Private VLAN (PVLAN) is functionality that offers more granular control inside a
single broadcast domain: hosts share one primary VLAN and one IP subnet, but Layer-2
traffic between them is restricted. There are two options for private VLAN host ports.
A port is either in a community VLAN or in an isolated VLAN. The difference is that ports
in a community VLAN are able to communicate with each other and with the promiscuous port,
while ports in an isolated VLAN are able to communicate only with the promiscuous port
(not even with another isolated port). The promiscuous port is usually the port connected
to the default gateway device (router or firewall). Links to other switches that carry the
PVLAN are normal 802.1Q trunks; the primary/secondary VLAN definitions must exist on every
switch (hence VTP transparent), and isolation is then preserved across the trunk.
Security caveat: PVLAN only blocks Layer-2 traffic. Two isolated hosts in the same subnet
can still reach each other by sending packets to the gateway MAC with the other host's IP
as destination; the router forwards them back out the same interface. Block this with an
ACL on the gateway interface (or SVI) that denies traffic sourced from the subnet and
destined to the same subnet.
Terminology:
Primary VLAN: the single broadcast domain that carries the secondary VLANs.
Secondary Community VLAN: ports in this VLAN can communicate with each other and with
promiscuous ports.
Secondary Isolated VLAN: ports in this VLAN are able to communicate only with promiscuous
ports. Only one isolated VLAN per primary VLAN is needed; all isolated hosts share it.
Config:
!!!! vtp mode transparent (VTP v1/v2 does not propagate PVLANs) !!!!
Define the secondary VLANs first, then the primary and its association:
vlan 600
 private-vlan community
vlan 400
 private-vlan isolated
vlan 200
 private-vlan primary
 private-vlan association 400,600
port g0/23 isolated port config (primary 200, secondary 400):
 switchport mode private-vlan host
 switchport private-vlan host-association 200 400
ports g0/24 - g0/26 community ports (primary 200, secondary 600):
 switchport mode private-vlan host
 switchport private-vlan host-association 200 600
int gig0/20 promiscuous port (towards the default gateway):
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 400,600
The mapping takes the primary VLAN first, then the list of secondary VLANs. Do not add
"switchport mode trunk" on the promiscuous port: it replaces the private-vlan mode rather
than combining with it. An uplink to another switch carrying the PVLAN is configured as a
regular 802.1Q trunk that allows VLANs 200, 400 and 600.
PVLAN Edge (protected port): a lightweight alternative that needs no secondary VLANs.
int gig0/18
 switchport protected
Protected ports cannot exchange unicast, multicast or broadcast with other protected
ports on the same switch, but can talk to any unprotected port. The restriction is local
to one switch only and is not carried over a trunk, unlike real PVLAN isolation.
Show cli:
show vlan brief
show vlan private-vlan type
show vlan private-vlan
show interfaces gig0/23 switchport   (shows the host association / mapping of one port)
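Added example, not part of the original notes: a small Python model of the reachability
rules described above (community, isolated, promiscuous, switchport protected, and the
Layer-3 hairpin through the gateway). The switch names, port names and the "ACL present"
flag are assumptions for illustration; the rules are the PVLAN rules from the notes.

```python
"""Model of private VLAN / PVLAN edge reachability (added example, not
vendor code).  Switch and port names are assumed for illustration."""
from dataclasses import dataclass
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str                 # assumed naming: "<switch>:<interface>"
    switch: str               # PVLAN isolation crosses trunks; 'protected' does not
    vlan: int                 # primary VLAN for PVLAN ports, regular VLAN otherwise
    role: str                 # promiscuous | community | isolated | protected | normal
    community: Optional[int] = None   # secondary community VLAN id (role == community)


def l2_reachable(a: Port, b: Port) -> bool:
    """Can a frame sent on port a be delivered to port b at Layer 2?"""
    if a == b:
        return True
    if a.vlan != b.vlan:                       # different broadcast domain
        return False
    regular = ("normal", "protected")
    if a.role in regular or b.role in regular:
        # PVLAN edge: two protected ports on the SAME switch cannot talk;
        # the check is local to a switch and is not carried over a trunk.
        if a.role == "protected" and b.role == "protected":
            return a.switch != b.switch
        return a.role in regular and b.role in regular
    if "promiscuous" in (a.role, b.role):      # gateway port talks to everyone
        return True
    if a.role == "community" and b.role == "community":
        return a.community == b.community      # same community only
    return False   # isolated<->isolated, isolated<->community, different communities


def reachable_via_gateway(a: Port, b: Port, gw: Port, acl_denies_hairpin: bool) -> bool:
    """Can host a reach host b by routing through the gateway on port gw?

    Each host only needs Layer-2 reachability to the promiscuous port.  Unless
    the router/SVI carries an ACL dropping packets whose source and destination
    are both inside the local subnet, it forwards them straight back out
    (the classic PVLAN proxy attack).
    """
    if gw.role != "promiscuous":
        raise ValueError("gateway must sit on a promiscuous port")
    if acl_denies_hairpin:
        return False
    return l2_reachable(a, gw) and l2_reachable(gw, b)


# Constructed sample topology mirroring the notes (sw2 ports are assumed).
GW = Port("sw1:g0/20", "sw1", 200, "promiscuous")
ISO1 = Port("sw1:g0/23", "sw1", 200, "isolated")
ISO2 = Port("sw2:g0/5", "sw2", 200, "isolated")
COM1 = Port("sw1:g0/24", "sw1", 200, "community", 600)
COM2 = Port("sw1:g0/25", "sw1", 200, "community", 600)
PROT1 = Port("sw1:g0/18", "sw1", 100, "protected")
PROT2 = Port("sw1:g0/19", "sw1", 100, "protected")
PROT3 = Port("sw2:g0/18", "sw2", 100, "protected")
PORTS = [GW, ISO1, ISO2, COM1, COM2, PROT1, PROT2, PROT3]


def reachability_matrix(ports=PORTS):
    """Map (src, dst) port names to Layer-2 reachability."""
    return {(a.name, b.name): l2_reachable(a, b) for a, b in product(ports, repeat=2)}


if __name__ == "__main__":
    for (src, dst), ok in reachability_matrix().items():
        if src != dst:
            print(f"{src:>10} -> {dst:<10} {'ok' if ok else 'blocked'}")
    print("isolated->isolated via gateway, no ACL  :",
          reachable_via_gateway(ISO1, ISO2, GW, acl_denies_hairpin=False))
    print("isolated->isolated via gateway, with ACL:",
          reachable_via_gateway(ISO1, ISO2, GW, acl_denies_hairpin=True))
```

Running it prints the full matrix; the two last lines show why the gateway ACL is
needed: without it the isolated hosts still reach each other through the router.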