[Stand-alone] Private VLAN: To provide a secure environment for each user in the same VLAN, we block traffic between users in the same VLAN. This article explains how to configure a Private VLAN in our L2+ / Layer 3 switches. Private VLANs are used to block traffic between ports in the same VLAN.
Background
With a standard 802.1Q tag-based VLAN, clients in the same VLAN can always communicate with each other; the VLAN itself offers no way to block that traffic.
Consider the following scenario: the goal is to block traffic between ports 3, 4 and 5 to provide a secure network environment for a small business unit.
Workaround
Port isolation (L2 isolation)
- Port 3-5 cannot communicate with each other
- Port 3-5 can communicate with uplink port 24
We can enable port isolation on ports 3, 4 and 5. Isolated ports (3-5) cannot communicate with each other, but they can still communicate with uplink port 24 to reach the Internet.
Problem with port isolation: isolation is a property of the port, not of a VLAN. If ports 3 and 4 are also members of a new VLAN 200 and need to communicate with each other there, port isolation cannot allow this.
Solution: Private VLAN
A Private VLAN provides a different method to block traffic between ports in the same VLAN. Users do not need to enable port isolation to achieve the goal, which is to secure the network at the site.
Users can specify which ports in the same VLAN are not to be isolated by adding them to the promiscuous port list.
The switch automatically makes all other ports in this VLAN isolated ports and blocks traffic between the isolated ports.
The promiscuous ports can communicate with any port in the same VLAN.
Isolated ports, however, can communicate with the promiscuous ports only.
So there are two port rules:
- Promiscuous port = can communicate with any port in the same VLAN
- Isolated port = can communicate with promiscuous ports only, within the same VLAN
How Does Private VLAN Work
- Configure promiscuous port
Consider the following example: ports 3, 4, 5 and 24 are configured as members of VLAN 100.
Port 24 is selected as the promiscuous port in Private VLAN ID 100.
The switch automatically makes ports 3, 4 and 5 of VLAN 100 isolated ports and blocks traffic between them.
1) Configure Private VLAN
Navigate to:
Old GUI:
Advanced Application > Private VLAN
New GUI:
SWITCHING > Private VLAN
2) Private VLAN Modes
Normal: These are ports in a static VLAN. This is not a private VLAN.
Promiscuous: Ports in a Primary VLAN are promiscuous. They can communicate with all ports in the Primary VLAN and in its associated Community and Isolated VLANs. They cannot communicate with promiscuous ports in different Primary VLANs.
Isolated: Ports in an Isolated VLAN can communicate with promiscuous ports in the associated Primary VLAN only. They cannot communicate with other isolated ports in the same Isolated VLAN, with promiscuous ports of a non-associated Primary VLAN, nor with any Community ports.
Community: Ports in a Community VLAN can communicate with promiscuous ports in the associated Primary VLAN and with other community ports in the same Community VLAN. They cannot communicate with ports in an Isolated VLAN, with promiscuous ports of a non-associated Primary VLAN, nor with community ports in a different Community VLAN.
Users configure a promiscuous port for a specific VLAN; the remaining ports of that VLAN then become isolated ports.
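The four modes above and the two port rules from the earlier section together form a small forwarding matrix. As an added illustration (this is a model written for this article, not Zyxel code and not the switch's actual forwarding logic), the following Python snippet encodes those rules and evaluates them for the article's scenario: VLAN 100 with port 24 promiscuous and ports 3, 4 and 5 isolated. The secondary VLAN IDs 101, 102 and 103 and the community ports 6, 7 and 8 are constructed for the example and are not part of the article; a Normal port is modelled as talking only to other Normal ports in the same VLAN, which is an assumption of the model.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Mode(Enum):
    NORMAL = "normal"            # ordinary static VLAN port, not part of a private VLAN
    PROMISCUOUS = "promiscuous"  # primary VLAN port, reaches every port of the private VLAN
    ISOLATED = "isolated"        # reaches promiscuous ports of its primary VLAN only
    COMMUNITY = "community"      # reaches promiscuous ports and its own community


@dataclass(frozen=True)
class Port:
    number: int
    vlan: int                              # primary VLAN id (plain VLAN id for a normal port)
    mode: Mode
    secondary_vlan: Optional[int] = None   # isolated/community VLAN id; None for normal/promiscuous


def can_forward(src: Port, dst: Port) -> bool:
    """Return True if a frame from src may be delivered to dst under the
    private VLAN rules described in the article."""
    # Normal ports behave like an ordinary 802.1Q VLAN: same VLAN, no restriction.
    # Modelling assumption: a normal port is only ever compared with other normal ports.
    if src.mode is Mode.NORMAL or dst.mode is Mode.NORMAL:
        return src.mode is dst.mode and src.vlan == dst.vlan
    # Every private VLAN rule is scoped to one primary VLAN; nothing crosses primaries.
    if src.vlan != dst.vlan:
        return False
    # A promiscuous port talks to all ports in its primary VLAN and in the
    # isolated/community VLANs associated with it (in both directions).
    if Mode.PROMISCUOUS in (src.mode, dst.mode):
        return True
    # Two community ports talk only inside the same community VLAN.
    if src.mode is Mode.COMMUNITY and dst.mode is Mode.COMMUNITY:
        return src.secondary_vlan == dst.secondary_vlan
    # Isolated<->isolated and isolated<->community are blocked.
    return False


def reachability(ports):
    """Map every ordered (src, dst) port-number pair to whether traffic is allowed."""
    return {(a.number, b.number): can_forward(a, b)
            for a in ports for b in ports if a is not b}


# Constructed scenario from the article: VLAN 100, port 24 promiscuous, ports 3/4/5 isolated.
# Secondary VLAN id 101 for the isolated VLAN is an assumption of this example.
ARTICLE_PORTS = [
    Port(24, 100, Mode.PROMISCUOUS),
    Port(3, 100, Mode.ISOLATED, 101),
    Port(4, 100, Mode.ISOLATED, 101),
    Port(5, 100, Mode.ISOLATED, 101),
]

# Constructed extension: two community VLANs (102 and 103) under the same primary VLAN.
COMMUNITY_PORTS = ARTICLE_PORTS + [
    Port(6, 100, Mode.COMMUNITY, 102),
    Port(7, 100, Mode.COMMUNITY, 102),
    Port(8, 100, Mode.COMMUNITY, 103),
]

if __name__ == "__main__":
    for (a, b), ok in sorted(reachability(COMMUNITY_PORTS).items()):
        print(f"port {a:>2} -> port {b:>2}: {'allowed' if ok else 'blocked'}")
```

Running the block prints the full matrix; the isolated ports 3, 4 and 5 reach only port 24, which is exactly the result port isolation gave earlier, while the community ports show the extra case port isolation cannot express: ports 6 and 7 reach each other but not port 8 or the isolated ports.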
3) Configure Associated VLAN
Enter the VLAN ID of a previously created VLAN here.
Note: the VLAN ID and mode selected here must match the VLAN ID and VLAN type created in
SWITCHING > VLAN > VLAN Setup > Static VLAN
VLAN (Virtual Local Area Network) basic configuration:
How to configure VLAN on Zyxel Switch [GS/XGS-Series]
GS1900: How to configure VLAN on Zyxel Switch
If you want to learn more about our VLAN design, please have a look here:
VLANs - Tagged VLANs vs. PVID (Setup Example Untagged/Tagged VLAN on a GS22XX-Switch)
VLANs - A deeper look at how they work
Setup assistance: are you looking for assisted configuration by our Professional Services Team? Please check here: Zyxel ConfigService Switch