Private VLAN
promiscuous port. In my picture above you can see that there’s a router connected to a promiscuous port. All other ports are able to communicate with the promiscuous port. Within the primary VLAN you will encounter one or more secondary VLANs. There are two types of secondary VLAN. They are:
• Community VLAN: All ports within the community VLAN are able to communicate with each other and the promiscuous port.
• Isolated VLAN: All ports within the isolated VLAN are unable to communicate with each other but they can communicate with the promiscuous port.
Private VLANs are only locally significant to the switch - VTP will not pass this information to other switches. Each switch interface in a private VLAN assumes a specific role:
Promiscuous - communicates with the primary VLAN and all secondary VLANs. Gateway devices such as routers and switches should connect to promiscuous ports.
Host - communicates only with promiscuous ports, or ports within the local community VLAN. Host devices connect to host ports.
PVLANs thus allow groups of host devices to be segmented within a VLAN, while still allowing those devices to reach external networks via a promiscuous gateway.
NOTE: Private VLANs are configured in VTP Transparent Mode.
Private VLAN Configuration
The first step to configuring Private VLANs is to specify the secondary VLANs:
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 101
Switch(config-vlan)# private-vlan isolated
Next, the primary VLAN must be specified, and the secondary VLANs associated with it:
Switch(config)# vlan 50
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 100,101
Secondary VLANs 100 and 101 have been associated with the primary VLAN 50. Next, Host ports must be identified, and associated with a primary and secondary VLAN:
Switch(config)# interface range fa0/5 - 6
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 50 101
Interfaces fa0/5 and fa0/6 have been identified as host ports, and associated with primary VLAN 50, and secondary VLAN 101. Finally, promiscuous ports must be identified, and associated with the primary VLAN and all secondary VLANs.
Switch(config)# interface fa0/20
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 50 100,101
Interface fa0/20 has been identified as a promiscuous port, and associated with primary VLAN 50, and secondary VLANs 100 and 101.
Show Commands
#show interfaces fastEthernet 0/20 switchport
#show vlan private-vlan
#show vlan private-vlan type
Points to Remember
• Devices within a community VLAN can communicate with each other AND the promiscuous port.
• Devices within an isolated VLAN cannot communicate with each other and can ONLY communicate with the promiscuous port.
• The promiscuous port can communicate with any other port.
• Secondary VLANs are unable to communicate with other secondary VLANs.
• Private VLANs can be spanned across multiple switches if you use trunks.
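The forwarding rules summarized above can be checked against a configuration offline. The following Python sketch is an added example, not part of the original notes or any Cisco tool: it parses a constructed config (the page's VLANs and ports, plus hypothetical community host ports fa0/7 and fa0/8) and answers whether two ports on the switch may exchange traffic. The function names parse and can_talk are assumptions made for illustration.

```python
# Constructed sample: the page's config plus hypothetical community ports fa0/7-8.
CONFIG = """\
vlan 100
 private-vlan community
vlan 101
 private-vlan isolated
vlan 50
 private-vlan primary
 private-vlan association 100,101
interface fa0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 50 101
interface fa0/6
 switchport mode private-vlan host
 switchport private-vlan host-association 50 101
interface fa0/7
 switchport mode private-vlan host
 switchport private-vlan host-association 50 100
interface fa0/8
 switchport mode private-vlan host
 switchport private-vlan host-association 50 100
interface fa0/20
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 50 100,101
"""

def parse(config):
    """Return (vlan_types, ports); ports maps name -> (role, primary, secondaries)."""
    vlan_types, ports, section = {}, {}, None
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):
            section = words              # e.g. ['interface', 'fa0/5']
        elif section[0] == "vlan" and words[1] in ("community", "isolated", "primary"):
            vlan_types[section[1]] = words[1]
        elif words[1:3] == ["private-vlan", "mapping"]:
            ports[section[1]] = ("promiscuous", words[3], set(words[4].split(",")))
        elif words[1:3] == ["private-vlan", "host-association"]:
            ports[section[1]] = ("host", words[3], {words[4]})
    return vlan_types, ports

def can_talk(a, b, vlan_types, ports):
    """Apply the page's forwarding rules to two ports on one switch."""
    (role_a, prim_a, sec_a), (role_b, prim_b, sec_b) = ports[a], ports[b]
    if prim_a != prim_b:
        return False
    if "promiscuous" in (role_a, role_b):
        return role_a == role_b or bool(sec_a & sec_b)   # mapped secondaries only
    return sec_a == sec_b and vlan_types[next(iter(sec_a))] == "community"  # host-to-host
```

A host port whose secondary VLAN is missing from the promiscuous port's mapping shows up here as unable to reach its gateway, which is a common cause of an isolated host losing connectivity after a change.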
Notes were helpful