A Virtual Local Area Network (VLAN) is a logical grouping of devices on one or more LANs, configured to communicate as if they were on the same segment. In order to communicate with devices in another VLAN, a Layer 3 device must be present for routing.
One way to simplify a multi-VLAN deployment is by using the Private VLAN (PVLAN) feature. PVLANs achieve isolation at Layer 2 between ports in the same VLAN. This is done by designating the ports as one of three types: promiscuous, isolated, or community. Each designation has its own set of rules that regulate its ability to communicate with other devices in the same VLAN.
Promiscuous Ports: These ports have the ability to communicate with all other ports within the PVLAN. The default gateway for the network segment would likely be a promiscuous port, since all devices need to be able to communicate with the gateway.
Isolated Ports: These ports have Layer 2 separation from all other ports within the PVLAN, except for promiscuous ports. A PVLAN will block all traffic to an isolated port, except the traffic originating from a promiscuous port. A common example is a hotel or university network, where end users would have Internet access but no access to other clients.
Community Ports: These ports are able to communicate with all other community ports, as well as with promiscuous ports. Many enterprise networks will contain community ports, allowing clients to communicate directly with other internal devices such as database or email servers.
Each of these port types is also associated with a specific VLAN type, which works together with the port designations to create a PVLAN structure.
The Native VLAN is simply the untagged VLAN on an 802.1Q trunked switchport. The 802.1Q protocol provides a way for Ethernet frames to be tagged with specific VLAN identifiers. Any untagged frames arriving on a trunk port are assumed to be members of the Native VLAN.
When configuring a trunk port, the Native VLAN should be set to the same value on each end in order to avoid Spanning Tree Protocol (STP) loops. By default, the native VLAN is set to VLAN 1. A recommended best practice is to change the Native VLAN to another unused VLAN where no hosts or other devices reside. This is done in order to avoid VLAN hopping attacks such as double-tagging.
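To make the tagging behaviour concrete, here is an added example (not code from the original article) that walks the 802.1Q tag stack of a raw Ethernet frame, assigns untagged frames to the trunk's native VLAN, and flags frames carrying more than one tag, the pattern a double-tagging attempt leaves on the wire. The frames it examines are constructed inline, not captured traffic, and the trunk is assumed not to carry legitimate 802.1ad (QinQ) stacking.

```python
import struct

# TPIDs that introduce a VLAN tag: 802.1Q, 802.1ad (QinQ) and a legacy QinQ value.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}


def parse_vlan_tags(frame: bytes):
    """Walk the VLAN tag stack of an Ethernet frame.

    Returns (vids, ethertype, payload_offset); an untagged frame yields vids == [].
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, vids = 12, []          # tags (if any) start right after dst/src MAC
    while True:
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in VLAN_TPIDS:
            return vids, tpid, offset + 2
        if len(frame) < offset + 6:  # need the TCI plus the next EtherType
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)    # low 12 bits of the TCI are the VLAN ID
        offset += 4


def classify_trunk_frame(frame: bytes, native_vlan: int) -> dict:
    """Decide which VLAN a frame arriving on a trunk belongs to and flag tag stacking."""
    vids, ethertype, _ = parse_vlan_tags(frame)
    result = {"vlan": vids[0] if vids else native_vlan, "tags": len(vids),
              "ethertype": ethertype, "alert": None}
    if len(vids) > 1:
        result["alert"] = "stacked VLAN tags %s on a trunk" % vids
        if vids[0] == native_vlan:
            # The case the native-VLAN best practice defends against: the outer tag
            # matches the native VLAN, so only the inner tag is worth inspecting.
            result["alert"] = ("outer tag %d equals the native VLAN; inner tag %d "
                               "is the effective destination" % (vids[0], vids[1]))
    return result


def build_frame(vids, payload=b"\x00" * 46, ethertype=0x0800) -> bytes:
    """Constructed sample frame (not captured traffic) with the given tag stack."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"   # broadcast dst, locally administered src
    for vid in vids:
        hdr += struct.pack("!HH", 0x8100, vid & 0x0FFF)  # TPID, then TCI with PCP/DEI = 0
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    for tags in ([], [10], [1, 20]):
        print(classify_trunk_frame(build_frame(tags), native_vlan=1))
```

Running the script shows the three cases: an untagged frame lands in the native VLAN, a single-tagged frame in VLAN 10, and the stacked [1, 20] frame raises the alert because the outer tag equals the default native VLAN 1; with the native VLAN moved to an unused ID, the same frame is still flagged for stacking but no longer matches.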
It’s easy to confuse the ideas of the Native VLAN and the Default VLAN. To provide clarity about these terms, the following can be stated:
A few other recommended best practices in regard to VLAN security include the following: