What is a private VLAN?

A private VLAN is a security concept used primarily in data centers or server farms where servers belonging to different organizations are connected to the same switching infrastructure.

There may be a situation where Team A places two servers, Team B another two servers, and Team C one server, all in the same physical data center space. Obviously, Team A would want to isolate its network traffic from the other teams, and vice versa. This improves security and privacy.

At this point we may realize that, to fulfill this requirement, we can create three VLANs on the switch connected to the three teams' devices. For communication purposes, each VLAN has to be associated with a subnet. But if instead of three there were a hundred such VLAN requirements, we would need to accommodate a hundred subnets, which in most cases causes a scalability issue.

Hence, to fulfill the requirement, we can use private VLANs, where all the users connected to a group of switches are placed under a single VLAN. The isolation then happens within that single VLAN, which addresses the scalability problem of using multiple subnets.

Private VLANs are built from two VLAN types:

  • Primary VLAN
  • Secondary VLAN

In private VLANs, we also come across three port types:

  • Promiscuous
  • Community
  • Isolated

Generally, the primary VLAN is associated with the promiscuous port, and the secondary VLANs are used for community and isolated ports. Let's break it down.

The primary VLAN is the single VLAN that maps a group of ports under one private VLAN domain. Multiple secondary VLANs can be associated with the primary VLAN. The point to note is that only the primary VLAN is visible to the external world for operations such as inter-VLAN routing.

Secondary VLANs can be created for community ports and isolated ports. So what are the functions of these ports? Community ports can talk to the other ports in their own community as well as to the promiscuous port, but not to isolated ports. Isolated ports can only communicate with the promiscuous port. Promiscuous ports can communicate with all ports.

Let's explain that with an illustration:

In this example, we can see that the data center switch connects the servers of three different organizations, namely Cisco, HP, and Microsoft.

Since Cisco and Microsoft have two servers each, they would like two community VLANs, so that the Cisco servers can talk to each other while avoiding communication with the other servers. We can expect a similar requirement for the Microsoft servers.

Since HP has a single server, there is no need for it to talk to other servers. Hence HP's server can be placed in an isolated VLAN so that it can only communicate with the promiscuous port.

As all the users need to reach the external world through the default gateway, the switch port connected to the router should be configured as the promiscuous port, a member of the primary VLAN.
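As an added example (not part of the original text), here is how the topology above could be configured on a Cisco IOS switch; the VLAN IDs 100 to 103, the VLAN names and the interface numbers are assumptions, and the comments mark which port type each block implements.

```cisco
! Private VLANs require VTP transparent mode on platforms running VTP v1/v2.
vtp mode transparent
!
! Secondary VLANs first: one community per two-server tenant, one isolated VLAN for HP.
vlan 101
 name CISCO-COMMUNITY
 private-vlan community
vlan 102
 name MICROSOFT-COMMUNITY
 private-vlan community
vlan 103
 name HP-ISOLATED
 private-vlan isolated
!
! The primary VLAN ties the secondaries into one private VLAN domain (one subnet).
vlan 100
 name DC-PRIMARY
 private-vlan primary
 private-vlan association 101,102,103
!
! Cisco servers: community ports in VLAN 101 (reach each other and the router only).
interface range GigabitEthernet1/0/1 - 2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Microsoft servers: community ports in VLAN 102.
interface range GigabitEthernet1/0/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! HP server: isolated port, reaches only the promiscuous port.
interface GigabitEthernet1/0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 103
!
! Router / default gateway: promiscuous port mapped to every secondary VLAN.
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102,103
```

Verify with `show vlan private-vlan` and `show interfaces GigabitEthernet1/0/24 switchport`: the promiscuous port's mapping should list all three secondary VLANs, and each host port should show its primary/secondary association.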
