How to configure Private VLAN

Private VLAN


The private VLAN always has one primary VLAN. Within the primary VLAN you will find the
promiscuous port. In my picture above you can see that there’s a router connected to a
promiscuous port. All other ports are able to communicate with the promiscuous port.
Within the primary VLAN you will encounter one or more secondary VLANs. There are two
types of secondary VLAN:

    • Community VLAN: All ports within the community VLAN are able to communicate
       with each other and the promiscuous port.
    • Isolated VLAN: All ports within the isolated VLAN are unable to communicate with
       each other but they can communicate with the promiscuous port.

Private VLANs are only locally significant to the switch - VTP will not pass this information to other switches. Each switch interface in a private VLAN assumes a specific role:

Promiscuous - communicates with the primary VLAN and all secondary VLANs. Gateway devices such as routers and switches should connect to promiscuous ports.
Host - communicates only with promiscuous ports, or with ports within the local community VLAN. Host devices connect to host ports. PVLANs thus allow groups of host devices to be segmented within a VLAN, while still allowing those devices to reach external networks via a promiscuous gateway.

NOTE: Private VLANs are configured with the switch in VTP transparent mode.

Private VLAN Configuration

The first step to configuring Private VLANs is to specify the secondary VLANs:

Switch(config)# vlan 100
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 101
Switch(config-vlan)# private-vlan isolated

Next, the primary VLAN must be specified, and the secondary VLANs associated with it:

Switch(config)# vlan 50
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 100,101

Secondary VLANs 100 and 101 have been associated with the primary VLAN 50. Next, host ports must be identified, and associated with a primary and secondary VLAN:

Switch(config)# interface range fa0/5 - 6
Switch(config-if)# switchport private-vlan host
Switch(config-if)# switchport private-vlan host-association 50 101

Interfaces fa0/5 and fa0/6 have been identified as host ports, and associated with primary VLAN 50 and secondary VLAN 101. Finally, promiscuous ports must be identified, and associated with the primary VLAN and all secondary VLANs:

Switch(config)# interface fa0/20
Switch(config-if)# switchport private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 50 100 101

Interface fa0/20 has been identified as a promiscuous port, and associated with primary VLAN 50 and secondary VLANs 100 and 101.

Show Commands

Switch# show interfaces fastEthernet 0/20 switchport
Switch# show vlan private-vlan
Switch# show vlan private-vlan type

Points to Remember

    • Devices within a community VLAN can communicate with each other AND the
        promiscuous port.
    • Devices within an isolated VLAN cannot communicate with each other and can ONLY
        communicate with the promiscuous port.
    • The promiscuous port can communicate with any other port.
    • Secondary VLANs are unable to communicate with other secondary VLANs.
    • Private VLANs can be spanned across multiple switches if you use trunks, but each
        switch must be configured with the private VLANs locally, since VTP does not carry them.
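To check that a private VLAN configuration actually enforces the isolation listed above before it goes on a production switch, the following added example (not from the original post) parses the IOS commands used on this page into a small model and answers whether two ports may exchange frames. The sample configuration is constructed from the page's own example; interfaces fa0/7 and fa0/8 in community VLAN 100 are an assumption added so that the community rule can be exercised too. Only the abbreviated "fa0/N" interface form shown on the page is recognised.

```python
"""Model of Cisco private-VLAN forwarding rules (added example, not vendor code).

Parses the subset of IOS commands used on this page:
  vlan N / private-vlan primary|community|isolated / private-vlan association ...
  interface [range] faX/N[ - M] / switchport private-vlan host|promiscuous|
  host-association P S / mapping P S1 S2 ...
and applies the reachability rules for promiscuous, community and isolated ports.
"""
import re
from dataclasses import dataclass, field


@dataclass
class PvlanModel:
    vlan_type: dict = field(default_factory=dict)    # vlan id -> primary/community/isolated
    association: dict = field(default_factory=dict)  # primary id -> set of secondary ids
    port_role: dict = field(default_factory=dict)    # port -> host/promiscuous
    host_assoc: dict = field(default_factory=dict)   # host port -> (primary, secondary)
    mapping: dict = field(default_factory=dict)      # promiscuous port -> (primary, set of secondaries)


def expand_range(spec):
    """'fa0/5 - 6' -> ['fa0/5', 'fa0/6']; 'fa0/20' -> ['fa0/20'] (abbreviated names only)."""
    m = re.fullmatch(r"(\S+?/)(\d+)(?:\s*-\s*(\d+))?", spec.strip())
    prefix, start, end = m.group(1), int(m.group(2)), m.group(3)
    return [f"{prefix}{n}" for n in range(start, (int(end) if end else start) + 1)]


def _ids(words):
    return {int(x) for x in re.split(r"[,\s]+", " ".join(words)) if x}


def parse_config(text):
    model = PvlanModel()
    ctx = None  # ("vlan", id) or ("if", [ports]) depending on the current config sub-mode
    for raw in text.splitlines():
        line = re.sub(r"^\S*\(config[^)]*\)#\s*", "", raw.strip())  # drop "Switch(config-if)# "
        if not line:
            continue
        w = line.split()
        if w[0] == "vlan":
            ctx = ("vlan", int(w[1]))
        elif w[0] == "interface":
            ctx = ("if", expand_range(" ".join(w[2:] if w[1] == "range" else w[1:])))
        elif w[0] == "private-vlan" and ctx and ctx[0] == "vlan":
            if w[1] == "association":
                model.association[ctx[1]] = _ids(w[2:])
            else:
                model.vlan_type[ctx[1]] = w[1]
        elif w[:2] == ["switchport", "private-vlan"] and ctx and ctx[0] == "if":
            for port in ctx[1]:
                if w[2] in ("host", "promiscuous"):
                    model.port_role[port] = w[2]
                elif w[2] == "host-association":
                    model.host_assoc[port] = (int(w[3]), int(w[4]))
                elif w[2] == "mapping":
                    model.mapping[port] = (int(w[3]), _ids(w[4:]))
    return model


def can_communicate(model, a, b):
    """Promiscuous ports reach every mapped secondary; community hosts reach their own
    community and promiscuous ports; isolated hosts reach only promiscuous ports."""
    ra, rb = model.port_role.get(a), model.port_role.get(b)
    if a == b or ra is None or rb is None:
        return a == b
    if ra == "promiscuous" and rb == "promiscuous":
        return model.mapping.get(a, (None,))[0] == model.mapping.get(b, (None,))[0]
    if "promiscuous" in (ra, rb):
        prom, host = (a, b) if ra == "promiscuous" else (b, a)
        prim, secs = model.mapping.get(prom, (None, set()))
        hp, hs = model.host_assoc.get(host, (None, None))
        return prim == hp and hs in secs and hs in model.association.get(prim, set())
    hp_a, hs_a = model.host_assoc.get(a, (None, None))
    hp_b, hs_b = model.host_assoc.get(b, (None, None))
    return hp_a == hp_b and hs_a == hs_b and model.vlan_type.get(hs_a) == "community"


def find_misconfigurations(model):
    """Report host/promiscuous ports that reference secondaries not associated with their primary."""
    problems = []
    for port, (prim, sec) in model.host_assoc.items():
        if sec not in model.association.get(prim, set()):
            problems.append(f"{port}: secondary {sec} is not associated with primary {prim}")
    for port, (prim, secs) in model.mapping.items():
        missing = secs - model.association.get(prim, set())
        if missing:
            problems.append(f"{port}: mapping lists unassociated secondaries {sorted(missing)}")
    return problems


# Constructed sample: the page's configuration plus assumed community hosts fa0/7-8.
SAMPLE_CONFIG = """
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 101
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 50
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 100,101
Switch(config)# interface range fa0/5 - 6
Switch(config-if)# switchport private-vlan host
Switch(config-if)# switchport private-vlan host-association 50 101
Switch(config)# interface range fa0/7 - 8
Switch(config-if)# switchport private-vlan host
Switch(config-if)# switchport private-vlan host-association 50 100
Switch(config)# interface fa0/20
Switch(config-if)# switchport private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 50 100 101
"""

if __name__ == "__main__":
    m = parse_config(SAMPLE_CONFIG)
    print("problems:", find_misconfigurations(m) or "none")
    for x, y in [("fa0/5", "fa0/6"), ("fa0/5", "fa0/20"), ("fa0/7", "fa0/8"), ("fa0/7", "fa0/5")]:
        print(f"{x} <-> {y}: {can_communicate(m, x, y)}")
```

Running it on the sample confirms the rules in the list above: the two isolated hosts cannot reach each other, every host reaches the promiscuous port, the two community hosts reach each other, and a community host cannot reach an isolated host. The misconfiguration check catches the common slip of associating a host port with a secondary VLAN that was never added to the primary's association list.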
