Sunday, October 22, 2017
Figure 1: Graphical representation of the experimental test bed

Private VLAN: A simple Layer 2 security approach


The last two years have seen some major online security breaches that made headlines around the world. Some of the victims were well-known names, such as Sony and MasterCard. The rising threat of so-called 'hacktivists' around the world means that network security must be integrated into the core network design. This paper presents a simple layer 2 security solution that can protect different parts of the network from external effects. If one part of the network is compromised, this solution prevents the breach from spreading to the rest of the network.

Security is an indispensable part of any organization that uses computer networks. Connectivity to the Internet has long threatened the integrity of network infrastructure and the privacy of its users [1]. Physically disconnecting the network from the Internet is one way to secure it, but it is an extreme measure, may not always be possible, and deprives the network of the benefits that come with connectivity to the world. Other solutions must be explored. This paper presents the use of Private Virtual Local Area Networks (PVLANs). PVLANs are just one form of security that can protect against network attacks. This article assumes basic knowledge of networks and security on the part of readers. Interested readers are directed to [1], [2], [3], and [4] for further information.

Not all security breaches can be treated the same. Some attacks may not even be noticed and no data is lost, but it is important to have the network protected against even the smallest breach. This article recommends the use of routers that can be manually configured. In the experiments, a Cisco router was used. Routers provide security for the computer's access points or ports, as well as filtering communications and blocking unauthorized access [3].

A Virtual Local Area Network (VLAN) is a layer 2 technology that segments a single broadcast domain into multiple broadcast domains. VLAN technology was created to simplify management of densely populated networks. Private VLANs are VLANs nested inside a larger primary VLAN. A PVLAN is a security technique that isolates the nodes connected to a primary VLAN by imposing restrictions at layer 2.

How PVLAN works
How a PVLAN works is illustrated with a simple real-world scenario [4]. The network has a DMZ where the servers are hosted, as seen in Figure 1. Inside the DMZ there are three servers: an Apache (WWW) server, a MySQL server and an FTP server. The web server and the MySQL server go hand in hand because the web server hosts a Content Management System (CMS) that pulls all its data from the MySQL server, so those two servers have to be able to talk to each other. The FTP server operates alone on the network and is used to dump files at the destination. The goal is to make sure that if any one of the servers is compromised, the other servers are safe. The practical steps required to accomplish this are presented below.

A PVLAN consists of two types of VLANs:
1) Primary VLAN and
2) Secondary VLANs (Child VLANs).

The Primary VLAN is the VLAN (subnet) that should be used for the DMZ, and the secondary VLANs are child VLANs of the Primary VLAN.

A PVLAN normally operates using two main port types:
1) Promiscuous Port and
2) Host Port.

Host Ports are also of two types:
a) Isolated Host Port and
b) Community Host Port.

All are discussed here.

Promiscuous Port (P Port): Any device connected to this port can be reached by any device within the PVLAN; all of the secondary VLANs can reach the promiscuous port. It is the port that is normally connected to the router or gateway.

Isolated Port (I Port): It is called an isolated port because no other host port inside the PVLAN can talk to it. This port communicates only with the Promiscuous Port, through which it can reach the Internet. In the scenario above, the port to which the FTP server is connected is configured as an isolated port.

Community Port (C Port): The Apache (WWW) server and the MySQL server are placed inside a community VLAN, and the ports to which these servers are connected are configured as Community Ports. The servers inside the community VLAN can talk to each other and can also reach the Internet through the Promiscuous Port.

Here, if the FTP server gets compromised, or in other words is infected with a malicious Trojan, the Trojan can only take control of the FTP server, which is completely isolated from the other servers in the DMZ; so private VLANs are a powerful tool for providing isolation and segmentation within one VLAN.
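To check that a candidate configuration really enforces the isolation described above, here is an added example (not from the article) that parses a small, constructed snippet in Cisco IOS private-vlan syntax and applies the three PVLAN forwarding rules; the VLAN ids (100/101/102) and interface names (Gi0/1 to Gi0/4) are assumptions.

```python
import re

# Constructed IOS-style snippet for the DMZ in Figure 1; VLAN ids and
# interface names are assumptions, not values from the article.
CONFIG = """
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
interface Gi0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
interface Gi0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
interface Gi0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
interface Gi0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
"""
PORTS = {"gateway": "Gi0/1", "www": "Gi0/2", "mysql": "Gi0/3", "ftp": "Gi0/4"}

def parse(config):
    """Map interface -> (role, secondary vlan); role is promiscuous,
    isolated or community. VLAN definitions must precede interfaces."""
    vtype, roles, cur = {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"(vlan|interface) (\S+)$", line):
            cur = m.group(2)                      # enter vlan/interface context
        elif m := re.match(r"private-vlan (primary|isolated|community)$", line):
            vtype[cur] = m.group(1)               # record the secondary VLAN type
        elif line == "switchport mode private-vlan promiscuous":
            roles[cur] = ("promiscuous", None)
        elif m := re.match(r"switchport private-vlan host-association \d+ (\d+)$", line):
            roles[cur] = (vtype[m.group(1)], m.group(1))
    return roles

def can_reach(roles, src, dst):
    """Layer 2 forwarding decision between two ports of the same primary VLAN."""
    (s_role, s_vlan), (d_role, d_vlan) = roles[src], roles[dst]
    if "promiscuous" in (s_role, d_role):
        return True                   # P port talks to every port
    if "isolated" in (s_role, d_role):
        return False                  # I port sees only the P port
    return s_vlan == d_vlan           # community ports: same community only
```

Running can_reach over every pair of PORTS gives the reachability matrix for the DMZ: only www/mysql and each server/gateway pair forward.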

Isolating one part of the network from the rest limits the effect of a security breach on the rest of the network. In the experiments the FTP server was isolated from the WWW and MySQL servers. A security breach of the WWW server will not affect the FTP server, hence minimizing the impact of the attack. This is one simple way to secure the network using a router.


References
  1. M. Rafik, "Internet security architecture", Elsevier Science, Computer Networks, Vol. 31, pp. 787-804, 1999.
  2. O. Poole, "Network Security: A practical guide", Butterworth-Heinemann, 2003.
  3. E. A. Schirick, "Computer Network Security – Evolving Risks", Campaign Magazine, March/April 2012.
  4., accessed on 05 November 2012.
  5., accessed on 05 November 2012.
