Showing results for 
Search instead for 
Did you mean: 

simple DMZ private vlan config

Frequent Contributor
Frequent Contributor

Hi All

I am looking at setting up private vlans for my DMZ so hosts cannot talk directly to each other, they only need to talk to the firewall.

We have a HA firewall and 2 switches, each firewall connects to a separate switch, and the switches have a trunk port to each other.

What is the simpliest way to do this?

could I just used the switchport protected (pvlan edge type) command on the servers connected in the DMZ and that would be enough? or do I need to set up the full blown private vlan setup with primary and secondary vlans? if so how would that look?



3 Replies 3


you could put the hosts into separate vlans then on a routed interface on the switch (if its L3) or the firewalls, you could implement ACLs - first deny to dest of other vlans then permit any

or you could implement pvlans on the switches

never seen switchport protected used much in prodution networks

regards, mk

please rate if helpful or solved :)


That is not really what we are looking to achieve.

Actually come to think of it, the actual servers will be on a blade enclosure which there will be multiple servers going through the same port, how would we isolate these from each other if coming off the same port to a blade switch?


if servers are in different vlans - then potentially a trunk port to the switch with SVIs for the different vlans?

regards, mk

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers