Private VLANs

A Private VLAN is a security feature that separates a regular VLAN domain into two or more subdomains. Each subdomain is represented by a primary VLAN and a secondary VLAN. The primary VLAN ID is the same for all subdomains that belong to a private VLAN. The secondary VLAN ID differentiates subdomains from each another and provides Layer 2 isolation between ports that are members of the same private VLAN.

Private VLANs are typically implemented in the network’s DMZ to protect network servers and other resources. Servers should not communicate with each other; however, the servers must communicate with a router in order to be accessed by network users. When using private VLANs, the servers are connected to the private VLAN host ports, and the routers connect to promiscuous ports. Then, if one of the servers is compromised, the intruder cannot use it to attack another server in the same network segment.

The same traffic isolation can be achieved by configuring each port with a different VLAN, allocating an IP subnet for each VLAN, and enabling L3 routing between them. However, the subnet-based VLAN approach requires more VLANs and IP subnets as well as L3 routing configuration. In a private VLAN domain, all members can share a common address space of a single subnet which is associated with a primary VLAN. So, the advantage of the private VLANs feature is that it reduces the number of consumed VLANs, improves IP addressing space utilization, and helps to avoid L3 routing.

There are the following types of VLANs within a private VLAN:

Primary VLAN - Forwards the traffic from the promiscuous ports to isolated ports, community ports and other promiscuous ports in the same private VLAN. Only one primary VLAN can be configured per private VLAN. All ports within a private VLAN share the same primary VLAN.
Isolated VLAN - A secondary VLAN that carries traffic from isolated ports to promiscuous ports. Only one isolated VLAN can be configured per private VLAN.
Community VLAN - A secondary VLAN that forwards traffic between ports which belong to the same community and to the promiscuous ports. There can be multiple community VLANs per private VLAN.

Three types of port designations exist within a private VLAN:

Promiscuous port - A primary VLAN member that can communicate with all interfaces in the private VLAN, including other promiscuous ports, community ports and isolated ports.
Host port - A secondary VLAN member that, depending on the type of secondary VLAN, can either communicate with other ports in the same community (if the secondary VLAN is a community VLAN) and with the promiscuous ports, or is able to communicate only with the promiscuous ports (if the secondary VLAN is an isolated VLAN)
Isolated port - A secondary VLAN member that can communicate only with promiscuous ports. Endpoints connected to adjacent isolated ports cannot communicate with each other.

Private VLAN Type Configuration

Use the Private VLAN Type Configuration page to configure an existing VLAN as a Primary, Isolated, or Community VLAN. To access the Private VLAN Type Configuration page, click Switching > Private VLAN > Type Configuration in the navigation menu. By default, the type for all VLANs is Unconfigured.

Private VLAN Type Configuration

Field	Description
VLAN ID	Identifies the VLAN ID of the VLAN configured on the switch.
Private VLAN Type	Select the type of private VLAN: Primary - Sets Private VLAN as Primary Type Isolated - Sets Private VLAN as Isolated Type Community - Sets Private VLAN as Isolated Type Unconfigured - Sets the VLAN as non Private VLAN

Field

Description

VLAN ID

Identifies the VLAN ID of the VLAN configured on the switch.

Private VLAN Type

Select the type of private VLAN:

Primary - Sets Private VLAN as Primary Type
Isolated - Sets Private VLAN as Isolated Type
Community - Sets Private VLAN as Isolated Type
Unconfigured - Sets the VLAN as non Private VLAN

Private VLAN Association Configuration

Use the Private VLAN Association Configuration page to associate Isolated and Community VLANs with a Primary VLAN. To access the Private VLAN Association Configuration page, click Switching > Private VLAN > Association Configuration in the navigation menu.

Private VLAN Association Configuration

Field	Description
Primary VLAN	Select the VLAN to use as the Primary VLAN ID of the domain. This VLAN is used to associate Secondary (Community and Isolated) VLANs to a domain.
Isolated VLAN	Shows the ID of the VLAN associated to the domain as the Isolated VLAN.
Community VLAN(s)	Displays the current Community VLAN IDs associated to the domain (through Primary VLAN). This field displays all the VLANs of type Secondary.

If you change any information on the page, click Submit to apply the changes to the system.

Private VLAN Association Summary

Use the Private VLAN Association Summary page to view associations between primary, Isolated, and Community VLANs. To access the Private VLAN Association Summary page, click Switching > Private VLAN > Association Summary in the navigation menu.

Private VLAN Association Summary

Field	Description
Primary VLAN	Shows the VLAN that is the Primary VLAN ID of the domain.
Isolated VLAN	Shows the ID of the VLAN associated to the domain as the Isolated VLAN.
Community VLAN	Shows the IDs of the community VLANs associated to the domain through the primary VLAN. This field displays all the VLANs of type Secondary.

Private VLAN Interface Configuration

Use the Private VLAN Interface Configuration page to configure the private VLAN mode for ports. To access the Private VLAN Interface Configuration page, click Switching > Private VLAN > Interface Configuration in the navigation menu.

Private VLAN Interface Configuration

Field	Description
Interface	Select the port to configure.
Switch Port Mode	Select the private VLAN mode for the selected port, which can be one of the following: General - Sets port in General Mode Host - Sets port in Host Mode. Used for Private VLAN configuration Promiscuous - Sets port in Promiscuous Mode Used for Private VLAN configuration
Host Primary VLAN	Specify the primary VLAN ID for Host Association Mode.
Host Secondary VLAN	Specify the secondary VLAN ID for Host Association Mode.
Promiscuous Primary VLAN	Specify the primary VLAN ID for Promiscuous Association Mode.
Promiscuous Secondary VLAN ID(s)	Specify the secondary VLAN ID List for Promiscuous Association Mode. This field can accept a single VLAN ID or range of VLAN IDs, or a combination of both in sequence separated by ','. NOTE: The VLAN ID List specified in this field will replace the configured Secondary VLAN list in the association.

Command Buttons

Submit - Update the switch with the values on the screen. If you want the switch to retain the new values across a power cycle you must perform a save.
Delete Host Association - Deletes the Host VLAN association for the selected interface.
Delete Promiscuous Association - Deletes the Promiscuous VLAN association for the selected interface.
Refresh - Refresh the data on the screen with the present state of the data in the switch.

Private VLAN Interface Association Summary

Use the Private VLAN Interface Association Summary page to view associations between the private VLAN IDs and the ports. To access the Private VLAN Interface Association Summary page, click Switching > Private VLAN > Interface Association Summary in the navigation menu.

Private VLAN Interface Association Summary

Field	Description
Interface	Identifies the port.
Switch Port Mode	Shows the private VLAN mode for the port, which can be one of the following: General - Sets port in General Mode. Host - Sets port in Host Mode. Used for Private VLAN configuration. Promiscuous - Sets port in Promiscuous Mode. Used for Private VLAN configuration.
Host Primary VLAN	Shows the primary VLAN ID for Host Association Mode
Host Secondary VLAN	Shows the secondary VLAN ID for Host Association Mode.
Promiscuous Primary VLAN	Shows the primary VLAN ID for Promiscuous Association Mode.
Promiscuous Secondary VLAN ID(s)	Shows the secondary VLAN ID List for Promiscuous Association Mode.

Click Refresh to update the page with the most recent information from the system.