A Virtual Local Area Network (VLAN) allows you to logically segment a Local Area Network (LAN) into different broadcast domains. In scenarios where sensitive data may be broadcast on a network, VLANs can be created to enhance security by confining broadcasts to a specific VLAN. Only users that belong to a VLAN are able to access and manipulate the data on that VLAN. VLANs can also be used to enhance performance by reducing the need to send broadcasts and multicasts to unnecessary destinations.
A Private VLAN provides layer-2 isolation between ports. This means that at the level of bridging traffic, as opposed to IP routing, ports that share the same broadcast domain cannot communicate with each other. The ports in a private VLAN can be located anywhere in the layer 2 network, which means they do not have to be on the same switch. The private VLAN is designed to receive untagged or priority-tagged traffic and transmit untagged traffic.
The following types of ports can be members in a private VLAN:
Promiscuous — A promiscuous port can communicate with all ports of the same private VLAN. These ports connect servers and routers.
Community (host) — Community ports define a group of ports that are members of the same Layer 2 domain. They are isolated at Layer 2 from other communities and from isolated ports. These ports connect host ports.
Isolated (host) — An isolated port has complete Layer 2 isolation from the other isolated and community ports within the same private VLAN. These ports connect host ports.
Host traffic is sent on isolated and community VLANs, while server and router traffic is sent on the primary VLAN.
This article provides instructions on how to configure private VLAN settings on a switch.
1.4.7.05 — Sx300, Sx500
184.108.40.206 — Sx350, SG350X, Sx550X
Configure Private VLAN Settings on a Switch
Important: Before proceeding with the steps below, make sure VLANs have been configured on the switch. To learn how to configure VLAN settings on your switch, click here for instructions.
Step 1. Log in to the web-based utility and choose Advanced from the Display Mode drop-down list.
Note: If you have an Sx300 or Sx500 Series switch, skip to Step 2.
Note: The available menu options may vary depending on the switch that you have. In this example, an SG350X switch is used.
Step 3. Click the Add button.
Step 4. In the Primary VLAN ID drop-down list, choose a VLAN to be defined as the primary VLAN in the private VLAN. The primary VLAN is used to allow Layer 2 connectivity from promiscuous ports to isolated ports and to community ports.
Note: In this example, VLAN ID 10 is chosen.
Step 5. Choose a VLAN ID from the Isolated VLAN ID drop-down list. An isolated VLAN is used to allow isolated ports to send traffic to the primary VLAN.
Note: In this example, VLAN ID 20 is chosen.
Step 6. Choose a VLAN ID from the Available Community VLANs area then click the > button to move the VLANs that you want to be community VLANs to the Selected Community VLANs list.
Note: To create a sub-group of ports (community) within a VLAN, the ports must be added to a community VLAN. The community VLAN is used to enable Layer 2 connectivity from community ports to promiscuous ports and to community ports of the same community. There can be a single community VLAN for each community, and multiple community VLANs can coexist in the system for the same private VLAN.
Note: In this example, VLAN ID 30 is chosen.
Step 7. Click Apply then click Close.
Step 8. (Optional) Click Save to save settings to the startup configuration file.
You should now have configured the private VLAN settings on your switch. To learn how to configure VLAN interface settings on a 300 or 500 series switch, click here for instructions. For a 350, 350X, or 550 series switch, click here.
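The port-type rules described above (promiscuous, community, isolated) and the example IDs used in the steps (primary 10, isolated 20, community 30) can be checked before the settings are applied. The following is an added example, not code from this article or from Cisco: it models Layer 2 reachability inside one private VLAN and flags host ports assigned to the wrong secondary VLAN. Port names and the port plan are constructed for illustration.

```python
"""Layer-2 reachability model of a private VLAN, encoding the port rules the article
describes (promiscuous / community / isolated). Constructed example for checking a
segmentation plan offline; it is not code from the article or from Cisco."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PrivateVlan:
    primary: int               # primary VLAN ID (article example: 10)
    isolated: int              # isolated VLAN ID (article example: 20)
    communities: frozenset     # community VLAN IDs (article example: {30})


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                  # "promiscuous", "isolated" or "community"
    vlan: int                  # primary VLAN for promiscuous ports, secondary VLAN for host ports


def validate(pvlan: PrivateVlan, ports: list) -> list:
    """Return a list of configuration problems; an empty list means the plan is consistent."""
    problems = []
    ids = {pvlan.primary, pvlan.isolated, *pvlan.communities}
    if len(ids) != 2 + len(pvlan.communities):
        problems.append("primary, isolated and community VLAN IDs must all be distinct")
    expected = {"promiscuous": {pvlan.primary}, "isolated": {pvlan.isolated},
                "community": set(pvlan.communities)}
    for p in ports:
        if p.mode not in expected:
            problems.append(f"{p.name}: unknown port mode {p.mode!r}")
        elif p.vlan not in expected[p.mode]:
            problems.append(f"{p.name}: {p.mode} port assigned to VLAN {p.vlan}, "
                            f"expected one of {sorted(expected[p.mode])}")
    return problems


def can_talk(a: Port, b: Port) -> bool:
    """Layer-2 reachability between two ports of the same private VLAN."""
    if "promiscuous" in (a.mode, b.mode):      # promiscuous ports reach every port
        return True
    if a.mode == "community" and b.mode == "community":
        return a.vlan == b.vlan                 # only within the same community
    return False                                # isolated ports reach only promiscuous ports


def reachability(ports: list) -> dict:
    """Map (port, port) -> bool for every ordered pair of distinct ports."""
    return {(a.name, b.name): can_talk(a, b) for a in ports for b in ports if a is not b}


# Constructed plan using the article's example VLAN IDs (10 primary, 20 isolated, 30 community)
PVLAN = PrivateVlan(primary=10, isolated=20, communities=frozenset({30}))
PORTS = [Port("gi1", "promiscuous", 10),   # router uplink (constructed port names)
         Port("gi2", "community", 30), Port("gi3", "community", 30),
         Port("gi4", "isolated", 20), Port("gi5", "isolated", 20)]

if __name__ == "__main__":
    print("problems:", validate(PVLAN, PORTS) or "none")
    for pair, ok in sorted(reachability(PORTS).items()):
        print(pair, "reachable" if ok else "blocked")
```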