CONCEPT OF PRIVATE VLAN

To understand the notion of “Private VLAN”, we need to know how VLAN works – All the devices in a VLAN can hear the broadcast sent by any of the device in the same segment – Hence VLAN has a single broadcast domain. However Private VLANs split the single Broadcast domain further  into multiple isolated broadcast subdomainsVLANs usually correspond to a single IP subnet. When we split VLAN using PVLANs, hosts in different PVLANs still belong to the same IP subnet, but they need to use another L3 device (Router or Layer 3 Switch) to talk to each other.

Private VLAN divides a VLAN into sub-VLANs. It uses below approach  to meet the objective of segregating single VLAN into multiple smaller broadcast subdomains –


(a) Primary VLAN – This type of VLAN is used to forward frames downstream to all Secondary VLANs.(b) Secondary VLAN – Secondary VLAN can be any one of the two – (b.1) Isolated (b.2) Community

(b.1) Isolated – In Isolated VLAN, If any port is part of Isolated VLAN, it can reach the primary VLAN, but not any other Secondary VLAN (Isolated or Community) i.e. hosts associated with the same Isolated VLAN cannot even reach each other. There can be multiple Isolated VLANs in one Private VLAN domain (which may be useful if the VLANs need to use distinct paths for security reasons).

(b) Community – Switch ports part of community VLAN can communicate with each other in same community and with the primary VLAN but not with any other secondary VLAN. There can be multiple distinct community VLANs within one Private VLAN domain. 

 

There are two types of ports in a Private VLAN – (a) Promiscuous port (b) Host port. Host port further divides in two types – (b.1) Isolated port and (b.2) Community port.

(a) Promiscuous port – The switch port connects to a Layer 3 device like router and firewall. Promiscous port can communicate with anything else connected to the primary or any secondary VLAN (Isolated port or community)(b) Host Ports –

(b.1) Isolated Port – This port is part of isolated VLAN. This port communicates only with Promiscuous ports.

(b.2) Community Port – This port is part of of community VLAN. This port communicates with Promiscuous Ports and ports on the same community VLAN. 

 

Below diagram gives more detailed on which communication is allowed and which are disallowed in a Private Vlan environment across various ports in promiscuous , Community and Isolated Vlans.

 concept-of-private-vlan

 

 

 

Please follow and like us:
error

Related Posts

Add Comment

Social Media Auto Publish Powered By : XYZScripts.com
Select your currency
USD United States (US) dollar

Checkout : E-STORE for latest releases "CEH Interview Q&A " Dismiss