Private VLANs (PVLANs) are a Layer 2 security feature that extends the VLAN concept to provide isolation between devices within the same broadcast domain. On the CCNA 200-301 exam (Objective 2.1: Configure and verify VLANs and trunking), PVLANs appear as an advanced topic that tests your understanding of traffic isolation, promiscuous/community/isolated ports, and their interaction with trunking and routing. In real networks, PVLANs are critical in multi-tenant environments, DMZs, and campus access layers where you must prevent peer-to-peer traffic without deploying multiple VLANs or subnets.
Imagine a hotel floor with several guest rooms, a shared lounge, and a concierge desk. Each guest room is like an isolated port — guests in different rooms cannot talk directly to each other; they can only communicate with the concierge (the promiscuous port). The shared lounge is like a community port — guests assigned to that lounge can talk among themselves but cannot talk to guests in isolated rooms. The concierge desk is the promiscuous port — it can talk to everyone: isolated rooms, community lounges, and the outside world (via the router). In networking terms, the hotel floor is a private VLAN domain with a primary VLAN (the entire floor) and secondary VLANs (isolated and community). The concierge (promiscuous port) is typically connected to a router or firewall, allowing isolated hosts to reach the gateway but not each other. The community lounge allows a group of servers to communicate while blocking traffic from isolated guests. This design prevents a compromised guest room from attacking another guest room, just as an isolated host cannot send frames to another isolated host in the same PVLAN.
What Are Private VLANs?
Private VLANs (PVLANs) are an extension of standard 802.1Q VLANs that provide Layer 2 isolation within a single broadcast domain. They were introduced in Cisco IOS to solve the problem of needing multiple VLANs and subnets to isolate hosts while still using a single IP subnet. In a standard VLAN, any host can communicate with any other host in the same VLAN (unless access lists are applied). PVLANs allow you to partition a VLAN into multiple secondary VLANs, each with different communication rules.
PVLAN Components
A PVLAN domain consists of one primary VLAN and one or more secondary VLANs. The primary VLAN carries traffic from promiscuous ports to all secondary VLANs. Secondary VLANs are of two types:
Isolated VLAN: Ports in an isolated VLAN can only communicate with promiscuous ports. They cannot communicate with any other port within the same isolated VLAN or with ports in other secondary VLANs.
Community VLAN: Ports in the same community VLAN can communicate with each other and with promiscuous ports, but not with ports in other secondary VLANs.
Port roles:
- Promiscuous port: A port that belongs to the primary VLAN and can communicate with all secondary VLAN ports (both isolated and community). Typically used for routers, firewalls, or servers that need to reach all hosts.
- Isolated port: A port that belongs to an isolated VLAN. It can only communicate with promiscuous ports.
- Community port: A port that belongs to a community VLAN. It can communicate with other ports in the same community VLAN and with promiscuous ports.
How PVLANs Work at the Frame Level
When a switch receives a frame on a PVLAN port, it performs a lookup on the destination MAC address. The forwarding decision depends on the port type of the source and destination:
Source is promiscuous: The frame can be forwarded to any port in the primary VLAN (including all secondary VLAN ports).
Source is isolated: The frame can only be forwarded to promiscuous ports. If the destination is another isolated port (even in the same isolated VLAN), the frame is dropped.
Source is community: The frame can be forwarded to promiscuous ports and to ports in the same community VLAN. If the destination is in a different community VLAN or an isolated VLAN, the frame is dropped.
The switch enforces this with VLAN IDs rather than a table of port pairs. Frames entering a host port travel upstream on that port's secondary VLAN ID (isolated or community); frames entering a promiscuous port travel downstream on the primary VLAN ID, which every host port in the domain also belongs to. The association between the primary VLAN and each secondary VLAN tells the switch which VLAN IDs form one domain, and the port role decides which part of that flow a port may receive: a promiscuous port receives every secondary VLAN, a community port receives the primary VLAN plus its own community VLAN, and an isolated port receives the primary VLAN only, which is why two isolated ports never see each other's frames even though they are in the same isolated VLAN.
VLAN Trunking and PVLANs
PVLANs can be extended across multiple switches over trunk links, but the trunk must carry the primary VLAN and every secondary VLAN, and each switch must hold the same PVLAN definitions (VLAN types and the primary-to-secondary association), because a standard 802.1Q trunk carries VLAN IDs, not PVLAN semantics. On most Catalyst platforms this is done with an ordinary trunk (`switchport mode trunk` plus `switchport trunk allowed vlan 100,101,102` for the VLANs used in the example that follows), with VTP in transparent mode (or VTP version 3) so the PVLAN configuration is not stripped. Some platforms (the Catalyst 4500 and 6500 families, for example) also offer dedicated PVLAN trunk ports, `switchport mode private-vlan trunk promiscuous` and `switchport mode private-vlan trunk secondary`, for links to devices that do not understand PVLANs. Whichever method you use, the primary and secondary VLAN IDs and their associations must be identical on every switch in the domain.
Interaction with Routing
A router (or the SVI of a Layer 3 switch) reached through a promiscuous port is the default gateway for every host in the domain. It needs only one interface in the primary VLAN, addressed from the primary VLAN's subnet, and it does not need to know about secondary VLANs: it simply sends frames to the switch, which applies the PVLAN rules when delivering them. This is the major advantage: several isolated groups share one IP subnet without extra router interfaces. There is a caveat that a practitioner must know: PVLAN isolation is Layer 2 only, and the gateway sees all hosts as on-link. A host that builds frames to the gateway's MAC address carrying the IP address of another host in the same subnet (no ARP is needed for that, and `ip local-proxy-arp` on the gateway makes it happen automatically) gets the router to forward the packet back out the same interface, bypassing the isolation. The standard mitigation is an inbound ACL on the gateway interface (or a VACL on the primary VLAN) that denies traffic whose source and destination are both inside the primary VLAN's subnet before permitting everything else; a firewall on the promiscuous port needs the equivalent rule in its policy.
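The two rule sets above, the Layer 2 port-role matrix and the Layer 3 gateway caveat, as an added Python model. This is not code from the page and not Cisco software; it only reasons about the rules. The port table mirrors the page's example (Gi0/1 promiscuous, Gi0/2 isolated in VLAN 101, Gi0/3 and Gi0/4 in community VLAN 102); Gi0/5 is an assumed second isolated port added so the isolated-to-isolated case can be exercised, and the 192.168.1.0/24 subnet and the `NO_HAIRPIN_ACL` entries are assumptions modelled on the ACL described above.

```python
"""PVLAN forwarding model plus the Layer 3 gateway hairpin check (added example)."""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Role(Enum):
    PROMISCUOUS = "promiscuous"
    ISOLATED = "isolated"
    COMMUNITY = "community"


@dataclass(frozen=True)
class Port:
    name: str
    role: Role
    primary: int
    secondary: Optional[int] = None  # None for promiscuous ports (primary VLAN only)


PRIMARY, ISOLATED_VLAN, COMMUNITY_VLAN = 100, 101, 102

PORTS = {  # the page's example; Gi0/5 is an assumed extra isolated port
    "Gi0/1": Port("Gi0/1", Role.PROMISCUOUS, PRIMARY),
    "Gi0/2": Port("Gi0/2", Role.ISOLATED, PRIMARY, ISOLATED_VLAN),
    "Gi0/3": Port("Gi0/3", Role.COMMUNITY, PRIMARY, COMMUNITY_VLAN),
    "Gi0/4": Port("Gi0/4", Role.COMMUNITY, PRIMARY, COMMUNITY_VLAN),
    "Gi0/5": Port("Gi0/5", Role.ISOLATED, PRIMARY, ISOLATED_VLAN),
}


def l2_forward(src: Port, dst: Port) -> Tuple[bool, str]:
    """May a unicast frame from src be delivered to dst?  Returns (allowed, reason)."""
    if src.primary != dst.primary:
        return False, "ports are in different PVLAN domains"
    if Role.PROMISCUOUS in (src.role, dst.role):
        return True, "a promiscuous port is on one end"
    if Role.ISOLATED in (src.role, dst.role):
        return False, "isolated ports talk only to promiscuous ports"
    if src.secondary == dst.secondary:          # both community ports
        return True, "same community VLAN %d" % src.secondary
    return False, "different community VLANs"


def forwarding_matrix(ports=PORTS) -> List[str]:
    """Every allowed ordered pair as 'src->dst', for eyeballing the rule set."""
    return ["%s->%s" % (a, b) for a in ports for b in ports
            if a != b and l2_forward(ports[a], ports[b])[0]]


# ---- Layer 3 caveat: the gateway does not know about PVLANs -----------------

ANY = ipaddress.ip_network("0.0.0.0/0")
SUBNET = ipaddress.ip_network("192.168.1.0/24")   # assumed primary-VLAN subnet


@dataclass(frozen=True)
class Ace:
    """One entry of an IOS extended ACL, restricted to 'permit|deny ip <src> <dst>'."""
    permit: bool
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def acl_permits(acl: List[Ace], src_ip: str, dst_ip: str) -> bool:
    """First matching entry wins; an exhausted list is an implicit deny, as on IOS."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.permit
    return False


# Models:  deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255  /  permit ip any any
NO_HAIRPIN_ACL = [Ace(False, SUBNET, SUBNET), Ace(True, ANY, ANY)]


def gateway_forwards(src_ip: str, dst_ip: str, inbound_acl: Optional[List[Ace]] = None) -> bool:
    """The router only sees IP.  With no inbound ACL it routes any packet it receives,
    including one whose destination is back on the same interface (the hairpin)."""
    return True if inbound_acl is None else acl_permits(inbound_acl, src_ip, dst_ip)


def reachable(src: str, dst: str, src_ip: str, dst_ip: str,
              gateway_port: str = "Gi0/1", acl: Optional[List[Ace]] = None) -> str:
    """'direct', 'via-gateway' or 'blocked': the path a packet from src can take to dst.
    'via-gateway' is the bypass: the frame is sent to the gateway MAC, which is allowed
    at Layer 2 from every port, and the router relays it to the otherwise unreachable host."""
    if l2_forward(PORTS[src], PORTS[dst])[0]:
        return "direct"
    gw = PORTS[gateway_port]
    if (l2_forward(PORTS[src], gw)[0] and gateway_forwards(src_ip, dst_ip, acl)
            and l2_forward(gw, PORTS[dst])[0]):
        return "via-gateway"
    return "blocked"
```

`reachable("Gi0/2", "Gi0/5", "192.168.1.20", "192.168.1.50")` answers `via-gateway`: the two isolated ports cannot exchange frames, but the gateway relays between them until `acl=NO_HAIRPIN_ACL` is applied, after which the same call answers `blocked`. The ACL still permits `192.168.1.20` to any address outside the subnet, so the hosts keep their internet path.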
Configuration Example
Consider a scenario: Primary VLAN 100, Isolated VLAN 101, Community VLAN 102. We want a router on port Gi0/1 to reach all hosts, hosts on isolated ports (Gi0/2) to only reach the router, and hosts on community ports (Gi0/3, Gi0/4) to talk to each other and the router.
! Step 1: Create VLANs and associate them as private VLANs
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# exit
Switch(config)# vlan 101
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# vlan 102
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
! Step 2: Associate secondary VLANs to primary VLAN
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan association 101,102
Switch(config-vlan)# exit
! Step 3: Configure promiscuous port (router uplink)
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101,102
Switch(config-if)# exit
! Step 4: Configure isolated port
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 101
Switch(config-if)# exit
! Step 5: Configure community ports
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 102
Switch(config-if)# exit
Switch(config)# interface gigabitethernet0/4
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 102
Switch(config-if)# exit
Verification Commands
show vlan private-vlan – Displays each primary/secondary pair, its type (isolated or community), and the ports attached to it, host and promiscuous alike.
show interfaces <interface-id> switchport – Shows a port's administrative mode (private-vlan host or private-vlan promiscuous), its host association or mapping, and the operational private VLAN; the quickest way to spot a port left in access mode or bound to the wrong secondary VLAN.
show interfaces private-vlan mapping – Lists the secondary VLANs mapped to a primary-VLAN SVI on a Layer 3 switch.
show interfaces status – Verify link state and the VLAN column for each port.
Example output:
Switch# show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------
100 101 isolated Gi0/1, Gi0/2
100 102 community Gi0/1, Gi0/3, Gi0/4
Switch# show interfaces gigabitethernet0/1 private-vlan mapping
Interface: Gi0/1
Primary VLAN: 100
Secondary VLANs: 101,102
Common Pitfalls and Exam Traps
Trap: Thinking isolated ports can talk to each other. In an isolated VLAN, no two isolated ports can communicate, even if they are in the same isolated VLAN. Only promiscuous ports can reach them.
Trap: Confusing community VLANs with standard VLANs. Community VLANs allow intra-community communication but block inter-community and isolated traffic.
Trap: Forgetting that the whole PVLAN definition (primary VLAN, secondary VLANs, and their association) must exist on every switch in the domain, and that a trunk between them must allow the secondary VLANs as well as the primary. A trunk that carries only VLAN 100 silently breaks the upstream path from host ports, because their frames travel on VLAN 101 or 102.
Trap: Using `switchport mode private-vlan` without the correct subcommand. The host or promiscuous keyword is required.
Interaction with Related Protocols
Spanning Tree Protocol (STP): PVLANs work with STP. The secondary VLANs inherit the STP parameters of their primary VLAN, so the whole domain follows the primary VLAN's topology and no per-secondary tuning is needed; with MST, map the primary VLAN and all its secondaries to the same instance.
VTP: VTP versions 1 and 2 do not carry private-VLAN information, so switches running them must be in VTP transparent mode (`vtp mode transparent`) and the PVLAN configuration must be entered on each switch by hand; VTP version 3 can propagate it. Manual configuration is what the exam expects in any case.
DHCP: A DHCP server on a promiscuous port can serve IP addresses to all hosts in the PVLAN domain because they are in the same broadcast domain (primary VLAN). Broadcasts from isolated hosts reach the promiscuous port.
Plan PVLAN structure
Determine the primary VLAN and secondary VLANs (isolated and community). For example, use VLAN 100 as primary, VLAN 101 as isolated, and VLAN 102 as community. Ensure the IP subnet is assigned to the primary VLAN (e.g., 192.168.1.0/24). The router interface (or SVI) will use this subnet.
Create VLANs and define types
On the switch, enter global configuration mode and create the VLANs. Use `private-vlan primary` for the primary VLAN and `private-vlan isolated` or `private-vlan community` for secondary VLANs. Example:
```
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# exit
Switch(config)# vlan 101
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# vlan 102
Switch(config-vlan)# private-vlan community
```
Associate secondary VLANs to primary
In the primary VLAN configuration mode, use `private-vlan association` to link the secondary VLANs. This tells the switch that VLAN 100 is the primary and VLANs 101 and 102 are its secondaries. Example:
```
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan association 101,102
```
Configure promiscuous port
On the interface connected to the router or upstream device, set the mode to promiscuous and map the primary VLAN to the secondary VLANs. Use `switchport mode private-vlan promiscuous` and `switchport private-vlan mapping 100 101,102`. Example:
```
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101,102
```
Configure host ports (isolated/community)
For each host-facing port, set the mode to host and associate the port with the primary VLAN and the appropriate secondary VLAN. Use `switchport mode private-vlan host` and `switchport private-vlan host-association 100 101` (for isolated) or `100 102` (for community). Example:
```
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 101
Switch(config-if)# exit
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 102
```
Verify PVLAN configuration
Use `show vlan private-vlan` to confirm the VLAN types and associations and to see which ports sit in each secondary VLAN (promiscuous ports are listed against every secondary they are mapped to). Use `show interfaces <interface-id> switchport` to check a single port's mode, host association or mapping, and use `show interfaces private-vlan mapping` on a Layer 3 switch to verify the SVI mapping. Also use `show interfaces status` to check link state. Example:
```
Switch# show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------
100 101 isolated Gi0/1, Gi0/2
100 102 community Gi0/1, Gi0/3, Gi0/4
Switch# show interfaces gigabitethernet0/1 private-vlan mapping
Interface: Gi0/1
Primary VLAN: 100
Secondary VLANs: 101,102
```
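The whole procedure above (plan, create, associate, promiscuous port, host ports, verify) as an added Python example that renders the IOS commands from a small plan and refuses plans that break the rules the steps depend on. It is not the page's code and not a Cisco tool; it only produces text for you to check against `show vlan private-vlan`. `ARTICLE_PLAN` is the page's scenario; the `trunk_ports` and `svi` keys, and the commands they emit, are assumptions covering the multi-switch and Layer 3 switch cases discussed elsewhere on the page. The one-isolated-VLAN-per-primary rule enforced here is Cisco's documented constraint; platform-specific extras such as `switchport trunk encapsulation dot1q` are deliberately left out.

```python
"""Render and sanity-check an IOS private-VLAN configuration from a plan (added example)."""
from typing import List


class PvlanPlanError(ValueError):
    """Raised when a plan would produce a configuration that cannot work."""


# The page's scenario: VLAN 100 primary, 101 isolated, 102 community.
ARTICLE_PLAN = {
    "primary": 100,
    "isolated": [101],
    "community": [102],
    "promiscuous_ports": ["GigabitEthernet0/1"],
    "host_ports": {"GigabitEthernet0/2": 101,
                   "GigabitEthernet0/3": 102,
                   "GigabitEthernet0/4": 102},
    "trunk_ports": [],   # assumed key, e.g. ["GigabitEthernet0/24"] when the domain spans switches
    "svi": None,         # assumed key, e.g. "192.168.1.1 255.255.255.0" on a Layer 3 switch
}


def validate(plan: dict) -> List[int]:
    """Return the secondary VLAN list, or raise PvlanPlanError with the specific problem."""
    primary = plan["primary"]
    isolated = list(plan.get("isolated", []))
    community = list(plan.get("community", []))
    secondaries = isolated + community
    if len(isolated) != 1:
        raise PvlanPlanError("a primary VLAN has exactly one isolated VLAN, got %d" % len(isolated))
    if primary in secondaries or len(set(secondaries)) != len(secondaries):
        raise PvlanPlanError("primary and secondary VLAN IDs must all be distinct")
    for vid in [primary] + secondaries:
        if not 1 <= vid <= 4094:
            raise PvlanPlanError("VLAN %d is out of range" % vid)
    for port, sec in plan.get("host_ports", {}).items():
        if sec not in secondaries:
            raise PvlanPlanError("%s is bound to VLAN %d, which is not associated with %d"
                                 % (port, sec, primary))
    if not plan.get("promiscuous_ports") and not plan.get("svi"):
        raise PvlanPlanError("no promiscuous port or SVI: hosts would have no gateway")
    return secondaries


def render(plan: dict) -> List[str]:
    """IOS configuration lines, in the order the page's steps apply them."""
    secondaries = validate(plan)
    p = plan["primary"]
    sec_list = ",".join(str(v) for v in secondaries)
    out = ["vtp mode transparent"]            # VTP v1/v2 would strip PVLAN definitions
    out += ["vlan %d" % p, " private-vlan primary"]
    for v in plan["isolated"]:
        out += ["vlan %d" % v, " private-vlan isolated"]
    for v in plan.get("community", []):
        out += ["vlan %d" % v, " private-vlan community"]
    out += ["vlan %d" % p, " private-vlan association %s" % sec_list]
    for port in plan.get("promiscuous_ports", []):
        out += ["interface %s" % port,
                " switchport mode private-vlan promiscuous",
                " switchport private-vlan mapping %d %s" % (p, sec_list)]
    for port, sec in plan.get("host_ports", {}).items():
        out += ["interface %s" % port,
                " switchport mode private-vlan host",
                " switchport private-vlan host-association %d %d" % (p, sec)]
    for port in plan.get("trunk_ports", []):
        # Assumed: a plain 802.1Q trunk works only if it allows the primary AND all secondaries.
        out += ["interface %s" % port,
                " switchport mode trunk",
                " switchport nonegotiate",
                " switchport trunk allowed vlan %d,%s" % (p, sec_list)]
    if plan.get("svi"):
        # Assumed: Layer 3 switch as gateway; the SVI must be mapped to the secondaries too.
        out += ["interface vlan %d" % p,
                " private-vlan mapping %s" % sec_list,
                " ip address %s" % plan["svi"]]
    return out


if __name__ == "__main__":
    print("\n".join(render(ARTICLE_PLAN)))
```

Feeding it a plan with two isolated VLANs, or a host port bound to a VLAN that was never associated with the primary, raises `PvlanPlanError` before any configuration is produced; those are exactly the misconfigurations the exam asks you to spot in `show` output.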
Scenario 1: Multi-Tenant Data Center
In a colocation facility, different customers share the same switch infrastructure. Each customer requires that their servers cannot communicate with other customers' servers, but all servers must reach the internet via a shared firewall. Using PVLANs, the network engineer places every single-server customer's port in the one isolated VLAN of the primary VLAN (isolation is per port, so customers sharing that isolated VLAN still cannot see each other) and gives any customer whose servers must talk to one another their own community VLAN. A single promiscuous port connects to the firewall. This allows all servers to use the same IP subnet (e.g., 10.0.0.0/24) while ensuring Layer 2 isolation between customers. The firewall handles routing and NAT; its policy must also drop traffic whose source and destination are both inside 10.0.0.0/24, otherwise a tenant can reach another tenant by sending through the firewall's MAC address. This design saves IP address space and reduces VLAN proliferation. A common misconfiguration is forgetting to set the firewall port as promiscuous, which leaves every server without a reachable gateway.
Scenario 2: Campus Wireless Network with Guest Access
A university wants to provide guest Wi-Fi access in common areas. Guest devices should only reach the internet, not internal resources or other guest devices. The network engineer creates an isolated VLAN for guest traffic. The access points (APs) are connected to isolated ports. The promiscuous port connects to a wireless LAN controller (WLC) or router that enforces internet-only access via ACLs. Guests receive IP addresses from a DHCP server on the primary VLAN subnet. Because isolated ports cannot communicate with each other, a compromised guest device cannot attack another guest. The community VLAN is used for internal staff devices that need to communicate with each other (e.g., printers) but not with guests.
Scenario 3: DMZ with Multiple Security Zones
In a corporate DMZ, web servers, application servers, and database servers must be isolated at Layer 2. The web servers (community VLAN 102) can talk to each other for load balancing, but cannot talk to database servers (isolated VLAN 101). The firewall (promiscuous port) can reach all servers. This setup prevents an attacker who compromises a web server from directly attacking the database server at Layer 2; all inter-zone traffic must pass through the firewall. Scaling PVLANs across multiple switches requires careful trunk configuration. If a trunk port is not configured correctly (e.g., missing secondary VLANs on the trunk), isolated hosts may lose connectivity to the promiscuous port.
What the 200-301 Exam Tests
Objective 2.1 (Configure and verify VLANs and trunking) includes PVLANs as an advanced topic. You are expected to understand the concept, the different port roles (promiscuous, isolated, community), and how traffic flows between them. You will not be asked to configure PVLANs from scratch in a simulation, but you must interpret show commands and identify misconfigurations. The exam may present a scenario where a network engineer needs to isolate hosts within the same VLAN, and you must choose PVLANs as the solution.
Top 3 Wrong Answers and Why Candidates Choose Them
Wrong: Using multiple standard VLANs with a router-on-a-stick. Candidates think this provides isolation, but it requires multiple subnets and router interfaces, wasting IP space and increasing complexity. PVLANs achieve isolation within a single subnet.
Wrong: Configuring all ports as promiscuous. This would allow all hosts to communicate, defeating the purpose. Candidates misunderstand the role of promiscuous ports.
Wrong: Assuming isolated ports can communicate with each other if they are in the same isolated VLAN. This is the most common trap. Candidates confuse isolated VLANs with regular VLANs. In an isolated VLAN, no intra-VLAN communication is allowed except via a promiscuous port.
Specific Values and Command Outputs
The show vlan private-vlan command displays the primary VLAN, secondary VLANs, and their types.
The switchport private-vlan host-association command requires both primary and secondary VLAN IDs.
The switchport private-vlan mapping command on promiscuous ports lists all associated secondary VLANs.
Decision Rule for Scenario Questions
If a question asks for Layer 2 isolation within the same IP subnet, the answer is Private VLANs. If the question asks for isolation between different subnets, use standard VLANs and routing. If the question mentions "isolated port" or "community port," look for PVLAN terminology.
Private VLANs (PVLANs) provide Layer 2 isolation within a single broadcast domain using a primary VLAN and secondary VLANs (isolated or community).
Isolated ports can only communicate with promiscuous ports; community ports can communicate with other ports in the same community and promiscuous ports.
Promiscuous ports are typically used for routers, firewalls, or servers that need to reach all hosts.
Configuration commands: `private-vlan primary`, `private-vlan isolated`, `private-vlan community`, `private-vlan association`, `switchport mode private-vlan host/promiscuous`, `switchport private-vlan host-association`, `switchport private-vlan mapping`.
Verification commands: `show vlan private-vlan`, `show interfaces private-vlan mapping`.
Common exam trap: isolated ports cannot communicate with each other even in the same isolated VLAN.
PVLANs conserve IP address space by allowing multiple isolated groups to share the same subnet.
These come up on the exam all the time. Here's how to tell them apart.
Standard VLANs
Each VLAN is a separate broadcast domain.
All ports in the same VLAN can communicate with each other.
Requires a separate IP subnet per VLAN.
Isolation requires multiple VLANs and a router (router-on-a-stick).
Configuration is simpler: `switchport access vlan`.
Private VLANs (PVLANs)
Single broadcast domain (primary VLAN) with secondary VLANs for isolation.
Isolated ports cannot communicate with each other; community ports only intra-community.
Single IP subnet for all hosts (primary VLAN subnet).
Isolation achieved within one VLAN without additional routing.
Configuration is more complex: requires PVLAN-specific commands.
Mistake
Isolated ports in the same isolated VLAN can communicate with each other.
Correct
Isolated ports cannot communicate with any other port except promiscuous ports. They are fully isolated at Layer 2.
Candidates assume that being in the same VLAN implies communication, but PVLANs override this rule.
Mistake
Community ports can communicate with any other community port, regardless of which community VLAN they belong to.
Correct
Community ports can only communicate with ports in the same community VLAN. Cross-community communication is blocked.
Candidates misunderstand the community concept as a general group, but each community VLAN is isolated from others.
Mistake
A promiscuous port belongs to both the primary and secondary VLANs.
Correct
A promiscuous port belongs to the primary VLAN only. It can communicate with all secondary VLANs via the mapping, but it is not a member of the secondary VLANs.
The term 'promiscuous' implies access to all, leading candidates to think it is a member of all VLANs.
Mistake
PVLANs require a different IP subnet for each secondary VLAN.
Correct
All ports in a PVLAN domain share the same IP subnet (the primary VLAN subnet). The router sees all hosts as being in one subnet.
Candidates confuse PVLANs with standard VLANs, where each VLAN typically has its own subnet.
Yes. On a Layer 3 switch, create the SVI for the primary VLAN, give it the gateway address from the primary VLAN's subnet, enable IP routing, and map the secondary VLANs to the SVI with `private-vlan mapping 101,102` under `interface vlan 100`; without that mapping the SVI receives nothing from the secondary VLANs. The SVI then acts as the promiscuous gateway: all hosts in the PVLAN domain can reach it, and it can route to other networks or other PVLAN domains. As with a router, apply an ACL that denies traffic sourced and destined within the primary VLAN's subnet, or hosts can use the SVI to reach each other despite the Layer 2 isolation.
Yes, but trunk ports must be configured carefully. On most Catalyst platforms you use a regular 802.1Q trunk and ensure the primary and all secondary VLANs are allowed on it, with the same VLAN types and associations configured on every switch (VTP transparent mode unless you run VTP version 3). Platforms that support PVLAN trunk ports add `switchport mode private-vlan trunk promiscuous` and `switchport mode private-vlan trunk secondary` for links to devices that do not understand PVLANs. The PVLAN mapping must be consistent across switches.
No. A port configured as a PVLAN host port cannot be a regular access port. The `switchport mode private-vlan host` command overrides the access mode. You must decide whether a port uses PVLANs or standard VLANs.
In an isolated VLAN, ports can only communicate with promiscuous ports. No communication is allowed between isolated ports. In a community VLAN, ports can communicate with each other (intra-community) and with promiscuous ports, but not with ports in other secondary VLANs.
A primary VLAN can have exactly one isolated VLAN and as many community VLANs as the platform's VLAN table allows; the practical limit is the switch's total VLAN count, not a PVLAN-specific number. For the CCNA exam, know that one isolated VLAN and multiple community VLANs can be associated with a primary VLAN.
Yes, but it is not recommended. PVLAN host and promiscuous ports are statically configured and do not negotiate, so DTP only matters on the trunks that carry the PVLAN domain between switches. Configure those trunks statically (`switchport mode trunk` with `switchport nonegotiate`) so that a negotiation failure cannot silently drop the secondary VLANs from the link.
The secondary VLANs inherit the STP parameters of their primary VLAN, so the primary VLAN's topology governs forwarding for the whole domain and there is nothing to tune per secondary VLAN; with MST, map the primary VLAN and its secondaries to the same instance. This is important for loop prevention.