How to Configure Private-VLANs on Cisco Switches


Added by Mark Jacob, February 19, 2014

I recently posted a blog which discussed protected ports: How Can I Protect My Ports? In that blog I mentioned that a more comprehensive solution (more expensive as well) would be to configure private vlans, as long as your switches support such a feature. In this blog I will cover the configuration steps required to get your private vlans up and running, as well as demonstrate the impact before and after they are in place. Here is the network scenario:

Cisco Switches - How to Configure a Private VLAN

Your first thought may be, “Why do I need to know this? Where would I ever use it?” Imagine you are a service provider and you want to be efficient in your use of IP addresses. If you have multiple clients to serve, it would be nice if you could put them all in the same subnet to conserve addresses, but you certainly don’t want them scanning each other’s traffic. (Keep in mind that the alternative solution would be to place each client in an individual subnet, adding administrative workload and wasting IP addresses.) Here is a great place to use private vlans.

The goal in the above scenario is to place C1 and C2 into community vlans and C3 and C4 into isolated vlans. C5 will be on a promiscuous port and thus will be accessible by all of the other PCs. The switch is a 3560 48-port switch. A little background information will be useful here. In community private-vlans, individual hosts have access to each other as well as to the host on a promiscuous port. In isolated private-vlans, individual hosts cannot access other hosts in the same isolated vlan, but they can access the endpoint on a promiscuous port. The hosts have IP addresses with this scheme:

C1-, C2-, C3-, C4-, and C5-

Let’s look at the results of pings before we configure anything.

Ping of Cisco Private VLAN





So everybody can ping everybody. This is the expected result since we are not preventing anything yet. Now let’s complete the scenario noted above.

First I will configure the private vlans on CSW1 (note that the switch must be in VTP Transparent mode; this has already been done):

VLAN on CSW1 Cisco Switch

Now I have a primary vlan and two secondary vlans. I want to associate the two secondary vlans with the primary vlan. Here is what it looks like:

Cisco Switch - Primary VLAN on CSW1

Notice that I have added both of the secondary vlans with one command. This is not required, but it does save typing. Also note that I created the secondary vlans (community and isolated) before I created the primary. This saves typing as well, but you can do it in any order you wish.  Let’s do a show command to see what we have accomplished so far:


So my vlans exist, but just like normal vlans, they aren’t doing anything for me until I assign ports. The first port I want to configure is the promiscuous port. You could imagine this as a default-gateway address of a router or a monitoring PC – something that needs to be accessible by all endpoints in this scenario. Configuration looks like this:

Cisco Switch endpoints of VLAN

So my promiscuous port is now configured. All that remains is to place my other hosts into the correct secondary vlans. Let’s see that piece of the configuration. First we will configure the community vlan piece:

Community VLAN on Cisco Switch configuring a private vlan

Now for the isolated configuration:

Isolated configuration of VLAN on a Cisco Switch

Let’s take a look at a show command that will display everything that we have configured:

Cisco Switch - show vlans
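
The steps above, consolidated into one configuration as an added example (not the author's original commands or screenshots). The VLAN IDs 100 (primary), 200 (community) and 300 (isolated) and the FastEthernet port numbers are assumptions, since the post's own values are not shown.

```cisco
! Added example. VLAN IDs and interface numbers are assumed, not from the original post.
configure terminal
! Private VLANs require VTP transparent mode on this platform
vtp mode transparent
!
! Secondary VLANs first, then the primary that ties them together
vlan 200
 private-vlan community
vlan 300
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 200,300
!
! C5: promiscuous port, mapped to the primary and both secondaries
interface FastEthernet0/5
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 200,300
!
! C1 and C2: host ports in the community VLAN
interface range FastEthernet0/1 - 2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
!
! C3 and C4: host ports in the isolated VLAN
interface range FastEthernet0/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 300
end
!
! Verify the primary/secondary pairing and the port assignments
show vlan private-vlan
show interfaces FastEthernet0/3 switchport
```

The separation this enforces is at layer 2 only: if the promiscuous port leads to a router, add an ACL there so it does not route traffic back between hosts in the same subnet.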

Now let’s try those pings again. First, one of the isolated PCs tries to ping the other isolated PC:


Failure means success! How about the other one?


No go. Just what we want! But can I still reach the promiscuous destination?



Can I reach one of the PCs in the community vlan? I should not be able to hit it. Let’s see:

Cisco Switch - Recent primary ping for private VLAN

Can’t get there. It is working. One last thing to check. In the community vlan, the endpoints should be able to ping the promiscuous port AND each other. Let’s try it. Here is CL2 trying to reach CL1:


I see replies. How about the other way?


Once again, success. One last check before we call it complete is to verify that the hosts in the community vlan can reach the promiscuous port:

Cisco Switch - Ping community vlan on private VLAN

Aaahh, the sweet smell of success. This configuration is quite useful in the scenario noted above, but keep in mind you must have at least a 3560 switch to be able to use this feature. Once you get past the odd syntax of mappings, host-associations, and plain old associations, you will be configuring private vlans like a guru. Until next time…

Mark Jacob
Cisco Instructor – Interface Technical Training
Phoenix, AZ
