Roger Perkin

Network Automation Architect

Private Vlans Explained

Introduction to Private Vlans

A normal Vlan is essentially a single broadcast domain: every device in it that is addressed on the same subnet can communicate with every other device. In shared hosting environments, to save IP address space and Vlans, it would be useful to isolate devices within the same vlan and prevent them from communicating with each other. If a server belonging to company A was compromised you would not want it to be able to talk to a server belonging to company B in the same Vlan.

One solution to this problem is protected ports, but a protected port only blocks traffic to other protected ports on the same switch; it does nothing for a host on a neighbouring switch. If you require device isolation within a vlan across multiple switches you are going to need a Private Vlan.

Private Vlans Explained

For the rest of this post I will be using the topology below.

[Diagram: private vlans explained]

PRIVATE VLAN TERMS

There are three types of ports within private vlans, Promiscuous, Community and Isolated.

  • PROMISCUOUS – A promiscuous port is normally the way out of the network, for example the port towards the default gateway. Every port within the private vlan can talk to the promiscuous port at Layer 2.
  • COMMUNITY – A community port can talk to other community ports in the same community vlan and to the promiscuous port, but not to an isolated port or to a port in a different community vlan.
  • ISOLATED – An isolated port cannot talk to anything except the promiscuous port, not even to another isolated port, whether that port is on the same switch or a different one.

There are then two types of Vlan used to carry traffic between the different private vlan port types, a primary vlan and one or more secondary vlans.

  • PRIMARY VLAN – This is the main vlan. It carries traffic from the promiscuous port down to every host port, isolated and community alike, and it is the vlan the promiscuous port itself belongs to.
  • SECONDARY VLAN ISOLATED – This vlan carries traffic from the isolated ports up to the promiscuous port. You only need one, because isolated ports are never allowed to talk to each other anyway.
  • SECONDARY VLAN COMMUNITY – This vlan carries traffic from the community ports up to the promiscuous port and between the members of that community. You can have multiple community vlans, one per group of hosts that should see each other.

Private Vlan Configuration

Now you have an understanding of the basic terminology we are going to configure the private vlans defined in the diagram above.

We need to ensure the same three vlans are configured on both switches.

We will make the primary vlan 500, the community vlan 600 and the isolated vlan 999.

First you need to ensure the switch is running in vtp transparent mode. VTP versions 1 and 2 do not carry private vlan information, and the switch will not accept the private-vlan commands until it is transparent (VTP version 3 can propagate private vlans, but with version 1 or 2 transparent mode is required).

SW1(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
SW1(config)

SW2(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
SW2(config)#

Next we need to define the vlans. As the switches are running in transparent mode this has to be done on both of them; we could have created the vlans first while the switches were still participating in VTP. Either way, make sure the vlans you are using for private vlans exist on both switches and on any switch in the transit path, otherwise the frames will be dropped on the way through.

 

SW1(config)#vlan 500,600,999
SW1(config-vlan)#

SW2(config)#vlan 500,600,999
SW2(config-vlan)#

We now need to make vlan 500 the primary vlan – you can see from the ? the options available for configuring private vlans we will be exploring all of these.

SW1(config-vlan)#private-vlan ?
association  Configure association between private VLANs
community    Configure the VLAN as a community private VLAN
isolated     Configure the VLAN as an isolated private VLAN
primary      Configure the VLAN as a primary private VLAN

SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#

Next we will make vlan 600 a community vlan and vlan 999 an isolated vlan. As the switches are in transparent mode this has to be repeated on SW2 (only SW1 is shown).

SW1(config)#vlan 600
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#vlan 999
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#

We now need to associate the primary and secondary vlans together; this needs to be done on both switches.

SW1(config)#vlan 500
SW1(config-vlan)#private-vlan association 600,999
SW1(config-vlan)#

SW2(config)#vlan 500
SW2(config-vlan)#private-vlan association 600,999
SW2(config-vlan)#

Defining the host ports

Now the vlan configuration has been done we need to define the host ports with a private vlan host association. Port Fa0/1 on SW1 connects to R1 and Fa0/1 on SW2 connects to R2; both are going to be associated with primary vlan 500 and community vlan 600. The port mode is set to private-vlan host, and the host-association command names the primary vlan first and the secondary vlan second.

SW1(config)#int fa0/1
SW1(config-if)#description to R1
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 600
SW1(config-if)#spanning-tree portfast

The same needs to be done on SW2

SW2(config)#int fa0/1
SW2(config-if)#description to R2
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#switchport private-vlan host-association 500 600
SW2(config-if)#spanning-tree portfast

Finally we need to do the same for R3 and R4. These routers are going to be associated with the isolated vlan, which means they will not be able to talk to each other, only to the promiscuous port. The port mode still has to be set to private-vlan host; without it the host-association is not applied and the port does not operate as a private vlan port.

SW1(config)#int fa0/3
SW1(config-if)#description to R3
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 999
SW1(config-if)#spanning-tree portfast

The same again on SW2 for R4

SW2(config)#int fa0/4
SW2(config-if)#description to R4
SW2(config-if)#switchport mode private-vlan host
SW2(config-if)#switchport private-vlan host-association 500 999
SW2(config-if)#spanning-tree portfast

Verify the Private Vlan Configuration

To verify your work run show vlan private-vlan and show vlan private-vlan type. Check that every host port you configured appears in the Ports column against the secondary vlan you intended; a port that is missing from this output is not operating as a private vlan port and its host is not isolated.

SW1#sh vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
500     600       community         Fa0/1
500     999       isolated          Fa0/3

SW1#sh vlan private-vlan type

Vlan Type
---- -----------------
500  primary
600  community
999  isolated
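The isolation rules from the terms section, the host port configuration above and this show output can all be captured in one small model. The following is an added example, not code from the original post or from Cisco: a Python script that encodes who may talk to whom under private vlan rules, generates the 3560 interface commands for each role (including the promiscuous port, which this post does not configure), and parses the show vlan private-vlan output above to audit it against the intended policy. The promiscuous gateway port Fa0/24 on SW1 is an assumption; the post's diagram does not give it.

```python
"""Model a Cisco private VLAN (PVLAN) isolation policy and check it.
Added example, not code from the original post. VLAN numbers and host ports
follow the post (primary 500, community 600, isolated 999); the promiscuous
gateway port Fa0/24 on SW1 is an ASSUMPTION, the post never configures it.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from itertools import combinations

PRIMARY, COMMUNITY_VLANS, ISOLATED_VLAN = 500, {600}, 999


@dataclass(frozen=True)
class Port:
    switch: str
    name: str
    role: str                     # "promiscuous", "community" or "isolated"
    secondary: int | None = None  # secondary VLAN of a host port


def can_talk(a: Port, b: Port) -> bool:
    """Layer-2 reachability between two PVLAN ports, on any switches.
    Promiscuous reaches everything (the primary VLAN carries traffic down to
    every host port); community hosts reach only their own community VLAN;
    isolated hosts reach only the promiscuous port, never another isolated host."""
    if "promiscuous" in (a.role, b.role):
        return True
    if a.role == b.role == "community":
        return a.secondary == b.secondary
    return False


def port_config(p: Port) -> list[str]:
    """IOS interface commands for one PVLAN port (Catalyst 3560 syntax)."""
    lines = [f"interface {p.name}"]
    if p.role == "promiscuous":
        secs = ",".join(str(v) for v in sorted(COMMUNITY_VLANS | {ISOLATED_VLAN}))
        lines += ["switchport mode private-vlan promiscuous",
                  f"switchport private-vlan mapping {PRIMARY} {secs}"]
    else:
        lines += ["switchport mode private-vlan host",
                  f"switchport private-vlan host-association {PRIMARY} {p.secondary}",
                  "spanning-tree portfast"]
    return lines


_ROW = re.compile(r"^(\d+)\s+(\d+)\s+(community|isolated)\s*(.*)$")


def parse_show_pvlan(switch: str, output: str) -> list[Port]:
    """Turn 'show vlan private-vlan' output into Port objects. A port listed
    under more than one secondary VLAN cannot be a host port (a host port has
    exactly one host-association), so it is classed as promiscuous; confirm
    roles with 'show interfaces switchport' on real gear."""
    rows: dict[str, list[tuple[int, str]]] = {}
    for line in output.splitlines():
        if m := _ROW.match(line.strip()):
            _, secondary, vtype, portlist = m.groups()
            for name in filter(None, re.split(r"[,\s]+", portlist)):
                rows.setdefault(name, []).append((int(secondary), vtype))
    return [Port(switch, n, "promiscuous") if len(r) > 1 else Port(switch, n, r[0][1], r[0][0])
            for n, r in rows.items()]


def audit(intended: list[Port], observed: list[Port]) -> list[str]:
    """Ports whose observed PVLAN role differs from the intended policy."""
    got = {(p.switch, p.name): p for p in observed}
    problems = []
    for p in intended:
        actual = got.get((p.switch, p.name))
        if actual is None:
            problems.append(f"{p.switch} {p.name}: not a private-vlan port at all")
        elif actual != p:
            problems.append(f"{p.switch} {p.name}: expected {p.role}/{p.secondary}, "
                            f"found {actual.role}/{actual.secondary}")
    return problems


# Intended policy from the post, plus the assumed promiscuous gateway port.
INTENDED = [
    Port("SW1", "Fa0/1", "community", 600),   # R1
    Port("SW2", "Fa0/1", "community", 600),   # R2
    Port("SW1", "Fa0/3", "isolated", 999),    # R3
    Port("SW2", "Fa0/4", "isolated", 999),    # R4
    Port("SW1", "Fa0/24", "promiscuous"),     # assumed, not in the post
]

# Constructed sample: the SW1 'show vlan private-vlan' output from the post.
SW1_SHOW = """\
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
500     600       community         Fa0/1
500     999       isolated          Fa0/3
"""

if __name__ == "__main__":
    for a, b in combinations(INTENDED, 2):
        print(f"{a.switch} {a.name:6} <-> {b.switch} {b.name:6}:",
              "allowed" if can_talk(a, b) else "blocked")
    print("\n".join(port_config(INTENDED[-1])))
    print(audit([p for p in INTENDED if p.switch == "SW1"], parse_show_pvlan("SW1", SW1_SHOW)))
```

Running it prints the allowed/blocked matrix for the five ports (R1 and R2 reach each other across the two switches, R3 and R4 do not), the promiscuous port commands, and the audit of SW1. The audit flags Fa0/24 because the post never configures a promiscuous port, so until one exists nothing in vlan 600 or 999 has a way out of the private vlan. The printed matrix is the expected result to compare against real pings between R1 to R4 once the promiscuous port is up.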

For complete information on private vlan configuration, the full Cisco documentation for the 3560 switch (which is what I was working on) can be found here: www.cisco.com/…configuration/guide/swpvlan.html

Category: switching · Tags: CCIE, ccie blog, Cisco 3560

Hi I'm Roger Perkin,
Based in the UK working as a Network Automation Architect, CCIE #50038

Copyright © 2025 · Roger Perkin · All Rights Reserved · Privacy Policy – Terms