PVLAN introduction

A PVLAN (private VLAN) is an extension of a regular VLAN to help restrict traffic between users on the same VLAN.

The "private" in private VLAN refers to the restriction of the switch ports in the VLAN, called "private ports." Ports in a PVLAN can communicate only with a specified uplink port and with specified ports within the same VLAN.

A PVLAN consists of a regular VLAN that is partitioned into primary and secondary VLANs. The partitioned regular VLAN becomes the primary VLAN. Secondary VLANs are associated with the primary VLAN, have unique VLAN IDs, and have different types—isolated and community—that determine how and to where packets can be forwarded.

Private VLANs and regular VLANs can coexist on the same switch.

Typical uses for PVLANs include the following:

  • Shared environments in which ports can be isolated from each other at the data link layer (for security, performance, or other reasons), while belonging to the same IP subnet. For example:

    • Hotels in which each room has a port for Internet access.

    • Networks configured to allow onsite access to vendors or contractors while keeping them isolated from the rest of the customer network.

    • ISP colocation in a data center.

  • IP address conservation and efficient IP address assignment. Hosts in secondary VLANs remain in a separate broadcast domain, but belong to the same IP subnet. Hosts in secondary VLANs are assigned IP addresses based on the IP subnets associated with the primary VLAN.

  • Backup networks, in which the backup server is in a PVLAN, and all the hosts using the backup server are configured on isolated secondary VLANs.
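The forwarding rules described above (secondary hosts reach the uplink; community hosts also reach their own community; isolated hosts reach nothing else), as an added model that is not part of the original page or any vendor's implementation. It assumes the term "promiscuous" for the uplink port and uses a constructed hotel-style port layout; `can_forward` and `reachability` are hypothetical helper names.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of PVLAN layer-2 forwarding, not any switch vendor's code.
# Each port belongs to one primary VLAN and has a role:
#   "promiscuous" : the uplink port (router, backup server, ...)
#   "isolated"    : member of an isolated secondary VLAN
#   "community"   : member of a community secondary VLAN (identified by id)

@dataclass(frozen=True)
class Port:
    name: str
    primary: int                    # primary VLAN id
    role: str                       # "promiscuous" | "isolated" | "community"
    secondary: Optional[int] = None # secondary VLAN id (None for promiscuous)

def can_forward(src: Port, dst: Port) -> bool:
    """Return True if a frame from src may be delivered to dst at layer 2."""
    if src is dst:
        return False
    if src.primary != dst.primary:
        return False   # different primary VLANs never talk at layer 2
    if src.role == "promiscuous" or dst.role == "promiscuous":
        return True    # the uplink reaches, and is reached by, every port
    if src.role == "community" and dst.role == "community":
        return src.secondary == dst.secondary   # same community only
    return False       # isolated ports, or different secondary VLANs

def reachability(ports: List[Port]) -> Dict[str, List[str]]:
    """Map each port name to the sorted names of the ports it can reach."""
    return {p.name: sorted(q.name for q in ports if can_forward(p, q))
            for p in ports}

# Constructed example: one uplink, two guest rooms on an isolated VLAN (101)
# and two staff ports on a community VLAN (102), all under primary VLAN 100.
PORTS = [
    Port("uplink", 100, "promiscuous"),
    Port("room1", 100, "isolated", 101),
    Port("room2", 100, "isolated", 101),
    Port("staff1", 100, "community", 102),
    Port("staff2", 100, "community", 102),
]

if __name__ == "__main__":
    for name, reach in reachability(PORTS).items():
        print(f"{name:7} -> {', '.join(reach) or '(none)'}")
```

Auditing a switch's PVLAN configuration against a matrix like this is a quick way to confirm that guest ports really cannot reach each other.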