PVLAN
FeIix edited this page Apr 28, 2026 · 8 revisions
A quick summary of Private VLANs (PVLANs)

PVLANs isolate devices in the same IP subnet from each other at Layer 2. The technique is also known as port isolation: PVLAN-enabled switch ports within a VLAN can communicate only with a given uplink.
As a result, direct peer-to-peer traffic between peers through the switch is blocked, and any such communication must go through the uplink. Private VLANs isolate peers only at the data link layer; communication at higher layers may still be possible, depending on further network configuration.

| PVLAN Type | PVLAN Class | Switchport Type | Switchport Explanation |
|---|---|---|---|
| Primary | Primary | Promiscuous | Functions like a normal VLAN |
| Isolated | Secondary | Isolated | Only communicates with promiscuous ports |
| Community | Secondary | Community | Communicates with other community ports and with promiscuous ports |

Rules and limitations to watch for when you implement PVLANs:
- PVLANs cannot include VLANs 1 or 1002–1005.
- You must set VLAN Trunk Protocol (VTP) mode to transparent.
- You can only specify one isolated VLAN per primary VLAN.
- You can only designate a VLAN as a PVLAN if that VLAN has no current access port assignments. Remove any ports in that VLAN before you make the VLAN a PVLAN.
- Do not configure PVLAN ports as EtherChannel.
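
The port-type table and the rules above, modelled as a small pre-deployment checker. This is an added example, not part of the original wiki page: the `Port` class, the plan dictionary layout and the sample port names and VLAN IDs are assumptions made for illustration. It goes slightly beyond the table by treating each community VLAN as its own group.

```python
from dataclasses import dataclass

RESERVED_VLANS = {1, 1002, 1003, 1004, 1005}  # excluded by the first rule

@dataclass(frozen=True)
class Port:
    name: str
    kind: str               # "promiscuous", "isolated" or "community"
    secondary: int = 0      # secondary VLAN ID (unused on promiscuous ports)
    etherchannel: bool = False

def can_forward(a: Port, b: Port) -> bool:
    """Layer 2 reachability between two ports of one primary VLAN (the table)."""
    if "promiscuous" in (a.kind, b.kind):
        return True                        # the uplink reaches every port
    if a.kind == b.kind == "community":
        return a.secondary == b.secondary  # peers of the same community only
    return False                           # isolated ports never reach a peer

def check_plan(plan: dict) -> list[str]:
    """Return every rule from the list that the planned PVLAN domain breaks."""
    vlans = {plan["primary"], *plan["isolated"], *plan["community"]}
    issues = [f"VLAN {v} cannot be used in a PVLAN"
              for v in sorted(vlans & RESERVED_VLANS)]
    if plan["vtp_mode"] != "transparent":
        issues.append("VTP mode must be transparent")
    if len(plan["isolated"]) > 1:
        issues.append("more than one isolated VLAN for the primary VLAN")
    issues += [f"VLAN {v} still has access ports assigned"
               for v in sorted(vlans & plan["vlans_with_access_ports"])]
    issues += [f"{p.name} is a PVLAN port in an EtherChannel"
               for p in plan["ports"] if p.etherchannel]
    return issues

# Constructed sample plan with deliberate mistakes, for illustration only.
UPLINK = Port("Gi0/1", "promiscuous")
HOST_A = Port("Gi0/2", "isolated", 101)
HOST_B = Port("Gi0/3", "isolated", 101)
WEB_1 = Port("Gi0/4", "community", 102)
WEB_2 = Port("Gi0/5", "community", 102)
DB_1 = Port("Gi0/6", "community", 103, etherchannel=True)
PLAN = {
    "primary": 100, "isolated": [101, 1002], "community": [102, 103],
    "vtp_mode": "server", "vlans_with_access_ports": {102},
    "ports": [UPLINK, HOST_A, HOST_B, WEB_1, WEB_2, DB_1],
}

if __name__ == "__main__":
    for issue in check_plan(PLAN):
        print("rule violated:", issue)
```

`can_forward` answers only the Layer 2 question; traffic routed back through the uplink is outside what it models.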