Private VLANs only govern Layer 2 communication. They do not force traffic through the router or firewall. Two hosts on the same subnet but separated by Private VLANs cannot communicate unless permitted. Traffic between the two is either enabled or disabled; it cannot be filtered the way a firewall filters it. Private VLANs must be trunked between switches for hosts on different switches to communicate. I started to create detailed instructions, but found it well documented elsewhere on the net.

Here are a few notes about Private VLANs:

  • Enables Sticky ARP
  • Every port on that VLAN must be configured for Private VLANs
  • Ports come in three types:
      • Isolated – can only communicate off-VLAN
      • Community – can communicate with other designated ports in the same VLAN
      • Promiscuous – can communicate with any port

For more info, see the PVLAN article from internetworkexperts.com and the Private VLAN trunk configuration documentation at Cisco.
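The following Cisco IOS configuration is an added example, not part of the original post, showing one primary VLAN with an isolated and a community secondary VLAN, one port of each type, a trunk carrying all three VLANs to a neighbouring switch, and the SVI mapping that lets the switch answer for hosts in the secondaries. VLAN numbers, interface names and the 10.1.100.0/24 address are assumptions chosen for the example; adapt them to your switch.

```cisco
! Private VLANs require VTP transparent mode (or VTP version 3) on Catalyst switches
vtp mode transparent
!
! Primary VLAN and its two secondary VLANs (numbers are assumed for this example)
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
vlan 101
 private-vlan isolated
!
vlan 102
 private-vlan community
!
! Promiscuous port: the uplink to the router/firewall; talks to every secondary
interface GigabitEthernet1/0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Isolated host port: reaches only promiscuous ports, never another isolated host
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community host ports: reach each other and the promiscuous port
interface range GigabitEthernet1/0/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Trunk to the next switch must carry the primary AND both secondaries,
! otherwise the isolation does not survive the hop
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100-102
!
! SVI on the primary VLAN; mapping the secondaries lets the switch route for them
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
 private-vlan mapping 101,102
!
! Verification
! show vlan private-vlan              -> lists primary/secondary pairs and member ports
! show interfaces Gi1/0/2 switchport  -> "Operational Mode: private-vlan host"
```

Because every port in VLAN 100 must carry a private-VLAN mode, a port left as a plain `switchport access vlan 100` is the usual misconfiguration to look for in `show vlan private-vlan`; it will not appear as a member and its host will not be reachable from the secondaries.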

Some switches do not fully support private VLANs but do support a similar, simpler-to-configure protected ports option. Packetlife has a complete description of protected ports.
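As an added example (not from the original post or from Packetlife), this Cisco IOS snippet shows the protected ports alternative on a switch without private VLAN support. Protected ports in the same VLAN cannot exchange unicast, multicast or broadcast frames with each other, but they can all reach an unprotected port such as the router uplink. The setting is significant only within a single switch: two protected ports on different switches joined by a trunk can still talk, so it does not replace a private VLAN trunk. Interface names and VLAN 10 are assumptions for the example.

```cisco
! Host ports: isolated from one another within this switch
interface range FastEthernet0/2 - 10
 switchport mode access
 switchport access vlan 10
 switchport protected
!
! Uplink to the router/firewall is left unprotected so the hosts can leave the VLAN
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
! Verification
! show interfaces FastEthernet0/2 switchport   -> "Protected: true"
! show interfaces FastEthernet0/1 switchport   -> "Protected: false"
```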
