
Using Private VLANs

Document Number

ENG-010572

Introduction

This Application Note will explain Private VLANs and their implementation on the Tellabs OLAN products. 

Applies To

All OLAN OLTs. 

Private VLAN Description

Private VLAN, also known as port isolation, is a technique in which switch ports are restricted so that they can communicate only with a given uplink and not with each other. A private VLAN is used for two main purposes: 

  • Preventing Layer 2 spoofing attacks between users of the same VLAN.  Layer 2 spoofing attacks (for example ARP spoofing or MAC impersonation) typically rely on first learning another user's MAC address and then impersonating that user on the segment; when the two users sit on isolated ports, their frames are never forwarded to one another, so the attack has no path to the victim.  
  • Preventing any direct communication between ports.  This is done as a security measure to prevent leakage of information between users of the network, whether for privacy reasons or for security compartmentalization.

Private VLANs are built on several concepts.

  • Private Ports/Isolated Ports - Private ports can communicate only with the uplink (promiscuous) ports and are prevented from communicating with other private ports, including via broadcast and flooded traffic.
  • Promiscuous/Privileged Ports - These ports are allowed to communicate with any port in the VLAN and are typically the uplink ports.


Within the Tellabs system, when private VLAN is enabled, PON ports are always considered to be isolated ports and the uplink is always considered to be a promiscuous or privileged port.

A private VLAN is a bridge type that is assigned to a VLAN within the VLAN Properties table.  Once a Private VLAN is configured on a VLAN as a bridge type, user isolation will be enforced on that VLAN.

Private VLAN supports all other features of N:N VLANs, such as NAC, ACLs, 802.1X, MAB, etc.
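The forwarding rule described above, as an added example that is not part of this note or of the Tellabs software: a small Python model of a VLAN bridge with isolated PON ports and a promiscuous uplink, run once as a standard N:N bridge and once as a Private VLAN. It plays out the ARP-spoofing case from the description (an attacker on one PON port broadcasts a gratuitous ARP claiming the gateway, and a victim on another PON port answers it) and checks that legitimate subscriber-to-uplink traffic still flows. The port names (PON-1, PON-2, UPLINK-1), MAC addresses and the scenario itself are constructed for illustration.

```python
"""Model of the Private VLAN forwarding rule (added example, not Tellabs code).

Isolated ports (PON ports) may exchange frames only with promiscuous ports
(the uplink); promiscuous ports may reach any port.  A standard N:N bridge
has no such restriction.  All port names and MACs below are constructed.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Vlan:
    vid: int
    bridge_type: str            # "N:N" or "Private VLAN" (the VLAN table bridge type)
    isolated: set               # PON ports
    promiscuous: set            # uplink ports
    mac_table: dict = field(default_factory=dict)   # learned MAC -> port

    @property
    def ports(self):
        return self.isolated | self.promiscuous

    def allowed(self, ingress, egress):
        """Port-isolation policy: may a frame from ingress leave on egress?"""
        if ingress == egress:
            return False
        if self.bridge_type != "Private VLAN":
            return True                      # plain N:N bridge, no isolation
        # Isolated <-> isolated is the only forbidden pair.
        return ingress in self.promiscuous or egress in self.promiscuous

    def forward(self, ingress, src_mac, dst_mac):
        """Learn src_mac on ingress and return the set of egress ports."""
        self.mac_table[src_mac] = ingress
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            candidates = self.ports - {ingress}          # flood
        else:
            candidates = {self.mac_table[dst_mac]}       # known unicast
        return {p for p in candidates if self.allowed(ingress, p)}


# Constructed addresses for the scenario.
GATEWAY_MAC = "00:11:22:00:00:01"
ATTACKER_MAC = "00:aa:bb:cc:dd:01"   # subscriber on PON-1
VICTIM_MAC = "00:aa:bb:cc:dd:02"     # subscriber on PON-2


def build_vlan(bridge_type):
    vlan = Vlan(100, bridge_type, isolated={"PON-1", "PON-2"},
                promiscuous={"UPLINK-1"})
    # The real gateway announces itself from the uplink first.
    vlan.forward("UPLINK-1", GATEWAY_MAC, BROADCAST)
    return vlan


def arp_spoof_scenario(bridge_type):
    """Attacker on PON-1 broadcasts a gratuitous ARP claiming the gateway IP.

    Returns (ports the spoofed broadcast reaches,
             ports a victim reply addressed to the attacker's MAC reaches).
    """
    vlan = build_vlan(bridge_type)
    spoof_reach = vlan.forward("PON-1", ATTACKER_MAC, BROADCAST)
    # Victim on PON-2 behaves as if it had accepted the spoofed entry.
    victim_reach = vlan.forward("PON-2", VICTIM_MAC, ATTACKER_MAC)
    return spoof_reach, victim_reach


def legitimate_path(bridge_type):
    """Subscriber on PON-2 talks to the gateway and gets a reply.

    Returns (ports reached by the upstream frame, ports reached by the reply).
    """
    vlan = build_vlan(bridge_type)
    upstream = vlan.forward("PON-2", VICTIM_MAC, GATEWAY_MAC)
    downstream = vlan.forward("UPLINK-1", GATEWAY_MAC, VICTIM_MAC)
    return upstream, downstream


if __name__ == "__main__":
    for bt in ("N:N", "Private VLAN"):
        spoof, reply = arp_spoof_scenario(bt)
        up, down = legitimate_path(bt)
        print(f"{bt:13s} spoofed ARP reaches {sorted(spoof)}, "
              f"victim reply reaches {sorted(reply)}, "
              f"legit up {sorted(up)} / down {sorted(down)}")
```

In the N:N case the spoofed broadcast reaches PON-2 and the victim's reply flows back to PON-1, so the attacker sits in the middle. With the bridge type set to Private VLAN the broadcast is delivered only to the uplink and the reply to the attacker's MAC is dropped (PON-to-PON is never forwarded), while subscriber-to-gateway traffic is unaffected in both directions. Note that the uplink still receives the spoofed frame, which is why isolation protects users from each other and not the upstream device from a misbehaving subscriber; that remains the job of features such as NAC and ACLs mentioned above.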

Applications for Private VLANs

Common uses of Private VLANs:

  • Isolating users on Guest networks to prevent any snooping of another guest’s traffic.
  • Isolating users in Secure networks to prevent direct communications.
  • Preventing Layer 2 spoofing. 

Creating Private VLANs

Private VLANs are created by setting the Bridge Type to Private VLAN on the VLAN Table entry.

For SR30 and above, this is found on the Switching View->VLAN Properties Tab.

For releases prior to SR30 this is found on the Links Tab->Uplinks->VLAN Properties button.


This is the only configuration required: once the bridge type is set, the PON ports default to Isolated for that VLAN and the Uplink ports already default to Promiscuous for that VLAN. Isolation can be confirmed by attempting to reach one subscriber's address from a subscriber on a different PON port in the same VLAN; the attempt should fail, while traffic from either subscriber to the uplink continues to pass.
