We have updated our SSO (Single Sign On) - Login to all Zyxel Systems with a MyZyxel Account! Learn More!

Open Article
English Български Čeština Dansk Deutsch Español Suomi Français Magyar Italiano Nederlands Norsk Polski Română Русский Slovenčina svenska Türkçe

Private VLAN VLAN icon

Avatar
  • Updated
Back to top

[Standalone] Private VLAN: To provide a secure environment for each user in the same VLAN, we block traffic between users in the same VLAN. 

 

Background

Using 802.1Q tagged-based VLAN, we cannot block clients in the same VLAN communicate with each other

mceclip0.png

Take a look at this scenario. It blocks traffic from port 3/4/5 to achieve the security network environment for small business unit.

 

Workaround

Port isolation (L2 isolation)

  • Port 3-5 cannot communicate with each other
  • Port 3-5 can communicate with uplink port 24

We can enable port isolation on port 3/4/5. isolated ports (3-5) cannot communicate with each other. But they can communicate with uplink port 24 to access the Internet.

mceclip1.png

Problem with Port Isolation: If port 3-4 of a new VLAN 200 would like to communicate with each other, port isolation cannot make this.

 

Solution Privat VLAN:

Benefits of a Private VLAN are to provide a new method to block traffic between ports in the same VLAN. Users do not need to enable port isolation to achieve the goal, which is to secure the network at the site.

Users can specify which ports in the same VLAN are not to be isolated by adding them to the promiscuous port list.

The switch automatically adds other ports in this VLAN to be isolated ports and blocks traffics between the isolated ports.

The promiscuous ports can communicate with any ports in the same VLAN.

However, isolated ports can communicate with the promiscuous ports only.

 

So there two Port Rules for it:

  • Promiscuous Port = Can communicate with any ports in the same VLAN
  • Isolated Port = Can communicate with promiscuous port only in the same VLAN

mceclip2.png

How Does Private VLAN Work

  • Configure promiscuous port

mceclip3.png

Take a look of example; port 3/4/5/24 are configured to be members of VLAN 100. 

Port 24 is selected as a promiscuous port in Private VLAN ID: 100.

The switch automatically adds port 3/4/5 of VLAN100 to be isolated ports and blocks traffic between them.

 

How to Configure Private VLAN

  • Advanced Application > Private VLAN

mceclip4.png

Users configure a promiscuous port for a specific VLAN. So the rest ports of the same VLAN will become isolated ports.

 

 

VLAN (Virtual Local Area Network) basic configuration:

How to configure VLAN on Zyxel Switch [GS/XGS-Series]

GS1900: How to configure VLAN on Zyxel Switch

 

If you want to learn / know more about our VLAN design, please have a look here:

VLANs - Tagged VLANs vs. PVID (Setup Example Untagged/Tagged VLAN on a GS22XX-Switch)

VLANs - A deeper look at how they work

 

Setup Assistance, you´re looking for assisted configuration by our Professional Services Team? Please check here: Zyxel ConfigService Switch

 

https://support.zyxel.eu/hc/requests/new?ticket_form_id=114093996354
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Related articles

Comments

0 comments

Article is closed for comments.