PVLANs achieve device isolation through the use of three separate port designations, each having its own unique set of rules that regulate each connected endpoint's ability to communicate with other connected endpoints within the same private VLAN domain.
A PVLAN domain consists of one or more pairs of VLANs. The primary VLAN makes up the domain, and each VLAN pair makes up a subdomain. The VLANs in a pair are called the primary VLAN and the secondary VLAN. All VLAN pairs within a private VLAN share the same primary VLAN; the secondary VLAN ID is what differentiates one subdomain from another. See the following figure.
PVLANs can span multiple switches, just like regular VLANs. Inter-switch link ports do not need to be aware of the special VLAN type and carry frames tagged with these VLANs just like they do any other frames. PVLANs ensure that traffic from an isolated port in one switch does not reach another isolated or community port in a different switch even after traversing an inter-switch link. By embedding the isolation information at the VLAN level and by transporting it with the packet, it is possible to maintain consistent behavior throughout the network. The mechanism that restricts Layer 2 communication between two isolated ports in the same switch also restricts Layer 2 communication between two isolated ports in two different switches.
Within a PVLAN domain, there are three separate port designations. Each port designation has its own unique set of rules that regulate the ability of one endpoint to communicate with other connected endpoints within the same private VLAN domain. The three port designations are as follows:
The primary VLAN encompasses the entire PVLAN domain. It is a part of each subdomain and provides the Layer 3 gateway out of the VLAN. A PVLAN domain has only one primary VLAN, and every port in the domain is a member of it.
A promiscuous port can talk to all other types of ports; it can talk to isolated ports as well as community ports and vice versa. Layer 3 gateways, DHCP servers, and other trusted devices that need to communicate with the customer endpoints are typically connected with a promiscuous port. A promiscuous port can be either an access port or a hybrid/trunk port according to the terminology presented in Annex D of the IEEE 802.1Q specification.
Secondary VLANs provide Layer 2 isolation between ports in a PVLAN domain. A PVLAN domain can have one or more subdomains. A subdomain is made up of a VLAN pair that consists of the primary VLAN and a secondary VLAN. Because the primary VLAN is a part of every subdomain, secondary VLANs differentiate the VLAN subdomains.
To communicate to the Layer 3 interface, you must associate a secondary VLAN with at least one of the promiscuous ports in the primary VLAN. You can associate a secondary VLAN to more than one promiscuous port within the same PVLAN domain, for example, if needed for load balancing or redundancy. A secondary VLAN that is not associated with any promiscuous port cannot communicate with the Layer 3 interface.
A secondary VLAN can be one of the following types:
Note: While multiple community VLANs can be in a private VLAN domain, one isolated VLAN can serve multiple customers. All endpoints that are connected to its ports are isolated at Layer 2. Service providers can assign multiple customers to the same isolated VLAN and be assured that their Layer 2 traffic cannot be sniffed by other customers that share the same isolated VLAN.

Note: Because trunks can support a VLAN that carries traffic between its ports, VLAN traffic can enter or leave the device through a trunk interface.
The following table shows how access is permitted or denied between PVLAN port types.
| | Isolated | Promiscuous | Community 1 | Community 2 | Interswitch Link Port¹ |
|---|---|---|---|---|---|
| Isolated | Deny | Permit | Deny | Deny | Permit |
| Promiscuous | Permit | Permit | Permit | Permit | Permit |
| Community 1 | Deny | Permit | Permit | Deny | Permit |
| Community 2 | Deny | Permit | Deny | Permit | Permit |
| Interswitch Link Port | Deny² | Permit | Permit | Permit | Permit |
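The matrix above follows from tagging each frame with the VLAN of the port it entered on (primary for a promiscuous port, secondary for a host port) and letting the tag decide delivery. The following model is an added example, not Cisco code: it encodes those rules, plus the promiscuous mapping requirement from the secondary VLAN section, so a planned design can be checked for tenant isolation and gateway reachability before it is configured. The port names and the VLAN IDs 202, 303 and 440 are taken from this page's examples; the `Port` dataclass and function names are this example's own.

```python
"""Private VLAN Layer 2 reachability modelled by VLAN tag (added example, not Cisco code)."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    name: str
    mode: str                        # "promiscuous" or "host"
    primary: int
    secondary: int | None = None     # host ports: the secondary VLAN they belong to
    mapped: frozenset = frozenset()  # promiscuous ports: secondaries mapped to the primary

def frame_tag(src: Port) -> int:
    """Primary tag when entering on a promiscuous port, secondary tag on a host port.
    The tag travels with the frame over inter-switch trunks, so every switch applies the same rules."""
    return src.primary if src.mode == "promiscuous" else src.secondary

def reachable(src: Port, dst: Port, vlan_type: dict[int, str]) -> bool:
    """Can a frame that entered on src be delivered out of dst at Layer 2?"""
    if src is dst or src.primary != dst.primary:
        return False
    tag = frame_tag(src)
    if dst.mode == "promiscuous":
        # Primary-tagged frames always; secondary-tagged only if that secondary is mapped here.
        return tag == dst.primary or tag in dst.mapped
    if tag == dst.primary:
        return True   # from a promiscuous port: delivered to every host port in the domain
    # Secondary-tagged: only members of the same community VLAN; never isolated-to-isolated.
    return tag == dst.secondary and vlan_type[tag] == "community"

def unmapped_secondaries(ports: list[Port], vlan_type: dict[int, str]) -> list[int]:
    """Secondary VLANs no promiscuous port maps: their hosts cannot reach the Layer 3 gateway."""
    mapped = set().union(*(p.mapped for p in ports if p.mode == "promiscuous"))
    return sorted(v for v, t in vlan_type.items() if t != "primary" and v not in mapped)

def matrix(ports: list[Port], vlan_type: dict[int, str]) -> dict[tuple[str, str], bool]:
    """Reachability for every ordered pair of distinct ports, keyed by (src, dst) name."""
    return {(s.name, d.name): reachable(s, d, vlan_type)
            for s in ports for d in ports if s is not d}

# Constructed sample domain using the VLAN IDs from this page: primary 202,
# community 303, isolated 440; Eth3/2 is the promiscuous port, Veth1-4 are hosts.
VLAN_TYPE = {202: "primary", 303: "community", 440: "isolated"}
PORTS = [
    Port("Eth3/2", "promiscuous", 202, mapped=frozenset({303, 440})),
    Port("Veth1", "host", 202, secondary=303),
    Port("Veth2", "host", 202, secondary=303),
    Port("Veth3", "host", 202, secondary=440),
    Port("Veth4", "host", 202, secondary=440),
]
```

Printing `matrix(PORTS, VLAN_TYPE)` reproduces the Deny/Permit pattern of the table for these ports; a promiscuous port whose mapping omits a secondary shows up both as a Deny toward that port and in `unmapped_secondaries`.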
PVLANs have the following configuration guidelines and limitations:
Control VLANs, packet VLANs, and management VLANs must be configured as regular VLANs and not as private VLANs.
Parameters | Default |
---|---|
PVLANs | Disabled |
The following section guides you through the private VLAN configuration process. After completing each procedure, return to this section to make sure that you have completed all required procedures in the correct sequence.
Step 1 | Enable or disable the PVLAN feature globally. See Enabling or Disabling the Private VLAN Feature Globally. |
Step 2 | Configure a VLAN as a primary VLAN. See Configuring a VLAN as a Primary VLAN. |
Step 3 | Configure a VLAN as a secondary VLAN. See Configuring a VLAN as a Secondary VLAN. |
Step 4 | Associate the VLANs in a PVLAN. See Associating the VLANs in a PVLAN. |
Step 5 | Configure a PVLAN host port. See Configuring a Private VLAN Host Port. |
Step 6 | Associate a host port with a PVLAN. See Associating a vEthernet Port Profile with a Private VLAN. |
Step 7 | Verify a PVLAN configuration. See Verifying a Private VLAN Configuration. |
You can globally enable or disable the PVLAN feature.
This example shows how to enable or disable the PVLAN feature globally:
```
switch# configure terminal
switch(config)# feature private-vlan
switch(config-vlan)# show feature
Feature Name          Instance  State
--------------------  --------  --------
dhcp-snooping         1         enabled
http-server           1         enabled
ippool                1         enabled
lacp                  1         enabled
lisp                  1         enabled
lisphelper            1         enabled
netflow               1         disabled
port-profile-roles    1         enabled
private-vlan          1         enabled
sshServer             1         enabled
tacacs                1         enabled
telnetServer          1         enabled
switch(config-vlan)#
```
You can configure a VLAN to function as the primary VLAN in a PVLAN.
Note: If the VLAN does not already exist, you are prompted to create it when you create the primary VLAN. For information about creating a VLAN, see Creating a VLAN.
This example shows how to configure a VLAN as a primary VLAN:
```
switch# configure terminal
switch(config)# vlan 202
switch(config-vlan)# private-vlan primary
switch(config-vlan)# show vlan private-vlan
Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------
202                 primary
switch(config-vlan)#
```
You can configure a VLAN to function as a secondary VLAN (isolated or community) in a PVLAN.

Note: If the VLAN does not already exist, you are prompted to create it when you create the secondary VLAN. For information about creating a VLAN, see Creating a VLAN.
This example shows how to configure a VLAN as a secondary VLAN:
```
switch# configure terminal
switch(config)# vlan 202
switch(config-vlan)# private-vlan community
switch(config-vlan)# show vlan private-vlan
Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------
202                 community
switch(config-vlan)#
```
You can associate the primary VLAN in a PVLAN with one or more secondary VLANs.
This example shows how to associate VLANs in a PVLAN:
```
switch# configure terminal
switch(config)# vlan 202
switch(config-vlan)# private-vlan association add 303
switch(config-vlan)# show vlan private-vlan
Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------
202      303        community        Veth1
n1000v(config-vlan)#
```
You can configure an interface as a host port to function with a PVLAN.
This example shows how to configure a PVLAN host port:
```
switch# configure terminal
switch(config)# interface veth1
switch(config-if)# switchport mode private-vlan host
switch(config-if)# show interface veth1
Vethernet1 is up
  Hardware is Virtual, address is 0050.56b0.34c8
  Owner is VM "HAM61-RH5-32bit-ENVM-7.60.1.3"
  Active on module 2, host VISOR-HAM61.localdomain 0
  VMware DVS port 16777215
  Port-Profile is vlan631
  Port mode is Private-vlan host
  Rx
  48600 Input Packets 34419 Unicast Packets
  0 Multicast Packets 14181 Broadcast Packets
  4223732 Bytes
  Tx
  34381 Output Packets 34359 Unicast Packets
  22 Multicast Packets 0 Broadcast Packets 0 Flood Packets
  3368196 Bytes
  5 Input Packet Drops 11 Output Packet Drops
switch(config-if)#
```
You can associate the vEthernet port profile with the primary and secondary VLANs in a PVLAN.
This example shows how to associate a vEthernet port with a PVLAN:
```
switch# configure terminal
switch(config)# port-profile type vethernet vlan_private_isolated_127
switch(config-port-prof)# switchport mode private-vlan host
switch(config-port-prof)# switchport private-vlan host-association 126 127
switch(config-port-prof)# no shut
switch(config-port-prof)# vmware port-group
switch(config-port-prof)# state enabled
```
You can configure a Layer 2 interface as a promiscuous trunk port that does the following:
Note: A promiscuous port can be either access or trunk. If you have one primary VLAN, you can use a promiscuous access port. If you have multiple primary VLANs, you can use a promiscuous trunk port.
This example shows how to configure a Layer 2 port profile as a promiscuous trunk port:
```
switch# configure terminal
switch(config)# port-profile type eth allaccess1
switch(config-port-prof)# switchport mode trunk
switch(config-port-prof)# switchport mode private-vlan trunk promiscuous
switch(config-port-prof)# switchport private-vlan trunk allowed vlan 2,126-128,150-155
switch(config-port-prof)# switchport private-vlan mapping trunk 126 127,128
switch(config-port-prof)# no shut
switch(config-port-prof)# vmware port-group
switch(config-port-prof)# state enabled
```
You can configure a port to be used as a promiscuous access port in a PVLAN.
This example shows how to configure a PVLAN promiscuous access port:
```
switch# configure terminal
switch(config)# interface eth3/2
switch(config-if)# switchport mode private-vlan promiscuous
switch(config-if)# show interface eth3/2
Ethernet3/2 is up
  Hardware is Ethernet, address is 0050.5655.2e85 (bia 0050.5655.2e85)
  MTU 1500 bytes, BW -1942729464 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA
  Port mode is promiscuous
  full-duplex, 1000 Mb/s
  Beacon is turned off
  Auto-Negotiation is turned on
  Input flow-control is off, output flow-control is off
  Rx
  276842 Input Packets 100419 Unicast Packets
  138567 Multicast Packets 37856 Broadcast Packets
  25812138 Bytes
  Tx
  128154 Output Packets 100586 Unicast Packets
  1023 Multicast Packets 26545 Broadcast Packets 26582 Flood Packets
  11630220 Bytes
  173005 Input Packet Drops 37 Output Packet Drops
switch(config-if)#
```
This example shows how to configure a vEthernet interface as a PVLAN promiscuous access port:

```
switch# configure terminal
switch(config)# interface vethernet1
n1000v(config-if)# switchport mode private-vlan promiscuous
switch(config-if)# show interface vethernet 1
Vethernet1 is up
  Port description is VM-1, Network Adapter 7
  Hardware: Virtual, address: 0050.569e.009f (bia 0050.569e.009f)
  Owner is VM "VM-1", adapter is Network Adapter 7
  Active on module 5
  VMware DVS port 5404
  Port-Profile is pri_25
  Port mode is Private-vlan promiscuous
  5 minute input rate 0 bits/second, 0 packets/second
  5 minute output rate 7048 bits/second, 2 packets/second
  Rx
  20276 Input Packets 379239 Unicast Packets
  24 Multicast Packets 1395 Broadcast Packets
  1428168 Bytes
  Tx
  256229 Output Packets 74946 Unicast Packets
  16247 Multicast Packets 2028117 Broadcast Packets 190123 Flood Packets
  44432239 Bytes
  162 Input Packet Drops 159 Output Packet Drops
switch(config-if)#
```
You can associate the promiscuous access port with the primary and secondary VLANs in a PVLAN.
This example shows how to associate a promiscuous access port with a PVLAN:
```
switch# configure terminal
switch(config)# interface eth3/2
switch(config-if)# switchport private-vlan mapping 202 303
switch(config-if)# show vlan private-vlan
Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------
202      303        community        Eth3/2, Veth1
switch(config-if)#
```
You can remove a PVLAN configuration and return the VLAN to normal VLAN mode.
This example shows how to remove a PVLAN configuration:
```
switch# configure terminal
switch(config)# vlan 5
switch(config-vlan)# no private-vlan primary
switch(config-vlan)# show vlan private-vlan
Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------
switch(config-vlan)#
```
Use the following commands to verify a private VLAN configuration:
Command | Purpose |
---|---|
show feature | Displays features available and whether they are enabled globally. |
show running-config vlan vlan-id | Displays VLAN information. |
show vlan private-vlan [type] | Displays information about PVLANs. |
show interface switchport | Displays information about all interfaces configured as switchports. |
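Reading `show interface switchport` by eye is error-prone once several primaries are mapped on one trunk. The following script is an added example, not Cisco code: it parses the output format shown in this chapter and compares the (primary,secondary) pairs on a promiscuous trunk with the intended design, so a missing or stray mapping is reported after a change. The sample text is constructed from the Ethernet2/6 output on this page; `INTENDED`, `parse_switchport` and `audit` are this example's own names.

```python
"""Check a promiscuous trunk's private-VLAN mapping against the intended design.

Added example, not Cisco code: it parses the `show interface switchport` text
shown on this page and compares its (primary,secondary) pairs with what the
design called for, so a missing or stray mapping is caught after a change."""
import re

# Constructed sample: the relevant lines of the Ethernet2/6 output on this page.
SAMPLE = """\
Name: Ethernet2/6
Switchport: Enabled
Operational Mode: Private-vlan trunk promiscuous
Administrative private-vlan trunk private VLANs: (202,303) (202,440) (210,310) (210,450)
Operational private-vlan: 202,210,303,310,440,450
"""
INTENDED = {202: {303, 440}, 210: {310, 450}}   # design: primary -> secondaries
PAIR = re.compile(r"\((\d+),(\d+)\)")

def parse_switchport(text: str) -> dict:
    """Extract mode, primary->set(secondary) mappings and the operational VLAN set."""
    mode, pairs, oper = None, {}, set()
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Operational Mode":
            mode = value
        elif key == "Administrative private-vlan trunk private VLANs":
            for prim, sec in PAIR.findall(value):
                pairs.setdefault(int(prim), set()).add(int(sec))
        elif key == "Operational private-vlan":
            oper = {int(v) for v in value.split(",") if v.strip()}
    return {"mode": mode, "pairs": pairs, "operational": oper}

def audit(text: str, intended: dict) -> list:
    """Return findings; an empty list means the port matches the intended mapping."""
    parsed, findings = parse_switchport(text), []
    if parsed["mode"] != "Private-vlan trunk promiscuous":
        findings.append(f"unexpected mode: {parsed['mode']}")
    for prim in sorted(set(intended) | set(parsed["pairs"])):
        want, have = intended.get(prim, set()), parsed["pairs"].get(prim, set())
        findings += [f"missing mapping ({prim},{s})" for s in sorted(want - have)]
        findings += [f"unexpected mapping ({prim},{s})" for s in sorted(have - want)]
    # Every mapped primary and secondary should also appear as operational.
    expected = set(parsed["pairs"]) | set().union(*parsed["pairs"].values())
    if parsed["operational"] != expected:
        findings.append("operational VLANs do not match the administrative mapping")
    return findings
```

Feed `audit()` the captured output of the real command and the mapping from your change record; an empty result means the port carries exactly the intended subdomains.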
This example shows how to configure interface Ethernet 2/6 as the following:
```
switch# configure terminal
switch(config)# vlan 303,310
switch(config-vlan)# private-vlan community
switch(config)# vlan 440,450
switch(config-vlan)# private-vlan isolated
switch(config)# vlan 202
switch(config-vlan)# private-vlan primary
switch(config-vlan)# private-vlan association 303,440
switch(config)# vlan 210
switch(config-vlan)# private-vlan primary
switch(config-vlan)# private-vlan association 310,450
switch# configure terminal
switch(config)# int eth2/6
switch(config-if)# switchport mode private-vlan trunk promiscuous
switch(config-if)# switchport private-vlan trunk allowed vlan all
switch(config-if)# switchport private-vlan mapping trunk 202 303, 440
switch(config-if)# switchport private-vlan mapping trunk 210 310, 450
switch(config-if)# show interface switchport
Name: Ethernet2/6
  Switchport: Enabled
  Operational Mode: Private-vlan trunk promiscuous
  Access Mode VLAN: 1 (default)
  Trunking Native Mode VLAN: 1 (default)
  Trunking VLANs Enabled: 1-3967,4048-4093
  Administrative private-vlan primary host-association: none
  Administrative private-vlan secondary host-association: none
  Administrative private-vlan primary mapping: none
  Administrative private-vlan secondary mapping: none
  Administrative private-vlan trunk native VLAN: 1
  Administrative private-vlan trunk encapsulation: dot1q
  Administrative private-vlan trunk normal VLANs: 1-3967, 4048-4093
  Administrative private-vlan trunk private VLANs: (202,303) (202,440) (210,310) (210,450)
  Operational private-vlan: 202,210,303,310,440,450
switch(config-if)#
```
This example configuration shows how to configure interface eth2/6 using the port profile uppvlanpromtrunk156.

In this configuration, frames from secondary VLANs 153, 154, and 155 are translated into primary VLAN 156 on the promiscuous trunk:

```
vlan 153-154
  private-vlan community
vlan 155
  private-vlan isolated
vlan 156
  private-vlan association 153-155
  private-vlan primary

switch# show run int eth2/6
version 4.0(1)
interface Ethernet2/6
  switchport
  inherit port-profile uppvlanpromtrunk156

switch# show port-profile name uppvlanpromtrunk156
port-profile uppvlanpromtrunk156
  description:
  status: enabled
  capability privileged: no
  capability uplink: yes
  port-group: uppvlanpromtrunk156
  config attributes:
    switchport mode private-vlan trunk promiscuous
    switchport private-vlan trunk allowed vlan all
    switchport private-vlan mapping trunk 156 153-155
    no shutdown
  evaluated config attributes:
    switchport mode trunk
    switchport trunk allowed vlan all
    switchport private-vlan mapping trunk 156 153-155
    no shutdown
  assigned interfaces:
    Ethernet2/6

switch# show interface eth 2/6 switchport
Name: Ethernet2/6
  Switchport: Enabled
  Switchport Monitor: Not enabled
  Operational Mode: Private-vlan trunk promiscuous
  Access Mode VLAN: 1 (default)
  Trunking Native Mode VLAN: 1 (default)
  Trunking VLANs Enabled: 1-3967,4048-4093
  Administrative private-vlan primary host-association: none
  Administrative private-vlan secondary host-association: none
  Administrative private-vlan primary mapping: none
  Administrative private-vlan secondary mapping: none
  Administrative private-vlan trunk native VLAN: 1
  Administrative private-vlan trunk encapsulation: dot1q
  Administrative private-vlan trunk normal VLANs: 1-155,157-3967,4048-4093
  Administrative private-vlan trunk private VLANs: (156,153) (156,155)
  Operational private-vlan: 156,153,155
  inherit port-profile uppvlanpromtrunk156
switch#
```
Feature Name | Release | Feature Information |
---|---|---|
feature private-vlan command | 4.2(1)SV1(4) | Added the ability to globally enable the PVLAN feature. |
Private VLAN | 4.0(4)SV1(1) | This feature was introduced. |