Private VLANs partition a regular VLAN domain into subdomains. Such a subdomain is created when a primary VLAN is paired with a secondary VLAN. Only a switch in VTP Transparent mode supports Private VLANs.
Primary VLAN
To set a VLAN as Primary VLAN, use:
Sw(config)#vlan VLAN-ID
Sw(config-vlan)#private-vlan primary
After the secondary VLANs are configured, they are associated with the primary VLAN, using the following config form within the primary VLAN:
Sw(config-vlan)#private-vlan association [add|remove] SECONDARY-VLAN-LIST
To verify, use:
Sw# show vlan private-vlan [type]
Secondary VLANs
Secondary VLANs can be configured as Isolated or as Community VLANs. Private VLANs work across different switches, as long as the Private VLANs and the primary VLANs are carried over the trunk links.
Isolated VLANs
Ports within the isolated VLAN cannot communicate with each other at Layer.
Sw(config-vlan)# private-vlan isolated
Community VLANs
Ports within the Community VLAN can communicate with ports in the same Community VLAN but not with ports in other Community VLANs or with ports in the Isolated VLAN.
Sw(config-vlan)# private-vlan community
Private VLAN Ports
To configure a port as part of a private VLAN, use:
Promiscuous Ports
A promiscuous port belongs to the primary VLAN and can communicate with all interfaces in the primary VLAN, including ports in the isolated and community secondary VLANs. To set up a promiscuous port, use:
You can also map the VLANs to an isolated port, using:
Sw(config-if)# switchport private-vlan association host PRI-VLAN-ID SEC-VLAN-ID
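The communication rules for promiscuous, isolated and community ports can be checked mechanically. The following Python sketch is an added example, not part of the original page: it parses a constructed VLAN configuration written with the VLAN-mode commands shown above and lists which port pairs are allowed to communicate. The VLAN IDs, interface names, port table and the treatment of different primary VLANs as separate domains are assumptions.

```python
import re
from itertools import combinations

# Constructed sample: VLAN-mode commands as shown on this page, made-up IDs.
SAMPLE_CONFIG = """\
vlan 100
 private-vlan primary
 private-vlan association add 101,102,103
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 103
 private-vlan community
"""

# Constructed port table (hypothetical): name -> (role, primary, secondary).
SAMPLE_PORTS = {
    "Gi0/1": ("promiscuous", 100, None), "Gi0/6": ("host", 100, 103),
    "Gi0/2": ("host", 100, 101), "Gi0/3": ("host", 100, 101),
    "Gi0/4": ("host", 100, 102), "Gi0/5": ("host", 100, 102),
}

def parse_pvlans(config):
    """Return ({vlan: type}, {primary: {secondaries}}) from vlan stanzas."""
    types, assoc, current = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            current = int(m.group(1))
        elif m := re.fullmatch(r"private-vlan (primary|isolated|community)", line):
            types[current] = m.group(1)
        elif m := re.fullmatch(r"private-vlan association (?:add )?([\d,]+)", line):
            assoc.setdefault(current, set()).update(map(int, m.group(1).split(",")))
    return types, assoc

def can_talk(a, b, types, assoc):
    """Apply the page's rules to two (role, primary, secondary) port entries."""
    if a[1] != b[1]:
        return False  # assumption: different primary VLANs are separate domains
    for role, pri, sec in (a, b):
        if role == "host" and sec not in assoc.get(pri, ()):
            return False  # secondary VLAN never associated with the primary
    if "promiscuous" in (a[0], b[0]):
        return True  # promiscuous ports reach every port in the primary VLAN
    return a[2] == b[2] and types.get(a[2]) == "community"

def reachable_pairs(ports, types, assoc):
    return sorted((p, q) for p, q in combinations(sorted(ports), 2)
                  if can_talk(ports[p], ports[q], types, assoc))
```

Calling `reachable_pairs(SAMPLE_PORTS, *parse_pvlans(SAMPLE_CONFIG))` returns the pairs that can communicate; any pair outside the intended policy points to a wrong VLAN type or a missing association.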
Community Ports
A community port is a port that is part of a Community Secondary VLAN, and it can only communicate with other ports in the same Community or with promiscuous ports. To set a community port, use: