Private VLAN (PVLAN)
As discussed in the "Protected Ports (PVLAN Edge)" section, the PVLAN feature prevents interhost
communication by providing port-based security between adjacent ports within a VLAN across one or more
switches. PVLAN provides Layer 2 isolation to separate hosts from one another between ports within the same
PVLAN.
Access ports in a PVLAN are allowed to communicate only with certain designated router ports. In most
cases, this is the default gateway IP address. Private VLANs and normal VLANs can coexist on the same switch.
The PVLAN feature allows segregating traffic at Layer 2, thereby transforming a broadcast segment into a
nonbroadcast multi-access-like segment. To prevent interhost and interserver communication, PVLAN can be
used efficiently because the number of subnets or VLANs is greatly reduced, although the isolation approach
within a single network segment is still achieved. The number is reduced because there is no need to create
extra subnets/VLANs.
Note
The PVLAN feature is not available on all Cisco switches. Refer to Table 4-1 for a list of supported
platforms.
Table 4-1. VLAN Support on Catalyst Switches

| Platform | Software Version | Isolated VLAN | PVLAN Edge (Protected Port) | Community VLAN |
|---|---|---|---|---|
| Catalyst 8500 | Not Supported | - | - | - |
| Catalyst 6500/6000 (CatOS on Supervisor and Cisco IOS on MSFC) | 5.4(1) on Supervisor and 12.0(7)XE1 on MSFC | Yes | N/A | Yes |
| Catalyst 6500/6000 (Cisco IOS System software) | 12.1(8a)EX, 12.1(11b)E1 | Yes | N/A | Yes |
| Catalyst 5500/5000 | Not Supported | - | - | - |
| Catalyst 4500/4000 (CatOS) | 6.2(1) | Yes | N/A | Yes |
| Catalyst 4500/4000 (Cisco IOS) | 12.1(8a)EW | Yes | N/A | 12.2(20)EW |
| Catalyst 3750 | 12.2(20)SE-EMI | Yes | 12.1(11)AX | Yes |
| Catalyst 3750 Metro | 12.1(14)AX | No | Yes | No |
| Catalyst 3560 | 12.2(20)SE-EMI | Yes | 12.1(19)EA1 | Yes |
| Catalyst 3550 | 12.1(4)EA1 | No | Yes | Not Currently Supported |
| Catalyst 2970 | 12.1(11)AX | No | Yes | No |
| Catalyst 2955 | 12.1(6)EA2 | No | Yes | No |
| Catalyst 2950 | 12.0(5.2)WC1, 12.1(4)EA1 | No | Yes | Not Currently Supported |
| Catalyst 2900XL/3500XL | 12.0(5)XU (on 8MB switches only) | No | Yes | No |
| Catalyst 2948G-L3 / 4908G-L3 | Not Supported | - | - | - |
| Catalyst 2948G/2980G | 6.2 | Yes | N/A | Yes |
| Catalyst 2940 | 12.1(13)AY | No | Yes | No |
| Catalyst 1900 | Not Supported | - | - | - |
The list that follows describes three types of PVLAN ports, as shown in Figure 4-1a:
Promiscuous: A promiscuous port can communicate with all interfaces, including the isolated and
community ports within a PVLAN. The function of the promiscuous port is to move traffic between ports in
community or isolated VLANs. It can use access lists to identify which traffic can pass between these
VLANs. Only one promiscuous port is allowed per single PVLAN, and it serves all the community and
isolated VLANs in the Private VLAN.
Isolated: An isolated PVLAN port has complete Layer 2 separation from all the other ports within the
same PVLAN, but not from the promiscuous ports. Traffic from the isolated port is forwarded only to the
promiscuous ports and none other.
Community: Community ports are logically combined groups of ports in a common community and can
pass traffic among themselves and with promiscuous ports. Ports are separated at Layer 2 from all other
interfaces in other communities or isolated ports within their PVLAN.
Figure 4-1a. PVLAN Components
It is possible for isolated and community port traffic to enter or leave the switch through a trunk interface
because trunks support VLANs carrying traffic among isolated, community, and promiscuous ports. Hence,
PVLAN ports are associated with a separate set of VLANs that are used to create the PVLAN structure. A PVLAN
uses VLANs in the following three ways:
As a primary VLAN: Carries traffic from a promiscuous port to isolated, community, and other
promiscuous ports in the same primary VLAN.
As an isolated VLAN: Carries traffic from isolated ports to a promiscuous port. Ports in the isolated VLAN
cannot communicate at Layer 2 with any other port within the Private VLAN (either another community
VLAN port or a port in the same isolated VLAN). To communicate with other ports, it must go through the
promiscuous port.
As a community VLAN: Carries traffic among community ports within the same community VLAN and
to promiscuous ports. Ports in the community VLAN can communicate at Layer 2 with each other (only
within the same community VLAN) but cannot communicate with ports in other community or isolated
VLANs. To communicate with other ports, they must go through the promiscuous port. Multiple community
VLANs can be configured in a PVLAN.
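The port roles and the primary/isolated/community VLAN relationships described above can be checked with a small forwarding model. The Python below is an added example written for this page, not code from the book or from Cisco: it encodes the Layer 2 reachability rules (promiscuous reaches everything, isolated reaches only promiscuous, community reaches its own community plus promiscuous), lists the VLANs a trunk must carry to extend the PVLAN, and renders the equivalent Cisco IOS commands for reading alongside the model. The port names (Gi0/1 to Gi0/24) and VLAN numbers 100 to 103 are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class Role(Enum):
    PROMISCUOUS = "promiscuous"   # router / default-gateway port
    ISOLATED = "isolated"         # host port, talks to promiscuous ports only
    COMMUNITY = "community"       # host port, talks within its own community


@dataclass(frozen=True)
class Port:
    name: str
    role: Role
    secondary: Optional[int] = None   # isolated or community VLAN; None for promiscuous


@dataclass
class PrivateVlan:
    primary: int
    isolated: int                     # one isolated VLAN per primary VLAN
    communities: frozenset = frozenset()
    ports: Dict[str, Port] = field(default_factory=dict)

    def add_port(self, port: Port) -> None:
        """Attach a port, rejecting a secondary VLAN this PVLAN does not define."""
        if port.role is Role.ISOLATED and port.secondary != self.isolated:
            raise ValueError(f"{port.name}: isolated ports must use VLAN {self.isolated}")
        if port.role is Role.COMMUNITY and port.secondary not in self.communities:
            raise ValueError(f"{port.name}: VLAN {port.secondary} is not a community of {self.primary}")
        if port.role is Role.PROMISCUOUS and port.secondary is not None:
            raise ValueError(f"{port.name}: a promiscuous port maps to all secondaries, not one")
        self.ports[port.name] = port

    def can_forward(self, src: str, dst: str) -> bool:
        """Layer 2 reachability between two ports of this PVLAN."""
        a, b = self.ports[src], self.ports[dst]
        if Role.PROMISCUOUS in (a.role, b.role):
            return True                      # promiscuous reaches, and is reached by, everything
        if Role.ISOLATED in (a.role, b.role):
            return False                     # isolated ports never reach other host ports
        return a.secondary == b.secondary    # community ports: same community VLAN only

    def reachable_from(self, src: str) -> list:
        """Sorted names of the ports that frames from src may be forwarded to."""
        return sorted(d for d in self.ports if d != src and self.can_forward(src, d))

    def trunk_vlans(self) -> Set[int]:
        """VLANs a trunk must carry to extend this PVLAN to another switch."""
        return {self.primary, self.isolated, *self.communities}

    def ios_config(self) -> str:
        """Render the equivalent Cisco IOS commands (constructed for reading, not applied)."""
        secondaries = sorted({self.isolated, *self.communities})
        sec_list = ",".join(str(v) for v in secondaries)
        lines = ["vtp mode transparent",    # pre-VTPv3 switches need transparent mode for PVLANs
                 f"vlan {self.isolated}", " private-vlan isolated"]
        for c in sorted(self.communities):
            lines += [f"vlan {c}", " private-vlan community"]
        lines += [f"vlan {self.primary}", " private-vlan primary",
                  f" private-vlan association {sec_list}"]
        for p in self.ports.values():
            lines.append(f"interface {p.name}")
            if p.role is Role.PROMISCUOUS:
                lines += [" switchport mode private-vlan promiscuous",
                          f" switchport private-vlan mapping {self.primary} {sec_list}"]
            else:
                lines += [" switchport mode private-vlan host",
                          f" switchport private-vlan host-association {self.primary} {p.secondary}"]
        return "\n".join(lines)


def build_demo() -> PrivateVlan:
    """Constructed topology: one gateway port, two isolated hosts, two communities."""
    pv = PrivateVlan(primary=100, isolated=101, communities=frozenset({102, 103}))
    pv.add_port(Port("Gi0/24", Role.PROMISCUOUS))
    pv.add_port(Port("Gi0/1", Role.ISOLATED, 101))
    pv.add_port(Port("Gi0/2", Role.ISOLATED, 101))
    pv.add_port(Port("Gi0/3", Role.COMMUNITY, 102))
    pv.add_port(Port("Gi0/4", Role.COMMUNITY, 102))
    pv.add_port(Port("Gi0/5", Role.COMMUNITY, 103))
    return pv


if __name__ == "__main__":
    pv = build_demo()
    for name, port in pv.ports.items():
        print(f"{name:7} ({port.role.value:11}) -> {pv.reachable_from(name)}")
    print("trunk must carry:", sorted(pv.trunk_vlans()))
    print(pv.ios_config())
```

Running the block prints, for each port, the ports it can reach at Layer 2: the two isolated hosts reach only Gi0/24, the community members reach each other plus Gi0/24, and the promiscuous port reaches all of them. The `add_port` checks mirror what the switch enforces when a host port is associated with a secondary VLAN that has not been tied to the primary.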
Figure 4-1a depicts the basic PVLAN components and the different types of PVLAN ports.
The isolated and community VLANs are also called secondary VLANs. PVLANs can be extended across multiple
devices by trunking the primary, isolated, and community VLANs to other devices that support PVLANs.
In summary, a Private VLAN contains three elements: the Private VLAN itself, the secondary VLANs (known as
the community VLAN and isolated VLAN), and the promiscuous port.
Figure 4-1b summarizes the PVLAN components and traffic flow behavior among the PVLAN ports.
Figure 4-1b. PVLAN Traffic Flow Policies
Table 4-1 shows a list of Cisco switches that support the PVLAN feature with the corresponding software version.