Private VLAN (PVLAN) on Cisco Catalyst Switch

In a previous tutorial I explained the protected port feature on Cisco Catalyst Switches. This time we will look at the private VLAN which I can best describe as protected ports on steroids. If you have no idea what a protected port or VLAN is, I highly recommend to read my previous tutorial first. Having said that, let’s get started with a nice topology picture:

Private VLAN Example

Many network students believe private VLANs are very complex when they see this for the first time. I’m going to break it down and explain to you how it works.
The private VLAN always has one primary VLAN. Within the primary VLAN you will find the promiscuous port. In my picture above you can see that there’s a router connected to a promiscuous port. All other ports are able to communicate with the promiscuous port. Within the primary VLAN you will encounter one or more secondary VLANs, there are two types:

  • Community VLAN: All ports within the community VLAN are able to communicate with each other and the promiscuous port.
  • Isolated VLAN: All ports within the isolated VLAN are unable to communicate with each other but they can communicate with the promiscuous port.

Isolated Island with House

 

The names for these secondary VLANs are well chosen if you ask me. In a community everyone is able to talk to each other. When you are isolated you can only talk to yourself or in case of our private VLANs…the promiscuous port.

 

Secondary VLANS can always communicate with the promiscuous port but they can never communicate with other secondary VLANs! Are you following me so far? If so…good! If you are still a little fuzzy, don’t worry. I’m going to show you the configuration and demonstrate to you how this works.

Configuration

First let me show you the topology that I will use for this demonstration:

private vlan configuration example topology

Let me sum up what we have here:

  • The primary VLAN has number 500.
  • The secondary community VLAN has number 501.
  • The secondary isolated VLAN has number 502.
  • I just made up these VLAN numbers; you can use whatever you like.
  • H1 and H2 in the community VLAN should be able to reach each other and also the server connected to the promiscuous port.
  • H3 and H4 in the isolated VLAN can only communicate with the server on the promiscuous port.
  • The server should be able to reach all ports.

Let’s get started!

SW1(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.

Configuring private VLANs requires us to change the VTP mode to Transparent.

SW1(config)#vlan 501
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#vlan 500
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#private-vlan association add 501

Let’s start with the configuration of the community VLAN. First I create VLAN 501 and tell the switch that this is a community VLAN by typing the private-vlan community command. Secondly I am creating VLAN 500 and configuring it as the primary VLAN with the private-vlan primary command. Last but not least I need to tell the switch that VLAN 501 is a secondary VLAN by using the private-vlan association command.

SW1(config)#interface range fa0/1 - 2
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 500 501

Interface fa0/1 and fa0/2 are connected to H1 and H2 and belong to the community VLAN 501. On the interface level I need to tell the switch that these are host ports by issuing the switchport mode private-vlan host command. I also have to use the switchport private-vlan host-association command to tell the switch that VLAN 500 is the primary VLAN and 501 is the secondary VLAN.

SW1(config)#interface fa0/24
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 500 501

This is how I configure the promiscuous port. First I have to tell the switch that fa0/24 is a promiscuous port by typing the switchport mode private-vlan promiscuous command. I also have to map the VLANs by using the switchport private-vlan mapping command. Here is the output for FastEthernet 0/1:

SW1#show interfaces fastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 500 (VLAN0500) 501 (VLAN0501)
Administrative private-vlan mapping: none

We can verify our configuration by looking at the switchport information. Interface fa0/2 has the same configuration as fa0/1.

SW1#show interface fa0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: private-vlan promiscuous
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 500 (VLAN0500) 501 (VLAN0501)

Here is the switchport information for fa0/24 (our promiscuous port). You can see the mapping information.

SW1#show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- -----------------------------------------
-
500 501 community Fa0/1, Fa0/2, Fa0/24

The show vlan private-vlan command gives us valuable information. You can see that VLAN 500 is the primary VLAN and 501 is the secondary VLAN. It also tells us whether the
VLAN is a community or isolated VLAN the ports.

SW1#show vlan private-vlan type
Vlan Type
---- -----------------
500 primary
501 community

I also like the show vlan private-vlan type command because it gives us a quick overview of the private VLANs.

So what’s the result of this configuration?

If everything is OK we should now have a working community VLAN…let’s find out!

C:Documents and SettingsH1>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128

H1 is able to reach H2.

C:Documents and SettingsH1>ping 192.168.1.254
Pinging 192.168.1.254 with 32 bytes of data:
Reply from 192.168.1.254: bytes=32 time<1ms TTL=128

H1 can also reach the server behind the promiscuous port.

C:Documents and SettingsS1>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128

The server is able to reach H2. Great! Our community VLAN seems to be up and running. Let’s continue with the configuration of the isolated VLAN.

SW1(config)#vlan 502
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#vlan 500
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#private-vlan association add 502

The configuration is the same as the community VLAN but this time I’m using the private vlan isolated command. Don’t forget to add the association between the primary and secondary VLAN using the private-vlan association add command. The private-vlan primary command is obsolete because I already did this before, I’m just showing it to keep the configuration complete.

SW1(config)#interface range fa0/3 - 4
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 500 502

This part is exactly the same as the configuration for the community VLAN but I’m configuring interface fa0/3 and fa0/4 which are connected to H3 and H4.

SW1(config)#interface fa0/24
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 500 502

I already configured fa0/24 as a promiscuous port but I’m showing it here as well to keep the configuration complete. I do need to create an additional mapping between VLAN 500 (primary) and VLAN 502 (secondary).

Let’s verify our work!

SW1#show interfaces fa0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 500 (VLAN0500) 502 (VLAN0502)
Administrative private-vlan mapping: none

Looking good…we can see the host-association between VLAN 500 and 502.

SW1#show interfaces fastEthernet 0/4 switchport | include host-as
Administrative private-vlan host-association: 500 (VLAN0500) 502 (VLAN0502)

A quick look at fa0/4 shows me the same output as fa0/3.

SW1#show interfaces fa0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: private-vlan promiscuous
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 500 (VLAN0500) 501 (VLAN0501) 502
(VLAN0502)

We can now see that VLAN 501 and VLAN 502 are mapped to primary VLAN 500.

SW1#show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- -----------------------------------------
-
500 501 community Fa0/1, Fa0/2, Fa0/24
500 502 isolated Fa0/3, Fa0/4, Fa0/24

Here’s a nice clean overview which shows us all the VLANs, the mappings and the interfaces.

SW1#show vlan private-vlan type
Vlan Type
---- -----------------
500 primary
501 community
502 isolated

Or if you only care about the VLAN numbers and the VLAN type this is what you need.

What will the result be of our hard labor?

C:\Documents and Settings\H3>ping 192.168.1.254
Pinging 192.168.1.254 with 32 bytes of data:
Reply from 192.168.1.254: bytes=32 time<1ms TTL=128

H3 can reach the server behind the promiscuous port.

C:\Documents and Settings\H4>ping 192.168.1.254
Pinging 192.168.1.254 with 32 bytes of data:
Reply from 192.168.1.254: bytes=32 time<1ms TTL=128

H4 can also reach the server behind the promiscuous port.

C:\Documents and Settings\H3>ping 192.168.1.4
Pinging 192.168.1.4 with 32 bytes of data:
Request timed out.
Ping statistics for 192.168.1.4:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

There is no reachability between H3 and H4 because they are in the isolated VLAN.

What about reachability between VLAN 501 and VLAN 502? Let’s give it a try:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 654 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

535 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: , ,


Forum Replies

  1. Hi Fabian,

    When you configure a VLAN as the primary VLAN then it will be primary. It can’t be the primary and “regular” VLAN at the same time. When you want to migrate to a private VLAN…do it when nobody is around, it’s easy to break stuff :slight_smile:

    Do you want to use private VLANs to prevent server-to-server traffic? If so, I would configure a new VLAN as the primary VLAN with some new secondary VLANs. Assign some unused switchports to it, see if it works. Configure the interface that connects to the firewall as the promiscuous port. When it works, you can assign the s

    ... Continue reading in our forum

  2. do we have to run (switchport access vlan ##) on community or isolated ports?

  3. Hello Azm

    Yes, it is possible to configure multiple trunk ports as promiscuous ports for a single primary VLAN. You would configure this if you want to span a primary VLAN over three switches for example.

    Secondly, it is possible as well to configure a single trunk port as a promiscuous port for multiple primary VLANs. This again, would be the case if you have multiple primary VLANs that you want to span over more than one switch. Specifically, Cisco states:

    Multiple private VLAN pairs can be specified using the switchport private-vlan mapping trunk command

    ... Continue reading in our forum

  4. Hello Edi

    The configuration on the interfaces connecting SW1 and SW2 are configured as trunks that include VLANs 500 501 and 502. Although we are not told in Rene’s diagram which interface this connection is on, let’s assume that it’s Fa0/5. The configuration for these interfaces can be seen below:

    **Switch 1**

    interface fastethernet 0/5
     switchport mode trunk
     switchport trunk allowed vlans 500,501,502
    

    **Switch 2**

    interface fastethernet 0/5
     switchport mode trunk
     switchport trunk allowed vlans 500,501,502
    

    I hope this has been helpful!

    Laz

  5. Hello Laz,

    your answer is awesome and really easy to understand. Thanks a lot.

    Regards,

    Lukas

86 more replies! Ask a question or join the discussion by visiting our Community Forum