Private Vlans

Quick post on how to configure Private Vlans on a switch


In private VLANs we pair a primary VLAN with a secondary VLAN. Primary VLANs are the normal ordinary VLANs and secondary VLANs use the same VLAN ID range and are defined in the same manner as primary VLANs, but they operate as secondary VLANs in one of two modes:

•Isolated – Hosts in this vlan cannot communicate with each other or with hosts ports in any other private VLANs.

•Community – Hosts in this vlan attached to community ports can communicate with each other , but not with hosts ports in other private VLANs.

An access port assigned to a private VLAN operates in one of two modes:

•Host – The port inherits its behavior from the type of private VLAN it is assigned to.

•Promiscuous – The port can communicate with any other private VLAN port in the same primary VLAN.

Private_Vlan_Switch#conf t
Private_Vlan_Switch(config)#vtp mode transparent
Private_Vlan_Switch(config)#vlan 200
Private_Vlan_Switch(config-vlan)#private-vlan primary

Private_Vlan_Switch(config)#vlan 205
Private_Vlan_Switch(config-vlan)#private-vlan community

Private_Vlan_Switch(config)#vlan 210
Private_Vlan_Switch(config-vlan)#private-vlan isolated

Private_Vlan_Switch(config)#vlan 200
Private_Vlan_Switch(config-vlan)#private vlan association 205,210

Private_Vlan_Switch(config)#int fa0/1
Private_Vlan_Switch(config-if)#switchport mode private-vlan host
Private_Vlan_Switch(config-if)#switport private-vlan host association 200 205

Private_Vlan_Switch(config)#int fa2/0
Private_Vlan_Switch(config-if)#switchport mode private-vlan host
Private_Vlan_Switch(config-if)#switport private-vlan host association 200 205

Private_Vlan_Switch(config)#int fa3/0
Private_Vlan_Switch(config-if)#switchport mode private-vlan host
Private_Vlan_Switch(config-if)#switchport private-vlan host association 200 210

Private_Vlan_Switch(config)#int fa0/0
Private_Vlan_Switch(config-if)#switchport mode private-vlan promiscuous
Private_Vlan_Switch(config-if)#switchport private-vlan mapping 200 205,210

Private_Vlan_Switch#show vlan private-vlan

Just found this post on INE webpage made by Petr Lapukhov where after you’ve read and labbed it you cant go wrong with Private Vlans cause in the end the concept is really simple and logical.

Enjoy !


About ccie4all
Hello, and welcome to the first post of my CCIE blog This blog has got one simple goal and that is to improve our skills in Cisco Networking field so we can become best engineers on a job market. Wordpress Blog information about the changes made to Gns3 BGP , MPLS and R&S CCIE labs. In order to access and download all provided materials and receive important updates from Gns3 BGP , MPLS and R&S CCIE labs under GNS3 tab in the main header please go ahead and subscribe to ! All other posts have not been affected and can be accessed at any given time. Enjoy ! Tom

4 Responses to Private Vlans

  1. shadab says:

    good post,but where can we use this private vlan in real time.

    • ccie4all says:

      I can see ISPs using private vlans if they had a limited number of subnets and that when logically they would assign all of the customers in a single geographic area into the same IP subnet.
      It does however open a potential security issue as companies would not want other companies to see their layer 2 traffic.
      Individual customers who only have a single port connected into the service provider can be assigned into an isolated private VLAN that way their traffic would then only be sent and received by the ISP devices connected directly to the primary VLAN.

      Or another example would be if some company existed in the same geographic area and had multiple offices with multiple Internet connections. Then the idea would be to connect all of these internet connections with community VLANs so that each would be able to talk directly to each other and go out and utilize the same Internet connection.

      I guess private vlans is a great concept for ISP network engineers and not other typical world wide companies but then again it all depends on requirements , one thing’s for sure , chances you won’t get it in your R&S CCIE lab while configuring your Layer 2 tasks are very slim 🙂

  2. Raul says:

    Another use os private lans is for guest users. Can access to internet (promiscuous mode) but can’t access to any other resource, or any other guest user (isolated mode)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: