How to configure PVLAN (Private VLANs)
The following steps configure Private VLANs on Cisco switches. If you are new to the concept of PVLANs (Private VLANs), first learn what PVLANs are and how Promiscuous, Isolated and Community PVLAN ports behave.
Change the VTP mode to transparent mode.
If the VTP mode is not transparent mode, you may get an error message as shown below.
OmniSecuSW1(config)#vlan 150
OmniSecuSW1(config-vlan)#private-vlan community
%Private VLANs can only be configured when VTP is in transparent/off modes in VTP version 1 or 2 and in server/transparent/off modes in VTP version 3 when pruning is turned off
To change the VTP mode to transparent mode, follow these steps.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#vtp mode transparent
OmniSecuSW1(config)#exit
OmniSecuSW1#
Create Secondary and Primary PVLANs and define the type of PVLANs.
• To create a Secondary PVLAN and define it as Community type, follow these steps.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#vlan 150
OmniSecuSW1(config-vlan)#private-vlan community
OmniSecuSW1(config-vlan)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#
• To create a Secondary VLAN and define it as Isolated type, follow these steps.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#vlan 250
OmniSecuSW1(config-vlan)#private-vlan isolated
OmniSecuSW1(config-vlan)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#
• To create a Primary PVLAN and associate Secondary PVLANs with Primary PVLAN, follow these steps.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#vlan 50
OmniSecuSW1(config-vlan)#private-vlan primary
OmniSecuSW1(config-vlan)#private-vlan association 150,250
OmniSecuSW1(config-vlan)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#
Place switch ports in the different PVLANs created in the previous steps.
• To configure a port as Promiscuous port, follow these steps.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#switchport mode private-vlan promiscuous
OmniSecuSW1(config-if)#switchport private-vlan mapping 50 150,250
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#
• To configure a port as Community PVLAN port, follow these steps. Remember that we configured PVLAN 150 as Community type in the previous steps.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/1
OmniSecuSW1(config-if)#switchport mode private-vlan host
OmniSecuSW1(config-if)#switchport private-vlan host-association 50 150
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#
• To configure a port as Isolated PVLAN port, follow these steps. Remember that we configured PVLAN 250 as Isolated type in the previous steps.
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/2
OmniSecuSW1(config-if)#switchport mode private-vlan host
OmniSecuSW1(config-if)#switchport private-vlan host-association 50 250
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#
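A way to check the finished configuration for consistency, as an added example that is not part of the original page: the Python script below audits a saved configuration for the dependencies the steps above create between VLAN types, the primary association, and the port mappings. The function name audit_pvlan and the sample text (the page's commands written in running-config form) are assumptions made for the example, and the VTP check covers only the transparent mode this page uses.

```python
import re
# Constructed sample input: the page's commands written in running-config form.
SAMPLE = """vtp mode transparent
vlan 50
 private-vlan primary
 private-vlan association 150,250
vlan 150
 private-vlan community
vlan 250
 private-vlan isolated
interface GigabitEthernet0/0
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 50 150,250
interface GigabitEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 50 150
interface GigabitEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 50 250
"""

def audit_pvlan(config):
    """Return PVLAN consistency findings for a config; empty list means consistent."""
    kind, assoc, ports, section = {}, {}, [], ""
    findings = [] if "vtp mode transparent" in config.splitlines() else ["VTP mode is not transparent"]
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a top-level line opens a new section
            section = line
            continue
        vlan = re.fullmatch(r"vlan (\d+)", section)
        if vlan and (m := re.fullmatch(r"private-vlan (primary|community|isolated)", line)):
            kind[vlan.group(1)] = m.group(1)
        elif vlan and (m := re.fullmatch(r"private-vlan association ([\d,]+)", line)):
            assoc[vlan.group(1)] = set(m.group(1).split(","))
        elif m := re.fullmatch(r"switchport private-vlan (mapping|host-association) (\d+) ([\d,]+)", line):
            ports.append((section, m.group(2), m.group(3).split(",")))
    for port, primary, secondaries in ports:  # checked once every VLAN is known
        if kind.get(primary) != "primary":
            findings.append(f"{port}: VLAN {primary} is not a primary PVLAN")
        for sec in secondaries:
            if kind.get(sec) not in ("community", "isolated"):
                findings.append(f"{port}: VLAN {sec} is not a secondary PVLAN")
            elif sec not in assoc.get(primary, set()):
                findings.append(f"{port}: VLAN {sec} is not associated with primary {primary}")
    return findings

if __name__ == "__main__":
    print(audit_pvlan(SAMPLE) or "PVLAN configuration is consistent")
```

An empty result means every port references a primary VLAN and secondary VLANs that are defined and associated as in the steps above.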