Understanding Private VLAN

Description of the video Understanding Private VLAN

PRIVATE VLAN:

• Private VLANs (PVLANs) can be implemented to prevent hosts within a VLAN from communicating directly at Layer 2.
• Increasing security by splitting devices into many small VLANs conflicts with the design goal of conserving the available IP subnets: every additional VLAN normally needs its own subnet and router interface. The Cisco private VLAN feature addresses this tension.
• Private VLANs allow a switch to separate ports as if they were on different VLANs, while consuming only a single IP subnet.
• A common place to implement private VLANs is at a service provider (SP), for example in a multi-tenant building.
• The SP can install a single router and a single switch and attach devices from multiple customers to that switch. Private VLANs then allow the SP to use only a single subnet for the whole building, separating different customers' switch ports so that they cannot communicate directly, while supporting all customers with a single router and switch.

A primary (regular) VLAN is associated with one or more secondary (private) VLANs. The primary VLAN carries traffic downstream from promiscuous ports to the hosts; the secondary VLANs carry traffic upstream from the hosts toward the promiscuous ports. All of them share the primary VLAN's IP subnet.

A secondary VLAN can be one of two types:
• Isolated - Hosts in this VLAN can reach only promiscuous ports in the primary VLAN. They cannot reach each other, even though they sit in the same isolated VLAN. A primary VLAN can have only one isolated VLAN.
• Community - Hosts can communicate with promiscuous ports in the primary VLAN and with other hosts in the same community VLAN, but not with hosts in other community VLANs or in the isolated VLAN. A primary VLAN can have several community VLANs.

Note: PVLAN information is not communicated by VTP version 1 or 2; the switch must be in VTP transparent mode before private VLANs can be configured, and the primary/secondary definitions must be repeated on every switch that carries them. VTP version 3 does propagate private VLAN configuration.

PVLAN ports are configured to operate in one of two modes:

• Promiscuous - Port attaches to a router, firewall, default gateway, backup server, etc. It is mapped to the primary VLAN and to a set of secondary VLANs and can communicate with all hosts in them (isolated and community ports alike).
• Host - Port is associated with the primary VLAN and exactly one secondary VLAN. An isolated host port can communicate only with promiscuous ports; a community host port can communicate with promiscuous ports and with other host ports in the same community VLAN.
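The service provider scenario above, with one isolated VLAN for tenants that must see only the router and one community VLAN for a tenant whose two servers must see each other, as an added Cisco IOS configuration example. It is not part of the original video description; the VLAN numbers, interface names, subnet 192.0.2.0/24 and customer labels are constructed for illustration.

```cisco
! VTP v1/v2 do not carry PVLAN definitions: transparent mode is required
vtp mode transparent
!
! Primary VLAN 100 owns the single shared subnet (constructed: 192.0.2.0/24)
vlan 100
 private-vlan primary
 private-vlan association 101,201
!
! Secondary VLANs: one isolated VLAN, one community VLAN
vlan 101
 private-vlan isolated
vlan 201
 private-vlan community
!
! Promiscuous port: the uplink to the SP router serving 192.0.2.1/24.
! It is mapped to the primary VLAN and every secondary VLAN it must reach.
interface GigabitEthernet1/0/1
 description Uplink to SP router (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,201
!
! Isolated host ports: customers A and B can reach the router only,
! not each other, although both sit in VLAN 101 and the same subnet.
interface GigabitEthernet1/0/2
 description Customer A (isolated host)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/0/3
 description Customer B (isolated host)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community host ports: customer C's two servers reach the router and
! each other, but not customers A or B.
interface GigabitEthernet1/0/4
 description Customer C server 1 (community host)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 201
!
interface GigabitEthernet1/0/5
 description Customer C server 2 (community host)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 201
!
! Verification: confirm the primary/secondary pairing and each port's role
do show vlan private-vlan
do show interfaces GigabitEthernet1/0/2 switchport
```

`show vlan private-vlan` should list 100 as primary with 101 (isolated) and 201 (community), and each port under the secondary VLAN it was associated with. Two caveats a practitioner should check: the isolation is Layer 2 only, so a host on an isolated port can still address a frame to the router's MAC with another isolated host's IP as the destination, and the router will happily route it back out the same interface into the subnet; an inbound ACL on the router interface that denies 192.0.2.0/24 to 192.0.2.0/24 (or disabling proxy ARP) closes that path. And because VTP v1/v2 will not carry these VLANs, any trunk to another switch requires the same `vlan` definitions there, or the secondary VLANs will not exist on the far side.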
