New Member

Private VLAN basic question

Hi friends,

I have a basic question on communication between two different community VLANs.

If I have a switch called S with two community VLANs, viz. A and B, and two promiscuous ports connecting to a non-Cisco switch (that does not understand private VLANs), can this non-Cisco switch achieve communication between the two distinct community VLANs? Or do I need only a Layer 3 device to achieve inter-community VLAN communication?

Thanks a lot


New Member

Re: Private VLAN basic question

Hi Gautam,

While all the switches (Cisco or not) can pass traffic to each other for their respective VLANs, to my knowledge you will require a Layer 3 device to pass data between VLANs, whether Cisco or otherwise.

Hope this helps!

Hall of Fame Super Silver

Re: Private VLAN basic question

Hello Gautam,

If the non-Cisco switch is an L2-only switch, then since the community VLANs have different VLAN numbers, it will not create a backdoor between them: they are separate broadcast domains.

If it has L3 capabilities, it could provide a way for an attacker to get access from one community VLAN to the other.

However, an L2 switch has at least a management IP; avoid having it in the private VLANs' IP subnet.

If it allows inter-VLAN bridging, as is possible on a C3550 or other switches, it can be configured to make a bridge, thus defeating the private VLAN deployment.

If someone uses a crossover cable to connect one port in VLAN x and one port in VLAN y on the standard L2 switch, the same result is achieved: the private VLANs are defeated.

Here VLAN x and VLAN y are the two community VLANs.

So disable all the unused ports and put them on a non-routed VLAN.

Private VLANs try to segment a single IP subnet into multiple broadcast domains under the control of the switch.

An L3 device cannot have overlapping IP addresses on different L3 interfaces.

Hope to help


New Member

Re: Private VLAN basic question

Hi Giuseppe,

I have one more question: if we configure separate private VLANs as community VLANs, for example 346 and 355, and connect two different devices to a primary VLAN 309, which is Layer vlan, will VLAN 346 and VLAN 355 be able to communicate with each other?

As I was going through the Cisco doc, I came across the following line, which says community VLAN is doing isolation at Layer 2 but allows communication at Layer 2. This statement is very ambiguous to me. Without Layer 2 information, how will there be communication at Layer 3?

Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other at Layer 3.

Please suggest
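
The layout discussed in this thread, as an added configuration example that is not taken from any of the posts or from Cisco documentation: primary VLAN 309 with community VLANs 346 and 355, one promiscuous port, and the unused ports shut down and parked in a non-routed VLAN as recommended above. The interface names, VLAN 999 and the 192.0.2.0/24 address are assumptions for illustration.

```cisco
! Constructed example (Catalyst IOS syntax). Interface numbers, VLAN 999
! and the IP address are assumptions, not values from the thread.
!
! With VTP version 1 or 2, private VLANs require transparent mode.
vtp mode transparent
!
! Secondary (community) VLANs: ports in the same community can talk to
! each other at Layer 2, but not to ports in the other community.
vlan 346
 private-vlan community
vlan 355
 private-vlan community
!
! Primary VLAN ties the secondaries into one IP subnet.
vlan 309
 private-vlan primary
 private-vlan association 346,355
!
! Parking VLAN for unused ports: no SVI, no routed interface.
vlan 999
 name UNUSED-NOT-ROUTED
!
interface GigabitEthernet0/1
 description Host in community VLAN 346
 switchport mode private-vlan host
 switchport private-vlan host-association 309 346
!
interface GigabitEthernet0/2
 description Host in community VLAN 355
 switchport mode private-vlan host
 switchport private-vlan host-association 309 355
!
! Promiscuous port: reachable at Layer 2 from both community VLANs.
interface GigabitEthernet0/24
 description Promiscuous uplink
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 309 346,355
!
! Layer 3 interface for the primary VLAN; both secondaries map to it.
interface Vlan309
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 346,355
!
! Unused ports: shut down and placed in the non-routed VLAN, so a stray
! cable between two ports cannot bridge the community VLANs.
interface range GigabitEthernet0/3 - 23
 switchport mode access
 switchport access vlan 999
 shutdown
```

`show vlan private-vlan` and `show interfaces GigabitEthernet0/1 switchport` display the resulting primary/secondary associations and port modes for review.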