How to configure PVLAN in a Cisco Catalyst switch that runs Catalyst OS system software


Core issue

A Private VLAN (PVLAN) is a VLAN configured for Layer 2 (L2) isolation from other ports within the same broadcast domain or subnet.

Assign a specific set of ports within a PVLAN to control access among the ports at L2. PVLANs and normal VLANs can be configured on the same switch.

The three types of PVLAN ports are:

  • Promiscuous
  • Isolated
  • Community


To create a PVLAN, perform these steps in privileged mode:

  1. Issue the set vlan vlan_num pvlan-type primary command to create the primary VLAN.  

  2. Issue the set vlan vlan_num pvlan-type {isolated | community} command to set the isolated or community VLAN(s).  

  3. Issue the set pvlan primary_vlan_num {isolated_vlan_num | community_vlan_num} mod/ports command to bind the isolated or community VLAN(s) to the primary VLAN, and to associate the isolated or community port(s) to the private VLAN.

  4. Issue the set pvlan mapping primary_vlan_num {isolated_vlan_num | community_vlan_num} mod/ports command to map the isolated or community VLAN to the primary VLAN on the promiscuous port.  

  5. Issue the show pvlan [vlan_num] and show pvlan mapping commands to verify the private VLAN configuration.
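
The five steps above with concrete values, as an added example that is not part of the original Cisco document. The VLAN numbers (100, 101, 102) and the module/port values (3/1-2, 3/3-4, 3/48) are constructed for illustration, and port 3/48 is assumed to be the promiscuous port, for example the uplink toward the default gateway.

```text
# Constructed values: primary VLAN 100, isolated VLAN 101, community VLAN 102
# Step 1: create the primary VLAN
set vlan 100 pvlan-type primary

# Step 2: create the secondary VLANs
set vlan 101 pvlan-type isolated
set vlan 102 pvlan-type community

# Step 3: bind each secondary VLAN to the primary VLAN and assign host ports
# (3/1-2 are isolated ports, 3/3-4 are community ports)
set pvlan 100 101 3/1-2
set pvlan 100 102 3/3-4

# Step 4: map both secondary VLANs to the primary VLAN on the promiscuous port
set pvlan mapping 100 101 3/48
set pvlan mapping 100 102 3/48

# Step 5: verify the bindings and the promiscuous-port mapping
show pvlan 100
show pvlan mapping
```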


For more information, refer to the Configure the Primary and Isolated VLANs section of Configuring Isolated Private VLANs on Catalyst Switches.