What is a private VLAN? Eight part essay with pictures and texts.

special VLAN Technology has been coming out for a long time , But sometimes they are relatively complicated to configure .

this paper , I will show you about private VLAN The concept of .

In daily work , The computers of colleagues in an office do not communicate with each other , Or there is no interaction between the computer inside the office and the external server , Generally, all traffic will pass through the gateway outside the intranet , By it .

The following example shows communication through the gateway server （ Whether deployed internally or outside the organization ） Several scenarios , These servers host the services we intend to use ：

These figures show that the traffic reaches the target host through the uplink connection instead of directly , This indicates that the ability to communicate directly with hosts on the same subnet is usually not necessary , But a burden .

Broadcast area

The first 2 Layer switches allow devices connected to their ports to communicate directly with each other at the data link layer , in other words , No intermediate devices such as routers or firewalls are required ; therefore , The same VLAN Hosts on are said to share the same broadcast domain .

This also means that their traffic is not usually analyzed , It will not be blocked when a device is threatened , under these circumstances , The infected host can freely infect or attack other machines on the same network segment .

There are a variety of techniques to prevent or mitigate such behavior , for example NAC、 Inline probe .

Network segmentation

In an organization , Usually, different departments of the company are separated , So that a department （ Finance ） Host with another department （ Namely marketing ） The host is separated .

There are many reasons for this separation ：

• Just look at its IP The subnet can easily identify which group the host belongs to
• Besides , When a host leaves its subnet to reach another device outside its network , It needs to pass through an intermediate node , Such as routers or firewalls , This facilitates the introduction of flow restriction rules . Network segmentation

Although this separation applies to different parts of the network , But if we want to stop the same VLAN What about the traffic between hosts in the ？ As we can see from the previous example , We usually don't need these hosts to access each other , We would rather avoid this situation .

Due to the characteristics of shared broadcast domain , The host can communicate directly , No intermediate equipment is required , So the solution is to activate Private VLAN To configure , Instructs the underlying switch to modify and restrict specific VLAN The flow inside .

special VLAN

Under normal circumstances , Switches allow traffic to flow from one port to the same port VLAN Any other port in the , As shown in the following example ：

If now we will VLAN Configure to PRIVATE, We can see that traffic will no longer flow from one port to another ：

Of course, this situation is of little use , We still need a port to receive our traffic ;

Usually, this is the port to which our local gateway is connected , It was named Hybrid port ：

Although hybrid ports can be private VLAN All other ports in （ be called Isolation port ） Receive traffic , But these ports will not be able to send traffic to each other ：

As mentioned earlier , The same isolated port will continue to send and receive traffic to the hybrid port ：

The term ：

For a better understanding of dedicated VLAN The operation behind it , Understand the technical terms involved ：

Isolation port ： Only traffic from these ports is allowed to flow to hybrid ports , No traffic can flow from one isolated port to another , This prevents any attempt to go from one host to the same VLAN To communicate with another host in the , In our chart , We use yellow markers to indicate these ports .

Hybrid port ： This is the only port that can send traffic to the isolated port , The isolated ports cannot send traffic to each other , So the only traffic they receive is traffic from that port . In our chart , We indicate this port with a red flag .

Public port ： Join the public vlan The ports in are called public ports , In our chart , We use blue markers to indicate these ports .

Example 1, Isolation port ：

In the following illustration , We can see the connection to tradition VLAN The host .

Traffic can move freely from one host to another , To the gateway , In order to reach the external subnet .

Once we will VLAN Configure as private , The traffic between hosts will be blocked .

In order to provide to VLAN External connection of the , We configure a port to be promiscuous and connected locally GW：

therefore ,Hosts There is no mutual access at all , But they can only access their VLAN Outside the service .

Example 2：

Now suppose our VLAN There is a group of hosts that still need to communicate with each other , These may be two hosts sharing a local folder , For some reason it cannot be moved to the central server .

Although we still want to protect these hosts from VLAN The impact of other equipment in , But we also need to allow them to access each other directly and to be able to access hybrid ports to leave the subnet .

By configuring the ports connected to these two specific hosts as public ports , Allow traffic flow between these two ports and the hybrid port , There will be no flow from or into the isolation port .

From a switch perspective , It is necessary to distinguish the traffic entering from the hybrid port and the traffic entering through the isolated port .

This is done by defining two different VLAN To obtain the , A master VLAN Traffic entering from the hybrid port will be identified , And auxiliary VLAN Will represent the traffic entering from the isolated port .

The following table helps to summarize this concept ：

• Lord VLAN | Mark the traffic entering from the hybrid port
• auxiliary VLAN | Mark the traffic entering from the isolation port

summary

As security becomes an increasingly important factor for every company , private VLAN Provides a fast and simple solution to increase isolation between hosts .

This method can be applied to the visitor network , And most access networks , Even small data centers with physical servers .

By adding multiple masters and slaves to the same switch VLAN, Even by taking private VLAN Extend the concept to other devices to get a distributed concept , This concept can be further enriched .

Now , private VLAN The application of macro segmentation also appears in VXLAN In the network , To support complex security options such as zero trust .