Example PVLAN Configuration

Consider the following PVLAN network scenario:

  • VLAN 300 has been partitioned into a PVLAN (private VLAN), across two switches, consisting of the following VLANs and ports:

    • The primary VLAN (VLAN 300) with the following ports:

      • One promiscuous port connected to a router.

      • One port trunk configured as an interswitch link.

    • One isolated VLAN (VLAN 301) with two ports.

    • Two community VLANs (VLAN 302 and VLAN 303), each with two ports.

  • The two switches also carry normal VLAN traffic for VLAN 5 and VLAN 6.

At the Layer 2 level in the PVLAN:

  • The promiscuous port can communicate with all the other ports, including ports in the isolated VLAN and through interswitch link (ISL) ports (PVLAN member ports).

  • The community VLAN ports can communicate with the promiscuous port or other ports in the same community VLAN. The community VLAN ports cannot communicate with ports in any isolated VLAN or in other community VLANs. Traffic from community VLAN ports can traverse through interswitch link (ISL) ports (PVLAN member ports) to other ports belonging to the same community VLAN.

  • The isolated VLAN ports can communicate with the promiscuous port only. However, traffic from the isolated VLAN ports can traverse through interswitch link (ISL) ports (PVLAN member ports) to a switch that has a promiscuous port.

Example commands

The following example lists the commands used to configure the PVLAN and interswitch links on one of the switches in the network scenario.

In the example, the number sign (#) delimits comments addressed to you, the reader. Do not enter comments as commands.

# Create the normal VLANs and VLAN 300 #
vlan 5
vlan 6
vlan 300

# Configure the normal VLAN host access ports #
vlan 5 untagged 1/11-1/12
vlan 6 untagged 1/13-1/14

# Configure VLAN 300 as a private VLAN #
vlan 300 private-vlan primary
vlan 300 private-vlan isolated 301
vlan 300 private-vlan community 302-303

# Configure port A2 as a promiscuous port #
# private-vlan promiscuous is the default configuration #
# for all primary VLAN ports, so you do not have to specify it explicitly #
vlan 300 untagged A2

# Configure the isolated host access ports #
vlan 301 untagged 1/8-1/9

# Configure the community host access ports #
vlan 302 untagged 1/17-1/18
vlan 303 untagged 1/19-1/20

# Configure interswitch links A3 and A4 as a trunk port group to carry both PVLAN #
# and normal VLAN traffic #

trunk 1/A3,1/A4 trk1 lacp
vlan 300 tagged trk1
vlan 5 tagged trk1
vlan 6 tagged trk1
no interface trk1 private-vlan promiscuous

# private-vlan promiscuous is the default configuration for primary VLAN ports #
# You configure ports as interswitch links by #
# removing the promiscuous port configuration #
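
The Layer 2 rules listed earlier can be checked mechanically against the port assignments in the example commands. The following Python sketch is an added example, not part of the original page or vendor code; the names `role`, `can_communicate` and `violations` and the sample list of observed port pairs are hypothetical, and it models only the host ports of the one switch configured above.

```python
# Added example: models the Layer 2 rules for the PVLAN scenario on this page.
# Port-to-VLAN assignments are copied from the example commands; the trunk
# trk1 is omitted because it is an interswitch link, not a host port.
PRIMARY = 300
SECONDARY = {301: "isolated", 302: "community", 303: "community"}
PORT_VLAN = {
    "A2": 300,                    # promiscuous port
    "1/8": 301, "1/9": 301,       # isolated host ports
    "1/17": 302, "1/18": 302,     # community 302 host ports
    "1/19": 303, "1/20": 303,     # community 303 host ports
    "1/11": 5, "1/12": 5,         # normal VLAN 5
    "1/13": 6, "1/14": 6,         # normal VLAN 6
}


def role(port):
    """Return 'promiscuous', 'isolated', 'community' or 'normal' for a port."""
    vlan = PORT_VLAN[port]
    if vlan == PRIMARY:
        return "promiscuous"
    return SECONDARY.get(vlan, "normal")


def can_communicate(a, b):
    """True if host ports a and b may exchange frames at Layer 2."""
    roles = {role(a), role(b)}
    if "normal" in roles:
        # Normal VLANs are ordinary broadcast domains: same VLAN only.
        return PORT_VLAN[a] == PORT_VLAN[b]
    if "promiscuous" in roles:
        return True                       # promiscuous reaches every PVLAN port
    if roles == {"community"}:
        return PORT_VLAN[a] == PORT_VLAN[b]   # same community VLAN only
    return False                          # isolated reaches only promiscuous


def violations(observed):
    """Return the observed (src, dst) pairs that the PVLAN rules forbid."""
    return [pair for pair in observed if not can_communicate(*pair)]


if __name__ == "__main__":
    # Constructed sample: port pairs seen talking during a segmentation test.
    seen = [("1/8", "A2"), ("1/8", "1/9"), ("1/17", "1/18"), ("1/17", "1/20")]
    for src, dst in violations(seen):
        print(f"unexpected Layer 2 path: {src} ({role(src)}) -> {dst} ({role(dst)})")
```

Any pair that `violations` returns indicates that the switch is not enforcing the isolation the PVLAN configuration is meant to provide.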