Private VLAN Concepts
Private VLANs are a feature that receives relatively little attention even though it is available on many series of switches. A private VLAN builds on a standard VLAN by separating traffic at a second level, within the VLAN itself, which gives the design engineer a number of additional options. This article begins with a short review of what a VLAN is and what it provides, then covers the concepts behind the private VLAN feature and how it extends the capabilities of a standard VLAN.
What is a VLAN?
The first thing to review is what a VLAN is and what it provides. A Virtual Local Area Network, or VLAN, logically separates a LAN in the same way that multiple physical switches would. For example, if an engineer had four physical switches, each could be dedicated to a separate department within a company. Without an interconnection or a routing device, the devices in one department could not send traffic to devices in another, and each department would typically be placed in its own subnet. A VLAN provides the same separation logically rather than physically: a separate VLAN is created for each department, and the physical ports connecting each department's devices are assigned to the correct VLAN. Keep in mind that the same rules apply to VLANs as to physical LANs: a routing device is required to communicate between them, and the devices in each VLAN should be assigned a separate subnet.
Private VLANs: Extending the abilities of a VLAN
The private VLAN feature extends the capabilities of a "standard" VLAN by introducing three additional concepts: the primary VLAN, the community VLAN and the isolated VLAN. The primary VLAN is the parent of the other two types, which are referred to as secondary VLANs; a primary VLAN can have one isolated VLAN and any number of community VLANs, and each secondary VLAN belongs to exactly one primary. Ports assigned to the primary VLAN (promiscuous ports, in Cisco's terminology) can send and receive traffic to and from every device in the primary VLAN and in all of its secondary VLANs.
Community and isolated VLANs are the secondary VLANs under a primary. A port assigned to a community VLAN can exchange traffic with all other ports in the same community VLAN and with the primary VLAN's ports, but not with ports in other community VLANs or in the isolated VLAN. A port assigned to the isolated VLAN can exchange traffic with the primary VLAN's ports only; it CANNOT see traffic from other ports in the same isolated VLAN, even though they all carry the same VLAN ID.
Regardless of which VLAN a port is assigned to, all of the devices under one primary VLAN share the same IP subnet; the private VLAN feature only adds rules about which ports may exchange frames at Layer 2. That is also the feature's main caveat from a security standpoint: it enforces nothing above Layer 2. A host on an isolated port can still reach a neighbour by sending frames to the gateway's MAC address with the neighbour's IP address as the destination, because the gateway sits on a promiscuous port and will route the packet straight back into the same subnet. The standard mitigation is an access list on the gateway's interface that denies traffic whose source and destination addresses are both within the local subnet.
A visual representation is shown in Figure 1 below:
Why Use a Private VLAN?
The next question is why an engineer would want to implement the private VLAN feature at all. This section goes over a few possibilities.
Suppose an Internet Service Provider (ISP) has limited address space and wants to make the most of it by placing all of the customers in a geographic area into the same IP subnet. Most customers do not want other people seeing their Layer 2 switched traffic, and sharing a broadcast domain with strangers opens up potential security issues. Individual customers with a single port into the service provider can be assigned to the isolated VLAN; their traffic is then sent to and received from only the ISP devices connected to the primary VLAN.
Now suppose a company in the same geographic area has multiple offices, each with its own connection into the same ISP. Placing all of those connections into one community VLAN lets the offices talk directly to each other at Layer 2, while each still reaches the Internet through the ISP devices on the primary VLAN; the company's traffic stays invisible to the isolated customers and to any other community on the same switch.
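The following model ties the rules from the concepts section to the ISP and multi-office scenarios above. It is an added example, not code from the original article: it encodes the forwarding decision a private-VLAN-capable switch makes for each pair of ports, using Cisco's port-role names (promiscuous, community, isolated), and then models the Layer 3 hairpin through the gateway that the feature alone does not stop. The VLAN IDs, port names, hostnames and the 203.0.113.0/24 subnet are constructed for the example.

```python
"""Model of private VLAN forwarding rules (added example, not from the article).

Port roles use Cisco's private VLAN names: a "promiscuous" port sits in the
primary VLAN, a "community" port in a community secondary VLAN, and an
"isolated" port in the isolated secondary VLAN.  VLAN IDs, port names and the
203.0.113.0/24 subnet below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str
    primary: int                      # primary VLAN the port belongs to
    role: str                         # "promiscuous", "community" or "isolated"
    secondary: Optional[int] = None   # secondary VLAN ID for community/isolated ports


def l2_forward_allowed(src: Port, dst: Port) -> bool:
    """Return True if the switch may forward a frame from src to dst.

    Encodes the article's rules plus the two cases it leaves implicit:
    different community VLANs never see each other, and a secondary VLAN
    under one primary is unrelated to anything under another primary.
    """
    if src.primary != dst.primary:
        return False                  # ordinary VLAN boundary, needs a router
    if src.role == "promiscuous" or dst.role == "promiscuous":
        return True                   # primary VLAN ports reach every secondary VLAN
    if src.role == "community" and dst.role == "community":
        return src.secondary == dst.secondary   # only within the same community
    return False                      # isolated<->isolated and isolated<->community are blocked


def router_forwards(src_ip: str, dst_ip: str, local_subnet: str, same_subnet_acl: bool) -> bool:
    """Decide whether the gateway routes a packet it received on the primary VLAN.

    A packet whose source and destination are both in the local subnet is a
    hairpin back into the private VLAN; an ACL on the gateway interface should
    deny exactly that case.  Anything else (real off-subnet traffic) is routed.
    """
    net = ip_network(local_subnet)
    if ip_address(src_ip) in net and ip_address(dst_ip) in net:
        return not same_subnet_acl
    return True


def reachable_via_gateway(src: Port, dst: Port, gateway: Port,
                          src_ip: str, dst_ip: str, local_subnet: str,
                          same_subnet_acl: bool) -> bool:
    """The Layer 3 bypass of private VLAN isolation.

    src addresses its frame to the gateway's MAC with dst's IP as the
    destination.  The switch allows src->gateway and gateway->dst because the
    gateway is promiscuous, so only the router's ACL can stop the hop.
    """
    if gateway.role != "promiscuous":
        return False
    return (l2_forward_allowed(src, gateway)
            and router_forwards(src_ip, dst_ip, local_subnet, same_subnet_acl)
            and l2_forward_allowed(gateway, dst))


# Constructed topology for the ISP scenario: primary VLAN 100 carries the
# ISP gateway, isolated VLAN 101 holds single-port customers, and community
# VLANs 102/103 each hold one multi-office company.
SUBNET = "203.0.113.0/24"
UPLINK = Port("Gi1/0/1", 100, "promiscuous")
CUST_A = Port("Gi1/0/2", 100, "isolated", 101)
CUST_B = Port("Gi1/0/3", 100, "isolated", 101)
OFFICE_1 = Port("Gi1/0/4", 100, "community", 102)
OFFICE_2 = Port("Gi1/0/5", 100, "community", 102)
OTHER_CO = Port("Gi1/0/6", 100, "community", 103)
PORTS = [UPLINK, CUST_A, CUST_B, OFFICE_1, OFFICE_2, OTHER_CO]


def forwarding_matrix(ports):
    """Return {(src.name, dst.name): allowed} for every ordered pair of distinct ports."""
    return {(s.name, d.name): l2_forward_allowed(s, d)
            for s in ports for d in ports if s is not d}


if __name__ == "__main__":
    for (s, d), ok in sorted(forwarding_matrix(PORTS).items()):
        print(f"{s:>8} -> {d:<8} {'allow' if ok else 'block'}")
    for acl in (False, True):
        print("isolated customers reach each other via gateway, ACL"
              f"{' on' if acl else ' off'}:",
              reachable_via_gateway(CUST_A, CUST_B, UPLINK,
                                    "203.0.113.10", "203.0.113.11", SUBNET, acl))
```

Running the block prints the full 6x6 forwarding matrix: only the uplink's pairs and the two OFFICE ports talk to each other, which is the whole point of the ISP design. The last two lines show why the gateway ACL matters: with `same_subnet_acl=False` the two isolated customers still reach each other through the router, and only with the ACL does the isolation hold end to end.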
These are very simple examples, but they show that private VLANs can be useful to a design engineer looking for a solution to a specific set of requirements.
The private VLAN feature is a useful tool for any engineer solving a design problem with a particular set of requirements. When designing or modifying a network, it is worth reviewing all of the available options to see whether a different approach fits the circumstances better, and the private VLAN feature has traits that make it a good fit in situations like those above. Hopefully this article has made the concept of private VLANs easier to understand.