Netgear M5300-52G3 Web Management User Guide - Page 407
Private VLAN, Private VLAN Type Configuration
ProSafe M5300 Switch

Private VLAN

The Private VLANs feature provides Layer 2 isolation between ports that share the same broadcast domain. In other words, it allows a VLAN broadcast domain to be partitioned into smaller point-to-multipoint subdomains. The ports participating in a private VLAN can be located anywhere in the Layer 2 network. Each subdomain is defined (represented) by a primary VLAN and a secondary VLAN. The primary VLAN ID is the same for all subdomains that belong to a private VLAN. The secondary VLAN ID differentiates subdomains from one another and provides Layer 2 isolation between ports of the same private VLAN.

Private VLANs are typically implemented in the DMZ for security reasons. Servers are not supposed to communicate with each other, but they need to communicate with a router through which they are connected to the users. Such servers are typically connected to host ports, and routers are attached to promiscuous ports. Then, if one of the servers is compromised, the intruder cannot use it to attack another server in the same network segment.

The same traffic isolation can be achieved by assigning each port a different VLAN, allocating an IP subnet for each VLAN, and enabling L3 routing between them. In a private VLAN domain, on the other hand, all members can share the common address space of a single subnet, which is associated with the primary VLAN. So the advantage of the private VLANs feature is that it reduces the number of consumed VLANs, improves IP address space utilization, and helps to avoid L3 routing.

The Private VLAN folder contains links to the following features:
• Private VLAN Type Configuration on page 407
• Private VLAN Association Configuration on page 408
• Private VLAN Port Mode Configuration on page 409
• Private VLAN Host Interface Configuration on page 410
• Private VLAN Promiscuous Interface Configuration on page 411

Private VLAN Type Configuration

Use this page to set an existing VLAN as a private VLAN type.
A private VLAN can be one of the following types:
• A Primary VLAN forwards the traffic from the promiscuous ports to isolated ports, community ports, and other promiscuous ports in the same private VLAN. Only one primary VLAN can be configured per private VLAN. All ports within a private VLAN share the same primary VLAN.
• An Isolated VLAN is a secondary VLAN. It carries traffic from isolated ports to promiscuous ports. Only one isolated VLAN can be configured per private VLAN.
• A Community VLAN is a secondary VLAN. It forwards traffic between ports that belong to the same community and to the promiscuous ports. There can be multiple community VLANs per private VLAN.

To display the Private VLAN Type Configuration page, click Security > Traffic Control > Private VLAN > Private VLAN Type Configuration.

Managing Device Security 407
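The forwarding rules above (promiscuous, isolated and community ports sharing one primary VLAN) can be checked before a DMZ layout is committed to the switch. The following is an added example, not the switch's own code or anything from this guide: it models those rules so an administrator can audit which ports a compromised host could still reach. Port names, VLAN IDs and the DMZ layout are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Port modes of a private VLAN as described in the guide.
PROMISCUOUS = "promiscuous"   # router / uplink side
ISOLATED = "isolated"         # host port in the isolated VLAN
COMMUNITY = "community"       # host port in a community VLAN


@dataclass(frozen=True)
class PvlanPort:
    name: str                      # constructed port name (hypothetical)
    primary_vlan: int              # the single primary VLAN of the private VLAN
    mode: str                      # PROMISCUOUS, ISOLATED or COMMUNITY
    secondary_vlan: Optional[int]  # isolated/community VLAN ID; None for promiscuous


def can_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """Return True if Layer 2 traffic from src may reach dst under private VLAN rules."""
    if src.name == dst.name or src.primary_vlan != dst.primary_vlan:
        return False
    # Promiscuous ports exchange traffic with every port in the private VLAN.
    if PROMISCUOUS in (src.mode, dst.mode):
        return True
    # Isolated ports reach only promiscuous ports, never another host port.
    if ISOLATED in (src.mode, dst.mode):
        return False
    # Community ports reach each other only inside the same community VLAN.
    return src.secondary_vlan == dst.secondary_vlan


def reachability(ports):
    """Map each port name to the sorted names of ports it can reach (audit view)."""
    return {p.name: sorted(q.name for q in ports if can_forward(p, q)) for p in ports}


# Constructed DMZ: one router on a promiscuous port, two isolated servers,
# and a two-member community (VLAN IDs 100/101/102 are hypothetical).
DMZ = [
    PvlanPort("g1", 100, PROMISCUOUS, None),
    PvlanPort("g2", 100, ISOLATED, 101),
    PvlanPort("g3", 100, ISOLATED, 101),
    PvlanPort("g4", 100, COMMUNITY, 102),
    PvlanPort("g5", 100, COMMUNITY, 102),
]

if __name__ == "__main__":
    for port, peers in reachability(DMZ).items():
        print(f"{port} -> {peers}")
```

A compromised server on an isolated port (g2) reaches only the router port (g1), which is the isolation property the guide describes.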