Private VLAN
Encyclopedia
A private VLAN is a technique in computer networking where a VLAN
contains switch
ports that are restricted, such that they can only communicate with a given "uplink". The restricted ports are called "private ports". Each private VLAN typically contains many private ports, and a single uplink. The uplink will typically be a port (or link aggregation
group) connected to a router, firewall
, server
, provider
network, or similar central resource.
The switch forwards all frames received on a private port out the uplink port, regardless of VLAN ID or destination MAC address
. Frames received on an uplink port are forwarded in the normal way (i.e., to the port hosting the destination MAC address, or to all VLAN ports for unknown destinations or broadcast frames). "Peer-to-peer
" traffic is blocked. Note that while private VLANs provide isolation at the data link layer, communication at higher layers may still be possible.
A typical application for a private VLAN is a hotel or Ethernet to the home network where each room or apartment has a port for Internet access
. Similar port isolation is used in Ethernet-based ADSL DSLAMs. Allowing direct data link layer
communication between customer nodes would expose the local network to various security attacks, such as ARP spoofing
, as well as increasing the potential for damage due to misconfiguration.
Another application of private VLANs is to simplify IP
address assignment. Ports can be isolated from each other at the data link layer (for security, performance, or other reasons), while belonging to the same IP subnet
. In such a case direct communication between the IP hosts on the protected ports is only possible through the uplink connection by using MAC-Forced Forwarding
or a similar Proxy ARP
based solution.
Virtual LAN
A virtual local area network, virtual LAN or VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location...
contains switch
Network switch
A network switch or switching hub is a computer networking device that connects network segments.The term commonly refers to a multi-port network bridge that processes and routes data at the data link layer of the OSI model...
ports that are restricted, such that they can only communicate with a given "uplink". The restricted ports are called "private ports". Each private VLAN typically contains many private ports, and a single uplink. The uplink will typically be a port (or link aggregation
Link aggregation
Link aggregation or trunking or link bundling or Ethernet/network/NIC bonding or NIC teaming are computer networking umbrella terms to describe various methods of combining multiple network connections in parallel to increase throughput beyond what a single connection could sustain, and to provide...
group) connected to a router, firewall
Firewall (computing)
A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass....
, server
Server (computing)
In the context of client-server architecture, a server is a computer program running to serve the requests of other programs, the "clients". Thus, the "server" performs some computational task on behalf of "clients"...
, provider
Internet service provider
An Internet service provider is a company that provides access to the Internet. Access ISPs directly connect customers to the Internet using copper wires, wireless or fiber-optic connections. Hosting ISPs lease server space for smaller businesses and host other people servers...
network, or similar central resource.
The switch forwards all frames received on a private port out the uplink port, regardless of VLAN ID or destination MAC address
MAC address
A Media Access Control address is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used for numerous network technologies and most IEEE 802 network technologies, including Ethernet...
. Frames received on an uplink port are forwarded in the normal way (i.e., to the port hosting the destination MAC address, or to all VLAN ports for unknown destinations or broadcast frames). "Peer-to-peer
Peer-to-peer
Peer-to-peer computing or networking is a distributed application architecture that partitions tasks or workloads among peers. Peers are equally privileged, equipotent participants in the application...
" traffic is blocked. Note that while private VLANs provide isolation at the data link layer, communication at higher layers may still be possible.
A typical application for a private VLAN is a hotel or Ethernet to the home network where each room or apartment has a port for Internet access
Internet access
Many technologies and service plans for Internet access allow customers to connect to the Internet.Consumer use first became popular through dial-up connections in the 20th century....
. Similar port isolation is used in Ethernet-based ADSL DSLAMs. Allowing direct data link layer
Data link layer
The data link layer is layer 2 of the seven-layer OSI model of computer networking. It corresponds to, or is part of the link layer of the TCP/IP reference model....
communication between customer nodes would expose the local network to various security attacks, such as ARP spoofing
ARP spoofing
ARP spoofing, also known as ARP cache poisoning or ARP poison routing , is a technique used to attack a local-area network . ARP spoofing may allow an attacker to intercept data frames on a LAN, modify the traffic, or stop the traffic altogether...
, as well as increasing the potential for damage due to misconfiguration.
Another application of private VLANs is to simplify IP
Internet Protocol
The Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...
address assignment. Ports can be isolated from each other at the data link layer (for security, performance, or other reasons), while belonging to the same IP subnet
Subnetwork
A subnetwork, or subnet, is a logically visible subdivision of an IP network. The practice of dividing a network into subnetworks is called subnetting....
. In such a case direct communication between the IP hosts on the protected ports is only possible through the uplink connection by using MAC-Forced Forwarding
MAC-Forced Forwarding
MAC-Forced Forwarding is used to control unwanted broadcast traffic and host-to-host communication. This is achieved by directing network traffic from hosts located on the same subnet but at different locations to an upstream gateway device...
or a similar Proxy ARP
Proxy ARP
Proxy ARP is a technique by which a device on a given network answers the ARP queries for a network address that is not on that network...
based solution.
Related Requests For Comments
- RFC 5517 – Cisco Systems' Private VLANs: Scalable Security in a Multi-Client Environment