How to configure a private VLAN on a Cisco Catalyst switch
Create a community VLAN, assign ports, and configure the private VLAN mapping to isolate traffic between hosts while sharing uplinks.
You will configure a private VLAN (PVLAN) on a Cisco Catalyst switch to isolate hosts within the same broadcast domain while allowing them to share an uplink. These steps apply to Cisco IOS XE and Catalyst 9000 series switches running standard PVLAN features. You will create a primary VLAN, define secondary isolated and community VLANs, and assign ports to enforce traffic restrictions.
Prerequisites
- Access to the switch via console, SSH, or AUX with enable privilege.
- At least one uplink interface (e.g., GigabitEthernet1/0/1) connected to a router or core switch.
- At least two host ports (e.g., GigabitEthernet1/0/2 and GigabitEthernet1/0/3) to test isolation.
- Knowledge of VLAN IDs (primary VLAN 100, secondary VLANs 101 and 102).
Step 1: Enter global configuration mode
Access the switch command-line interface and enter global configuration mode to begin defining VLANs. Type the command to enter privileged EXEC mode, then switch to global configuration mode. This ensures all subsequent commands apply to the entire device.
enable
configure terminalYou will see the prompt change from Switch> to Switch(config)#.
Step 2: Create the primary and secondary VLANs
Define the primary VLAN that will carry traffic between the switch and the uplink. Then create two secondary VLANs: one for isolated hosts and one for a community group. The primary VLAN ID must be higher than any secondary VLAN ID in a PVLAN setup.
vlan 100
name PRIMARY
vlan 101
name ISOLATED
vlan 102
name COMMUNITYAfter creating the VLANs, verify they exist in the running configuration:
show vlan briefExpected output includes the new VLANs with names PRIMARY, ISOLATED, and COMMUNITY.
Step 3: Configure the primary VLAN as a PVLAN
Convert the primary VLAN into a private VLAN by enabling the PVLAN feature. This step links the primary VLAN with the secondary VLANs you created. Without this command, the switch treats VLANs as standard broadcast domains.
vlan 100
private-vlan primaryNext, configure the secondary VLANs as isolated or community types. Assign VLAN 101 as isolated so hosts in this VLAN cannot talk to each other. Assign VLAN 102 as a community VLAN so hosts within it can communicate while still being isolated from the primary VLAN and other communities.
vlan 101
private-vlan isolated
vlan 102
private-vlan communityYou can verify the VLAN types with:
show vlan private-vlanExpected output shows VLAN 100 as primary, VLAN 101 as isolated, and VLAN 102 as community.
Step 4: Map the primary VLAN to secondary VLANs
Link the primary VLAN to the secondary VLANs so the switch knows which ports belong to which group. Use the private-vlan mapping command under the primary VLAN configuration. This mapping defines the relationship between the primary VLAN and its secondary VLANs.
vlan 100
private-vlan mapping 101
private-vlan mapping 102Save the configuration to ensure changes persist after a reboot:
write memoryStep 5: Assign host ports to VLANs
Configure the host ports to belong to the secondary VLANs. Assign GigabitEthernet1/0/2 to the isolated VLAN and GigabitEthernet1/0/3 to the community VLAN. Set the port mode to access and assign the appropriate VLAN ID.
interface GigabitEthernet1/0/2
switchport mode access
switchport access vlan 101
interface GigabitEthernet1/0/3
switchport mode access
switchport access vlan 102Verify the port VLAN assignments:
show interfaces statusExpected output shows GigabitEthernet1/0/2 in VLAN 101 and GigabitEthernet1/0/3 in VLAN 102.
Step 6: Configure the uplink port
Set the uplink port to trunk mode and allow the primary VLAN and secondary VLANs. This allows traffic from isolated and community VLANs to reach the router or core network. Without this, the uplink will not forward PVLAN traffic correctly.
interface GigabitEthernet1/0/1
switchport mode trunk
switchport trunk allowed vlan 100,101,102Ensure the trunk carries the VLANs by checking:
show interfaces trunkExpected output lists GigabitEthernet1/0/1 as trunking VLANs 100, 101, and 102.
Verify the installation
Test that the isolated host cannot communicate with the community host. Connect two PCs to GigabitEthernet1/0/2 and GigabitEthernet1/0/3. Ping from PC1 to PC2; the ping should fail. Then connect PC1 to the uplink and ping the router; the ping should succeed. This confirms isolation is enforced.
ping 192.168.101.2Expected output shows Success rate is 0 percent when pinging between isolated and community VLANs. Next, verify that hosts within the same community VLAN can communicate. Assign a second port to VLAN 102 and ping between them; the ping should succeed.
show vlan private-vlanExpected output confirms the mapping between primary VLAN 100 and secondary VLANs 101 and 102.
Troubleshooting
If pings fail unexpectedly, check that the uplink port allows all required VLANs. Use show interfaces trunk to confirm VLAN 100, 101, and 102 are allowed. If the uplink is missing a VLAN, add it with switchport trunk allowed vlan add 100,101,102. Verify that the primary VLAN is correctly mapped to secondary VLANs by running show vlan private-vlan. If the mapping is missing, re-enter the private-vlan mapping commands under the primary VLAN configuration. Ensure host ports are set to access mode and assigned to the correct secondary VLAN. If a port is set to trunk mode, change it with switchport mode access and reassign the VLAN. Check for any VLAN pruning or security policies that might block traffic. Review the switch logs with show logging for errors related to PVLAN configuration. If PVLAN features are not supported on the hardware, consult the switch model documentation for compatibility.