In packet switching there is a wonderful thing called a private VLAN. It lets you have a VLAN (meaning: a single broadcast domain and thus a single IP subnet) in which the clients cannot talk to each other, only to one designated uplink port. If you provide network access to different customers and need to keep them separate while still using a common IP address space, this is an excellent way to do it… with only one drawback: many cheap switches which support 802.1q VLANs have never heard of private VLANs. The same is true even for not-so-cheap switches from brand-name manufacturers, which add this feature only to their mid-range devices. So, is there a way out? Yes, there is. In fact you can simulate private VLANs almost perfectly even if your switch does not support them. Here’s the secret that can save you a pile of money.
To keep it simple, we’ll only use 3 ports (you can extend this to as many as you want): port 1 is our uplink port (the one all isolated ports should be able to talk to); ports 2 and 3 are our isolated ports that can only talk to the uplink port. All three ports should be configured untagged. The secret lies in the VLAN numbers used for each port and the port VLAN IDs (PVIDs) which are set.
All isolated ports should be members of the same VLAN, but each should have its own PVID, unique for each port and different from their common VLAN ID:
- port 2: VLAN ID 10; PVID 12
- port 3: VLAN ID 10; PVID 13
Note: this configuration uses a trick: it assigns as PVID a VLAN ID of which the port is not a member. Not all switches will allow this. If yours does not, simply add the PVID as a second VLAN ID to the port, e.g. port 2: VLAN ID 10, 12; PVID 12. This will not break anything, because the only frames that ever carry VLAN 12 are the ones that entered through port 2 itself, and a switch never sends a frame back out of the port it came in on.
The uplink port should be a member of all VLAN IDs that are set as PVIDs on the isolated ports and should have the VLAN ID of the isolated ports as its PVID:
- port 1: VLAN IDs 12, 13; PVID: 10
Let’s see how it works:
- A host connected to port 2 wants to send a packet to a host connected to port 1: the packet enters port 2 and is tagged with VLAN 12. It then reaches port 1, which is a member of VLAN 12, and leaves it after being stripped of the tag. The same packet will never reach port 3, because port 3 is not a member of VLAN 12 (and if the destination MAC happens to belong to the host on port 3, the switch still refuses to forward it there for the same reason). Thus, if the packet was, say, a who-has ARP packet, only the host connected to port 1 will get it and eventually answer it.
- A host connected to port 1 wants to send a packet to a host connected to port 2: the packet enters port 1 and is tagged with VLAN 10. It then reaches ports 2 and 3, which are both members of VLAN 10. If the destination MAC address is a unicast address the switch has already learned, it will only send the packet to the port where this MAC address was last seen. If the destination is a broadcast (say, a who-has ARP packet) or an as yet unknown unicast address, it will be sent to both ports 2 and 3. One caveat here: the host on port 2 was learned while its frames carried VLAN 12, and the reply comes in on VLAN 10. A switch with a single MAC table shared across VLANs (shared VLAN learning) finds the entry and delivers the reply to port 2 only; a switch with a separate table per VLAN (independent VLAN learning) does not, and floods every frame from the uplink to all isolated ports. The isolation itself still holds either way, but on the second kind of switch each client sees all the downstream traffic of the others, so check which kind you have before putting customer traffic on it.
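To make the forwarding decisions above concrete, here is a small model of the switch, written for this page and not taken from the original post: per-port VLAN membership, a PVID, untagged egress and a MAC table, with a flag that selects shared or per-VLAN MAC learning. The port layout and VLAN numbers are the ones from the text; the MAC addresses, the step names and the `shared_learning` flag are constructed for the example.

```python
"""Model of the poor man's private VLAN: per-port membership + PVID + MAC table.

Constructed example for this page, not code from the original post. Ports and
VLAN numbers follow the text; MAC addresses and the shared_learning flag are
assumptions made for the demonstration.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    vlans: frozenset   # VLAN IDs this port is an (untagged) member of
    pvid: int          # VLAN assigned to untagged frames that enter the port


@dataclass
class Switch:
    ports: dict                    # port number -> Port
    shared_learning: bool = True   # True: one MAC table for all VLANs (SVL); False: per-VLAN (IVL)
    fdb: dict = field(default_factory=dict)

    def _key(self, mac, vlan):
        return mac if self.shared_learning else (vlan, mac)

    def forward(self, in_port, src, dst):
        """Deliver one untagged frame; return the sorted list of egress ports."""
        vlan = self.ports[in_port].pvid                  # ingress: frame gets the PVID
        self.fdb[self._key(src, vlan)] = in_port         # learn the source address
        members = [p for p, cfg in self.ports.items()
                   if vlan in cfg.vlans and p != in_port]  # egress filtering by VLAN membership
        if dst != BROADCAST:
            known = self.fdb.get(self._key(dst, vlan))
            if known is not None:
                # known unicast: only the learned port, and only if it is in this VLAN
                return [known] if known in members else []
        # broadcast or unknown unicast: flood to every other member of the VLAN
        return sorted(members)


def build_switch(shared_learning=True):
    """Port 1 uplink, ports 2 and 3 isolated, exactly as configured in the text."""
    return Switch(
        ports={
            1: Port(vlans=frozenset({12, 13}), pvid=10),   # uplink
            2: Port(vlans=frozenset({10}), pvid=12),       # isolated
            3: Port(vlans=frozenset({10}), pvid=13),       # isolated
        },
        shared_learning=shared_learning,
    )


# Constructed MAC addresses for the uplink router and the two isolated hosts.
UPLINK, HOST_A, HOST_B = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"


def walkthrough(shared_learning=True):
    """Replay the exchanges from the text; return {step: ports the frame reached}."""
    sw = build_switch(shared_learning)
    out = {}
    out["A arp who-has"] = sw.forward(2, HOST_A, BROADCAST)        # only the uplink
    out["uplink arp reply to A"] = sw.forward(1, UPLINK, HOST_A)   # [2] with SVL, [2, 3] with IVL
    out["B arp who-has"] = sw.forward(3, HOST_B, BROADCAST)        # only the uplink
    out["A unicast to B"] = sw.forward(2, HOST_A, HOST_B)          # never port 3
    out["uplink broadcast"] = sw.forward(1, UPLINK, BROADCAST)     # both isolated ports
    return out


def isolated(shared_learning=True):
    """True if nothing sent from port 2 ever reaches port 3 and vice versa."""
    sw = build_switch(shared_learning)
    sw.forward(2, HOST_A, BROADCAST)   # let the switch learn both hosts first
    sw.forward(3, HOST_B, BROADCAST)
    probes = [(2, HOST_A, BROADCAST), (2, HOST_A, HOST_B),
              (3, HOST_B, BROADCAST), (3, HOST_B, HOST_A)]
    return all(3 not in sw.forward(2, s, d) if p == 2 else 2 not in sw.forward(3, s, d)
               for p, s, d in probes)


if __name__ == "__main__":
    for mode in (True, False):
        print("shared MAC learning" if mode else "per-VLAN MAC learning")
        for step, ports in walkthrough(mode).items():
            print(f"  {step:24s} -> ports {ports}")
        print(f"  isolated: {isolated(mode)}")
```

Run it and compare the two blocks of output: the isolation check passes in both modes, but with per-VLAN learning the uplink's reply to host A reaches ports 2 and 3, which is exactly the difference between the two kinds of switch described above.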
Voila, you just got your poor man’s private VLAN up & running!