Cisco Blogs

Private VLANs

- January 28, 2009 - 2 Comments

This can be a tough topic to understand, for sure. A Private VLAN is not a VLAN in the usual sense, and the usual VLAN rules do not all apply. A VLAN is a Layer 2 broadcast domain; a Private VLAN is still a Layer 2 construct, but what it really gives you is port isolation inside that domain. When I configure a Private VLAN I am basically telling the switch which ports are allowed to exchange frames with which other ports, regardless of what the bridge table says. A Private VLAN lets YOU, the network admin, dictate communication behavior.

Consider a hotel or apartment building where I want to provide Internet access for everyone BUT I do not want the tenants to see each other. With the plain VLAN model I would need a separate VLAN per tenant, a routed interface for each one, and all of the VLAN protocol overhead that goes with it. A better way is to define one common port for Internet access that every other port can reach, let's say port 1. On a 48-port switch, 42 of the remaining ports need only reach port 1 and nothing else, but the last 5 ports need to talk to each other because they are the door security system. A Private VLAN fits the bill here in a simple fashion: port 1 is the promiscuous port (the uplink everyone may talk to), ports 2-43 go into an isolated secondary VLAN so they can reach port 1 and that is it, and ports 44-48 go into a community secondary VLAN so the door controllers can talk to each other and to their server, but nothing else.

So the REAL question is, are they secure? Well, they can indeed isolate your ports in their own micro-segment. If a hacker cracks one device, he cannot use it as a jumping-off point to the rest of the subnet at Layer 2. Still, I caution folks when calling VLANs and Private VLANs a security feature. In my testing here in the code cave, I have noticed that a frame sent from a device on an isolated port to another device on another isolated port will not be forwarded by the switch. Works as planned, right? Very true, but a frame sent from that device to the MAC address of the default gateway will be passed through the switch, because the gateway sits behind the promiscuous port. If at the IP layer it is addressed to another isolated device, the gateway routes it right back down into the same subnet, and the isolation is bypassed.
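Here is how the hotel example above looks on a Catalyst switch running IOS. This is an added example, not configuration from the original post; the VLAN numbers (100 primary, 101 isolated, 102 community), the VLAN names, the interface names and the port ranges are assumptions chosen to match the 48-port layout described.

```cisco
! Private VLANs are not propagated by VTP v1/v2, so put the switch in
! transparent mode (or use VTP v3) before defining them.
vtp mode transparent
!
! Secondary VLANs must exist before they can be associated with the primary.
vlan 101
 name TENANTS
 private-vlan isolated
!
vlan 102
 name DOOR-SECURITY
 private-vlan community
!
vlan 100
 name HOTEL-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! Port 1: the Internet uplink. A promiscuous port can reach every host in the
! secondary VLANs it is mapped to, and every one of those hosts can reach it.
interface GigabitEthernet0/1
 description Internet uplink / default gateway
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Ports 2-43: tenants. Isolated hosts can talk only to promiscuous ports,
! never to each other, even though they all share one IP subnet.
interface range GigabitEthernet0/2 - 43
 description Tenant
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Ports 44-48: door controllers and their server. Community hosts can talk to
! each other and to promiscuous ports, but not to the isolated tenants.
interface range GigabitEthernet0/44 - 48
 description Door security system
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Verify: each host port should show its primary/secondary pair.
! show vlan private-vlan
! show interfaces GigabitEthernet0/2 switchport
```

Two tenants on ports 2 and 3 now share a subnet and a gateway but cannot exchange a single frame directly; that is the whole point. Notice, though, that nothing in this configuration stops a tenant from addressing a frame to the gateway's MAC with a neighbour's IP address in it, which is the weakness discussed next.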
I always recommend access lists on the gateway to protect against this behavior: deny traffic whose source and destination are both inside the Private VLAN's subnet, and the bounced packets die at the router instead of landing on the neighbour. I love 'em and use them often; I just know they are part of my security tool chest and not the be-all and end-all. Of course, in security, what is?

Summing it up:

- Private VLANs: are configured per switch (they can be carried across trunks to other switches, but every switch involved needs the same Private VLAN definitions).
- VLANs: can span the entire network.
- Private VLANs: allow only data traffic to and from the mapped ports.
- VLANs: allow maintenance protocols per VLAN like NTP, VTP, ICMP, etc.
- Private VLANs: have specific uses like service providers, hotels, and DMZs.
- VLANs: are used for applications like wireless, voice, political boundaries, etc.

Jimmy Ray Purser
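The access list the post recommends, written out as an added example (it is not from the original post). It assumes the gateway is an SVI on the same Catalyst switch, with VLAN 100 as the primary Private VLAN mapped to secondary VLANs 101 and 102, the tenants in 192.0.2.0/24 and the gateway at 192.0.2.1; all of those numbers and the ACL name are assumptions. If the gateway is a separate router hanging off the promiscuous port, the same ACL goes inbound on that router's LAN interface instead.

```cisco
! A frame from an isolated tenant addressed to the gateway's MAC is legitimate
! Layer 2 traffic, so the switch forwards it. If the IP destination is another
! tenant, the gateway would route it straight back into the subnet and undo the
! isolation. Drop that case where the routing decision is made: at the gateway.
ip access-list extended PVLAN-NO-INTRA-SUBNET
 remark Hosts may still talk to the gateway itself
 permit ip 192.0.2.0 0.0.0.255 host 192.0.2.1
 remark Anything sourced from the subnet and destined back into it is a bounce
 deny   ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
 remark Everything else (traffic bound for the Internet) is fine
 permit ip any any
!
interface Vlan100
 description Gateway for the hotel Private VLAN
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 101,102
 ip access-group PVLAN-NO-INTRA-SUBNET in
!
! After a tenant tries to reach a neighbour through the gateway, the deny line's
! hit counter climbs:
! show ip access-lists PVLAN-NO-INTRA-SUBNET
```

The ordering matters: the explicit permit to the gateway address comes first so that tenants can still ping, DHCP-renew against, or otherwise reach their default gateway, and the deny only catches packets that would otherwise be routed back out the same interface. Community hosts (the door system) are unaffected because they already talk to each other at Layer 2 and never need the gateway for that.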



  1. This is what I was looking for. Thanks for explaining it to me like a human. I read bunches of Cisco Press books and they explain like C-3PO. (Is Cisco really the human network?)

  2. I would like to add clarification on the comparison of Private VLANs and Port Isolation. The two have similar behavior in a non-trunked, untagged environment (even to the point of Private VLANs being billed as Port Isolation or a Protected Port) but are actually quite functionally different. Port Isolation is an egress check based on the source port ID, an internal tag specific to the network ASIC. If a source port ID is not allowed, the frame will not be allowed to egress.

     Private VLANs are 2 or more VLANs sharing a common MAC table, utilizing either VLAN transformation or egress untag behavior to give the appearance of the same VLAN. Essentially, downstream traffic is on the primary VLAN and upstream traffic is on the secondary VLAN.

     For example, on an ME3400, port 1 is a promiscuous port and 2, 3, 4 are isolated ports, each utilizing a unique secondary VLAN ID. Traffic ingressing from port 1 has the internal VID of the primary VLAN. Since the primary VLAN also learns the MACs of the secondary VLANs, frames are forwarded to the correct port based on unicast destination. At egress the primary VLAN tag is stripped and the frame egresses untagged. This gives the appearance of downstream traffic being on the same VLAN. The same is true for ingress from an isolated port (i.e. port 2). The internal VLAN is the secondary VLAN ID. Since the secondary VLAN also has MACs learned from the primary VLAN, the frame is forwarded based on destination unicast MAC, then egresses untagged. This gives the appearance of upstream traffic appearing on the same VLAN.

     This is the simplest example (and does not involve VLAN transformation), but should explain the functional difference. Additionally, it is this exact behavior that allows Private VLANs to be trunked between different Cisco switches. So two 48-port switches could conceivably be chained together and have a common behavior.

     Also, kudos on the security comment about Private VLANs and routing through the same interface on the router.