Private VLAN (PVLAN) on Cisco Catalyst Switch

Hello Dominique

Yes, that is indeed the case. Private VLANs can become more involved and may go beyond what is required for certification.

I believe a better description of promiscuous trunks can be found in this documentation. It explains standard trunks and compares and contrasts them with private VLAN trunks, including the promiscuous trunk and how they are used and configured.

I hope this has been helpful!


hi Rene and staff,
i am yet studying private-vlan as it seems not obvious for me
I lab my own topology with real 3750 and real PCs like below

PC1 can not ping PC2, because PC1 belong to secondary community 152 and PC2 belong to secondary community 153 as the port are in mode private-vlan host

From this topology my question is (just for investigating and understanding the concept of private-vlan): is it possible to add a configuration in which PC1 can ping PC2 with a L3 routing.
The GW of the PCs are inoperant because the PCs are in the same subnet
PC1’s GW is SVI 150 on SW-UP with IP
PC2’s GW is SVI 150 on SW-DOWN with IP
So “private-vlan mapping” in sub command interface vlan 150 is inoperant

The case could be: all PCs plugged in SW-UP belong to 150/152 to prevent to communicate with PCs plugged in SW-DOWN as they are in community 150/153 (as a basic use of community) But we have to make one execption between PC1 et PC2
I hope you will understand my question

Hello Dominique

This is an excellent question as it helps to clarify the role and functionality of private VLANs. So if you have two community VLANs within the same primary VLAN, and all devices are in the same subnet, there is no way to create an exception for communication between PCs in one community VLAN to PCs in another. That is the purpose of creating these types of VLANs in the first place. If you would like to have such a configuration, you would use another mechanism such as ACLs and you wouldn’t use private VLANs.

The only way to make something like this work is to have a device connected to the promiscuous port that does hairpin routing, that is, routing from one IP to another in the same subnet. In general, this is not good practice to implement, so to answer your question conclusively, no this is not something that can/should be done.

I hope this has been helpful!


Hi Rene, staff and students,
well, …for me, private-vlan is not a concept as obvious as it seems
may i add some memo about private-vlan and could you agree or not ?

The main point to well understand is promiscuous ports
In my opinion, i noticed two cases for promiscuous ports:

First case

In this case, there is one single IP subnet; the device plugged in the promiscuous port is a server or a router and the promiscuous port is used only to make communication between each secondary and the server or each secondary and the outside of vlan via the router
In this case the promiscuous port works “like access port”
The configuration is

S1(config)#int f0/1
S1(config-if)#switchport mode private-vlan promiscuous
S1(config-if)#switchport private-vlan mapping 100 101-102

You can set only a single primary vlan in the mapping (this is like access/edge port). In this case, secondary vlans are isolated at L2 and they cant communicate (never)

Second case

In this case, there are more than one IP subnet; the device plugged in the promiscuous port is a router and the promiscuous port is used to make communication between each secondary and outside of vlans, but we want also to make inter primary vlan routing at L3

In this case the promiscuous port works “like trunk port”
The configuration is

S1(config)#int f0/1
S1(config-if)#switchport mode private-vlan trunk promiscuous
S1(config-if)#switchport private-vlan mapping trunk 100 101-102
S1(config-if)#switchport private-vlan mapping trunk 150 151-152

In contrary with case 1, you can set many primary vlan in the mapping (this is like trunk). In this case, secondary vlans are isolated at L2, but they can communicate via L3 routing
Infortunatly, you cant lab case 2 with 3750 but only with a few SW like 4500 (?)

I hope you will agree this memo, but if not, thank you for your answer that will help me (and perhaps others) to understand private-vlan concepts
Best regards

Hello Dominique

Yes, you are absolutely correct. You have explained it very clearly, and I believe that this is a wonderful addition to the forum and to the lesson material.

As for the promiscuous trunk ports, yes, only 4500, 6500, 6800 series (and higher) support them.

Once again, wonderful explanation!



whats the difference between the two commands?

SW1(config-if)#switchport private-vlan association host 500 501
SW1(config-if)#switchport private-vlan host-association 500 501

What does this mapping command? Does it mean that the traffic for the private VLANs will be redirected to the primary vlan?

interface FastEthernet0/24
 switchport private-vlan mapping 500 501-502
 switchport mode private-vlan promiscuous

Does that mean that the SVI is also receving the private VLAN tagged packets from the hosts? Will the SVI use the primary or secondary VLAN in the dot1q header to answer to the host?

interface Vlan500
 ip address
 private-vlan mapping 501,502

Thanks a lot.



Hello Lukas

You’ll find that both commands do exactly the same thing. If you implement one and then the other and examine the results, you’ll find that the result is the same. Take a look at this context sensitive help:

SW(config-if-range)#sw private-vlan association host ?
  <1006-4094>  Primary extended range VLAN ID of the private VLAN host port
  <2-1001>     Primary normal range VLAN ID of the private VLAN port

SW(config-if)#switchport private-vlan host-association ?
  <1006-4094>  Primary extended range VLAN ID of the private VLAN host port
  <2-1001>     Primary normal range VLAN ID of the private VLAN port

I don’t know why Cisco has done this, but it could be that on some platforms only one of the two commands is available.

The mapping command tells the promiscuous port which VLANs are accessible via the promiscuous port. The first VLAN ID must be that of the primary VLAN, which is indeed 500, and the rest are the secondary VLANs, which can either be community or isolated VLANs. This means that FastEthernet 0/24 will be able to communicate with hosts in the community VLAN 501. Traffic will not be redirected, but will simply be accessible.

The configuration of the SVI is used if you want to have the SVI of the private VLAN function as a gateway. If this is the case, then you have to map the community and the isolated VLANs of the private VLAN to the interface so they can have access to the SVI interface, and in turn, the outside world. The configuration here simply indicates that both community and isolated VLANs have access to the specific SVI. Because hosts in VLANs 500, 501 and 502 are all in the same subnet, and thus in the same primary VLAN, no tagging takes place here. Tagging will only take place on a trunk port where the primary VLAN shares the trunk with other VLANs.

I hope this has been helpful!


1 Like

Hello Laz,

your answer is awesome and really easy to understand. Thanks a lot.



1 Like

I was wondering about the promiscuous port. Does it need to be connected to the same switch as a secondary vlan port? The impression that I got was an isolated port can only communicate with a promiscuous port. If the promiscuous port is on another switch how can it even travel through a trunk port?

Hello Justin

Private VLANs are able to span multiple switches. As a result, it is possible to have a promiscuous port of a private VLAN on one switch that corresponds to several ports (assigned to community and isolated VLANs) that exist on another switch. In order to achieve this, you will have to create a trunk between the two switches in question that will carry the primary VLAN, the secondary isolated VLAN and the secondary community VLAN. Although this is not found in the lesson, you can find out more about how this can be achieved at this Cisco documentation.

I hope this has been helpful!


1 Like

If one PC from one community vlan400 cannot communicate to another community vlan 500,then it can communicate through promiscuous port of router…How to stop that?How to configure proxy acl on router?

Hello Sarang

If you have a setup similar to that which you describe above, and if you don’t want a particular PC to communicate with some specific subnet, or even a specific device, then the solution to such a problem is to create an ACL on the router that is routing the traffic. You can specify source and/or destination IP in order to specify the particular traffic you want to filter. This application doesn’t have to do with PVLANs, but with the traffic that is (or is not) allowed to cross the router.

I hope this has been helpful!


  1. My book says: All secondary VLANs must be associated with one primary VLAN to set up the unidirectional relationship. Could you please explain this unidirectional relationship? Why unidirectional?

  2. Should I assign the ports which are the member of secondary VLANs (host port) or primary VLAN (promiscuous port) to an access VLAN like in the example below or access VLANs are not relevant to PVLANs, so switchport mode access and switchport access vlan 10 commands do not have any effect?

vlan 10
private-vlan isolated

vlan 20
private-vlan primary
private-vlan association 10

interface fa0/1
switchport mode access
switchport access vlan 10
switchport mode private-vlan host
switchport private-vlan host-association 20 10


Hello Fatih

When the term “unidirectional relationship” is used, it is referring to the way in which hosts within secondary private VLANs are capable of communicating with other hosts in the same secondary VLAN (in the case of a community private VLAN), as well as with host in the primary VLAN, but not with hosts in other secondary VLANs. The unidirectional nature just refers to the way in which traffic can freely flow from the primary towards all secondary VLANs (one direction) but not from a secondary VLAN to other secondary VLAN (the other direction). I believe it is a misleading use of the term. Wherever you see “unidirectional VLANs” simply think “secondary VLANs”.

If you apply the configuration you have posted, then the “switchport access vlan 10” command is ignored. From the moment that the switchport mode private-vlan host has been applied, only the switchport private-vlan host-association 20 10 command will be applied.

I hope this has been helpful!


Hi Sir,
Big fan of your teaching style … It made my life much easier - big time :slight_smile:

I think, Private VLAN part should be taught first and then VTPV3 , I am a teacher myself and I took private and protected ports first following VTPV3 …they grasped it in very better manner.

although , I don’t have any issues, U rock …
my gratitude–
Akshay Shinde …

Hello Akshay,

Thank you for your kind words! This is what keeps me going to create more and more content :slight_smile:

I’ll take a look at the order for the new CCNA and CCNP courses. Thanks for your input!


I’ve a question regarding Switch Fa0/24 Server access port.

Why did you use the “mapping” keyword instead the “association” keyboard you’ve used on the host ports ?

SW1(config)#interface fa0/24
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 500 501 

Why does “mapping” mean?

SW1(config)#interface range fa0/1 - 2
SW1(config-if-range)#switchport mode private-vlan host
SW1(config-if-range)#switchport private-vlan host-association 500 501

You’ve used the host-association keyword instead of the mapping keyboard configured on the server port

Hello Juan

The reason why these two commands are different is because each one is employed for a different purpose.

When you configure a port using the switchport mode private-vlan host command, you are configuring the port to participate in the community VLAN. As a community VLAN, you must associate the port with a private VLAN. This is done using the host-association keyword and the primary and secondary VLAN IDs as shown. Here you can only indicate one primary, and one secondary VLAN ID.

When you configure a port using the switchport mode private-vlan promiscuous command, you are making this port promiscuous for all configured PVLANs. Using the switchport private-vlan mapping 500 501 command you are able to map this port to the primary VLAN, but also to one or more secondary VLANs. Remember, promiscuous ports can have access to some or all of the private VLANs associated with the primary VLAN. If you had additional secondary VLANs, the command could be switchport private-vlan mapping 500 501 502 503 where 500 is the primary VLAN and the rest are secondary VLANs.

I hope this has been helpful!


1 Like

If a router would be added in the topology used in the lesson, would ports in the private VLAN be able to communicate with each other? Or would that defeat the purpose of private VLANs?

Hello Marit

Even if you have a router in the topology, there would be no change in the behaviour of the networks. Keep in mind that private VLANs control the exchange of traffic between hosts on the same subnet. This means that even if a router existed as a default gateway, the hosts would never use it when communicating with each other.

For example, if Host1 and Host2 are on the same isolated VLAN and had IP addresses of and respectively, and there was a router with an IP address of which was the default gateway of both hosts, then any attempt at communication of the hosts with each other would never be sent to the default gateway. The IP addresses are in the same subnet, so a direct communication would be attempted. But at Layer 2, the isolated VLAN prohibits such communication, so it would fail.

To summarize, no the addition of a router would not make a difference to the behaviour of the private VLANs simply because such communication would never be directed to the router/default gateway.

I hope this has been helpful! Stay healthy and safe!


1 Like