Ethernet: Private VLANs

Security is a major factor in the segmentation of LANs into multiple VLANs.  Devices in different VLANs do no overhear broadcasts and other communication with hosts that communicate on diffferent VLANs.

sometimes the design goal of conserving the use of available IP subnets and the n eed to increase security by seperating devices into many small VLANs conflicts.  the Private VLAN feature addresses this issue.

Private VLANs allow a switch to separate ports as if they were on different VLANs, all while consuming only a single subnet on the network.

A common implementation of this would be used for multitennant offerings for a service provider, a single router and switch are installed in a multitenant location and a single subnet can be segmented across multiple private VLANs so they cannot communicate directly with one another.

Conceptually Private VLANs are partitions of a given VLAN into an arbitrary number of non-overlapping sub-VLANs, or secondary VLANs.  This partitioning is invisible to the outside world which only still has visibility of the primary VLAN.  Secondary VLANs will still use this primary VLAN to communicate to the outside world however internally all secondary VLANs will be on different and unique VLAN IDs.


Secondary VLANs have two types: community VLANs and isolated VLANs.

Ports assigned to the same community VLAN can communicate between each other directly but cannot communicate with any other VLAN.

Ports assigned to an isolated VLAN can neither communicate with each other or with any hosts on any other VLAN.  This would necessitate only a single VLAN for isolated use, since multiple VLANs for isolated use would make no sense.

A primary VLAN can be associated with zero or more community VLANs and with only one isolated VLAN.  A secondary VLAN can only be associated with exactly one primary VLAN.

A Promiscuous port is not associated with any particular secondary VLAN, instead it is associated to a corresponding primary VLAN itself.  A device connected to a promiscuous port can communicate with all devices in all secondary VLANs associated with the primary VLAN and vice versa.

There are two common misconceptions with Private VLANs and trunks.  The first relates to tagging, its incorrectly believed that VLANs use double  tags on trunk ports including the private vlan and primary vlan tag.  That is not the case, instead private VLANs are associated to primary VLANs and are tagged with their private VLAN as they pass through the trunk.

the second misconception relates to trunk port types, there are actually two special types of trunk ports with respect to Private VLANS.  They are Promiscuous VLAN Trunk (PVLAN) and Isolated PVLAN trunks.

These types of trunks usage are limited to specific scenarios.

The promiscuous VLANtrunk port rewrites the secondary VLAN ID into the primary PVLAN ID upon sending a frame.  when a frame is received no tag manipulation is performed.  Also no tag manipulation is performed for frames in ordinary VLANs.


The second type of trunk is the Isolated PVLAN trunk, this trunk type rewrites the primary VLAN ID into the isolated secondary VLAN ID upon sending a frame.  When a frame is received, no tag manipulation is performed, also no tag manipulation is performed for frames in ordinary VLANS.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s