All hosts in a broadcast domain can communicate with each other. For example, Figure 1 below shows five PCs connected to a single switch, each configured with an IP address on the same subnet. If PC-1 pings PC-5, it first sends an ARP request, which is flooded across the network and reaches every host. PC-5 responds with an ARP reply, and ICMP traffic can then flow between the two hosts.
Figure 1: Private VLAN topology
But what if we wanted to stop PC-1 from communicating with PC-5, without creating additional subnets? Private VLANs can be set up for this purpose. When configured correctly, a private VLAN can segregate a VLAN so that some hosts can communicate with each other, whilst others cannot, even though all hosts are on same subnet sharing the same gateway.
When configuring private VLANs, a primary VLAN is configured first. Secondary VLANs are then associated with it.
Each secondary VLAN can be set up as a community VLAN or an isolated VLAN. In a community VLAN, all hosts in that community VLAN can communicate with each other. Hosts in an isolated VLAN cannot communicate with any other host.
The only exception to this rule is when a port is set up in promiscuous mode. A host connected to a promiscuous port can communicate with all secondary VLANs. This is mainly reserved for devices such as routers, which act as the gateway for all the clients.
In Figure 1, PC-1 and PC-2 are in a community VLAN, so both PCs can communicate with each other. They can also communicate with R1, because R1 is connected to a port in promiscuous mode. However, they cannot communicate with any other host (PC-3, PC-4, PC-5).
PC-4 and PC-5 are also in a community VLAN, but a different one from that of PC-1 and PC-2. They too can communicate with R1, but not with any other host (PC-1, PC-2, PC-3).
PC-3 is in an isolated VLAN. It cannot communicate with any other host, except for R1.
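The forwarding rules above, applied to the Figure 1 topology, as an added example that is not part of the original article. It models each switch port's private-VLAN role (promiscuous, community with a community id, or isolated) and computes which host pairs can exchange frames, which is a quick way to check that a planned layout produces the segmentation you intend. The port table and community labels "A" and "B" are constructed for this example.

```python
from itertools import combinations

# Constructed model of the Figure 1 topology: one primary VLAN, two community
# secondary VLANs (A and B), one isolated secondary VLAN, and R1 on a
# promiscuous port acting as the shared gateway.
PORTS = {
    "R1":   {"role": "promiscuous"},
    "PC-1": {"role": "community", "community": "A"},
    "PC-2": {"role": "community", "community": "A"},
    "PC-3": {"role": "isolated"},
    "PC-4": {"role": "community", "community": "B"},
    "PC-5": {"role": "community", "community": "B"},
}


def can_communicate(ports, a, b):
    """Return True if host a may exchange frames with host b under PVLAN rules."""
    pa, pb = ports[a], ports[b]
    # A promiscuous port can reach every port in the primary VLAN.
    if pa["role"] == "promiscuous" or pb["role"] == "promiscuous":
        return True
    # An isolated port reaches nothing except promiscuous ports.
    if pa["role"] == "isolated" or pb["role"] == "isolated":
        return False
    # Two community ports reach each other only within the same community VLAN.
    return pa["community"] == pb["community"]


def reachable_pairs(ports):
    """All unordered host pairs that the switch will forward traffic between."""
    return {frozenset((a, b)) for a, b in combinations(ports, 2)
            if can_communicate(ports, a, b)}


def peers_of(ports, host):
    """Every other host that `host` can communicate with."""
    return sorted(h for h in ports if h != host and can_communicate(ports, host, h))


if __name__ == "__main__":
    for host in PORTS:
        print(f"{host:5} -> {', '.join(peers_of(PORTS, host))}")
```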