The main purpose of a Private VLAN (PVLAN) is to provide the ability to isolate hosts at Layer 2 instead of Layer 3. As you know, a VLAN is a broadcast domain; by using PVLANs we split that domain into several smaller broadcast domains. For example, without PVLANs, a service provider that wants to increase security by isolating customers into separate domains so that they can’t access each other has to assign them to different VLANs and use different subnets. This results in wasted IP addresses and difficult VLAN management. Private VLANs (PVLANs) solve this problem by allowing the isolation of devices at Layer 2 within the same subnet. A PVLAN can be thought of as a “VLAN inside a VLAN”.
There are three types of ports in a PVLAN:
1. Isolated – can only communicate with promiscuous ports. Notice that it cannot even communicate with another isolated port. Also, there can be only one isolated VLAN per PVLAN.
2. Promiscuous – can communicate with all other ports. The default gateway is usually connected to this port so that all devices in the PVLAN can reach the outside.
3. Community – can communicate with other members of the same community and with promiscuous ports, but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.