Private VLAN

A Private VLAN (PVLAN) is an extension of a regular VLAN that enhances security by restricting communication between devices within the same VLAN. It has three types of ports: Promiscuous (can communicate with all), Isolated (can only talk to promiscuous ports), and Community (can talk to each other and promiscuous ports but not isolated ports).

PVLAN Configurations

Here’s the overall configuration for the PVLAN, where all PVLAN configuration will be taking place on the Access Switch, whereas the Core only acts as a DHCP Server and VLAN Default Gateway

#Core

ip dhcp pool VLAN10
 network 10.10.0.0 /24
 default-router 10.20.0.1

interface vlan 10
 ip address 10.10.0.1 255.255.255.0

interface Gig0/0
 switchport mode access
 switchport access vlan 10

On SW-1, we enable the PVLAN on VLAN 10, where it’ll have a secondary vlans of VLAN 101, 102, and 103.

vtp mode off

vlan 10
 private-vlan primary
 private-vlan association 101,102,103

vlan 101
 private-vlan isolated

vlan 102
 private-vlan community

vlan 103
 private-vlan community

Then we associate the PVLAN to their respective interfaces

interface gi0/0
 switchport mode private-vlan mapping 10 101,102,103

interface range gi1/0-1
 switchport mode private-vlan host
 switchport private-vlan host-association 10 101

interface range gi1/2-3
 switchport mode private-vlan host
 switchport private-vlan host-association 10 102

interface range gi0/1-2
 switchport mode private-vlan host
 switchport private-vlan host-association 10 103

Run “show vlan private-vlan” to verify the configuration

And run “show interface switchport” to verify interface configurations

Running “show mac address-table” or “show interface status” also confirms the PVLAN configurations

PVLAN Testing

On PC-1 and PC-2 running on Isolated Ports, we can only access the Promiscuous Port and nothing else

On PC-3 and PC-5 running on their respective Community Ports, they can access to PCs on the same Community and to Promiscuous Port