Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

private vlans or vlan access lists


I was just wondering what is better to be used on a network.

A private vlan with different communities or restricting access to routed vlans by placing access-lists.



Everyone's tags (2)

Hey,VACL is more flexible


VACL is more flexible that private vlans as they come with lots of do's and dont's.




Cisco Employee

Hi Dear, Below are some

Hi Dear,

 Below are some thought on both the topic now you can choose which one would be easy for you:-

PVLANs provide layer 2 isolation between ports within the same broadcast domain. There are three types of PVLAN ports:
Promiscuous— A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
Isolated— An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from isolated port is forwarded only to promiscuous ports.
Community— Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.
VACLs provide access control for all packets that are bridged within a VLAN or that are routed into or out of a VLAN. Unlike regular Cisco IOS ACLs that are configured on router interfaces and applied on routed packets only, VACLs apply to all packets.

Difference between it:
PVLANs are best for when you want to segment within the same switch, whereas VACLs will apply to an entire VLAN as a whole.
Also, if you deployed VACLs across an entire VLAN to perform the function of PVLANS the scalabitliy and management would be a nightmare.
Blocking by MAC address would require you to know the MAC addresses of all the devices that would connect to your switches.
Blocking by IP address would require static assignment of all IP addresses on the network. Becaue if they were to change then that host likely wouldn't be able to access the resources it needed anymore. You can't block by subnet b/c everything in that VLAN (if you are using best practice) would be on the same subnet. So you would have to block by individual host addresses.




CreatePlease to create content