Private VLANs (PVLANs), often used by service providers, partition the Layer 2 broadcast domain of a VLAN into subdomains, allowing you to isolate the ports on the switch from each other. A subdomain consists of a primary VLAN and one or more secondary VLANs. All VLANs in a PVLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another. The secondary VLANs may be either isolated VLANs or community VLANs. A host on an isolated VLAN can only communicate with the associated promiscuous port in its primary VLAN. Hosts on community VLANs can communicate among themselves and with their associated promiscuous port, but not with ports in other community VLANs.
Promiscuous
A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
Isolated
An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.
Community
Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.
SW1
SW1#configure terminal
SW1(config)#
SW1(config)#vlan 10
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#exit
SW1(config)#
SW1(config)#vlan 11
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#
SW1(config)#vlan 12
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#exit
SW1(config)#
SW1(config)#vlan 13
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#
SW1(config)#vlan 14
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#
Now we can start associating the VLANs. Let's start off with the private list first.
SW1(config)#vlan 10
SW1(config-vlan)#private-vlan association add 11-14
SW1(config-vlan)#exit
SW1(config)#
Let's continue with the promiscuous list of VLANs.
SW1(config)#interface f0/1
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 10 add 11-14
SW1(config-if)#exit
SW1(config)#
SW1(config)#interface f0/2
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 10 11
SW1(config-if)#exit
SW1(config)#
SW1(config)#interface f0/3
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 10 12
SW1(config-if)#exit
SW1(config)#
SW1(config)#interface f0/4
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 10 13
SW1(config-if)#exit
SW1(config)#
SW1(config)#interface f0/5
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 10 13
SW1(config-if)#exit
SW1(config)#
SW1(config)#interface f0/6
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 10 14
SW1(config-if)#exit
SW1(config)#exit
SW1#
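The forwarding rules described above, applied to the SW1 port layout, as an added example that is not part of the original post. The dictionaries restate the VLANs and ports configured on SW1; the function names (can_talk, audit, reachable) are illustrative assumptions.

```python
# Secondary VLAN types and the primary's association, as configured on SW1.
VLAN_TYPE = {10: "primary", 11: "community", 12: "isolated",
             13: "community", 14: "community"}
ASSOCIATION = {10: {11, 12, 13, 14}}

# port -> (mode, primary, secondary VLANs); a promiscuous port maps several.
PORTS = {
    "f0/1": ("promiscuous", 10, {11, 12, 13, 14}),
    "f0/2": ("host", 10, {11}),
    "f0/3": ("host", 10, {12}),
    "f0/4": ("host", 10, {13}),
    "f0/5": ("host", 10, {13}),
    "f0/6": ("host", 10, {14}),
}


def can_talk(a, b, ports=PORTS, vlan_type=VLAN_TYPE):
    """True if frames may pass between ports a and b at Layer 2."""
    (mode_a, prim_a, sec_a), (mode_b, prim_b, sec_b) = ports[a], ports[b]
    if prim_a != prim_b:
        return False
    if mode_a == mode_b == "promiscuous":
        return True
    if "promiscuous" in (mode_a, mode_b):
        # A host reaches a promiscuous port only if its secondary is mapped.
        return bool(sec_a & sec_b)
    # Host to host: same secondary, and that secondary must be a community.
    return sec_a == sec_b and all(vlan_type[v] == "community" for v in sec_a)


def audit(ports=PORTS, vlan_type=VLAN_TYPE, association=ASSOCIATION):
    """Return findings for settings that silently break or weaken isolation."""
    findings = []
    for name, (mode, primary, secs) in sorted(ports.items()):
        if vlan_type.get(primary) != "primary":
            findings.append(f"{name}: VLAN {primary} is not a primary VLAN")
        for v in sorted(secs - association.get(primary, set())):
            findings.append(f"{name}: VLAN {v} not associated with {primary}")
        if mode == "host" and not any(
                m == "promiscuous" and p == primary and secs & s
                for m, p, s in ports.values()):
            findings.append(f"{name}: no promiscuous port maps its VLAN")
    return findings


def reachable(port, ports=PORTS):
    """Sorted list of the other ports this port can exchange frames with."""
    return [p for p in sorted(ports) if p != port and can_talk(port, p, ports)]
```

For the layout above, the isolated port f0/3 reaches only f0/1, while f0/4 and f0/5 (both in community VLAN 13) reach each other and f0/1.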
I hope you found this post on PVLANs helpful and informative. Be sure to let me know what you think by leaving suggestions and feedback in the comments section below. You can find out more about these and other articles by checking out recent posts and archives. To learn more about me, be sure to check out the About page. And as always, thanks again for visiting The Packet.