private-vlan [isolated|community|primary]
Configures a VLAN as a private VLAN, designating it as isolated, community, or primary to provide Layer 2 isolation between ports within the same VLAN.
When to Use This Command
- Isolating guest Wi-Fi traffic from corporate devices on the same switch
- Creating a community VLAN for a group of servers that need to communicate with each other but not with other devices
- Setting up a primary VLAN to aggregate multiple isolated and community VLANs for routing
- Providing secure multi-tenant environments where tenants cannot communicate directly
Command Examples
Configuring an Isolated Private VLAN
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)#
The command sets VLAN 100 as an isolated private VLAN. No output is displayed upon success; the prompt returns indicating the command was accepted.
Configuring a Community Private VLAN
Switch(config)# vlan 200
Switch(config-vlan)# private-vlan community
Switch(config-vlan)#
This sets VLAN 200 as a community private VLAN. Again, no output confirms success.
Configuring a Primary Private VLAN
Switch(config)# vlan 300
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)#
VLAN 300 is configured as the primary private VLAN. The primary VLAN is used to associate secondary VLANs (isolated/community) for Layer 3 routing.
Understanding the Output
The command 'private-vlan' does not produce any output on success; the switch simply returns to the VLAN configuration prompt. To verify the configuration, use 'show vlan private-vlan' or 'show interfaces private-vlan mapping'. In 'show vlan private-vlan', look for the VLAN ID and its type (primary, isolated, or community). A primary VLAN will show associated secondary VLANs. An isolated VLAN will have no community associations. Ensure that the VLAN is not already configured as a different type, as that will cause an error.
CCNA Exam Tips
Remember that private VLANs require a primary VLAN and at least one secondary VLAN (isolated or community).
On CCNA, you may be asked to identify which VLAN type allows communication within the same group (community) vs. no communication (isolated).
Private VLANs are configured in VLAN configuration mode, not interface mode.
The 'private-vlan' command is only available on switches that support PVLANs (e.g., Catalyst 3560, 3750).
Common Mistakes
Forgetting to associate secondary VLANs to the primary VLAN using 'private-vlan association' command.
Applying the 'private-vlan' command to an existing VLAN that already has ports assigned, causing configuration rejection.
Confusing 'private-vlan isolated' with 'switchport mode private-vlan host' – the former sets the VLAN type, the latter sets the interface mode.
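The first mistake listed above can be caught offline by checking a saved running-config for secondary VLANs that no primary VLAN references. The Python script below is an added example, not part of the original page: the sample configuration is constructed, the function names (expand, parse_pvlans, audit) are hypothetical, and it assumes the association appears as a 'private-vlan association <list>' line under the primary VLAN.

```python
import re
# Constructed sample running-config excerpt (not from the original page).
SAMPLE_CONFIG = """\
vlan 100
 private-vlan isolated
!
vlan 200
 private-vlan community
!
vlan 300
 private-vlan primary
 private-vlan association 100
"""

def expand(spec):
    """Expand a VLAN list such as '100,200-202' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_pvlans(config):
    """Return ({vlan: type}, {vlan: associated secondary ids}) from 'vlan N' blocks."""
    types, assoc, current = {}, {}, None
    for line in config.splitlines():
        head = re.fullmatch(r"vlan (\d+)", line.rstrip())
        if head or not line.startswith(" "):
            current = int(head.group(1)) if head else None  # new block, or left one
        elif current is not None:
            kind = re.fullmatch(r"private-vlan (primary|isolated|community)", line.strip())
            link = re.fullmatch(r"private-vlan association ([\d,\- ]+)", line.strip())
            if kind:
                types[current] = kind.group(1)
            elif link:
                assoc.setdefault(current, set()).update(expand(link.group(1)))
    return types, assoc

def audit(config):
    """List secondary VLANs with no primary and primaries with no secondaries."""
    types, assoc = parse_pvlans(config)
    linked = set().union(*assoc.values())
    findings = []
    for vid, kind in sorted(types.items()):
        if kind == "primary" and not assoc.get(vid):
            findings.append(f"VLAN {vid}: primary VLAN has no associated secondary VLANs")
        elif kind != "primary" and vid not in linked:
            findings.append(f"VLAN {vid}: {kind} VLAN is not associated with any primary VLAN")
    return findings
```

Running audit(SAMPLE_CONFIG) flags VLAN 200, because the constructed sample associates only VLAN 100 with primary VLAN 300.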