Configuring private vlans on Cisco switches

Rate this post



Private VLANs are used to provide layer 2 isolation between members of the same broadcast domain. Private VLANs are documented in RFC 5517. In a standard VLAN environment traffic between members of the same VLAN can flow without restrictions. We can think of private VLANs like a segmentation of a normal VLAN in multiple subdomains. This feature is available only on layer 3 Catalyst 3560s and higher switches. Private VLANs can be used to address two issues found in service provider networks. First using normal VLANs an ISP must assign one VLAN per customer and thus a scalability problem would arise if the ISP needs to support more than 4094 clients which is the maximum number of supported VLANs by a device. Secondly when using IP routing each VLAN requires a separate subnet, which can lead to IP address management problems by wasting unused IP addresses.

Private VLAN concepts

Before starting to configure private VLANs lets define some terms and explain them. Based on the definition above a private VLAN can be viewed as a pair between a primary VLAN and a secondary VLAN. Primary VLANs are in fact the standard VLANs we use in most environments. Each primary VLAN can be associated with multiple secondary VLANs. All VLAN pairs in a private VLAN share the same primary VLAN. Secondary VLANs are not visible to the outside world or between them. They are differentiated by VLAN ID and can be divided into types:

  • Community VLANs – Any ports within a community VLAN can communicate with each other and the primary VLAN but cannot communicate with ports in other secondary VLANs at the layer 2 level.
  • Isolated VLANs – Any ports within an isolated VLAN cannot communicate with each other at the layer 2 level but can reach the primary VLAN.

Private VLAN ports are access ports and can be classified in the following types:

  • Promiscuous – A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN and usually connects to a router.
  • Community – A community port is an host port that belongs to a community secondary VLAN. Community ports can communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN.
  • Isolated – An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.

Note! If the switch you want to configure supports only VTP version 1 and 2 you need to configure the switch to be in VTP transparent mode before you can create any PVLANs. In this case private VLANs are only locally significant to a switch and cannot be propagated using VTP. Each of the private VLANs must be configured locally on each switch that interconnects them. If you’re using VTP version 3 private VLANs can be created in any VTP mode and be propagated to neighbour switches.

Private VLAN ports can exist on different switches if the devices are connected using trunk links and the primary and secondary VLANs have not been removed from the trunk.

Private VLAN configuration

Let’s put in practice what we have discussed so far. For the demonstration I’ll use the following diagram. I have defined 3 secondary VLANs:

  • VLAN 112 – community VLAN belonging to Customer A (PC1 and PC2)
  • VLAN 134 – community VLAN belonging to Customer B (PC3 and PC4)
  • VLAN 156 – isolated VLAN belonging to Customer C (PC5 and PC6)

VLAN 100 will be used as the primary VLAN and hosts PC1 through PC6 will be used to test the configuration. Port Gi0/1 on SW2 will be used as a promiscuous port. I’ll use subnet for the primary VLAN.

Private VLANs

Assuming we are still using VTP version 1 or 2 first we need to change the VTP mode to transparent on both switches SW1 and SW2.

SW1(config)# vtp mode transparent
Setting device to VTP TRANSPARENT mode.

SW2(config)# vtp mode transparent
Setting device to VTP TRANSPARENT mode.

Next step is to create the secondary VLANs on both switches SW1 and SW2.

SW1(config)# vlan 112
SW1(config-vlan)# private-vlan community
SW1(config-vlan)# vlan 134
SW1(config-vlan)# private-vlan community
SW1(config-vlan)# vlan 156
SW1(config-vlan)# private-vlan isolated

Here I defined vlan 112 and 134 as community VLANs and vlan 156 as isolated VLAN. Apply this step on switch SW2 also.

Now define the primary VLAN that will provide the underlying private VLAN connectivity using the following configuration commands:

SW1(config)# vlan 100
SW1(config-vlan)# private-vlan primary
SW1(config-vlan)# private-vlan association 112,134,156

After defining the primary VLAN you need to associate it with the secondary VLANs using the association keyword. If the primary VLAN already has been configured, you can add (add) or remove (remove) secondary VLAN associations individually.

Associate ports with the private VLANs

Looking at the above diagram we need to configure ports Gi0/1, Gi0/3, Gi1/1, Gi1/2 on SW1 and ports Gi0/2, Gi1/0 on SW2 as private VLAN host ports. This can be achieved by running the command switchport private-vlan mode host for each interface specified above.

SW1(config)# interface range Gi0/1, Gi0/3, Gi1/1, Gi1/2
SW1(config-if)# switchport mode private-vlan host
SW2(config)# interface Gi0/2, Gi1/0
SW2(config-if)# switchport mode private-vlan host

Next we need to define the private-VLAN association for host ports by using the switchport private-vlan host-association command for each interface.

SW1(config)# interface Gi0/1
SW1(config-if)# switchport private-vlan host-association 100 112
SW1(config)# interface Gi0/3
SW1(config-if)# switchport private-vlan host-association 100 134
SW1(config)# interface Gi1/1
SW1(config-if)# switchport private-vlan host-association 100 156
SW2(config)# interface Gi1/2
SW1(config-if)# switchport private-vlan host-association 100 156
SW2(config)# interface Gi0/2
SW2(config-if)# switchport private-vlan host-association 100 112
SW2(config)# interface Gi1/0
SW2(config-if)# switchport private-vlan host-association 100 134

Since interface Gi0/1 on SW2 is connected to the outside gateway GW we need to setup this as a promiscuous port and then map it to primary and secondary VLANs. Use the following interface configuration commands.

SW2(config)# interface Gi0/1
SW2(config-if)# switchport mode private-vlan promiscuous
SW2(config-if)# switchport private-vlan mapping 100 112,134,156

Since the isolated and community host ports are connected to hosts (PC1 through PC6) we can enable PortFast on these ports using the spanning-tree portfast command. This helps prevent STP loops due to misconfigurations and speed up STP convergence.

SW1(config)# interface range Gi0/1, Gi0/3, Gi1/1, Gi1/2
SW1(config-if)# spanning-tree portfast
SW2(config)# interface Gi0/2, Gi1/0
SW2(config-if)# spanning-tree portfast

As with regular VLANs, private VLANs can span multiple switches. According to our diagram both Gi0/0 ports on switches SW1 and SW2 need to be configured as trunk ports in order to allow private VLAN communication across switches.

SW1(config)# interface Gi0/0
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW2(config)# interface Gi0/0
SW2(config-if)# switchport trunk encapsulation dot1q
SW2(config-if)# switchport mode trunk

Now that private VLAN configuration is complete lets proceed and check that everything works properly.

Monitoring and troubleshooting private VLANs

You can display information about configured private VLANs, including primary and secondary VLAN IDs, type and ports belonging to the private VLAN by using the following command:

SW1# show vlan private-vlan 

Primary    Secondary     Type                Ports
---------- ------------  ------------------- -----------------------------
100        112           community           Gi0/1
100        134           community           Gi0/3
100        156           isolated            Gi1/1, Gi1/2

Another useful command to view private VLAN status and configuration of a specific interface is show interfaces <interface-name> switchport.

SW1# show interfaces Gi0/1 switchport 
Name: Gi0/1
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 100 (VLAN0100) 112 (VLAN0112) 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: 
  100 (VLAN0100) 112 (VLAN0112) 
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Appliance trust: none

In the above output I have highlighted in red private VLAN related information and you can observe that port Gi0/1 is a private VLAN host port which belongs to secondary VLAN 112. Now to test this let’s go to the console of the hosts PC1 through PC6 and run some ping tests. First let’s test communication between PC1 and PC2 which are members of the same community VLAN 112.

PC1> ping -c 1
84 bytes from icmp_seq=1 ttl=64 time=0.782 ms

Next let’s try to ping from host PC1 to PC3.

PC1> ping -c 1 icmp_seq=1 timeout

As you can see host PC3 is not reachable from PC1 because is in a different community VLAN. Now we’ll test communication between host PC5 and PC6.

PC5> ping -c 1 icmp_seq=1 timeout

Again host PC6 is not reachable from PC5 because both host are in the isolated VLAN. One last test let’s check the reachability of the primary VLAN gateway from PC6.

PC6> ping -c 1
84 bytes from icmp_seq=1 ttl=64 time=0.471 ms


I hope this article has cleared the confusion about how private vlans work. Cisco also offers another feature called protected port or PVLAN Edge which has some similarities with private vlans but will be discussed in a separate article. For more information about private VLANs please check the official Cisco documentation available here.

One comment

  • Guan

    Hi, I had tested the isolated vlan in my environment, server in primary vlan able to ping the secondary isolated vlan server, but the secondary isolated vlan unable to ping the primary vlan server. Do you have any idea about this?
    vtp mode transparent
    vlan 123
    private-vlan primary
    private-vlan association 456
    vlan 456
    private-vlan isolated
    interface GigabitEthernet1/0/1
    switchport private-vlan mapping 123 456
    switchport mode private-vlan promiscuous
    spanning-tree portfast
    interface GigabitEthernet1/0/2
    switchport private-vlan host-association 123 456
    switchport mode private-vlan host
    spanning-tree portfast

Leave a Reply

Your email address will not be published.