Private VLAN
Private VLAN, also known as port isolation, is a technique in computer networking where a VLAN contains switch ports that are restricted such that they can only communicate with a given uplink. The restricted ports are called private ports. Each private VLAN typically contains many private ports, and a single uplink. The uplink will typically be a port connected to a router, firewall, server, provider network, or similar central resource.
The concept was primarily introduced as a result of the limitation on the number of VLANs in network switches, a limit quickly exhausted in highly scaled scenarios. Hence, there was a requirement to create multiple network segregations with a minimum number of VLANs.
The switch forwards all frames received from a private port to the uplink port, regardless of VLAN ID or destination MAC address. Frames received from an uplink port are forwarded in the normal way. As a result, direct peer-to-peer traffic between peers through the switch is blocked, and any such communication must go through the uplink. While private VLANs provide isolation between peers at the data link layer, communication at higher layers may still be possible depending on further network configuration.
A typical application for a private VLAN is a hotel or Ethernet-to-the-home network where each room or apartment has a port for Internet access. Similar port isolation is used in Ethernet-based ADSL DSLAMs. Allowing direct data link layer communication between customer nodes would expose the local network to various security attacks, such as ARP spoofing, as well as increase the potential for damage due to misconfiguration.
Another application of private VLANs is to simplify IP address assignment. Ports can be isolated from each other at the data link layer, while belonging to the same IP subnet. In such a case, direct communication between the IP hosts on the protected ports is only possible through the uplink connection by using MAC-Forced Forwarding or a similar Proxy ARP based solution.
VLAN Trunking Protocol
Version 3
Version 3 of the VLAN Trunking Protocol added support for private VLANs.
Versions 1 and 2
VTP versions 1 and 2 do not propagate private-VLAN configuration, so when using them the switch must be in VTP transparent mode and the administrator has to configure the private VLANs on each switch individually.
Limitations of Private VLANs
Private VLANs have no support for:
- Dynamic-access port VLAN membership
- Dynamic Trunking Protocol
- Port Aggregation Protocol
- Link Aggregation Control Protocol
- Multicast VLAN Registration
- Voice VLAN
- Web Cache Communication Protocol
- Ethernet ring protection
- Flexible VLAN tagging
- Egress VLAN firewall filters
- Integrated routing and bridging interface
- Multichassis link aggregation groups
- Q-in-Q tunneling
- Routing between sub-VLANs and Primary VLAN
- IGMP snooping (Juniper implementation)
Configuration limitations
- An access interface cannot participate in two different primary VLANs; it is limited to one private VLAN.
- Spanning Tree Protocol settings.
- VLAN 1 and VLANs 1002 to 1005 cannot be configured as primary or secondary VLANs, as they are special VLANs.
Cisco implementation
Cisco Systems' Private VLANs have the advantage that they can function across multiple switches. A Private VLAN divides a VLAN into sub-VLANs while keeping the existing IP subnet and layer 3 configuration. A regular VLAN is a single broadcast domain, while a private VLAN partitions one broadcast domain into multiple smaller broadcast subdomains.
Primary VLAN: simply the original VLAN. This type of VLAN is used to forward frames downstream to all Secondary VLANs.
Secondary VLAN: a Secondary VLAN is configured with one of the following types:
- Isolated: any switch ports associated with an Isolated VLAN can reach the primary VLAN, but not any other Secondary VLAN. In addition, hosts associated with the same Isolated VLAN cannot reach each other. There can be multiple Isolated VLANs in one Private VLAN domain; the ports remain isolated from each other within each VLAN.
- Community: any switch ports associated with a common community VLAN can communicate with each other and with the primary VLAN but not with any other secondary VLAN. There can be multiple distinct community VLANs within one Private VLAN domain.
Port types:
- Isolated Port (I-Port): connects to a regular host that resides on an isolated VLAN. This port communicates only with P-Ports (promiscuous ports, the ports facing the uplink device).
- Community Port (C-Port): connects to a regular host that resides on a community VLAN. This port communicates with P-Ports and with ports on the same community VLAN.
The following table shows the traffic which can flow between all these ports.
| From \ To | I-Port | P-Port | C1-Port | C2-Port | Uplink to Switch2 |
|---|---|---|---|---|---|
| I-Port | Deny | Permit | Deny | Deny | Permit/Deny |
| P-Port | Permit | Permit | Permit | Permit | Permit |
| C1-Port | Deny | Permit | Permit | Deny | Permit |
| C2-Port | Deny | Permit | Deny | Permit | Permit |
| Uplink to Switch2 | Permit/Deny | Permit | Permit | Permit | Permit |
Traffic from an uplink port to an isolated port is denied if it is carried in the isolated VLAN, and permitted if it is carried in the primary VLAN.
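The forwarding behaviour described in the introduction and in the table above, as an added Python model (not code from the article, Cisco or Juniper). The port roles, port names and the `community:<name>` tag strings are assumptions of this example; the inter-switch uplink is modelled by tagging a frame with its source port's VLAN (primary or secondary) and deciding delivery on the far switch, which is what produces the Permit/Deny cell for isolated ports.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

PRIMARY = "primary"  # tag carried by frames that P-Ports forward downstream

@dataclass(frozen=True)
class Port:
    """role: 'promiscuous' (P-Port, faces the uplink), 'isolated' (I-Port) or 'community' (C-Port)."""
    name: str
    role: str
    community: Optional[str] = None  # community VLAN name, C-Ports only

def vlan_tag(port: Port) -> str:
    """VLAN a frame from this port carries when it crosses an inter-switch trunk."""
    if port.role == "promiscuous":
        return PRIMARY  # P-Ports forward in the primary VLAN
    if port.role == "isolated":
        return "isolated"  # a single isolated VLAN shared by all I-Ports
    return f"community:{port.community}"  # assumed tag naming, one per community

def local_permits(src: Port, dst: Port) -> bool:
    """Two ports on the same switch: reproduces the article's Permit/Deny matrix."""
    if "promiscuous" in (src.role, dst.role):
        return True  # P-Ports exchange traffic with every port
    if src.role == "community" and dst.role == "community":
        return src.community == dst.community  # same community only
    return False  # I to I, I to C, C to another community: blocked at layer 2

def trunk_delivers(tag: str, dst: Port) -> bool:
    """Receiving switch: may a frame that arrived over the trunk with tag reach dst?"""
    if dst.role == "promiscuous" or tag == PRIMARY:
        return True  # primary-VLAN traffic reaches I- and C-Ports
    if tag == "isolated":
        return False  # isolated-VLAN traffic is delivered to P-Ports only
    return tag == vlan_tag(dst)  # community traffic reaches its own community

def permits(src: Port, dst: Port, same_switch: bool = True) -> bool:
    """True if a frame from src may be forwarded to dst, locally or across a trunk."""
    if same_switch:
        return local_permits(src, dst)
    return trunk_delivers(vlan_tag(src), dst)

def forwarding_matrix(ports: List[Port]) -> Dict[str, Dict[str, str]]:
    """Rows are sources, columns destinations, mirroring the article's table."""
    return {s.name: {d.name: "Permit" if permits(s, d) else "Deny" for d in ports}
            for s in ports}
```

Because two isolated hosts never get a layer 2 path to each other, even across the trunk, the peer-to-peer ARP spoofing risk mentioned earlier is removed at the switch rather than relying on host configuration.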
Use cases
Network segregation
Private VLANs are used for network segregation when:
- Moving from a flat network to a segregated network without changing the IP addressing of the hosts. A firewall can replace the router, and hosts can then be moved gradually to their secondary VLAN assignment without changing their IP addresses.
- There is a need for a firewall with many tens, hundreds or even thousands of interfaces. Using Private VLANs, the firewall can have only one interface for all the segregated networks.
- There is a need to preserve IP addressing. With Private VLANs, all Secondary VLANs can share the same IP subnet.
- There is a need to overcome license fees for the number of supported VLANs per firewall.
- There is a need for more than 4095 segregated networks. With an Isolated VLAN, there is no limit on the number of segregated networks.
Secure hosting
Private VLANs in a hosting operation allow segregation between customers with the following benefits:
- No need for a separate IP subnet for each customer.
- Using an Isolated VLAN, there is no limit on the number of customers.
- No need to change the firewall's interface configuration to extend the number of configured VLANs.