Today I tried implementing Private VLANs for the first time.
A short explanation of PVLANs: with Private VLANs, you can segment an existing VLAN further, providing isolation and security for end devices. Devices on an isolated port can only talk to promiscuous ports: usually the port going towards the gateway router. Community ports can talk to the promiscuous port and to all other ports in their own community.
The illustration below is what I have set up to test it.
The switch is a Cisco 3560 series, capable of PVLANs, currently configured with VLAN 1 on all ports. This means that the IP Phone and the computer are in the same VLAN. Not a good practice, but since the router (provided by the ISP) does not support multiple VLANs and trunking, that’s what I have to work with. So to provide some form of security to the IP Phone, I’m going to put it in its own isolated PVLAN. The port to the router will be the promiscuous port. This way, the IP Phone will only be able to communicate with the gateway, segmenting it from the rest of the network.
The IP Phone has IP 192.168.0.106 and is connected to FastEthernet 0/2. The router is on FastEthernet 0/1. Before we start implementing the PVLAN, it can be pinged from the computer connected on FastEthernet 0/3.
Warning! Always configure PVLANs through the console port, or through a switchport that will not be affected by the PVLANs, otherwise you’ll lose connectivity during configuration.
The first thing to do is to put VTP in transparent mode, as VTP versions 1 and 2 don’t support PVLANs:
Switch(config)#vtp mode transparent
Next, we implement the PVLANs on the switch. I’ve chosen VLAN 4 as the primary (promiscuous) VLAN. VLAN 41 will be set on the port going to the IP Phone, the isolated port. Finally, all other ports will be put into PVLAN 42, a community VLAN, so all other devices can communicate with each other. The naming is just to make troubleshooting easier.
Switch(config)#vlan 4
Switch(config-vlan)#name PRIMARY
Switch(config-vlan)#exit
Switch(config)#vlan 41
Switch(config-vlan)#name ISOLATED
Switch(config-vlan)#exit
Switch(config)#vlan 42
Switch(config-vlan)#name COMMUNITY
Switch(config-vlan)#exit
Returning to VLAN 4 and binding all PVLANs together:
Switch(config)#vlan 4
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#private-vlan association 41,42
Switch(config-vlan)#exit
Switch(config)#vlan 41
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#exit
Switch(config)#vlan 42
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
The creation of the VLANs has to be done first, otherwise the ‘association’ command will not work. Once this is done, we start binding ports to PVLANs.
First the port towards the router:
Switch(config)#interface f0/1
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 4 41,42
Then the isolated port:
Switch(config)#interface f0/2
Switch(config-if)#switchport mode private-vlan host
Switch(config-if)#switchport private-vlan host-association 4 41
And last, the community ports:
Switch(config)#interface range f0/3 - 24
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 4 42
That’s it. I can’t ping the IP Phone anymore, but I still have internet connectivity. Calling from the IP Phone works as usual.
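To sanity-check the bindings before touching a production switch, here is a small added Python checker (not from the original post) that parses a running-config fragment like the one produced above, constructed inline, and flags a host port bound to a secondary VLAN that is not associated with its primary, or a promiscuous port that does not map every secondary.

```python
import re

# Constructed sample: the running-config fragment the commands above produce
# (VLAN names and the remaining community ports omitted for brevity).
SAMPLE = """
vlan 4
 private-vlan primary
 private-vlan association 41,42
vlan 41
 private-vlan isolated
vlan 42
 private-vlan community
interface FastEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 4 41,42
interface FastEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 4 41
interface FastEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 4 42
"""

def parse(config):
    """Split an IOS config into {vlan: role/assoc} and {port: mode/primary/secondaries}."""
    vlans, ports, cur = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", raw):
            cur = vlans.setdefault(int(m[1]), {"role": None, "assoc": set()})
        elif m := re.fullmatch(r"interface (\S+)", raw):
            cur = ports.setdefault(m[1], {"mode": None, "primary": None, "sec": set()})
        elif cur is None:
            continue
        elif m := re.fullmatch(r"private-vlan (primary|isolated|community)", line):
            cur["role"] = m[1]
        elif m := re.fullmatch(r"private-vlan association ([\d,]+)", line):
            cur["assoc"] = {int(v) for v in m[1].split(",")}
        elif m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", line):
            cur["mode"] = m[1]
        elif m := re.fullmatch(r"switchport private-vlan (?:host-association|mapping) (\d+) ([\d,]+)", line):
            cur["primary"], cur["sec"] = int(m[1]), {int(v) for v in m[2].split(",")}
    return vlans, ports

def check(config):
    """Return a list of findings; an empty list means the PVLAN bindings are consistent."""
    vlans, ports = parse(config)
    out = []
    for name, p in ports.items():
        prim = vlans.get(p["primary"], {})
        if p["mode"] and prim.get("role") != "primary":
            out.append(f"{name}: {p['primary']} is not a primary PVLAN"); continue
        if p["mode"] == "host" and (len(p["sec"]) != 1 or not p["sec"] <= prim["assoc"]):
            out.append(f"{name}: host port must bind one secondary associated with {p['primary']}")
        if p["mode"] == "promiscuous" and prim["assoc"] - p["sec"]:
            out.append(f"{name}: unmapped secondaries {sorted(prim['assoc'] - p['sec'])}")
    return out
```

Feed it the output of `show running-config` from the switch; a non-empty result points at the port whose binding would leave a host unreachable or, worse, reachable from where it should not be.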
That’s another task completed on my check-list towards CCNP!
Dude, which Cisco switches can we perform PVLAN practicals on? I found that we cannot perform PVLAN and VACLs on Cisco 2950 switches! But is it possible if we update the IOS version?
Hi Yogesh,
Currently only the 3560 and 3750 switches fully support PVLANs. The 2950 has no support for this, even with updates.
See this link for more information:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml
Thanks a lot Reggle for the information!! Can you tell me which is the latest IOS version for the Cisco 2950 switch? And how can I update?
The latest version seems to be 12.1(22).EA14. Updating is done via TFTP. I’m not going to explain in full detail in this reply, but you can Google ‘upgrading Cisco router’ or the like, plenty of tutorials out there.
Hi Reggle,
Great post. I have a question: does introducing PVLANs on switches that currently only have standard VLANs impact the non-PVLANs ports in any way? I’ve found several examples online of PVLAN configuration, but it’s usually across the entire network, and I haven’t found PVLANs and VLANs co-existing on the same switches on any examples.
In practical terms, I want to replace our existing AP infrastructure (because it’s old), but I also want to have the clients isolated from each other. My current setup has no security (it’s all one big wireless network), so I want to implement PVLANs only on the AP ports. Can I just create one additional Primary PVLAN and one Isolated PVLAN and assign that to all ports?
And in that case, does any configuration need to be done on the trunk ports?
Hi Giovanni,
I can confirm that implementing PVLANs does not impact existing infrastructure. Adding a PVLAN (well, at least two numbers of course) is transparent for other VLANs. Just add both on the switch trunks.
Also, be sure of what you want: if you have lightweight access points with tunnels towards a central controller, PVLANs will not enforce user separation. The central controller must do this.
If you have standalone access points, PVLAN will prevent clients from reaching each other between different access points, but not on the same access point.
Greetings!