Private VLANs

VLANs are used for a variety of purposes in modern networks depending on the architecture goals. Since VLANs prevent cross talk between hosts in different VLANs without an intervening router, they are often used as a security feature to isolate hosts. If inter-VLAN communication is required, layer three devices like routers and multilayer switches often come with enhanced security feature sets that compliment the VLAN design. Another common use is based on the physical location of hosts – like in the example of separate VLANs per floor of an office building. Keeping physical drops in logical VLAN groupings helps to organize networks both physically and logically.

Cisco best practice dictates a single IP subnet per VLAN. The rule creates an inefficient use of IP addressing in situations where large numbers of VLANs are required, but each with a small number of hosts.

Multitenant offerings are a good example of this. Service providers can use a single switch and IP subnet for all customers in a building while maintaining traffic isolation between customers. In this situation, if every VLAN required only two hosts, a /30 VLAN would waste 50% of its IP address space to network and broadcast addresses. Private VLANs were created to resolve this inefficiency by using a single IP subnet across multiple VLANs while still maintaining traffic isolation boundaries.

Private VLANs work by breaking up a single primary VLAN into multiple non-overlapping secondary VLANs. The primary VLAN represents the set of secondary VLANs to the outside world, which can only see the primary VLAN. Each of the secondary VLANs share the same IP subnet as the primary VLAN, although each of them uses an individually assigned VLAN ID that is associated with the primary VLAN.

Secondary VLAN Types

Secondary VLANs can be one of two types: community or isolated. Ports assigned to the same community VLAN can only communicate only with other ports in the same community VLAN. This is the same behavior as we would expect in a normal VLAN. Many community VLANs can be created and associated to the same primary VLAN. This isolates hosts in different community VLANs, while allowing devices in the same group to communicate.

Alternatively, hosts assigned to isolated ports are not able to communicate with other isolated or community ports. Only a single isolated VLAN can be associated with a primary VLAN. This works because ports assigned to isolated VLANs cannot talk to any other ports; this allows multiple hosts to be assigned to the same isolated VLAN while maintaining traffic separation.

Finally, each secondary VLAN, either community or isolated, must be associated with a primary VLAN.

Private VLANs Basic Diagram

The diagram above shows a simple private VLAN design using two switches and a router. Notice that community VLAN 101 is extended across both switches. Trunking secondary VLANs across trunk links is supported by most Cisco switch platforms, including both community and isolated network types.

Promiscuous Ports

Since ports assigned to community VLANs can only communicate with other ports assigned to the same community VLAN and isolated VLANs cannot communicate with any ports, the question becomes how do hosts attached to private VLANs talk to the outside world?

Promiscuous ports solve that limitation. Promiscuous ports are special ports assigned to the primary VLAN that can communicate with any port in any secondary VLAN. This allows shared devices like routers, network printers, and network-attached storage to communicate with any secondary VLAN port. In the diagram above, the port on SW1 connected to the router is configured as a promiscuous port to allow external communication to and from the secondary VLAN devices. If there are multiple promiscuous ports configured within the same primary VLAN, they can also communicate with each other.

Since promiscuous ports act as an exit for secondary VLAN ports through a primary VLAN, you might think they carry both the primary and secondary VLAN information over trunk links. This isn’t the case however. Promiscuous ports are access ports assigned to the primary VLAN. They do not carry any VLAN tagging information.

Private VLAN Summary

  • Community ports can communicate with other ports in the same community VLAN and all promiscuous ports in the primary VLAN.
  • Isolated ports can only communicate to promiscuous ports in the associated primary VLAN.
  • Promiscuous ports (assigned to the primary VLAN) can communicate with all other promiscuous ports in the same primary VLAN as well as all secondary VLAN ports associated with the same primary VLAN.

Extending Private VLANs Between Switches

As we mentioned, it is entirely possible to extend private VLANs between switches and maintain the same traffic separation rules between promiscuous, community, and isolated ports. This requires that all of the primary and secondary VLAN information is configured identically on each switch however. This includes VLAN ID numbers, types, as well as the primary/secondary associations.

A trunk link between the switches is required to properly pass PVLAN information between the switches. Here’s how it works. When a frame is received on a community or isolated switch port, the switch forwards the frame through the trunk port tagged with the VLAN ID of the secondary VLAN. The receiving switch then processes the frame accordingly based on the rules around which type of secondary VLAN it is assigned to.

When a switch receives a frame on a promiscuous port, it forwards the frame through the trunk port tagged with the primary VLAN ID. The receiving switch forwards the packet with the same rules as if it were received on the local primary VLAN.

In short, to allow private VLANs to pass and be processed correctly between directly connected switches, configure identical primary/secondary VLAN information and attributes on all connected switches and verify that the primary/secondary VLANs are allowed and forwarding on the connecting trunk ports.

Configuring Private VLANS

Private VLANs can only be configured in VTP transparent mode.

In this example we will configure two community secondary VLANs (101 and 102) and one isolated secondary VLAN (999). The primary VLAN 10 will then be created to associate the secondary VLAN ports to.

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#vlan 999
SW1(config-vlan)#name Quarantine
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#vlan 101
SW1(config-vlan)#name Customer1
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#vlan 102
SW1(config-vlan)#name Customer2
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#vlan 10
SW1(config-vlan)#name Gateway
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#private-vlan association 101-102,999

The show vlan private-vlan command is helpful for displaying private VLAN details, including type and association information. Since the private VLANs were just created, no access ports have assigned to them.

SW1#show vlan private-vlan

Primary Secondary Type Ports
——- ——— —————– ——————————————
10 101 community
10 102 community
10 999 isolated

Now we need to add the secondary VLANs to individual interfaces.

  • FastEthernet 1/0/19-20 are assigned to community VLAN 101.
  • FastEthernet 1/0/24-26 are assigned to community VLAN 102.
  • FastEthernet 1/0/22-23 are assigned to isolated VLAN 999.
  • FastEthernet 1/0/30 is assigned to the primary VLAN 10 and is mapped to all of the secondary VLANs.

SW1(config)#interface range Fa1/0/19-20
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 10 101
SW1(config)#interface range Fa1/0/24-26
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 10 102
SW1(config)#interface range Fa1/0/22-23
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 10 999
SW1(config)#interface Fa1/0/30
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 10 101-102,999


Issue the show vlan private-vlan command to show the secondary VLAN interface assignments. Now we can see the the interfaces appropriately assigned. Notice that FastEthernet 1/0/30 is assigned to all three secondary VLANs in the output. Promiscuous ports assigned to the primary VLAN are associated with all secondary VLANs, which is why we see FastEthernet 1/0/30 in all three VLANs.

SW1#show vlan private-vlan

Primary Secondary Type Ports
——- ——— —————– ——————————————
10 101 community Fa1/0/19, Fa1/0/20, Fa1/0/30
10 102 community Fa1/0/24, Fa1/0/25, Fa1/0/26, Fa1/0/30
10 999 isolated Fa1/0/22, Fa1/0/23, Fa1/0/30

Primary VLAN SVI Interface Configuration

If an SVI interface is required to route the private VLAN out of the local subnet, the private VLANs must also be mapped to the primary VLAN interface as shown below.

SW1(config)#interface vlan 10
SW1(config-if)#ip address
SW1(config-if)#private-vlan mapping 101-102,999

SVI Interface with Private VLANs

Author Aaron

Aaron knows networks. He's been involved in building and supporting world-class data networks for the past 10 years - from international cloud service providers to Fortune 50 data centers. Aaron consults independently and is focused on building the best training platform available.

More posts by Aaron

Leave a Reply