Private VLANs only govern Layer 2 communications. They do not force traffic to the router or firewall. Two hosts on the same subnet but separated by Private VLANS cannot communicate unless permitted. Traffic between the two is either enabled or disabled, it cannot be filtered like a firewall. Private VLANs must be trunked between switches in order to communicate between switches. I started to create detailed instructions, but found it well documented elsewhere on the net.

Here are few notes about Private VLANs
Enables Sticky ARP
Every port on that VLAN must be configured for Private VLANs
Ports come in three types

  • Isolated - can only cummicate off-vlan
  • Community - can communicate to other designated ports in the same VLAN
  • Promiscuous - can communicate with any port

For more info see the PVLAN article from internetworkexperts.com and Private VLAN trunk configuration at Cisco

Some switches do not fully support private VLANs, but support a similar protected ports option which is simpler to configure. Packetlife has a complete description of protected ports.

No related posts.