Sometimes it is necessary to enforce a policy that separates hosts inside a VLAN, as in the diagram below. In this diagram, the WWW and FTP servers need to communicate with each other, so we put them in a community. The SQL server, on the other hand, should not be visible to the FTP or WWW server, so we put it in an isolated sub VLAN. In fact, there are three types of sub VLAN in a Private VLAN:

  • Promiscuous: can be reached by every sub VLAN

  • Isolated: cannot be seen by the other sub VLANs

  • Community: can only see members of the same community


Imagine we want to make a primary VLAN for these sub VLANs. We make VLAN 100 the primary (the switch has to be in VTP transparent mode first, otherwise it will not accept the private-vlan commands):

SW# conf t
SW(config)#vtp mode transparent
SW(config)#vlan 100
SW(config-vlan)# private-vlan primary

Then we make the sub VLANs: 101 (community) for WWW and FTP, and 102 (isolated) for SQL:

SW(config)#vlan 101
SW(config-vlan)# private-vlan community
SW(config-vlan)# exit
SW(config)#vlan 102
SW(config-vlan)# private-vlan isolated
SW(config-vlan)# exit

After that, we associate both sub VLANs with primary VLAN 100, which places WWW, FTP and SQL under it:

SW(config)#vlan 100
SW(config-vlan)#private-vlan association 101,102

Next, we assign the interfaces: fa0/1 and fa0/2 (WWW, FTP) to community VLAN 101, fa0/3 (SQL) to isolated VLAN 102, and fa0/10 as the promiscuous port mapped to both sub VLANs:

SW(config)#int fa0/1
SW(config-if)# switchport mode private-vlan host
SW(config-if)# switchport private-vlan host-association 100 101
SW(config-if)# exit
SW(config)#int fa0/2
SW(config-if)# switchport mode private-vlan host
SW(config-if)# switchport private-vlan host-association 100 101
SW(config-if)# exit
SW(config)#int fa0/3
SW(config-if)# switchport mode private-vlan host
SW(config-if)# switchport private-vlan host-association 100 102
SW(config-if)# exit
SW(config)#int fa0/10
SW(config-if)# switchport mode private-vlan promiscuous
SW(config-if)# switchport private-vlan mapping 100 101,102

To verify the result, use the show command:

SW# show vlan private-vlan
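As an added check that is not part of the original post, the following Python model applies the private-VLAN forwarding rules to the port assignments above (the VLAN ids, port names and WWW/FTP/SQL roles come from the post; the code and its labels are constructed) and reports any pair the policy forbids but the configuration still lets through:

```python
# Added example (not from the original post): a small model of private-VLAN
# forwarding, used to check that the port assignments above enforce the
# intended policy. VLAN ids, port names and roles come from the post; the
# code is constructed for illustration and does not talk to a switch.
from dataclasses import dataclass
from itertools import permutations

# Secondary VLAN types as declared under "vlan 101" / "vlan 102".
SECONDARY_TYPES = {101: "community", 102: "isolated"}

@dataclass(frozen=True)
class Port:
    name: str
    mode: str               # "host" or "promiscuous"
    primary: int            # primary VLAN (100 in the post)
    secondaries: frozenset  # host: its one secondary; promiscuous: mapped set

def can_talk(a: Port, b: Port, types=SECONDARY_TYPES) -> bool:
    """Layer-2 reachability between two ports under private-VLAN rules."""
    if a.primary != b.primary:
        return False
    if a.mode == "promiscuous" and b.mode == "promiscuous":
        return True
    if "promiscuous" in (a.mode, b.mode):
        prom, host = (a, b) if a.mode == "promiscuous" else (b, a)
        # A promiscuous port only reaches secondaries listed in its mapping.
        return bool(prom.secondaries & host.secondaries)
    # Two host ports: only members of the same community VLAN may talk;
    # isolated hosts never reach another host, even in the same isolated VLAN.
    return any(types[v] == "community" for v in a.secondaries & b.secondaries)

def ports_from_post(mapping=frozenset({101, 102})) -> dict:
    """Port assignments from the post; mapping = the promiscuous port's mapped set."""
    return {
        "www": Port("fa0/1", "host", 100, frozenset({101})),
        "ftp": Port("fa0/2", "host", 100, frozenset({101})),
        "sql": Port("fa0/3", "host", 100, frozenset({102})),
        "gw": Port("fa0/10", "promiscuous", 100, frozenset(mapping)),
    }

def reachable_pairs(ports: dict) -> set:
    """Ordered (src, dst) labels that can exchange frames."""
    return {(x, y) for x, y in permutations(ports, 2) if can_talk(ports[x], ports[y])}

def policy_violations(ports: dict, must_not_reach) -> set:
    """Pairs the policy forbids but the configuration still allows."""
    return reachable_pairs(ports) & set(must_not_reach)
```

Calling `ports_from_post(mapping={101})` shows the SQL host losing its only path to the promiscuous port, which is the quickest way to catch a missing entry in the `mapping` command before it reaches the switch.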