community) can be associated with only one primary VLAN.
In the CLI configuration, the configurable values are “isolated” and “community”; “secondary” is not a configurable value.
- Isolated VLAN
An isolated VLAN is a secondary VLAN that carries traffic from the hosts toward the promiscuous ports and the gateway. Ports within an isolated VLAN cannot communicate with each other at Layer 2. Traffic received from an isolated port is forwarded only to promiscuous ports.
A PVLAN pair can contain at most one isolated VLAN.
- Community VLAN
A community VLAN is a secondary VLAN that carries upstream traffic from the host ports to the promiscuous port gateways and to other host ports in the same community VLAN. Ports within a community VLAN can communicate with each other and with the primary VLAN, but at Layer 2 they cannot communicate with ports in other community VLANs or in the isolated VLAN.
Multiple community VLANs can be configured in a PVLAN pair.
PVLAN Port Mode
Ethernet interfaces are classified into four PVLAN port types, depending on the devices connected to them and the way they process frames.
Note that a port can be added to a PVLAN only after it is configured with a PVLAN port mode.
- PVLAN Host Port
A PVLAN host port connects to a user device. For host-mode ports, make sure the native VLAN is a secondary VLAN; otherwise the port will not be able to forward packets from the primary VLAN. One host port can be added to only one secondary VLAN.
Packets sent from this port are untagged.
- PVLAN Secondary Trunk Port
A PVLAN secondary trunk port connects to the downstream devices. One secondary trunk port can be added to only one secondary VLAN.
Packets sent from this port are tagged with the secondary VLAN ID.
- PVLAN Promiscuous Port
A PVLAN promiscuous port connects to, and communicates with, the uplink device. Uplinks are typically ports that connect to routers, firewalls, servers or provider networks.
Promiscuous ports belong to the primary VLAN and can communicate with all PVLAN ports, including the host ports and other promiscuous ports within the same primary VLAN.
A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs.
Make sure that the native VLAN of the promiscuous port is the primary VLAN; otherwise the port will not be able to forward packets from the secondary VLANs.
Promiscuous port mode applies when only one primary VLAN passes through the uplink port; packets sent from this port are untagged.
- PVLAN Promiscuous Trunk Port
A PVLAN promiscuous trunk port connects to, and communicates with, the uplink devices.
Promiscuous trunk port mode applies when only one primary VLAN passes through the uplink port. The difference from promiscuous port mode is that packets sent from a promiscuous trunk port are tagged with the primary VLAN ID. Otherwise the port behaves just like a promiscuous port.
For promiscuous trunk ports, make sure that the native VLAN is the primary VLAN; otherwise the port will not be able to forward packets from the secondary VLANs.
Communication Restriction between PVLAN Ports
PVLANs limit Layer 2 communication to within a PVLAN pair: a port defined in a PVLAN cannot communicate with ports in other PVLAN pairs or in normal VLANs.
Table 1 summarizes the Layer 2 communication restrictions between PVLAN ports.
Table 1. Layer 2 Communication Restriction of PVLAN

| VLAN Type | Port Type | Layer 2 Communication |
|---|---|---|
| Primary VLAN | Promiscuous Port, Promiscuous Trunk Port | The port within the primary VLAN can communicate with all ports in a pair of PVLAN. |
| Isolated VLAN | Host Port, Secondary Trunk Port | Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level. Each isolated VLAN must be bound to a primary VLAN. |
| Community VLAN | Host Port, Secondary Trunk Port | Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level. Each community VLAN must be bound to a primary VLAN. |