Master IP Addressing and Subnetting: The Ultimate Course for Network Engineers—Limited Time Offer: $100 Course for FREE!

Hey there, fellow Network Engineers! Tired of feeling lost in the world of IP addressing and subnetting? Look no further! My course, "Mastering IP Addressing and Subnetting," is here to give you the skills and confidence you need to tackle any subnetting challenge. And the best part? For a limited time, I'm offering it for free to my website visitors and subscribers with the code "year2023" at checkout. Don't miss out on this opportunity to level up your networking game.

Click now to check out the course!

Switchport Mode Private-Vlan

Switchport Mode Private-Vlan
Hi guys i am back was stuck in some office work.

As per the heading we are discussing Private-Vlans today,
First of all Why we use Private Vlans in our switches? ,
even before why we even use Vlans in our switches?

Vlan is a Virtual LAN(Local Area Network) as in the cisco environment the name
is the recipe,as we all know from our CCNA studies that switches have multiple
Collision domains but a single Broadcast domain,VLAN is a broadcast domain
created by switches,normally , it is router creating that broadcast domain.
So by creating Vlans we are splitting our single default broadcast domain into
multiple broadcast domain by different vlans that will further used by different
ports and by different group of peoples to communicate with each other.
Note:-We still need a layer 3 device to communicate between these vlans.

The private vlan further split this single broadcast domain used by a single
Vlan into multiple isolated broadcast subdomains , that is defined by primary
Vlan and its secondary Vlans.It simply means that even if you are in a single
vlan (broadcast domain) you may or may not talk to each other,example in a
shared ISP co-location ,offices, hotels , where two hotel rooms may be in a
same subnet and in a same Vlan but should not talk to each other directly.

The theory about the Private VLANS is not much complicated rather implementation
may be confusing because Cisco uses different terms in this section to describe
Vlans and Ports.
NOTE:-Switch must be in TRANSPARENT mode to configure PVLANS.

Initially the ports are defined used in PVLANS.
There are 3 types of ports.
1.Promiscuous Ports:-Can talk to any port in a VLAN.
2.Isolated Ports:-Can ONLY talk to Promiscuous ports.
3.Community Ports:-Can ONLY talk to promiscuous ports and ports within their
community,cannot even talk to other different community ports.

First we create our secondary PVLAN and defined as community or isolated.
vlan 300
private-vlan [isolated/community]

Then the primary parent vlan is defined and the PVLANs are associated with the
primary vlan.
vlan 18
private-vlan primary
private-vlan association 300

After that we configure the interfaces that either they talk to each other or not
talk to each other.If we want a port to talk to each other then we configure that
port as a Promiscuous port,else we configure is as Host port.Here Host option
defines that this port should be either Community Port or Isolated port.

Example:-Suppose we want to configure that SW1 Fa0/6 and SW2 Fa0/8 on vlan 18
cannot talk to each other while the Router1 connected to SW1 Fa0/4 can still talk
to each other and vice-versa.The sample topology will be found by clicking PVLAN,
the diagram is just for reference not made professionally, kindly tolerate 🙂


Here the configuration look like this.
On Both SW1 and SW2
vlan 300
private-vlan isolated

vlan 18
private-vlan primary
private-vlan association 300

On SW1:-
Interface FastEthernet0/4
switchport access vlan 18
switchport mode private-vlan promiscuous
switchport private-vlan mapping 3 300

Interface FastEthernet0/6
switchport access vlan 18
switchport mode private-vlan host
switchport private-vlan host-association 3 300

On SW2:-
Interface FastEthernet0/8
switchport access vlan 18
switchport mode private-vlan host
switchport private-vlan host-association 3 300

We can check the configuration of PVLAN by:-
Show interface FastEthernet0/4 switchport | include private

For further studies on PVLAN  you can go here

Afroz Ahmad
Afroz Ahmad

"Hey there, network enthusiasts! My name is Afroz, and I've been a CCIE for over 14 years. I work as a Network Designer, and my true passion is teaching others about the industry and sharing my knowledge through my blog and courses. I know the struggles of navigating the complex world of networking, but I firmly believe that teaching makes you a better learner and reinforces understanding. So, whether you're just starting out or a seasoned veteran, join me on this journey of learning and discovery, it will be worth it, and who knows, you might even have some fun along the way!"

Articles: 83

Leave a Reply

Your email address will not be published. Required fields are marked *