Many people don’t understand a private VLAN and when to use it. I will try to explain what it is and how to implement it properly. A private VLAN can block host-to-host communication at layer 2, only allowing them to talk to their default gateway. I say essentially out of their broadcast domain because a private VLAN mode will allow the hosts in a specific grouping to talk to members of that same VLAN and the default gateway and out to the rest of the network. There are different modes in a private VLAN and different terms that go along; the chart below outlines each mode and how it works.
| Private VLAN Type | VLAN Type | |
| Promiscuous | Primary | This is usually the default gateway, so all secondary VLANs can talk to it |
| Community | Secondary | Can talk to other hosts in the SAME community and the primary VLAN |
| Isolated | Secondary | Can only talk to the primary VLAN |
The diagram below outlines this, VLAN 10 is the Primary VLAN, and VLAN 100 is an Isolated Private-VLAN, and VLAN 101 is the community private-VLAN
When you look at the traffic flow within and out of the VLAN, it looks like this.
Configuration is pretty straightforward. Many people forget that the switch must be in VTP transparent mode; if you forget, the switch will warn you when you try configuring the private-VLAN type. Below is your typical private-VLAN configuration using the same VLANs as mentioned above;
SW1(config)#vtp mode transparent
Setting device to VTP Transparent mode for VLANS.
SW1(config)#vlan 10
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#private-vlan association 100-101
SW1(config-vlan)#exit
SW1(config)#vlan 100
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#exit
SW1(config)#vlan 101
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#interface ethernet 0/1
SW1(config-if)#description ***ISOLATED-PRIVATE-VLAN***
SW1(config-if)#switchport
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 10 100
SW1(config-if)#exit
SW1(config)#interface ethernet 0/2
SW1(config-if)#description ***COMMUNITY-PRIVATE-VLAN***
SW1(config-if)#switchport
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 10 101
SW1(config-if)#exit
SW1(config)#interface ethernet 0/3
SW1(config-if)#description ***COMMUNITY-PRIVATE-VLAN***
SW1(config-if)#switchport
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 10 101
SW1(config-if)#exit
SW1(config)#interface ethernet 1/1
SW1(config-if)#description ***ISOLATED-PRIVATE-VLAN***
SW1(config-if)#switchport
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 10 100
SW1(config-if)#exit
SW1(config)#int eth 1/2
SW1(config-if)#description ***PROMISCUOUS-PRIVATE-VLAN***
SW1(config-if)#switchport
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 10 100-101
SW1(config-if)#exit
SW1(config)#exitA few things to note about the configuration;
- When you use the command private-VLAN host, you should use the private-VLAN host-association <primary vlan> <secondary vlan>
- When you use the command private-VLAN promiscuous, you should use the private-VLAN mapping <primary vlan> <secondary VLAN-secondary vlan>
Finally, there are a few show commands that will show you what ports are configured in what private VLAN and the VLAN to private VLAN mapping
Show VLAN private-VLAN: shows what interfaces belong to what private VLAN
SW1#show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
10 100 isolated Et0/1, Et1/1, Et1/2
10 101 community Et0/2, Et0/3, Et1/2show VLAN private-VLAN type: shows a smaller output of what VLANs are and what type of private VLAN