# Cisco IOS Private VLANs

#### Network Topology

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/R4Zimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/R4Zimage.png)

#### What is a Private VLAN?

A private VLAN, also known as a private LAN, is a VLAN (Virtual Local Area Network) that is used to segment a larger network into smaller, more secure subnets. It is used to isolate different types of traffic or to separate sensitive or confidential information from other network traffic.

A private VLAN uses three types of ports: promiscuous ports, isolated ports, and community ports (Cisco groups isolated and community ports together as host ports). Promiscuous ports can communicate with all other ports in the private VLAN, isolated ports can communicate only with promiscuous ports, and community ports can communicate with other ports in the same community and with promiscuous ports. This allows for a high level of granularity in controlling access and isolating different types of traffic on a network.

Promiscuous ports, isolated ports, and community ports are different types of ports that are used in private VLAN (PVLAN) environments to control access and isolate different types of traffic on a network.

1. Promiscuous Ports: These ports can communicate with all other ports in the private VLAN, including isolated and community ports. They are typically used for gateway or router connections and can be used to access shared resources or provide access to other networks.
2. Isolated Ports: These ports can only communicate with the associated promiscuous port and cannot communicate with other isolated or community ports. They are typically used to isolate sensitive or confidential information and prevent it from being accessed by other parts of the network.
3. Community Ports: These ports can communicate with other ports within the same community and with promiscuous ports, but not with other communities or with isolated ports. They are used to create isolated groups within a private VLAN and to control access to shared resources.

In summary, promiscuous ports allow communication with all other ports in the PVLAN, isolated ports are used to isolate sensitive information and prevent it from being accessed by other parts of the network, and community ports are used to create isolated groups within a PVLAN and control access to shared resources.

Private VLANs are often used in enterprise networks, data centers, and service provider environments to segment traffic and provide additional security. They can also be used to isolate guest or IoT traffic, to separate different departments or groups within an organization, or to separate different types of traffic on a network.

#### What is a Private Isolated VLAN?

A private isolated VLAN is a good solution for keeping sensitive or confidential information separate from other network traffic. It can be used for segmenting a network into secure and non-secure zones, for example, to isolate traffic from a secure server or database from the rest of the network. Additionally, it can be used to create secure zones for specific departments or groups within an organization, or to separate different types of traffic on a network, such as guest or IoT traffic. Some things that Private VLANs can be beneficial for include:

1. Segmenting a network into secure and non-secure zones: In this scenario, a private isolated VLAN would be used to separate sensitive or confidential information from other network traffic. This could include separating a secure server or database from the rest of the network, or isolating traffic from a specific department or group that handles sensitive information.
2. Isolating guest traffic: In a scenario where guest wireless access is provided, a private isolated VLAN could be used to separate guest traffic from internal network traffic. This would help to prevent guests from accessing sensitive or confidential information on the internal network.
3. Isolating IoT traffic: In a scenario where there are a large number of IoT devices connected to a network, a private isolated VLAN could be used to separate IoT traffic from other network traffic. This would help to prevent IoT devices from accessing sensitive or confidential information on the network and also prevent any potential security risks from these devices.
4. Isolating different types of traffic: In a scenario where there are multiple types of traffic on a network, such as voice and data traffic, a private isolated VLAN could be used to separate the different types of traffic. This would help to ensure that voice traffic, for example, is prioritized over data traffic, and that there is no interference between the different types of traffic on the network.

#### Configuration

This configuration is done in GNS3. To build this topology in GNS3 you need the Cisco IOSvL2 switch image. The scenario is that the company has three network segments (VLANs 100, 200, and 400) in which the PCs of each department can communicate within their designated VLAN and out through the Gateway. However, as a matter of policy, those three VLANs are not allowed to communicate with each other. Lastly, there is a fourth VLAN (VLAN 300) on a LAN segment that has been designated as needing a high degree of security. VLAN 300 will therefore be set up as a private isolated VLAN, so the PCs in this VLAN can communicate only with the Gateway. As part of the isolated private VLAN they are even prevented from communicating with each other.

##### PCs

```
PC100_1> ip 192.168.1.1/24 192.168.1.254
PC100_2> ip 192.168.1.2/24 192.168.1.254
PC200_1> ip 192.168.1.3/24 192.168.1.254
PC200_2> ip 192.168.1.4/24 192.168.1.254
PC300_1> ip 192.168.1.5/24 192.168.1.254
PC300_2> ip 192.168.1.6/24 192.168.1.254
PC400_1> ip 192.168.1.7/24 192.168.1.254
PC400_2> ip 192.168.1.8/24 192.168.1.254
```

##### Gateway

```
Gateway>enable
Gateway#configure terminal
Gateway(config)#interface gigabitEthernet 0/0
Gateway(config-if)#ip address 192.168.1.254 255.255.255.0
Gateway(config-if)#no shutdown
```

##### SW1

```
SW1>enable
SW1#configure terminal
SW1(config)#vtp mode transparent
SW1(config)#vlan 100
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#vlan 200
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#vlan 300
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#exit
SW1(config)#vlan 400
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
SW1(config)#vlan 500
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#private-vlan association 100,200,300,400
SW1(config-vlan)#exit
SW1(config)#interface gigabitEthernet 0/1
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 100
SW1(config-if)#interface gigabitEthernet 0/2
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 100
SW1(config-if)#interface gigabitEthernet 0/3
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 200
SW1(config-if)#interface gigabitEthernet 1/0
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 200
SW1(config-if)#interface gigabitEthernet 2/0
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 300
SW1(config-if)#interface gigabitEthernet 1/3
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 300
SW1(config-if)#interface gigabitEthernet 1/2
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 400
SW1(config-if)#interface gigabitEthernet 1/1
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 500 400
SW1(config-if)#interface gigabitEthernet 0/0
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 500 100,200,300,400
SW1(config-if)#end
```

#### Illustrated Scenarios

Intra-community VLAN Communication will be **<span style="color: rgb(45, 194, 107);">Successful</span>**.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/fg2image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/fg2image.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/PHhimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/PHhimage.png)

Inter-community VLAN Communication will **<span style="color: rgb(224, 62, 45);">Fail</span>**.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/OTSimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/OTSimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/Kbfimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/Kbfimage.png)

Community-isolated Communications will <span style="color: rgb(224, 62, 45);">**Fail**</span>.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/zaXimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/zaXimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/1OSimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/1OSimage.png)

Intra-isolated Communications will **<span style="color: rgb(224, 62, 45);">Fail</span>**.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/9wTimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/9wTimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/a2pimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/a2pimage.png)

Community-gateway Communications will be **<span style="color: rgb(45, 194, 107);">Successful</span>**.  
Isolated-gateway Communications will also be <span style="color: rgb(45, 194, 107);">**Successful**</span>.

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/S0Vimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/S0Vimage.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/af2image.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/af2image.png)

[![image.png](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/scaled-1680-/MATimage.png)](https://bookstack.taylorhome.run/uploads/images/gallery/2023-01/MATimage.png)
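As an added example, not part of the original page or of the lab's configuration, the following Python script models the PVLAN forwarding rules described above and applies them to a constructed copy of SW1's configuration: it parses the CLI into VLAN roles and port roles, decides for any two ports whether frames are forwarded (the matrix the screenshots above illustrate), and audits the configuration for gaps a reviewer would look for, such as a secondary VLAN that is associated with the primary but missing from the promiscuous mapping, which silently cuts those hosts off from the gateway. The interface names are the page's g0/1, g0/2, ... spelled out in running-config form; the parser understands only the commands used on this page.

```python
"""Model of the PVLAN forwarding rules applied to SW1's configuration above (added example)."""
import re
from itertools import combinations

# Constructed copy of SW1's configuration in running-config form; interface names are
# the page's g0/1, g0/2, ... spelled out, VLAN numbers and roles are unchanged.
SECONDARY_TYPES = {100: "community", 200: "community", 300: "isolated", 400: "community"}
HOST_PORTS = {"GigabitEthernet0/1": 100, "GigabitEthernet0/2": 100,
              "GigabitEthernet0/3": 200, "GigabitEthernet1/0": 200,
              "GigabitEthernet2/0": 300, "GigabitEthernet1/3": 300,
              "GigabitEthernet1/2": 400, "GigabitEthernet1/1": 400}
SW1_CONFIG = ("vtp mode transparent\n"
    + "".join(f"vlan {v}\n private-vlan {t}\n" for v, t in SECONDARY_TYPES.items())
    + "vlan 500\n private-vlan primary\n private-vlan association 100,200,300,400\n"
    + "".join(f"interface {n}\n switchport mode private-vlan host\n"
              f" switchport private-vlan host-association 500 {s}\n" for n, s in HOST_PORTS.items())
    + "interface GigabitEthernet0/0\n switchport mode private-vlan promiscuous\n"
      " switchport private-vlan mapping 500 100,200,300,400\n")


def parse_pvlan_config(text):
    """Return (vlan_types, associations, ports, vtp_transparent) from IOS-style config text."""
    vlan_types, associations, ports = {}, {}, {}
    vtp_transparent, ctx = False, None  # ctx is ("vlan", id) or ("interface", name)
    for raw in text.splitlines():
        line = raw.strip()
        if line == "vtp mode transparent":
            vtp_transparent = True
        elif m := re.fullmatch(r"vlan (\d+)", line):
            ctx = ("vlan", int(m.group(1)))
        elif m := re.fullmatch(r"interface (\S+)", line):
            ctx = ("interface", m.group(1))
            ports[m.group(1)] = {"mode": None, "primary": None, "secondaries": set()}
        elif ctx and ctx[0] == "vlan":
            if m := re.fullmatch(r"private-vlan (primary|isolated|community)", line):
                vlan_types[ctx[1]] = m.group(1)
            elif m := re.fullmatch(r"private-vlan association ([\d,]+)", line):
                associations[ctx[1]] = {int(v) for v in m.group(1).split(",")}
        elif ctx and ctx[0] == "interface":
            port = ports[ctx[1]]
            if m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", line):
                port["mode"] = m.group(1)
            elif m := re.fullmatch(r"switchport private-vlan (?:host-association|mapping) (\d+) ([\d,]+)", line):
                port["primary"] = int(m.group(1))
                port["secondaries"] = {int(v) for v in m.group(2).split(",")}
    return vlan_types, associations, ports, vtp_transparent


def can_communicate(cfg, a, b):
    """PVLAN rule: promiscuous reaches every secondary it maps, community ports reach their
    own community, isolated ports reach only promiscuous ports."""
    vlan_types, _, ports, _ = cfg
    pa, pb = ports[a], ports[b]
    if pa["primary"] is None or pa["primary"] != pb["primary"]:
        return False
    if pa["mode"] == pb["mode"] == "promiscuous":
        return True
    if "promiscuous" in (pa["mode"], pb["mode"]):
        prom, host = (pa, pb) if pa["mode"] == "promiscuous" else (pb, pa)
        return bool(host["secondaries"]) and host["secondaries"] <= prom["secondaries"]
    if not pa["secondaries"] or pa["secondaries"] != pb["secondaries"]:
        return False  # two host ports in different secondary VLANs never talk directly
    return vlan_types.get(next(iter(pa["secondaries"]))) == "community"


def audit(cfg):
    """Checks to run before trusting the isolation; returns a list of findings (empty = clean)."""
    vlan_types, associations, ports, vtp_transparent = cfg
    findings = []
    if not vtp_transparent:
        findings.append("vtp mode is not transparent: IOS will not accept private-vlan VLANs")
    mapped = set().union(*(p["secondaries"] for p in ports.values() if p["mode"] == "promiscuous"))
    for prim, assoc in associations.items():
        for s in sorted(assoc):
            if vlan_types.get(s) not in ("isolated", "community"):
                findings.append(f"VLAN {s} is associated with {prim} but is not isolated/community")
            if s not in mapped:
                findings.append(f"secondary VLAN {s} has no promiscuous mapping: its hosts lose the gateway")
    for name, p in ports.items():
        if p["primary"] is None:
            findings.append(f"{name}: no private-vlan host-association or mapping")
        elif p["secondaries"] - associations.get(p["primary"], set()):
            findings.append(f"{name}: uses a secondary VLAN not associated with primary {p['primary']}")
    return findings


def reachable_pairs(cfg):
    """Sorted port pairs that can exchange frames under the parsed configuration."""
    return sorted(p for p in combinations(sorted(cfg[2]), 2) if can_communicate(cfg, *p))


if __name__ == "__main__":
    cfg = parse_pvlan_config(SW1_CONFIG)
    for a, b in reachable_pairs(cfg):
        print(f"{a} <-> {b}")
    print("audit findings:", audit(cfg) or "none")
```

Run as a script it lists the eleven port pairs that can exchange frames: each host port with the promiscuous Gi0/0, plus the three community pairs (100, 200 and 400); no pair involving both Gi2/0 and Gi1/3 appears, which is the isolated VLAN 300 behaviour shown in the screenshots. On the switch itself the same facts are read from `show vlan private-vlan` and `show interfaces <port> switchport`; the model is useful for reviewing a configuration before it is pushed, since dropping one VLAN from the promiscuous mapping produces an audit finding rather than a silent outage.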

#### GNS3 File

[private vlan 2.gns3](https://bookstack.taylorhome.run/attachments/19)