Private VLAN

  • Members of an isolated VLAN can only communicate with the promiscuous ports mapped
  • Members of a community VLAN can communicate with members of the same community and the promiscuous ports.

A two-way community acts like a regular community but has the additional aspect of allowing access control lists to check traffic going to and from (two ways) the VLAN and provides enhanced security within a private VLAN.

To configure PVLAN, VTP should be in transparent mode.

  1. Create primary private-vlan
  2. Create isolated/community VLAN
  3. Associating isolated/community VLANs to primary
  4. Configure spanning-tree mode and associating ports to PVLANs
  5. Mapping PVLANs under the primary VLAN interface
  6. To verify: show interface [primary PVLAN] private-vlan mapping

IPExpert, Vol.1, 2.28

You must configure VTP to transparent mode before you can create a private VLAN.
Private VLANs are configured in the context of a single switch and cannot have members on other switches. Private VLANs also carry TLVs that are not known to all types of Cisco switches.


SWITCH(config)# vlan primary_number
SWITCH(vlan-config)# private-vlan primary
SWITCH(config)# vlan secondary_number
SWITCH(vlan-config)# private-vlan [isolated | community]
SWITCH(config)# vlan primary_number
SWITCH(vlan-config)# private-vlan association secondary_number_list [add secondary_number_list]
SWITCH(config)# interface type mod/port
SWITCH(config-if)# switchport
SWITCH(config-if)# switchport mode private-vlan host
SWITCH(config-if)# switchport mode private-vlan host-association primary_number secondary_number
SWITCH(config)# interface type mod/port
SWITCH(config-if)# switchport
SWITCH(config-if)# switchport mode private-vlan promiscuous
SWITCH(config-if)# switchport mode private-vlan mapping primary_number secondary_number
SWITCH(config)# interface primary_number
SWITCH(config-if)# ip address address mask
SWITCH(config-if)# private-vlan mapping primary_number secondary_number
show vlan private-vlan type
show interface private-vlan mapping
show interface type mod/port switchport
Share this!


CDP v2 advertises VTP domain too. To disable this, no cdp  advertise-v2

VTP version can’t be changed on Client mode.

VTP Pruning is only implemented on VTP Server nodes.

VTP Pruning eligible-list is configured on TRUNK interfaces (switchport trunk pruning … )

VLANs which are not mentioned in the pruning eligible-list, will be never pruned.

VTP pruning can be only modified in server mode.

VTP pruning is propagated to clients too.

VTP mode can’t be server when existing VLANs exists.

Version-dependent transparent mode

In VTP version 1, a VTP transparent switch inspects VTP messages for the domain name and version and forwards a message only if the version and domain name match. Because only one domain is supported

in the Supervisor engine software, VTP version 2 forwards VTP messages in transparent mode without checking the version.

Share this!

802.1Q Tunneling (Q-in-Q)

interface FastEthernet0/1
 switchport access vlan 100
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp
 no cdp enable

The access VLAN which is here called Tunnel-Tag, must exist in the transit path.

In a scenario where EtherChannel is implemented between two 802.1q customers and there are more than 1 switch in the transit path, and each CE switch has for example 3 different links to CE node, each PE-to-CE should be assigned to a different VLAN.

Also, the transit path should be in form of TRUNK links, and informed of the Tunnel-Tag VLANs.

Share this!