TP-LINK tl-sl5428e Data Sheet

6.8  Private VLAN 
Private VLANs, designed to save VLAN resources of uplink devices and reduce broadcast traffic, are 
sets of VLAN pairs that share a common primary identifier. In a campus network, service providers 
usually require that each individual user be separated at Layer 2, both to guarantee user 
information security and to make traffic easier to manage and account for. The VLAN feature can 
solve this problem. However, as stipulated by the IEEE 802.1Q protocol, a device can support at 
most 4094 VLANs. If a service provider assigns one VLAN per user, the VLANs will be far from 
enough; as a result, the number of users this service provider can support is limited. 
Private VLAN adopts a Layer 2 VLAN structure. A Private VLAN consists of a Primary VLAN and a 
Secondary VLAN, providing a mechanism for achieving Layer 2 separation between ports. For 
uplink devices, all packets received from downstream carry no VLAN tags. Uplink 
devices need to identify Primary VLANs but not Secondary VLANs. Therefore, they can save 
VLAN resources without considering the VLAN configuration in the lower layer. Meanwhile, the 
service provider can assign each user an individual Secondary VLAN, so that users are separated 
at the Layer 2 level. 
Private VLAN technology is mainly used in campus or enterprise networks to achieve user 
layer-2-separation and to save VLAN resources of uplink devices. 
  The Elements of a Private VLAN 
Primary VLAN: A Private VLAN has one Primary VLAN and one Secondary VLAN. The Primary VLAN 
is the user VLAN that the uplink device can identify, but it is not the actual VLAN the end user is in. 
Every port in a Private VLAN is a member of the Primary VLAN. The Primary VLAN carries unidirectional 
traffic downstream from the promiscuous ports to the host ports and to other promiscuous ports. 
Secondary VLAN: The Secondary VLAN is the actual VLAN the end user is in. Secondary VLANs are 
associated with a Primary VLAN, and are used to carry traffic from hosts to uplink devices. 
Promiscuous: A promiscuous port connects to and communicates with the uplink device. The 
PVID of the promiscuous port is the same as the Primary VLAN ID. One promiscuous port can 
only join one Primary VLAN. 
Host: A host port connects to and communicates with a terminal device. The PVID of the host port is 
the same as the Secondary VLAN ID. One host port can only belong to one Private VLAN. 
  Features of Private VLAN 
1.  A Private VLAN contains one Primary VLAN and one Secondary VLAN. 
2.  A VLAN cannot be set as the Primary VLAN and Secondary VLAN simultaneously. 
3.  A Secondary VLAN can only join one Private VLAN. 
4.  A Primary VLAN can be associated with multiple Secondary VLANs to create multiple Private 
VLANs. 
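The element and feature rules above, checked in a small model. This is an added example, not TP-LINK code or switch CLI; `Port`, `validate` and `l2_reachable` are hypothetical names, and the VLAN IDs are constructed.

```python
# Added example: a model of the Private VLAN rules in this section.
# All names here are hypothetical; this is not TP-LINK firmware or CLI.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Port:
    name: str
    role: str                        # "promiscuous" or "host"
    pvid: int
    primary: int                     # Primary VLAN of the Private VLAN joined
    secondary: Optional[int] = None  # Secondary VLAN, host ports only

def validate(pairs, ports):
    """pairs: (primary, secondary) Private VLANs. Returns a list of violations."""
    errors, owner, seen = [], {}, set()
    primaries = {primary for primary, _ in pairs}
    for primary, secondary in pairs:
        if secondary in primaries:                            # feature 2
            errors.append(f"VLAN {secondary} is both Primary and Secondary")
        if owner.setdefault(secondary, primary) != primary:   # feature 3
            errors.append(f"Secondary VLAN {secondary} is in two Private VLANs")
    for p in ports:
        if p.name in seen:           # one Primary / one Private VLAN per port
            errors.append(f"{p.name} joins more than one Private VLAN")
        seen.add(p.name)
        if p.role == "promiscuous":
            if p.pvid != p.primary:
                errors.append(f"{p.name}: PVID must equal Primary VLAN {p.primary}")
        elif (p.primary, p.secondary) not in pairs:
            errors.append(f"{p.name}: not in a configured Private VLAN")
        elif p.pvid != p.secondary:
            errors.append(f"{p.name}: PVID must equal Secondary VLAN {p.secondary}")
    return errors

def l2_reachable(a, b):
    """Can frames pass between two ports at Layer 2 under the rules above?"""
    if a.primary != b.primary:
        return False                 # different Primary VLANs
    if "promiscuous" in (a.role, b.role):
        return True                  # uplink side reaches every port of its Primary
    # Assumption: hosts sharing a Secondary VLAN behave as ordinary VLAN peers;
    # the page only states that different Secondary VLANs are separated.
    return a.secondary == b.secondary

# Constructed sample: one Primary VLAN (100) shared by two user Secondary VLANs.
PAIRS = [(100, 101), (100, 102)]
UPLINK = Port("uplink", "promiscuous", 100, 100)
USER1 = Port("user1", "host", 101, 100, 101)
USER2 = Port("user2", "host", 102, 100, 102)
```

With the sample data, the uplink device only ever sees VLAN 100, while `user1` and `user2` stay separated from each other at Layer 2.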
  Private VLAN Implementation 
To hide Secondary VLANs from uplink devices and save VLAN resources, a Private VLAN 
containing one Primary VLAN and one Secondary VLAN requires the following characteristics: 