Private VLANs on Cisco Catalyst Switches: Isolated and Community Ports

Private VLANs let you enforce micro-segmentation within a single VLAN—isolating hosts completely or grouping them into communities while keeping them behind a single gateway IP.

The Micro-Segmentation Problem

You have 50 servers in a hosted environment, all on the same VLAN, all reaching the same gateway. But you don't want them talking to each other—only to the firewall or router. Standard VLAN access lists would work, but they're CPU-intensive and complex at scale. Private VLANs solve this in hardware, at wire speed, by dividing a primary VLAN into isolated and community secondary VLANs.

Private VLAN Fundamentals

Private VLANs (PVLANs) subdivide a primary VLAN into secondary VLANs, each with specific communication rules:

  • Primary VLAN: The parent VLAN. In our design, VLAN 100 is the primary.
  • Isolated Secondary VLAN: Hosts here cannot talk to each other; they can communicate only upstream, with promiscuous ports.
  • Community Secondary VLAN: Hosts within the community can talk to each other, but not to other communities or isolated hosts.
  • Promiscuous Port: Connected to a router, firewall, or gateway. Sees all traffic in the primary VLAN and can reach any secondary.

The real power: every secondary VLAN shares one IP subnet and one gateway IP on the primary VLAN. Isolation between hosts is enforced by the switch hardware's forwarding rules, not by splitting the hosts into separate VLANs and subnets.
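As an added example (not code from the original article), the following Python models the forwarding rules just described and computes which of this design's ports can exchange frames. The port names and VLAN numbers follow the article; the PORTS table, the SECONDARY_TYPE table and the can_talk/reachability helper names are the example's own assumptions.

```python
# Added example, not from the original article: a model of Cisco private-VLAN
# forwarding rules applied to the article's ports. PORTS and SECONDARY_TYPE are
# constructed here from the design described in the text.
from itertools import combinations

# Host ports carry (primary, secondary); promiscuous ports carry (primary, mapped secondaries).
PORTS = {
    "Gi1/0/1":  {"mode": "promiscuous", "primary": 100, "mapping": {101, 102}},
    "Gi1/0/10": {"mode": "host", "primary": 100, "secondary": 101},
    "Gi1/0/11": {"mode": "host", "primary": 100, "secondary": 101},
    "Gi1/0/12": {"mode": "host", "primary": 100, "secondary": 102},
    "Gi1/0/13": {"mode": "host", "primary": 100, "secondary": 102},
}

# Secondary VLAN types as defined in the article's VLAN database.
SECONDARY_TYPE = {101: "isolated", 102: "community"}


def can_talk(ports, a, b, sec_type=SECONDARY_TYPE):
    """Return True if frames from port a are forwarded to port b under PVLAN rules."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False  # different primary VLANs: ordinary VLAN separation applies
    modes = {pa["mode"], pb["mode"]}
    if modes == {"promiscuous"}:
        return True  # two gateways in the same primary VLAN see each other
    if "promiscuous" in modes:
        # gateway <-> host: allowed only if the host's secondary is mapped on the gateway port
        prom, host = (pa, pb) if pa["mode"] == "promiscuous" else (pb, pa)
        return host["secondary"] in prom["mapping"]
    # host <-> host: different secondaries never talk (isolated vs community, or two communities)
    if pa["secondary"] != pb["secondary"]:
        return False
    # same secondary: community members talk, isolated members never do
    return sec_type[pa["secondary"]] == "community"


def reachability(ports, sec_type=SECONDARY_TYPE):
    """Return the set of unordered port pairs that can communicate."""
    return {frozenset((a, b)) for a, b in combinations(ports, 2)
            if can_talk(ports, a, b, sec_type)}


if __name__ == "__main__":
    # Expected: the gateway reaches all four hosts, and only Gi1/0/12 <-> Gi1/0/13 talk directly.
    for pair in sorted(reachability(PORTS), key=sorted):
        print(" <-> ".join(sorted(pair)))
```

Running the block lists five pairs: the promiscuous port with each of the four hosts, plus the two community hosts with each other; Gi1/0/10 and Gi1/0/11 never appear together even though they share secondary VLAN 101. The model is strictly Layer 2: a router on the promiscuous port will still route packets it receives back into the same subnet, so a PVLAN deployment is normally paired with an ACL on the gateway interface that drops traffic sourced from and destined to the PVLAN subnet.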

Configuration on DIST-SW1

We'll create a PVLAN set with VLAN 100 as the primary, VLAN 101 as isolated secondary, and VLAN 102 as community secondary. We'll assign ports accordingly and verify the setup works.

Step 1: Define the Primary VLAN

DIST-SW1# configure terminal
DIST-SW1(config)# vlan 100
DIST-SW1(config-vlan)# private-vlan primary
DIST-SW1(config-vlan)# exit

This marks VLAN 100 as a private VLAN primary. In the VLAN database, the PVLAN type is now "primary."

Step 2: Define the Secondary VLANs

DIST-SW1(config)# vlan 101
DIST-SW1(config-vlan)# private-vlan isolated
DIST-SW1(config-vlan)# exit
DIST-SW1(config)# vlan 102
DIST-SW1(config-vlan)# private-vlan community
DIST-SW1(config-vlan)# exit

VLAN 101 is the isolated secondary; VLAN 102 is the community secondary. Neither is usable on its own: each must be associated with a primary VLAN.

Step 3: Associate Secondary VLANs with the Primary

DIST-SW1(config)# vlan 100
DIST-SW1(config-vlan)# private-vlan association 101,102
DIST-SW1(config-vlan)# exit

This binds the secondary VLANs to the primary. Now the primary VLAN "knows" about them.

Step 4: Configure Isolated Ports

Ports Gi1/0/10 and Gi1/0/11 will be isolated hosts (e.g., customer servers that should never communicate with each other):

DIST-SW1(config)# interface GigabitEthernet1/0/10
DIST-SW1(config-if)# switchport mode private-vlan host
DIST-SW1(config-if)# switchport private-vlan host-association 100 101
DIST-SW1(config-if)# no shutdown
DIST-SW1(config-if)# exit
DIST-SW1(config)# interface GigabitEthernet1/0/11
DIST-SW1(config-if)# switchport mode private-vlan host
DIST-SW1(config-if)# switchport private-vlan host-association 100 101
DIST-SW1(config-if)# no shutdown
DIST-SW1(config-if)# exit

switchport private-vlan host-association <primary> <secondary> ties the port to the primary and its secondary VLAN.

Step 5: Configure Community Ports

Ports Gi1/0/12 and Gi1/0/13 are community hosts (e.g., web servers in the same customer tier):

DIST-SW1(config)# interface GigabitEthernet1/0/12
DIST-SW1(config-if)# switchport mode private-vlan host
DIST-SW1(config-if)# switchport private-vlan host-association 100 102
DIST-SW1(config-if)# no shutdown
DIST-SW1(config-if)# exit
DIST-SW1(config)# interface GigabitEthernet1/0/13
DIST-SW1(config-if)# switchport mode private-vlan host
DIST-SW1(config-if)# switchport private-vlan host-association 100 102
DIST-SW1(config-if)# no shutdown
DIST-SW1(config-if)# exit

Step 6: Configure the Promiscuous Port

Port Gi1/0/1 (to the router or firewall) must be able to see all secondary VLANs:

DIST-SW1(config)# interface GigabitEthernet1/0/1
DIST-SW1(config-if)# switchport mode private-vlan promiscuous
DIST-SW1(config-if)# switchport private-vlan mapping 100 101,102
DIST-SW1(config-if)# no shutdown
DIST-SW1(config-if)# exit
DIST-SW1(config)# end

The switchport private-vlan mapping 100 101,102 command tells the port it's in the primary VLAN and can reach secondary VLANs 101 and 102.

Full Configuration Block for DIST-SW1

For reference, here's the entire PVLAN config in sequence:

vlan 100
 private-vlan primary
 private-vlan association 101,102
!
vlan 101
 private-vlan isolated
!
vlan 102
 private-vlan community
!
interface GigabitEthernet1/0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
interface GigabitEthernet1/0/10
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/0/11
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/0/12
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
interface GigabitEthernet1/0/13
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!

Verification

Show VLAN Private-VLAN Status

DIST-SW1# show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       isolated          Gi1/0/10, Gi1/0/11
100     102       community         Gi1/0/12, Gi1/0/13

DIST-SW1# show vlan private-vlan type
VLAN Type
---- ----
100  primary
101  isolated
102  community

Show Port PVLAN Association

DIST-SW1# show interfaces GigabitEthernet1/0/10 private-vlan
GigabitEthernet1/0/10 is a private-vlan host port
Private VLAN Association:
  Primary VLAN:   100
  Secondary VLAN: 101
  Mode:           Isolated

DIST-SW1# show interfaces GigabitEthernet1/0/1 private-vlan
GigabitEthernet1/0/1 is a private-vlan promiscuous port
Private VLAN Association:
  Primary VLAN:    100
  Secondary VLANs: 101, 102

Show VLAN Detail

DIST-SW1# show vlan id 100
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
100  VLAN0100                         active    Gi1/0/1(trunk)

PVLAN Type: Primary
PVLAN Association: 101, 102

Troubleshooting

Symptom: Host in Isolated VLAN Cannot Ping Upstream Router

Cause: Promiscuous port not in the correct PVLAN mapping. Fix: Verify the promiscuous port's mapping includes the isolated secondary VLAN:

DIST-SW1# show interfaces GigabitEthernet1/0/1 private-vlan
! If secondary VLANs are missing, reconfigure:
DIST-SW1(config)# interface GigabitEthernet1/0/1
DIST-SW1(config-if)# no switchport private-vlan mapping
DIST-SW1(config-if)# switchport private-vlan mapping 100 101,102

Symptom: Community Hosts on VLAN 102 Cannot Ping Each Other

Cause: Ports are misconfigured as isolated rather than community. Fix: Check port types:

DIST-SW1# show interfaces GigabitEthernet1/0/12 private-vlan
! Should show "Mode: Community". If isolated, reconfigure:
DIST-SW1(config)# interface GigabitEthernet1/0/12
DIST-SW1(config-if)# no switchport private-vlan host-association
DIST-SW1(config-if)# switchport private-vlan host-association 100 102

Symptom: Isolated Host (Gi1/0/10) Can Ping Another Isolated Host (Gi1/0/11)

Cause: Both ports are in the same community VLAN instead of isolated secondary. Fix: Verify the secondary VLAN association and ensure isolated hosts use the isolated secondary VLAN:

DIST-SW1# show vlan private-vlan
! Confirm Gi1/0/10 and Gi1/0/11 are listed under the isolated secondary.

Symptom: Port Shows "Suspended" in show vlan private-vlan

Cause: A secondary VLAN has no association to a primary VLAN, or the primary VLAN was deleted. Fix: Re-associate the secondary VLAN or restore the primary:

DIST-SW1(config)# vlan 100
DIST-SW1(config-vlan)# private-vlan association 101,102
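As an added example, not part of the article and not a Cisco tool, here is a Python linter that parses an IOS configuration fragment in the form of the "Full Configuration Block" above and reports the faults the symptoms in this section describe: a promiscuous mapping that omits a secondary VLAN in use, a host port bound to a secondary that is not associated with its primary, and a secondary VLAN with no primary association at all. The GOOD_CONFIG text is the article's design trimmed to three ports; BAD_CONFIG, the parse_pvlan_config and lint functions, and the finding messages are constructed for the example.

```python
# Added example, not from the original article or from Cisco: parse an IOS
# private-VLAN config fragment and flag the faults the troubleshooting section
# describes. Both config strings are constructed for this example.
import re
from collections import defaultdict

GOOD_CONFIG = """\
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
vlan 101
 private-vlan isolated
!
vlan 102
 private-vlan community
!
interface GigabitEthernet1/0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
interface GigabitEthernet1/0/10
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/0/12
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
"""
# Two deliberate faults: the gateway mapping drops 102, and VLAN 103 is
# declared community but never associated with a primary.
BAD_CONFIG = (GOOD_CONFIG.replace("mapping 100 101,102", "mapping 100 101")
              + "vlan 103\n private-vlan community\n!\n")


def _vlan_list(text):
    """Expand an IOS VLAN list such as '101,102,110-112' into a set of ints."""
    out = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_pvlan_config(text):
    """Return (vlans, ifaces): vlans[id] -> {type, assoc}; ifaces[name] -> {mode, primary, ...}."""
    vlans, ifaces, ctx = defaultdict(dict), defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if m := re.match(r"vlan (\d+)$", line):
            ctx = vlans[int(m.group(1))]            # enter vlan context
        elif m := re.match(r"interface (\S+)$", line):
            ctx = ifaces[m.group(1)]                # enter interface context
        elif ctx is None:
            continue
        elif m := re.match(r"private-vlan (primary|isolated|community)$", line):
            ctx["type"] = m.group(1)
        elif m := re.match(r"private-vlan association (?:add )?(\S+)$", line):
            ctx.setdefault("assoc", set()).update(_vlan_list(m.group(1)))
        elif m := re.match(r"switchport mode private-vlan (host|promiscuous)$", line):
            ctx["mode"] = m.group(1)
        elif m := re.match(r"switchport private-vlan host-association (\d+) (\d+)$", line):
            ctx["primary"], ctx["secondary"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"switchport private-vlan mapping (\d+) (?:add )?(\S+)$", line):
            ctx["primary"], ctx["mapping"] = int(m.group(1)), _vlan_list(m.group(2))
    return dict(vlans), dict(ifaces)


def lint(vlans, ifaces):
    """Return a list of findings matching the troubleshooting symptoms above."""
    findings, parent, used = [], {}, defaultdict(set)
    for vid, v in vlans.items():                    # secondary -> its primary
        if v.get("type") == "primary":
            parent.update({s: vid for s in v.get("assoc", ())})
    for vid, v in vlans.items():                    # 'suspended' symptom
        if v.get("type") in ("isolated", "community") and vid not in parent:
            findings.append(f"VLAN {vid} ({v['type']}) has no primary association")
    for name, i in ifaces.items():
        if i.get("mode") == "host":
            prim, sec = i.get("primary"), i.get("secondary")
            if sec is None:
                findings.append(f"{name}: host port without host-association")
            elif parent.get(sec) != prim:
                findings.append(f"{name}: secondary {sec} is not associated with primary {prim}")
            else:
                used[prim].add(sec)
    for name, i in ifaces.items():                  # host-cannot-reach-gateway symptom
        if i.get("mode") == "promiscuous":
            missing = used[i.get("primary")] - i.get("mapping", set())
            if missing:
                findings.append(f"{name}: mapping omits secondary VLAN(s) {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint(*parse_pvlan_config(cfg)) or ["clean"])
```

Feed it the text of show running-config (the relevant vlan and interface stanzas are enough) and it reports nothing for the article's design and two findings for BAD_CONFIG: VLAN 103 has no primary association, and GigabitEthernet1/0/1's mapping omits secondary VLAN 102. A port that is "Mode: Isolated" when it should be community is a design intent the linter cannot infer, which is why that symptom still needs the show interfaces check described above.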

Advanced Configuration: Trunk with PVLAN

PVLANs can traverse trunks if the secondary VLANs are allowed on the trunk. When trunking between switches:

DIST-SW1(config)# interface GigabitEthernet1/0/23
DIST-SW1(config-if)# switchport mode trunk
DIST-SW1(config-if)# switchport trunk allowed vlan 100,101,102
DIST-SW1(config-if)# end

The secondary VLANs must be explicitly allowed. The receiving switch needs identical PVLAN configuration.

Real-World Use Cases

Shared Hosting Provider: Each customer (or customer group) gets isolated ports under one primary VLAN. All traffic to the internet or shared services flows through a single promiscuous port (the gateway). No customer can ARP-scan or DDoS another customer on the same VLAN.

DMZ Design: Servers in a DMZ each need isolation from peer servers but must reach a firewall/gateway. PVLAN is more efficient than separate VLANs or security groups.

IP Phone Distribution: A community secondary VLAN can connect a group of phones to a cluster of voice gateways (promiscuous port), while isolating each phone from direct peer communication.

Key Takeaways

  • Private VLANs enforce micro-segmentation at Layer 2 without requiring separate IP subnets per segment or CPU-intensive ACLs.
  • Three port types exist: promiscuous (gateway), isolated (no peer-to-peer), and community (peer-to-peer within group).
  • Secondary VLANs must be associated with a primary VLAN using private-vlan association.
  • Verify with show vlan private-vlan and show interfaces <port> private-vlan to confirm port modes and associations.
  • Isolation is enforced in hardware, making PVLAN ideal for high-density, multi-tenant environments like hosting or cloud infrastructure.

© 2025 Ping Labz. All rights reserved.