Open In App
Related Articles

Private VLAN

Like Article
Save Article
Report issue

Prerequisite – Virtual LAN (VLAN) Virtual LAN (VLAN) is used to break a broadcast domain into smaller domain at layer 2. Only (all) hosts belonging to same VLAN are able to communicate with each other while communicating with other VLAN hosts, Inter Vlan routing is done. But in same VLAN, if we want some hosts should not be able to communicate with other hosts (in the same VLAN) at layer 2 level then VLAN access-list or concept of private VLAN is used. Private VLAN – Private VLAN are used to break the layer 2 broadcast domain into small subdomains. A subdomain consists of one primary VLAN and one or more secondary VLAN. 

Types of VLANs – 

There are two types of VLANs in Private VLANs:

  1. Primary VLAN – All the ports in the private VLAN belong to a primary VLAN. A private VLAN can have only one primary VLAN. All the VLANs in a private VLAN domain share the same primary VLAN.
  2. Secondary VLAN – A private VLAN can have one or more secondary VLANs. It provides isolation between the ports belonging to same private VLAN domain. These are of two types:
    1. Isolated VLANs – Hosts belonging to Isolated VLAN can only communicate with its associated promiscuous port and cannot communicate directly with other hosts (belonging to other isolated or community VLAN) directly at layer 2. Usually, a single port is assigned to Isolated VLANs but you can have more than one port associated to it.
    2. Community VLANs – A private VLAN can have one or more than one community VLANs. Hosts belonging to the same community VLANs can communicate with each other and its associated promiscuous port but hosts belonging to different community VLANs cannot communicate with each other at layer 2.

Types of ports –

Types of ports in A Private VLAN are:

  1. Promiscuous port – It belongs to the primary VLAN. These ports can communicate with all interfaces, that are a part of secondary VLANs associated with that promiscuous port and that primary VLAN. Generally, it is used for connecting switches with routers, Firewalls etc.
  2. Isolated port – An isolated port belongs to a secondary isolated VLAN. These are the host ports whose traffic is forwarded to the promiscuous port. A private VLAN allows only that traffic to the isolated port which is coming from its associated promiscuous port.
  3. Community port – This port belongs to a secondary community VLAN. These host ports can communicate with other ports in the same community VLAN and also with its associated promiscuous port. These ports are completely isolated from other community VLAN ports and isolated ports.

Note – VTP (VLAN Trunking Protocol) should be operating in mode transparent or off in order to configure private VLANs. Configuration – 

Here is a topology in which Router1 (IP address-, PC1(IP address- ), PC2(IP address- ), PC3 (IP address- and switch are connected to each other as shown in the figure. In this task, we will assign VLAN 10 to fa0/1, fa0/2, and VLAN 20 to fa0/3 and fa0/0 as VLAN 100. Then, we will make VLAN 10 as community VLAN, VLAN 20 as isolated VLAN and VLAN 100 as primary VLAN. Configuring Private VLAN on switch:

switch(config)#vlan 10
switch(config-vlan)#private-vlan community

Here, we have created VLAN 10 and configured it as community VLAN. Now, configuring isolated VLAN.

switch(config)#vlan 20
switch(config-vlan)#private-vlan isolated

Now, creating vlan 100 and configuring it as primary VLAN and associating secondary vlan 10, 20 to it.

switch(config)#vlan 100
switch(config-vlan)#private-vlan primary
switch(config-vlan)#private-vlan association 10, 20

Now, configuring ports as private-vlan host port and associating them with primary and secondary VLAN. First configuring fa0/1 and fa0/2 and associating vlan 10 (secondary VLAN) with its primary VLAN (vlan 100).

switch(config)#int range fa0/1-2
switch(config-vlan)#switchport mode private-vlan host
switch(config-vlan)#switchport Private-vlan host-association 100 10

Now, configuring fa0/3 and associating vlan 20 (secondary VLAN) with its primary VLAN (vlan 100).

switch(config)#int fa0/3
switch(config-vlan)#switchport mode private-vlan host
switch(config-vlan)#switchport Private-vlan host-association 100 20

Now, at last we will configure interface fa0/0 as promiscuous port and associate the port with primary vlan (vlan 100) and secondary VLAN (vlan 10, 20).

switch(config)#int fa0/0
switch(config-vlan)#switchport mode private-vlan promiscuous 
switch(config-vlan)#switchport Private-vlan mapping 100 10, 20

We can verify the ports associated with secondary VLANs by command.

switch#show vlan private-vlan

If you want to verify the primary VLAN and secondary VLAN (Isolated or Community) then use the command.

switch# show vlan private-vlan type 


  • Improved security: PVLANs provide an additional layer of security by isolating devices within a VLAN, preventing them from communicating with other devices in the same VLAN.
  • Network segmentation: PVLANs allow for network segmentation at a finer level than traditional VLANs, allowing for more granular control over network traffic.
  • Reduced broadcast traffic: PVLANs help reduce broadcast traffic by isolating devices within the VLAN and preventing them from communicating with other devices in the same VLAN.
  • Cost-effective: PVLANs can be implemented using existing VLAN infrastructure, which can be more cost-effective than other security solutions.


  • Complex configuration: PVLANs can be complex to configure and manage, particularly in large networks with many VLANs and devices.
  • Limited functionality: PVLANs have limited functionality compared to other network security solutions, which can limit the security options available to network administrators.
  • Performance impact: PVLANs can have a performance impact on the network, particularly when implementing complex security policies.
  • Single point of failure: If the PVLAN infrastructure fails, all devices within the VLAN will be impacted, which can cause significant network downtime

Application of Private VLAN

1.Isolation of gadgets: Private VLANs can be utilized to separate gadgets inside a VLAN from one another. For instance, in a common facilitating climate, you can utilize a Private VLAN to seclude the virtual servers from one another, keeping them from conveying straightforwardly.

2.Security: Private VLANs can be utilized to upgrade security by keeping specific gadgets from speaking with different gadgets inside a similar VLAN. For instance, you can utilize a Private VLAN to disengage an organization portion containing delicate data from the remainder of the organization.

3.Simplified organization the executives: Private VLANs can be utilized to work on network the board by decreasing the quantity of VLANs required. Rather than making separate VLANs for each gathering of gadgets, you can utilize a solitary VLAN with various Private VLANs.

4.Compliance: Private VLANs can assist with meeting consistence prerequisites by secluding traffic containing touchy data or frameworks. For instance, Installment Card Industry (PCI) consistence expects that Visa information be detached from other traffic, which can be accomplished utilizing Private VLANs.

Last Updated : 02 May, 2023
Like Article
Save Article
Share your thoughts in the comments
Similar Reads