Private VLAN (PVLAN) on Cisco Catalyst Switch

Hello Tesla15

A router is not capable of creating VLANs at all, so it won’t be able to create private VLANs either. A router can only separate subnets on a per interface basis, and provide a default gateway for each of those subnets. Private VLANs can only be created by either Layer 2 or Layer 3 switches.

I hope this has been helpful!


Hi laz ;
there is a misunerstand , ı ask for that topoloji . There are 40 L2 switches and 100 pvlan and only 1 router or 1 FW.if I want intervlan routing between Pvlans , how I configure subinterfaces of router. Note : There will be one connection to router.I will crate sub interface for each vlan on router and switch side will be trunk and all Pvlan is permitted. we can do it juniper switches and 1 juniper routerin our DC.

Hello Tesla15

OK, I understand, sorry about that. If you were to configure a router in such a topology, you would configure each subinterface to correspond with only the primary VLANs. Also, you must make the trunk port on the switch connecting to the router a promiscuous port on all of the primary VLANs in your topology, so that all hosts within all community and isolated VLANs will be able to reach the subinterface of the router and use it as the default gateway.

I hope this has been helpful!


Thank you for this lesson.

i am having a hard time understanding how PVLANS help with vlan limitation of 4096 , since we can only create a secondary vlan with a unique ID ( we can’t have normal vlan with the same id) , how would PVLANs help us with overcoming the mentioned limitation ?

Hello Abdallah

When using private VLANs, you have a primary VLAN, and then a secondary VLAN. The secondary VLAN can be a community VLAN or an isolated VLAN. Each secondary VLAN creates a subdomain within the primary VLAN.

Now each VLAN subdomain is identified using a combination of the primary VLAN ID and the secondary VLAN ID. For example, in the lesson, we have subdomain 501 within the primary VLAN 500. This combination identifies that particular Layer 2 subdomain. Now you can use the same secondary VLAN ID within another primary VLAN.

For example, using the lesson’s topology, you can create a new primary VLAN with an ID of 600 and create secondary VLANs with IDs of 501 and 502. These subdomains will be different than those created within VLAN 500.

Since each subdomain is identified using a pair of VLAN IDs (primary and secondary), then you can create many more subdomains within each of those. This is useful for service providers that must create Layer 2 domains for thousands of customers.

I hope this has been helpful!


1 Like

Hey Guys,

Thank you for the excellent writeup. I have already labbed it out in CML and have a few questions.

In my case i created the private vlans as follows.
Vlan600 = Primary
Vlan 601 = Community
Vlan 602 = Isolated.

I was curious if you could have normal devices in the primary vlan without any additional configuration. It seems that any device in the primary vlan neeeds to be configured as a promiscous port and mapped to the other private vlans?

Is that the case? I had the below config on the ports. I was unable to ping from host on gi0/1 to host on Gi0/2 on the pimrary vlan untill adding in the extra lines about promiscous and mapping.

Is it possible to have hosts on these vlans that just act like normal and can only talk to each other and not the secondarey vlans?

interface GigabitEthernet0/1
 switchport access vlan 660
 switchport private-vlan mapping 660 661-662
 switchport mode private-vlan promiscuous
 negotiation auto

CORE01#sh run int gi0/2
Building configuration...

Current configuration : 169 bytes
interface GigabitEthernet0/2
 switchport access vlan 660
 switchport private-vlan mapping 660 661-662
 switchport mode private-vlan promiscuous
 negotiation auto

I also have another question.

The reason i am looking at private vlans is for an IOT vlan to be setup at work. These will host random IOT type devices and may use wired OR wireless connectivity.

What type of synergy do private vlans have with Cisco WLC and AP’s? if any?
I understand i can setup a wlan to block peer to peer communication. But this would only affect wifi clients on that LAN.

Is it possible to broadcast a SSID for a secondary vlan and have it able to communcaite with others if the secondary vlan is a community OR not communicate if its an isolated vlan?

Hello Josh

I have tested it out too and have confirmed your findings. The only way to add another “normal” host to the 500 VLAN is to configure it as a promiscuous port as well. Even if you configure two other ports simply as access ports on VLAN 500, they will not communicate with each other. From the moment VLAN 500 is configured with the private-vlan commands, it can only function with the appropriate private VLAN commands.

After doing some research, I was unable to find any indication that the WLC is capable of using private VLANs. Typically, each SSID is configured on a per VLAN basis, and any routing needed between VLANs will be performed by a router on the network.

I understand the logic behind using private VLANs for particular SSIDs, however, the capability of isolating one wireless host from another is accomplished much more elegantly using the built-in peer to peer blocking option which disallows users from having direct access to other wireless clients even if they are on the same SSID, VLAN, and subnet. You enable this feature with a simple click in the GUI.

For wired IoT devices, you will need to use private VLANs if you want to achieve the same kind of isolation.

I hope this has been helpful!


Thanks very much for replying Laz.

I’m still a little confused on how to integrate wireless into the scheme of things.
If i wanted a completely isolated wired\wireless vlan.

Would i push out the existing isolated private vlan = eg 602? to the WLC (is this even possible) or would it be an entirely seperate VLAN\network and just enable the peer to peer blocking and control wireless to wired acces via ACL, assuming they didn’t need L2 adjacency (would this be best accomplished directly on the WLC or durhter up on the core where our current ACL’s reside? )

Same with a community vlan on wireless.
as below.

If tey needed to talk to other members of the community vlan , is it possible to publish the SSID for the community vlan (withthe possibility for future community vlans at a later time). Or in this case if communication is needed between wired\wireless in the same vlan , it’d probably just be best to stand up a normal vlan and do away with the private community vlan.

Hello Josh

I appreciate the time you took to make your question clearer with the diagrams and explanation, I believe I understand better what you want to do.

One solution is to separate the wired network from the wireless network and make them two different subnets. That way, you can apply PVLANs to block L2 traffic on the wired portion, PTP setting on the WLC to block L2 traffic on the wireless portion, and ACLs to block traffic between the two subnets. This is probably the simplest and most straightforward solution.

Alternatively, it would be possible to connect the WLC to an interface on the switch that is configured to be in promiscuous mode on the primary VLAN of the PVLAN config. That way, both wired and wireless IoT devices would remain on the same L2 segment, however, this would enable communication from a wireless IoT device on the primary VLAN to a wired IoT device on a community or isolated PVLAN.

What would solve this (and I’m thinking out loud here) is to connect the WLC directly to an isolated or a community private VLAN so that its wirelessly connected devices are subject to the same communication limitations as wired devices on the PVLANs. Without actually having implemented this, it sounds like a viable solution, assuming the connection between the WLC and the switch is an access connection and not a trunk. Although “router on a stick” or in this case “WLC on a stick” can be configured with the primary VLAN of a PVLAN configuration, I don’t believe it is possible to send a secondary VLAN over such a link in that way. This of course would limit your implementation to only a single subnet on that particular WLC.

Until some of these are actually attempted in real life, it is difficult to be sure what the behavior would be. Hopefully, some of this will have inspired you to do some experimentation and troubleshooting. If you do, let us know how you get along…

I hope this has been helpful!


Hi Rene,

Good lesson, but I have few questions?

  1. what is the difference between regular Vlan and private vlan?
  2. why do we need private vlan if we can use access-list?

Hello Costa

A private VLAN, as compared to a regular VLAN, is simply a VLAN that has some additional restrictions concerning which ports it can communicate with at Layer 2.

A regular VLAN can communicate at Layer 2 with hosts on any port assigned to the same VLAN.

Private VLANs have further restrictions based on several types of VLANs and ports that can be configured: community VLANs, isolated VLANs and promiscuous ports. As stated in the lesson:

  • Community VLAN: All ports within the community VLAN are able to communicate with each other and the promiscuous port.
  • Isolated VLAN: All ports within the isolated VLAN are unable to communicate with each other but they can communicate with the promiscuous port.

Both private VLANs and regular VLANs can communicate with any other VLANs via routing, using a default gateway.

Yes it is true that you can achieve similar results using access lists, however using private VLANs would be easier to manage. You can define restrictions based on VLAN IDs, and place the appropriate VLAN IDs on the ports you want. If you were to apply access lists, you would have to ensure that the IP addresses in those lists are updated correctly. What if a host gets an IP address from a DHCP server? That address may change at any time, and you would have to update the access list appropriately, which is not manageable. However, having a particular host on a particular VLAN can be achieved easily, regardless of the IP address of the host.

So there are situations in which private VLANs are more appropriate and manageable than using access lists.

I hope this has been helpful!


Hello Laz ,
Thank you for your Constant Support . do we need a different IP Subnet for each secondary Vlan inside a Primary Vlan ? or we have only one Subnet for a Primary Vlan and all Secondary Vlans use this Layer 3 Subnet ip ?
the Question is about your previous Text on a Router on Stick connected to a promiscuous port:
“so that all hosts within all community and isolated VLANs will be able to reach the subinterface of the router and use it as the default gateway.”

Hello Mohammad

Typically, all the hosts within a primary VLAN will be in the same subnet. Thus, all hosts within all secondary VLANs should have the same subnet. Remember, private VLANs provide a method of preventing communication between hosts that are on the same subnet.

My previous statement was simply stating that no matter what kind of secondary VLAN the hosts exist in, the default gateway should always be connected to a promiscuous port in order for the hosts to communicate outside of their own subnet, or outside of the primary VLAN, and not with each other. Does that make sense?

I hope this has been helpful!


Yes this was helpful. Thank you very much for your support and your wonderful and comprehensive explanation .

1 Like

Hi Rene,
I did the exactly configurations for PVLAN in the switch but it doesn’t work pls help me, I can’t move forward because of this. This is the output, and it show me up like no-operational.

Hello Michael

When the non-operational type appears, this means that there is a problem with the configuration. Make sure that you have configured your primary and your secondary VLANs correctly.

The only other issue is if the platform you are using supports private VLANs. The IOS may, but if the hardware is a 3550 for example, it won’t work. Check out Cisco’s Feature Navigator to see if your IOS and platform support the feature.

I hope this has been helpful!


Hi Laz,
yes you were right it was the IOS Version, I’am using GNS3.
So in order to solve this I download the IOSv version for GNS3 and it worked perfectly, thank you so much.

1 Like

So I’ve read all the comments and I have one situation that I haven’t figured out nor see in the list…

Lets say I have two “normal” vlans, 401-405.
I have vlan 410 as my pvlan primary with 411 as a secondary community and 412 as a secondary isolation

I have a “Router on a stick” that is a trunk port. My “normal” vlans are 401-405, and my pvlans are 410(411/412)…

currently the trunk looks like :

interface Ethernet1/41
  description UPLINK:: To CheckPoint LAN7
  switchport mode trunk
  switchport private-vlan mapping trunk 410 411-412
  switchport trunk allowed vlan 401-405,410-412
  ip dhcp snooping trust
  ipv6 nd raguard attach-policy isp-ra
  ipv6 dhcp guard attach-policy isp-dhcp-server

If I change this to a “switchport trunk private-vlan promiscous” then I loose connectivity to my 401-405. Without the statement, I don’t have 410(411/412) working. Is there any way to allow both over this cable or am I stuck with trying to make two cables to the device (one that deals with my private VLANs and the other than deals with normal vlans)?

Hello Marcos

If you want to carry both private and regular VLANs across a trunk, the best thing to do is to simply configure the trunk as you usually would, allowing all of the VLANs, including regular, primary, community, and isolated VLANs. Don’t use any private VLAN configuration on the trunk itself. As stated in this Cisco documentation:

Note: Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.

Also, as stated in this documentation when you configure private VLANs across multiple switches, they are sent just like any other VLANs, but they must be manually configured on both switches, or you must use VTP3 which supports private VLANs.

Finally, if you use a promiscuous trunk, you must keep in mind what such a trunk does to the VLAN IDs when they are sent through it. The following Cisco community post describes very clearly what happens in such cases:

I hope this has been helpful!


Hello Team,

I have a question I’m trying to create a DHCPv6 using the pvlan, I need to use an isolated vlan, so I proceed with the config as below:

vlan 500
  private-vlan primary
  private-vlan association 100
vlan 100
  private-vlan isolated

and then:

interface Vlan500
 ipv6 address 2001:1111::1/64
private-vlan mapping 100

and instead of configuring a promiscuous port, I allowed the isolated vlan 100 on the trunk ports, please let me know if the below configuration is correct or I need to configure a promiscuous port ?