Administration Guide

Private VLANs

A private VLAN (PVLAN) divides the original VLAN (termed the primary VLAN) into sub-VLANs (secondary VLANs), while retaining the existing IP subnet and layer-3 configuration. Unlike a regular VLAN, which is a single broadcast domain, a PVLAN partitions one broadcast domain into multiple smaller broadcast subdomains.

After a PVLAN is configured, the primary VLAN forwards frames downstream to all secondary VLANs.

There are two main types of secondary VLANs:

  • Isolated: Any switch ports associated with an isolated VLAN can reach the primary VLAN, but not any other secondary VLAN. In addition, hosts associated with the same isolated VLAN cannot reach each other. Only one isolated VLAN is allowed in one PVLAN domain.
  • Community: Any switch ports associated with the same community VLAN can communicate with each other and with the primary VLAN, but not with any other secondary VLAN. You can have multiple distinct community VLANs within one PVLAN domain.

There are two main types of ports in a PVLAN: promiscuous (P-Port) and host.

  • Promiscuous Port (P-Port): The switch port connects to a router, firewall, or other common gateway device. This port can communicate with anything else connected to the primary VLAN or any secondary VLAN. In other words, it is a port that is allowed to send frames to, and receive frames from, any other port in the PVLAN.
  • Host Ports are further divided into two types: isolated port (I-Port) and community port (C-Port).
      • Isolated Port (I-Port): Connects to a regular host that resides on the isolated VLAN. This port communicates only with P-Ports.
      • Community Port (C-Port): Connects to a regular host that resides on a community VLAN. This port communicates with P-Ports and with ports on the same community VLAN.

Creating and enabling a PVLAN

Using the GUI:
  1. Go to Switch > VLAN.
  2. Select Add VLAN to create a new PVLAN.
  3. Enter the VLAN identifier.
  4. Enter a description for the new PVLAN.
  5. Select Enabled to enable the new Private VLAN.
  6. Enter a single VLAN identifier for the isolated sub-VLAN.
  7. If needed, enter one or more VLAN identifiers for the community sub-VLANs.
  8. To save your changes, select Add at the bottom of the page.

Configuring the PVLAN ports

Using the GUI:
  1. Go to Switch > Interface > Physical.
  2. Select the port to configure.
  3. Select Edit.
  4. Select if the Private VLAN port is a promiscuous port or part of a sub-VLAN.
  5. For a promiscuous port, select the primary VLAN identifier.
  6. For a port that is part of a sub-VLAN, select the primary VLAN identifier and the sub-VLAN identifier.
  7. Select OK.

Private VLAN example

  1. Enable a PVLAN (VLAN 1000 is the primary VLAN, 101 the isolated VLAN, and 200-210 the community VLANs):

    config switch vlan
        edit 1000
            set private-vlan enable
            set isolated-vlan 101
            set community-vlans 200-210
        next
    end

  2. Configure the PVLAN ports (port2 and port19 are promiscuous; port3 is a community port in VLAN 200; port7, port20, and port21 are isolated ports in VLAN 101):

    config switch interface
        edit "port2"
            set private-vlan promiscuous
            set primary-vlan 1000
        next
        edit "port3"
            set private-vlan sub-vlan
            set primary-vlan 1000
            set sub-vlan 200
        next
        edit "port7"
            set private-vlan sub-vlan
            set primary-vlan 1000
            set sub-vlan 101
        next
        edit "port19"
            set private-vlan promiscuous
            set primary-vlan 1000
        next
        edit "port20"
            set private-vlan sub-vlan
            set primary-vlan 1000
            set sub-vlan 101
        next
        edit "port21"
            set private-vlan sub-vlan
            set primary-vlan 1000
            set sub-vlan 101
        next
    end
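As an added check that is not part of the Fortinet guide, the following Python models the forwarding rules stated in the port-type list above (a P-Port reaches every port in its primary VLAN, a C-Port reaches P-Ports and its own community, an I-Port reaches only P-Ports) and applies them to four of the ports from the example configuration, so the intended segmentation can be verified before the config is pushed. The regex parser, the `parse_ports` and `can_forward` names, and the trimmed port list are assumptions of this example, not FortiSwitch code.

```python
import re
# Constructed input: four of the ports from the example configuration above.
PORT_CONFIG = """config switch interface
    edit "port2"
        set private-vlan promiscuous
        set primary-vlan 1000
    next
    edit "port3"
        set private-vlan sub-vlan
        set primary-vlan 1000
        set sub-vlan 200
    next
    edit "port7"
        set private-vlan sub-vlan
        set primary-vlan 1000
        set sub-vlan 101
    next
    edit "port20"
        set private-vlan sub-vlan
        set primary-vlan 1000
        set sub-vlan 101
    next
end"""
ISOLATED_VLAN = 101                 # from "set isolated-vlan 101"
COMMUNITY_VLANS = range(200, 211)   # from "set community-vlans 200-210"

def parse_ports(text):  # collect the 'set' values of each edit "<port>" stanza
    ports, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'edit "(\S+)"', line):
            current = m.group(1)
            ports[current] = {}
        elif m := re.match(r'set (\S+) (\S+)$', line):
            key, val = m.groups()
            ports[current][key] = int(val) if val.isdigit() else val
        elif line in ("next", "end"):
            current = None
    return ports

def can_forward(a, b):
    """Whether a frame entering port a may leave on port b under the PVLAN rules."""
    if a["primary-vlan"] != b["primary-vlan"]:
        return False        # different PVLAN domains never exchange frames
    if "promiscuous" in (a["private-vlan"], b["private-vlan"]):
        return True         # a P-Port talks to every port in its primary VLAN
    if a["sub-vlan"] != b["sub-vlan"]:
        return False        # one secondary VLAN cannot reach another
    # Same secondary VLAN: community hosts may talk, isolated (101) hosts may not.
    return a["sub-vlan"] in COMMUNITY_VLANS and a["sub-vlan"] != ISOLATED_VLAN
```

Running `can_forward` over every ordered pair of parsed ports gives the full reachability matrix; any True entry between two host ports that should be isolated from each other is a configuration error to fix before deployment.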
