Private VLANs (PVLANs) provide Layer 2 isolation between ports within
the same VLAN. The table in this document summarizes the support of the PVLAN
feature in Cisco Catalyst switches.

Refer to Networks with Private VLANs and VLAN Access Control Lists for more
information on how to understand and implement networks that use PVLANs. Click
on the Catalyst switch in the table in this document for the step-by-step
configuration guide on how to configure PVLANs on specific Catalyst switches.

There are no specific requirements for this document.

This document is not restricted to specific software and hardware

Technical Tips Conventions for more information on document

This table provides information about the PVLAN feature support in
Cisco Catalyst switches:

The PVLAN edge (protected port) is a feature that has only local
significance to the switch, and there is no isolation provided between two
protected ports located on different switches. A protected port does not
forward any traffic (unicast, multicast, or broadcast) to any other port that
is also a protected port in the same switch. Therefore, it provides isolation.
Traffic cannot be forwarded between protected ports at Layer 2. All traffic
passing between protected ports must be forwarded through a Layer 3
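
The local-significance caveat above, as an added example that is not part of the Cisco document: a toy Python model of the protected-port forwarding rule, flooded over a constructed two-switch topology. Switch, port and host names are made up, and the inter-switch uplinks are assumed to be ordinary (unprotected) ports.

```python
# Added illustration: toy model of PVLAN edge (protected port) forwarding.
from collections import deque

# Constructed topology: port -> (protected?, what is attached).
# Assumption: uplinks between switches are unprotected ports.
SWITCHES = {
    "sw1": {"Fa0/1": (True, "hostA"), "Fa0/2": (True, "hostB"),
            "Fa0/3": (False, "server"), "Gi0/1": (False, ("sw2", "Gi0/1"))},
    "sw2": {"Fa0/1": (True, "hostC"), "Gi0/1": (False, ("sw1", "Gi0/1"))},
}

def may_forward(switch, in_port, out_port):
    """Local rule: never protected -> protected on the same switch."""
    ports = SWITCHES[switch]
    if in_port == out_port:
        return False
    return not (ports[in_port][0] and ports[out_port][0])

def locate(host):
    """Return the (switch, port) a host is attached to."""
    for sw, ports in SWITCHES.items():
        for port, (_, peer) in ports.items():
            if peer == host:
                return sw, port
    raise KeyError(host)

def l2_reachable(src, dst):
    """Flood a frame from src and report whether any copy reaches dst."""
    start = locate(src)
    queue, seen = deque([start]), {start}
    while queue:
        sw, in_port = queue.popleft()
        for out_port, (_, peer) in SWITCHES[sw].items():
            if not may_forward(sw, in_port, out_port):
                continue
            if peer == dst:
                return True
            # A tuple peer is the ingress (switch, port) on the neighbour.
            if isinstance(peer, tuple) and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return False

def isolation_gaps():
    """Pairs of hosts on protected ports that can still talk at Layer 2."""
    prot = sorted(peer for ports in SWITCHES.values()
                  for flag, peer in ports.values() if flag)
    return [(a, b) for i, a in enumerate(prot) for b in prot[i + 1:]
            if l2_reachable(a, b)]

if __name__ == "__main__":
    print(isolation_gaps())
```

The two protected hosts on sw1 are isolated from each other, but each can still reach the protected host on sw2 through the uplink, which is the gap to look for when auditing a multi-switch design that relies on protected ports.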

PVLAN ports cannot be trunk ports, cannot channel, cannot have
dynamic VLAN membership, and cannot be a Switched Port Analyzer (SPAN)

PVLAN is supported on sc0 in the Catalyst 4500/4000 and Catalyst
6500/6000 that run CatOS, in software release 6.3(1) and later.

Four MB Catalyst 2900XL Series Switches do not support the protected
port feature, as these cannot be upgraded to Cisco IOS 12.0(5) XU or later
code. The latest version of code that runs on the Catalyst 2900XL is Cisco IOS

Two-way community VLANs in PVLANs are currently not supported on the
Catalyst 4500/4000 Series Switches that run Cisco IOS. Refer to
Private VLANs for additional restrictions.

PVLAN support on Firewall Services Module (FWSM) begins in software
version 3.1. If you run a software version earlier than 3.1, the only possible
workaround is to connect the promiscuous port of the PVLAN using the crossover
cable to a regular access port. Then, make a firewall for the VLAN of that