Engineers may design VLANs with many goals in mind. In many cases today, devices end up in the same VLAN just based on the physical locations of the wiring drops. Security is another motivating factor in VLAN design: devices in different VLANs do not overhear each other’s broadcasts. Additionally, the separation of hosts into different VLANs and subnets requires an intervening router or multilayer switch between the subnets, and these types of devices typically provide more robust security features.
Regardless of the design motivations behind grouping devices into VLANs, good design practices typically call for the use of a single IP subnet per VLAN. In some cases, however, the need to increase security by separating devices into many small VLANs conflicts with the design goal of conserving the use of the available IP subnets. The Cisco private VLAN feature addresses this issue. Private VLANs allow a switch to separate ports as if they were on different VLANs, while consuming only a single subnet.
A common place to implement private VLANs is in the multitenant offerings of a service provider (SP). The SP can install a single router and a single switch. Then, the SP attaches devices from multiple customers to the switch. Private VLANs then allow the SP to use only a single subnet for the whole building, separating different customers’ switch ports so that they cannot communicate directly, while supporting all customers with a single router and switch.
Conceptually, a private VLAN includes the following general characterizations of how ports communicate:
Ports that need to communicate with all devices
Ports that need to communicate with each other, and with shared devices, typically routers
Ports that need to communicate only with shared devices
To support each category of allowed communications, a single private VLAN features a primary VLAN and one or more secondary VLANs. The ports in the primary VLAN are promiscuous in that they can send and receive frames with any other port, including ports assigned to secondary VLANs. Commonly accessed devices, such as routers and servers, are placed into the primary VLAN. Other ports, such as customer ports in the SP multitenant model, attach to one of the secondary VLANs.
Secondary VLANs are either community VLANs or isolated VLANs. The engineer picks the type based on whether the device is part of a set of ports that should be allowed to send frames back and forth (community VLAN ports), or whether the device port should not be allowed to talk to any other ports besides those on the primary VLAN (isolated VLAN). Table 2-2 summarizes the behavior of private VLAN communications between ports.
Private VLAN Communications Between Ports
1Community and isolated VLANs are secondary VLANs.
2Promiscuous ports, by definition in the primary VLAN, can talk to all other ports.

Related Posts