PVLAN Overview
To isolate users from one another while still letting them reach shared public resources, one VLAN usually has to be created per user. However, only 4094 VLANs are available, so when the number of users exceeds the number of VLANs, the VLAN count becomes a bottleneck. In addition, a large number of VLANs is difficult to configure, manage, and maintain. Private VLAN (PVLAN) was introduced to address this requirement. It provides a flexible VLAN configuration mode in which VLAN and IP address resources can be allocated and used sensibly, simplifying network configuration.
In a PVLAN, a two-layer VLAN structure is used, that is, primary VLAN and secondary VLAN. Primary VLANs are usually connected to upstream devices, and secondary VLANs are usually connected to downstream devices. According to layer-2 forwarding rules, secondary VLANs are categorized into the following two types:
- Isolated VLAN: The member ports in an isolated VLAN are isolated from each other at layer 2, and the member ports of different isolated VLANs are also isolated from each other. To isolate users, you only need to add the ports to which the users are connected to isolated VLANs.
- Community VLAN: The forwarding rules of a community VLAN are the same as those of a common VLAN. The member ports in the same community VLAN can communicate with each other at layer 2, while they are isolated from member ports in other community VLANs or in isolated VLANs.
After a primary VLAN sets up an association relation with secondary VLANs, the member ports in the secondary VLANs can communicate with the member ports in the primary VLAN at layer 2, and the member ports in the secondary VLANs can communicate with external devices at layer 3 through the VLAN interface of the primary VLAN.
PVLANs have two special port link types, Promiscuous and Host. Promiscuous ports can only be added into primary VLANs, and Host ports can only be added into secondary VLANs. The Host ports that are added into community VLANs are also called community ports, and the Host ports that are added into isolated VLANs are also called isolated ports.
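To make the forwarding rules above concrete, here is an added Python model of PVLAN layer-2 reachability that is not part of the original documentation and not any vendor's implementation; the VLAN ids, port names and the association table are constructed. It answers, for any two ports, whether a frame may be forwarded between them, and lists every pair of host ports that can reach each other, which is the set an operator audits to confirm that isolation is configured as intended.

```python
from dataclasses import dataclass
from itertools import combinations

PROMISCUOUS, COMMUNITY, ISOLATED = "promiscuous", "community", "isolated"


@dataclass(frozen=True)
class Port:
    name: str
    role: str  # PROMISCUOUS, COMMUNITY or ISOLATED (the port's link type)
    vlan: int  # primary VLAN id for a promiscuous port, secondary VLAN id otherwise


def l2_reachable(a: Port, b: Port, assoc: dict[int, int]) -> bool:
    """True if a frame entering on port a may be forwarded out of port b at layer 2.

    assoc maps each secondary VLAN id to the primary VLAN it is associated with.
    """
    if a == b:
        return False
    if a.role == PROMISCUOUS and b.role == PROMISCUOUS:
        return a.vlan == b.vlan                 # both in the same primary VLAN
    if a.role == PROMISCUOUS:
        return assoc.get(b.vlan) == a.vlan      # host port in an associated secondary VLAN
    if b.role == PROMISCUOUS:
        return assoc.get(a.vlan) == b.vlan
    # Two host ports: only members of the same community VLAN may talk to each other;
    # an isolated port never reaches another host port, even in its own isolated VLAN.
    return a.role == COMMUNITY == b.role and a.vlan == b.vlan


def host_port_pairs(ports: list[Port], assoc: dict[int, int]) -> set[frozenset[str]]:
    """Every pair of host ports that can reach each other at layer 2."""
    hosts = [p for p in ports if p.role != PROMISCUOUS]
    return {frozenset((a.name, b.name))
            for a, b in combinations(hosts, 2) if l2_reachable(a, b, assoc)}


# Constructed topology: primary VLAN 100 associated with community VLAN 101
# and isolated VLAN 102; one promiscuous uplink, two community ports, two isolated ports.
ASSOC = {101: 100, 102: 100}
UPLINK = Port("gi0/1", PROMISCUOUS, 100)
PORTS = [UPLINK,
         Port("gi0/2", COMMUNITY, 101), Port("gi0/3", COMMUNITY, 101),
         Port("gi0/4", ISOLATED, 102), Port("gi0/5", ISOLATED, 102)]

if __name__ == "__main__":
    for p in PORTS[1:]:
        print(f"{p.name} ({p.role}) -> uplink: {l2_reachable(p, UPLINK, ASSOC)}")
    print("host ports that can reach each other:", host_port_pairs(PORTS, ASSOC))
```

With this topology only the two community ports appear in the audited set; every host port still reaches the promiscuous uplink, and a promiscuous port in a primary VLAN that the secondary VLAN is not associated with reaches nothing in it.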