Private VLANs
A private VLAN (PVLAN) divides the original VLAN (termed the primary VLAN) into sub-VLANs (secondary VLANs), while retaining the existing IP subnet and layer-3 configuration. Unlike a regular VLAN, which is a single broadcast domain, a PVLAN partitions one broadcast domain into multiple smaller broadcast subdomains.
After a PVLAN is configured, the primary VLAN forwards frames downstream to all secondary VLANs.
There are two main types of secondary VLANs:
- Isolated: Any switch ports associated with an isolated VLAN can reach the primary VLAN, but not any other secondary VLAN. In addition, hosts associated with the same isolated VLAN cannot reach each other. Only one isolated VLAN is allowed in one PVLAN domain.
- Community: Any switch ports associated with the same community VLAN can communicate with each other and with the primary VLAN, but not with any other secondary VLAN. You can have multiple distinct community VLANs within one PVLAN domain.
There are two main types of ports in a PVLAN: promiscuous ports (P-Ports) and host ports.
- Promiscuous Port (P-Port): A switch port that connects to a router, firewall, or other common gateway device. This port can communicate with anything else connected to the primary VLAN or to any secondary VLAN. In other words, it is a port that is allowed to send frames to, and receive frames from, any other port in the PVLAN.
- Host ports are further divided into two types: isolated ports (I-Ports) and community ports (C-Ports).
- Isolated Port (I-Port): Connects to a regular host that resides on the isolated VLAN. This port communicates only with P-Ports.
- Community Port (C-Port): Connects to a regular host that resides on a community VLAN. This port communicates with P-Ports and with other ports on the same community VLAN.
Creating and enabling a PVLAN
Using the GUI:
- Go to Switch > VLAN.
- Select Add VLAN to create a new PVLAN.
- Enter the VLAN identifier.
- Enter a description for the new PVLAN.
- Select Enabled to enable the new Private VLAN.
- Enter a single VLAN identifier for the isolated sub-VLAN.
- If needed, enter one or more VLAN identifiers for community sub-VLANs.
- To save your changes, select Add at the bottom of the page.
Configuring the PVLAN ports
Using the GUI:
- Go to Switch > Interfaces.
- Select the port to configure.
- Click Edit.
- Select whether the private VLAN port is a promiscuous port or part of a sub-VLAN.
- For a promiscuous port, select the primary VLAN identifier.
- For a port that is part of a sub-VLAN, select the primary VLAN identifier and the sub-VLAN identifier.
- Click Update.
Private VLAN example
- Enable a PVLAN:
config switch vlan
    edit 1000
        set private-vlan enable
        set isolated-vlan 101
        set community-vlans 200-210
    next
end
- Configure the PVLAN ports:
config switch interface
    edit "port2"
        set private-vlan promiscuous
        set primary-vlan 1000
    next
    edit "port3"
        set private-vlan sub-vlan
        set primary-vlan 1000
        set sub-vlan 200
    next
    edit "port7"
        set private-vlan sub-vlan
        set primary-vlan 1000
        set sub-vlan 101
    next
    edit "port19"
        set private-vlan promiscuous
        set primary-vlan 1000
    next
    edit "port20"
        set private-vlan sub-vlan
        set primary-vlan 1000
        set sub-vlan 101
    next
    edit "port21"
        set private-vlan sub-vlan
        set primary-vlan 1000
        set sub-vlan 101
    next
end
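As an added example, not part of the FortiSwitch documentation or its CLI, the following Python script applies the forwarding rules described above to this CLI example and reports which port pairs can exchange frames, which is a quick way to confirm that isolated hosts on port7, port20 and port21 really are cut off from each other. The VLANS and PORTS dictionaries are a constructed transcription of the configuration (keyed by the CLI attribute names), not output from the switch.

```python
# Added example (not FortiSwitch code): evaluates the PVLAN forwarding rules
# described above over the page's CLI example, so the intended segmentation can be
# checked against every port pair. VLANS and PORTS mirror that example, keyed by the
# CLI attribute names; the dict layout itself is a constructed assumption.
VLANS = {"1000": {"private-vlan": "enable", "isolated-vlan": "101", "community-vlans": "200-210"}}
PORTS = {
    "port2":  {"private-vlan": "promiscuous", "primary-vlan": "1000"},
    "port3":  {"private-vlan": "sub-vlan", "primary-vlan": "1000", "sub-vlan": "200"},
    "port7":  {"private-vlan": "sub-vlan", "primary-vlan": "1000", "sub-vlan": "101"},
    "port19": {"private-vlan": "promiscuous", "primary-vlan": "1000"},
    "port20": {"private-vlan": "sub-vlan", "primary-vlan": "1000", "sub-vlan": "101"},
    "port21": {"private-vlan": "sub-vlan", "primary-vlan": "1000", "sub-vlan": "101"},
}

def role(port):
    """Classify a port as ('promiscuous', primary), ('isolated', vid) or ('community', vid)."""
    p = PORTS[port]
    pv = VLANS[p["primary-vlan"]]
    if pv.get("private-vlan") != "enable":
        raise ValueError(f"{port}: primary VLAN {p['primary-vlan']} is not a private VLAN")
    if p["private-vlan"] == "promiscuous":
        return "promiscuous", p["primary-vlan"]
    vid = int(p["sub-vlan"])
    if vid == int(pv.get("isolated-vlan", "0")):
        return "isolated", vid
    lo, _, hi = pv.get("community-vlans", "0").partition("-")  # "200-210" or a single id
    if int(lo) <= vid <= int(hi or lo):
        return "community", vid
    raise ValueError(f"{port}: VLAN {vid} is not a secondary VLAN of {p['primary-vlan']}")

def can_reach(a, b):
    """P-Ports reach everything in the domain; C-Ports reach P-Ports and their own
    community; I-Ports reach only P-Ports, never each other."""
    if PORTS[a]["primary-vlan"] != PORTS[b]["primary-vlan"]:
        return False  # different PVLAN domains never forward to each other
    (ra, va), (rb, vb) = role(a), role(b)
    if "promiscuous" in (ra, rb):
        return True
    return ra == rb == "community" and va == vb

def reachability_matrix():
    """Return {(a, b): bool} for every ordered pair of distinct ports."""
    return {(a, b): can_reach(a, b) for a in PORTS for b in PORTS if a != b}

if __name__ == "__main__":
    for (a, b), ok in sorted(reachability_matrix().items()):
        print(f"{a:>6} -> {b:<6} {'allowed' if ok else 'blocked'}")
```

Running it shows that every pair involving port2 or port19 is allowed, while port7, port20 and port21 are blocked from one another and from port3.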