Confused about what a Private VLAN is, as compared to a “normal” VLAN? Hopefully this article will make it all clear.
Why do we need Private VLANs?
VLANs are used to segregate the network. Let’s say you have a simple network where you have split off your backend server network from your end user computing network. Let’s say you have all of your servers on a class C subnet 192.168.1.0 and all of your end user computers on 192.168.2.0. These may be separate physical network switches, but more likely than not they will run on the same physical switch stack and be separated by the use of VLANs.
Now all of the servers on the server VLAN can talk to all of the other servers on the server VLAN. What happens if someone or something compromises one of your servers? That server then has access to all of the other servers on that VLAN.
Wouldn’t it be better if the servers on the server VLAN could only communicate with the other servers that they need to?
Yes, I hear you say, and yes, we could give each server its own VLAN. But there is a limit on the number of VLANs you can have, which is 4096; some network switches support a much lower limit, such as 256.
Along comes PVLANs
What is a PVLAN?
PVLANs are a way of “chopping” up a VLAN into smaller chunks which may or may not be able to talk to other devices within the same VLAN/PVLAN.
There are 3 types of PVLAN:
- Primary Promiscuous PVLAN
- Secondary Isolated PVLAN
- Secondary Community PVLAN
You start off with the source VLAN which becomes the Primary Promiscuous PVLAN and then you can create a number of Secondary PVLANs, either Isolated or Community.
Devices in an Isolated PVLAN can ONLY communicate with devices in the Primary Promiscuous PVLAN. They CANNOT communicate with other devices, even if they are on the same Isolated PVLAN.
Devices in a Community PVLAN can communicate with other devices in the same Community PVLAN and the devices on the Primary Promiscuous PVLAN.
Examples of PVLAN Use
Some examples of where PVLANs can be useful are:
- End User Computing. When the end user computers are connected to an Isolated PVLAN, this secures each end user device so that it cannot communicate with other end user devices. This would be a good idea for a public WiFi service, where the gateway out to the internet is on the Primary Promiscuous PVLAN and each device connected to the WiFi is on an Isolated PVLAN, so that they cannot communicate with other customers’ devices.
- Backup Network. The backup server would be implemented on the Primary PVLAN, with each device needing to be backed up on an Isolated PVLAN, as they only need to be able to communicate with the backup server across the backup network and not with the other devices on the backup network.
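To make the forwarding rules above concrete, here is an added Python model (not part of the original article, and not any switch vendor’s code) that encodes the three PVLAN port types and answers “which ports can this host send frames to?” It is run against the two use cases just described (a public WiFi with isolated customers, and a server farm mixing a community and an isolated secondary) and against the same servers on a flat VLAN, so you can see how much a single compromised host can reach in each case. The port names and the PVLAN ids 100, 101 and 102 are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # port in the primary PVLAN (gateway, backup server)
    ISOLATED = "isolated"        # host port in a secondary isolated PVLAN
    COMMUNITY = "community"      # host port in a secondary community PVLAN


@dataclass(frozen=True)
class Port:
    name: str
    kind: PortType
    primary: int                     # primary PVLAN the port belongs to
    secondary: Optional[int] = None  # secondary PVLAN id; None for promiscuous ports


def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame from src may be delivered to dst under PVLAN rules."""
    if src == dst or src.primary != dst.primary:
        return False  # ordinary VLAN separation still applies between primaries
    if PortType.PROMISCUOUS in (src.kind, dst.kind):
        return True   # promiscuous ports talk to every port in their primary
    if src.kind == PortType.COMMUNITY and dst.kind == PortType.COMMUNITY:
        return src.secondary == dst.secondary  # only within the same community
    return False      # isolated-to-isolated, isolated-to-community, cross-community


def reachable_from(ports, src_name: str) -> set:
    """Names of the ports a single (possibly compromised) host can send frames to."""
    by_name = {p.name: p for p in ports}
    src = by_name[src_name]
    return {p.name for p in ports if can_forward(src, p)}


# Constructed sample topologies (ids and names are illustrative, not from the article).
# Primary PVLAN 100, isolated secondary 101, community secondary 102.
PUBLIC_WIFI = [
    Port("gateway", PortType.PROMISCUOUS, 100),
    Port("customer-a", PortType.ISOLATED, 100, 101),
    Port("customer-b", PortType.ISOLATED, 100, 101),
]

SERVER_FARM = [
    Port("router", PortType.PROMISCUOUS, 100),
    Port("web-1", PortType.COMMUNITY, 100, 102),   # web tier may talk among itself
    Port("web-2", PortType.COMMUNITY, 100, 102),
    Port("db-1", PortType.ISOLATED, 100, 101),     # database only needs the router
]

# The same four servers on a plain VLAN: every port behaves as promiscuous.
FLAT_VLAN = [Port(p.name, PortType.PROMISCUOUS, 100) for p in SERVER_FARM]


if __name__ == "__main__":
    for label, ports in (("public wifi", PUBLIC_WIFI),
                         ("server farm", SERVER_FARM),
                         ("flat vlan", FLAT_VLAN)):
        print(f"== {label} ==")
        for p in ports:
            print(f"{p.name:>11} -> {sorted(reachable_from(ports, p.name))}")
```

Running the script prints the reachability from each port; the useful comparison is `db-1`, which reaches only the router in the server farm but every other server on the flat VLAN. Note that the model only covers Layer 2 forwarding on one switch: a promiscuous router that forwards between hosts at Layer 3 would undo the isolation unless it is also filtered.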