Private VLAN (PVLAN) on Cisco Catalyst Switch

You have primary VLAN 500, community VLAN 501, Isolation VLAN 502… If all this (primary VLAN 500) had a layer 3 switch connection (promiscuous port)… would they be able to communicate through the Layer 3 switch?

Hi Jason,

That’s right. All that you need is an IP address that you can reach on the promiscuous port.



I have a question can a secondary vlan communicate with another regular vlan? in other words a vlan that isnt configured as a primary?


Could you provide a description of the trunking configuration for that second diagram (SwitchA and SwitchB)?


The secondary VLANs will only be able to communicate with the promiscious port, not with other VLANs. They are “trapped” in their primary VLAN.


I’ll add an example for this in a couple of days. I’ll post it here.

Hi Rene,

Let’s say we have a request to add a private vlan on an access switch. Access switch connects to core, core is connected to a firewall. In some cases, the SVI between the core and firewall are already configured as a normal vlan. If we add a primary vlan config under this interface (SVI) will it change it to a primary and a regular vlan? Is this possible? Or will it become a “primary” vlan for the secondary private vlan and loose its prior connfig? Whats the best method to implement a private vlan to an already existing access switch, that is connected in the same fashion I mentioned earlier without breaking anything? Assuming the SVI connected to the fireall is default gateway for hosts to the internet? I hope I correctly explained myself.


Hi Fabian,

When you configure a VLAN as the primary VLAN then it will be primary. It can’t be the primary and “regular” VLAN at the same time. When you want to migrate to a private VLAN…do it when nobody is around, it’s easy to break stuff :slight_smile:

Do you want to use private VLANs to prevent server-to-server traffic? If so, I would configure a new VLAN as the primary VLAN with some new secondary VLANs. Assign some unused switchports to it, see if it works. Configure the interface that connects to the firewall as the promiscuous port. When it works, you can assign the switchports from the servers in the “regular” VLAN to your new secondary VLAN.


Great thanks Rene, ended up using a VACL instead as it wouldn’t break anything and wouldn’t require a change control. I’m sure this will come up eventually though :slight_smile:


Hi Fabian,

That’s good to hear.

Protected ports, VACLs and PACLs are great alternatives since they don’t require as much changes as private VLANs.


19 posts were merged into an existing topic: Private VLAN (PVLAN) on Cisco Catalyst Switch

do we have to run (switchport access vlan ##) on community or isolated ports?

Hi Ahmed,

This is not needed, the mapping is done with the private VLAN commands.


Hi Renee ,

i am currently using a cisco 3750 switch for private vlans and i have configured vlan 100 (primary) 101 (isolated) and 102 (community) and also vlan 200 (primary) 201 (isolated) and 202 (community) and assigned these to the relevant ports however i am trying to use int fa1/0/24 as a promiscuous port however when using the show vlan private-vlan command i get the below ;

primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       isolated          Fa1/0/1, Fa1/0/2
100     102       community         Fa1/0/5
200     201       community         Fa1/0/3, Fa1/0/24
200     202       isolated          Fa1/0/6, Fa1/0/24

why is the promiscuous port only mapped to the primary and secondary vlan 200 and not the primary and secondary vlan 100 ?

thanks for your detailed and well explained article above as it has helped me however my only concern is the above question thanks.

I believe your issue is that you are trying to have a single physical port be part of more than one primary VLAN. Cisco says this is not allowed. When you configured 1/0/24 as part of the 200 primary vlan, it lost its ability to be associated with your secondary vlans associated with VLAN 100.

To test this theory, simple reverse the order in which you enter the config, so that you start with the 200 vlans, then do the 100s. The end result should be the opposite.

Here is a Cisco article that talks about this, and the most relevant parts are:
A promiscuous port can serve only one primary VLAN and multiple secondary VLANs (community and isolated VLANs).

You can associate a secondary VLAN to more than one promiscuous port, as long as the promiscuous port and secondary VLANs are within the same primary VLAN

hi Andrew,

thanks for your prompt reply, that clears things up. i assumed we should be able to trunk more than 1 primary vlan over the promiscuous port due to beimg able to use 802.1q looks like a mistook this for normal vlan trunking.

Hlw Rene,

Great,clear and concise ! One questions…
What is the objective of Private Vlan and which network scenario will we use private vlan ?? Many Thanks


An example of when private vlans might be used would be in a shared hosted environment, where multiple customers are using the same address space, but they should not be allowed to communicate directly with each other. In this case, the provider’s gateway would be set as the primary/promiscuous port, and the customers would be set either as community or isolated depending on the customers’ needs.

Wikipedia has section that talks about use cases for private vlans here:

Hello Rene/ Andrew, how do you configure private VLANs in GNS3? Tried to forge a router, which allows VLAN creation but not private VLAN. Which specific IOS image?

Hi Rene/ Andrew, I tried to emulate this in GNS3 router as a switch but does not let me create private VLAN. Is there any specific IOS for the purpose or I am missing something?

Unfortunately, Private-VLANs is one of those topics that is not supported either on GNS3 or VIRL I believe. In this case, you will either need to get your hands on real gear, or do a rack rental via INE or IPExpert.