Understanding PVLAN Trunk Types

As I mentioned in previous article, the PVLAN trunk feature is not widely available. However they are mentioned in the SWITCH materials. Therefore, I wanted to briefly mention how these may be used. In many cases, I find a picture is worth a million words. This happens to be one of those cases. Therefore, I provided a simple diagram for reference.

The two special types of trunks shown above are discussed in this article. The one on the right is an isolated PVLAN trunk, while the one on the left is a promiscuous PVLAN trunk. By now, most PacketU readers understand that PVLANs have isolated, community and promiscuous ports. These are typically similar to access ports in regard to VLAN tagging.

In a typical PVLAN configuration, the trunks connecting two PVLAN aware switches are constructed using normal 802.1q trunks (switchport mode trunk). This is the proper configuration only when both devices that understand that VLANs are private and should be handled accordingly. However, cases may arise when trunks need to be created between devices that lack the support for PVLANs. This is where these special PVLAN trunks come into play.

The function of these special Private VLAN trunks is that of merging the primary and secondary VLANs. These special trunk types must be either promiscuous or isolated. In this sense, promiscuous trunk ports behave a lot like normal promiscuous PVLAN ports. Like a typical promiscuous port, devices connected to the promiscuous PVLAN trunk port can communicate with all devices in the PVLAN. The only real difference is that frames can be tagged. Additionally, the interface merges the primary and secondary VLANs into a common VLAN ID.

Isolated PVLAN trunks function exactly the same in regards to tagging. However, devices connected to this type of trunk port can only communicate with promiscuous PVLAN ports. This communication can be with devices connected to regular promiscuous PVLAN ports or a promiscuous PVLAN trunk port.

The following is a comprehensive list of the port types and functions found in private VLAN configurations.

PVLAN Access Ports

  • Promiscuous Port — communication can be established with all other ports in the private vlan
  • Community Port — communication can be established with other ports in the same community and the promiscuous ports
  • Isolated Port — communication can only be established with the promiscuous ports

Trunk Ports

  • Regular Trunk Port (switchport mode trunk) — communicates VLAN information between two switches using 802.1q tagging. In regards to private VLANs, used when both devices understand PVLANs
  • Promiscuous PVLAN Trunk — Functions like a promiscuous port but uses tagging and merges applicable VLANs into a common VLAN ID
  • Isolated PVLAN Trunk — Functions like an isolated port but uses tagging and merges applicable VLANs into a common VLAN ID
PVLAN trunks are not widely supported or documented. Due to their inclusion in the CCNP Switch materials, I wanted to expand on the official documentation for clarification. This article explains the concepts around these special trunk ports. I would strongly caution anyone who may be planning to implement these features to check the Cisco feature navigator to verify support on the applicable platform and software version.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in Design. Bookmark the permalink.

1 Response to Understanding PVLAN Trunk Types

  1. Rey says:


    on the PVLAN aware switch trunk link to the NON-PVLAN aware switch trunk link, what would be the config snippet you would use from the following:
    – on trunk link for the isolated PVLAN trunk on the PVLAN aware switch
    – on trunk link for the isolated PVLAN trunk on the NON-PVLAN aware switch

    I understand that the switchports for the non-pvlan switch would be configured as “protected” ports and they would be associated to a vlan access port, but are configured to use the isolated vlan ID the same as the secondary isolated vlan id configured on the PVLAN switch?
    If yes, then how to the trunk link configurations look like between the pvlan switch and non-pvlan switch?


Comments are closed.