Private VLAN

The uplink will typically be a port (or link aggregation group) connected to a router, firewall, server, provider network, or similar central resource.

Hence there was a requirement to create multiple segregated network segments using a minimum number of VLANs.

As a result, direct peer-to-peer traffic between the protected ports through the switch is blocked, and any such communication must pass through the uplink.

A typical application for a private VLAN is a hotel or Ethernet-to-the-home network where each room or apartment has a port for Internet access.

Allowing direct data link layer communication between customer nodes would expose the local network to various security attacks, such as ARP spoofing, as well as increase the potential for damage due to misconfiguration.

Ports can be isolated from each other at the data link layer (for security, performance, or other reasons), while belonging to the same IP subnet.

In such a case, direct communication between the IP hosts on the protected ports is only possible through the uplink connection by using MAC-Forced Forwarding or a similar Proxy-ARP-based solution.
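The forwarding rules above, modelled as an added example that is not part of the original article: it covers the promiscuous (uplink) and isolated port types the text describes and additionally the community port type found in common private VLAN implementations, plus the proxy-ARP detour that lets two hosts in the same subnet reach each other through the uplink. The port names, MAC addresses and hotel layout are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # uplink port: may exchange frames with every port
    ISOLATED = "isolated"        # may exchange frames only with promiscuous ports
    COMMUNITY = "community"      # promiscuous ports plus ports in the same community

@dataclass(frozen=True)
class Port:
    name: str
    kind: PortType
    community: Optional[str] = None  # used only for COMMUNITY ports

def switch_forwards(src: Port, dst: Port) -> bool:
    """Does the private VLAN let a frame received on src be sent out of dst?"""
    if src == dst:
        return False
    if PortType.PROMISCUOUS in (src.kind, dst.kind):
        return True
    if src.kind == dst.kind == PortType.COMMUNITY:
        return src.community == dst.community
    return False  # isolated<->isolated and isolated<->community are blocked

def resolve_mac(requester: Port, target: Port, target_mac: str, uplink_mac: str) -> str:
    """MAC the requester learns for target's IP when the uplink device runs proxy ARP.
    If the switch delivers the ARP request, the target answers with its own MAC;
    otherwise the uplink answers on its behalf, so frames are addressed to the uplink."""
    return target_mac if switch_forwards(requester, target) else uplink_mac

def traffic_path(src: Port, dst: Port, uplink: Port) -> List[str]:
    """Port-level path of an IP packet between two hosts in the same subnet."""
    if switch_forwards(src, dst):
        return [src.name, dst.name]
    # Blocked at layer 2: the packet goes up to the uplink, which routes it back down.
    assert switch_forwards(src, uplink) and switch_forwards(uplink, dst)
    return [src.name, uplink.name, dst.name]

# Constructed example: one hotel floor, each room on an isolated port behind one uplink.
UPLINK = Port("uplink", PortType.PROMISCUOUS)
ROOM_101 = Port("room101", PortType.ISOLATED)
ROOM_102 = Port("room102", PortType.ISOLATED)
LOBBY_A = Port("lobby-a", PortType.COMMUNITY, "lobby")
LOBBY_B = Port("lobby-b", PortType.COMMUNITY, "lobby")

if __name__ == "__main__":
    print(traffic_path(ROOM_101, ROOM_102, UPLINK))  # ['room101', 'uplink', 'room102']
    print(traffic_path(LOBBY_A, LOBBY_B, UPLINK))    # ['lobby-a', 'lobby-b']
    print(resolve_mac(ROOM_101, ROOM_102, "02:00:00:00:01:02", "02:00:00:00:00:01"))
```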

Private VLAN Traffic Flow
[Figure: example of private VLAN port types on the switch]