4 Steps of Private VLAN Configuration (Back to Basics)

Written by PivIT Global | Oct 13, 2022 2:06:00 PM

Network and business requirements sometimes demand Layer 2 traffic isolation between devices that are connected to the same physical switch and belong to the same Layer 3 segment or VLAN. One solution is to provide one VLAN per device (one per customer in service provider networks). However, every extra VLAN needs its own subnet, so this wastes IP address space and offers no optimization.

In addition, spanning tree operation becomes harder and more resource intensive as the number of VLANs grows, and isolating hosts with long access control lists instead adds management complexity. This is where a private VLAN comes in handy: it splits a regular VLAN domain into two or more subdomains.

In this article, we will provide the following:

  • an overview of private VLANs (PVLANs),
  • how PVLANs provide isolation between devices on an existing Layer 2 infrastructure without any major changes,
  • the special types of interfaces and VLANs involved, and
  • a four-step PVLAN configuration.

Private VLANs Overview

It is not that rare for network engineers to get requests to restrict Layer 2 traffic communication between two or more devices that belong to the same VLAN. In a situation like that, two different approaches can be used.

  • Approach 1: This approach is based on a simple filtering feature called "Protected Port" and restricts communication between switch interfaces configured as protected ports. Although protected ports do the job, the restriction can be bypassed with a Layer 3 device in what is dubbed a private VLAN proxy attack: the blocking does not apply when traffic from one protected port is forwarded through a Layer 3 device before it reaches another protected port on the same switch.
  • Approach 2: This approach uses PVLANs. It is a more advanced solution than the protected port feature and provides Layer 2 isolation between devices within the same VLAN (and IP subnet). Furthermore, it eliminates the need for additional VLANs and IP subnets and offers several options to define how traffic is allowed or denied between different switch ports in the same VLAN.

One benefit of PVLANs is simplified traffic management on the switch while conserving IP address space, because no additional VLANs and subnets have to be deployed.

This is achieved by subdividing an existing common IP subnet into several private VLANs. Based on the PVLAN port type configured on each interface to which a host is connected, some communication is allowed while other communication is denied.


The Different Port Types in PVLANs

To understand PVLANs, you first need to be familiar with the PVLAN port types. The forwarding action applied to traffic depends on the port type configured on the interface. A port in a PVLAN can be configured as one of the following types:

  • Isolated: This is an access port assigned to an isolated secondary VLAN. As you can see in the image below, an isolated port has complete Layer 2 isolation from all other ports within the same primary VLAN, except the promiscuous ports.

    As a result, all traffic destined for an isolated port is blocked unless it comes from a promiscuous port. Conversely, traffic sent by an isolated port is forwarded only to a promiscuous port. Interfaces Fa0/6 and Fa0/7 are configured as isolated ports.

  • Community: This is an access port assigned to a community secondary VLAN. Community ports can communicate with other ports in the same community VLAN and with the promiscuous ports on the switch.

    However, community ports in one community VLAN cannot communicate with community ports in another community VLAN or with isolated ports in the isolated VLAN. Interfaces Fa0/2, Fa0/3, Fa0/4, and Fa0/5 are configured as community ports in community VLANs 101 and 102, respectively.

  • Promiscuous: This is an access port assigned to the primary VLAN. A promiscuous port can communicate with all ports within the PVLAN, including isolated, community, and any other promiscuous ports.

    Because the promiscuous port is the path toward the default gateway for the rest of the ports, it typically connects to a router or a firewall. Interface Fa0/1 is configured as a promiscuous port. Remember that a promiscuous port can serve only one primary VLAN, one isolated VLAN, and one or more community VLANs. You can have more than one promiscuous port on the switch.

The Meaning of Private VLAN Types

PVLANs use two types of VLANs: primary and secondary. In a single PVLAN implementation, exactly one primary VLAN is divided into one or more secondary VLANs.

Each secondary VLAN is either an isolated or a community VLAN. A PVLAN domain can contain only one isolated VLAN but multiple community VLANs. In the image above, VLAN 50 is the primary VLAN, VLANs 101 and 102 are community VLANs, and VLAN 201 is the isolated VLAN.

The VLANs in PVLAN implementation can be deployed in three different types:

  • As a primary VLAN: This is the main VLAN under which the secondary VLANs belong. It transfers traffic from promiscuous ports to isolated, community, and other promiscuous ports within the borders of the primary VLAN.
  • As a community VLAN: This is a secondary VLAN that transfers traffic between the community ports of the same community VLAN and promiscuous ports.
  • As an isolated VLAN: This is a secondary VLAN that transfers traffic between the isolated and promiscuous ports.

802.1Q trunking can extend the primary, community, and isolated VLANs across multiple devices if they all support PVLANs.


4-Step PVLAN Configuration

For the PVLAN configuration, we will use the topology from the image above. The goal is for both the Sales (VLAN 101) and HR (VLAN 102) departments to communicate only internally and with the internet, but not with each other or with the FTP and TFTP servers in VLAN 201.

Furthermore, for security reasons the servers should not be allowed to communicate with each other or with the Sales and HR departments, but only with the internet and with the IT department (which uploads to and downloads from the servers), both of which are reachable over the promiscuous port connected to the router.

Step 1:

Set the switch into VTP transparent mode, a requirement for implementing PVLANs.

Step 2:

Configure VLANs 101, 102, and 201 and identify them as community and isolated VLANs, respectively. View the commands below.

Step 3:

After you define the VLANs, you need to configure the interfaces as the appropriate PVLAN port types. A promiscuous port is defined with the "promiscuous" keyword, while community and isolated ports are both defined with the same keyword, "host". The secondary VLAN a host port is associated with determines whether it becomes a community or an isolated port.

Step 4:

Finally, the promiscuous port should be mapped to all secondary VLANs because traffic will flow from and to those VLANs. View the commands below.
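As an added example (not the article's own command screenshots), here are the four steps above in Cisco IOS syntax for the topology from the port-types section: primary VLAN 50, Fa0/1 as the promiscuous port toward the router, Fa0/2 and Fa0/3 in community VLAN 101 (Sales), Fa0/4 and Fa0/5 in community VLAN 102 (HR), and Fa0/6 and Fa0/7 in isolated VLAN 201; the exact split of the four community ports between Sales and HR is an assumption. It also includes declaring the primary VLAN and associating it with the secondaries, which IOS requires before any host or promiscuous port can reference them.

```cisco
configure terminal
! Step 1: PVLANs require VTP transparent mode
vtp mode transparent
!
! Step 2: define the secondary VLANs and their PVLAN type
vlan 201
 name Servers
 private-vlan isolated
!
vlan 101
 name Sales
 private-vlan community
!
vlan 102
 name HR
 private-vlan community
!
! The primary VLAN (50, taken from the topology description) must also be
! declared and associated with every secondary VLAN before ports can use them
vlan 50
 name PVLAN-Primary
 private-vlan primary
 private-vlan association 101,102,201
!
! Step 3: host ports; the secondary VLAN in the association decides whether
! the port behaves as a community port (101/102) or an isolated port (201)
interface range FastEthernet0/2 - 3
 description Sales hosts, community VLAN 101 (port split assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 50 101
!
interface range FastEthernet0/4 - 5
 description HR hosts, community VLAN 102 (port split assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 50 102
!
interface range FastEthernet0/6 - 7
 description FTP/TFTP servers, isolated VLAN 201
 switchport mode private-vlan host
 switchport private-vlan host-association 50 201
!
! Step 4: promiscuous port toward the router, mapped to all secondary VLANs
interface FastEthernet0/1
 description Uplink to router (default gateway)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 50 101,102,201
end
! Verify: every secondary VLAN should show its type and member ports
show vlan private-vlan
```

Note that the router on Fa0/1 can still forward frames between hosts in different secondary VLANs if a host addresses them to the router's MAC (the proxy behaviour described under Approach 1), so an inbound ACL on the router interface that drops traffic sourced from and destined to the same subnet is the usual complement to this switch configuration.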

The Verdict

Once the requirements are known, a PVLAN implementation can easily be deployed on a switch. The best part is that, besides the logical boundaries and traffic permissions now in place, all devices connected to the switch ports still belong to the same IP subnet, with no new VLANs and no IP readdressing. Moreover, PVLANs scale better than regular VLANs, since a single subnet can hold many more Layer 2 isolation domains.
