PVLAN

Private VLAN

A quick summarized view to Private VLAN (PVLAN)

PVLANs allow the isolation at Layer 2 of devices in the same IP subnet.

Also known as port isolation. The PVLAN enabled switch ports within a VLAN can only communicate with a given uplink.
As a result, direct peer-to-peer traffic between peers through the switch is blocked, and any such communication must go through the uplink. While private VLANs provide isolation between peers at the data link layer, communication at higher layers may still be possible depending on further network configuration.

Types of PVLAN and Switchport Associated

PVLAN Type	PVLAN Class	Switchport Type	Switchport Explanation
Primary	Primary	Promiscuous	Functions like a normal VLAN
Isolated	Secondary	Isolated	Only communicates with promiscuous ports
Community	Secondary	Community	Communicate with each other and with promiscuous ports

Rules and Limitations

This section provides some rules and limitations for which you must watch when you implement PVLANs.

PVLANs cannot include VLANs 1 or 1002–1005.
You must set VTP (v1 and v2) mode to transparent or off.

In VTP versions 1 and 2, PVLAN mappings (primary/secondary associations) are not supported in advertisements. If a switch is in server/client mode, it might try to overwrite these unique mappings with information from the VTP domain.
You can only specify one isolated VLAN per primary VLAN.
You can only designate a VLAN as a PVLAN if that VLAN has no current access port assignments. Remove any ports in that VLAN before you make the VLAN a PVLAN.
Do not configure PVLAN ports as EtherChannel.

Configuration Example

hostname S1
!
ip domain name cisco.lab
!
vtp mode transparent
!
vlan 10
 name Class10
  private-vlan primary
  private-vlan association 101,102
!
vlan 101
 name Class10_1
  private-vlan isolated
!
vlan 102
 name Class10_2
  private-vlan community
!
interface Ethernet0/0
 description Up_stream
 switchport private-vlan mapping 10 101-102
 switchport mode private-vlan promiscuous
!
interface Ethernet0/1
 description To_Server1
 switchport private-vlan host-association 10 101
 switchport mode private-vlan host
!
interface Ethernet0/2
 description To_Server2
 switchport private-vlan host-association 10 102
 switchport mode private-vlan host
!
interface Ethernet0/3
 description To_Server3
 switchport private-vlan host-association 10 102
 switchport mode private-vlan host
!         
interface Vlan10
 description Management
 ip address 10.0.10.1 255.255.255.0
 private-vlan mapping 101,102

PVLAN

Private VLAN

Types of PVLAN and Switchport Associated

Rules and Limitations

Configuration Example

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!