Private-vlan and protected ports

Private-vlan and protected ports

by Cyrus Lok on Wednesday, August 18, 2010 at 11:32am

Private vlan introduction

If you want to limit the communication among devices under the same subnet you can configure private vlan to achieve this objective.

One private vlan primary can service only one isolated vlan and many community vlans.

There are two types of secondary vlans:



Community vlan can communicate with one another under the same community vlan and can communicate the device via promiscuous port, community vlan however cannot communicate with another isolated vlan and a different community vlan.

Isolated vlan cannot communicate with any device either in the same isolated vlan or other community vlan, it can only communicate with device connected to the promiscuous port.

If you have a router, devices from remote network can enter the isolated vlan via promiscuous port, to prevent remote network from accessing isolated vlans or community vlan you can configure a router acl (standard) either in SVI or router interface as inbound.

To use private-vlan VTP mode must be in transparent.

Private vlan is only supported by 3560, 3750, 4500 and 6500 series.For access class switches such as 2960 protected port is supported.

Protected port is similar to private vlan, but it is a lite version of  pvlan.

Configuring private vlan

Scenario: NTP server connected to fa0/1, 4 pcs connected from fa0/2to fa0/4. Pcs can only sync their time with the NTP server but the 4PCs should never communicate with one another. The devices are connected to a Cat3560E multilayer 8-port switch. All these devicesare in the same broadcast domain.

Step 1:

Change VTP to transparent


vtp mode transparent

Step 2:

Create a primary private vlan:


vlan 10

name primary-vlan

private-vlan primary


Step 3:

Create secondary private vlan (isolated):


vlan 200

name isolated-vlan

private-vlan isolated


Step 4:

Map isolated vlan with primary vlan


vlan 10

private-vlan association 200


Step 5:

Assign fa0/1 to promiscuous port:



switchport private-vlan mapping 10 200

switchport mode private-vlan promiscuous


Step 6:

Assign fa0/2 to fa0/4 as isolated vlans, and associate isolated vlan to primary vlan.


interface range fa0/2 – 4

switchport mode private-vlan host

switchport private-vlan host-association 10 200


Configuring protected ports

Using the previous objective here’s the steps:

Step 1:

Configure fa0/2 – 4 as protected port


interface range fa0/2 – 4

switchport host

switchport mode protected


Layer2 frames from protected port to protected port will be discarded; unicast, multcast and broadcast will all be dropped, CDP/LLDP all will be dropped as well.

Protected to unprotected and unprotected to unprotected ports can communicate.

Protected port can only work in a flat network environment, if there’s a router or layer3 device, traffic from protected to protected is possible.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s