Private VLANs

Private VLANs (PVLANs) allow service providers to isolate customers into
separate multi-access domains. Using a separate VLAN for each customer does
not scale, because the maximum number of VLANs a switch supports would limit
the number of customers an ISP can have. Each VLAN also requires a separate
IP subnet, which could be a further limiting factor.
PVLANs divide a VLAN into secondary VLANs, letting you isolate a set of
ports from other ports within the same VLAN. There are two types of
secondary VLANs:
■ Community VLANs—Ports can communicate with other ports in the
same community VLAN.
■ Isolated VLANs—Ports cannot communicate with each other.

Ports within a private VLAN can be one of three types:
■ Community—Communicates with other community ports and with
promiscuous ports.
■ Isolated—Communicates only with promiscuous ports.
■ Promiscuous—Communicates with all ports.

Table 8-3 shows the commands to configure a primary private VLAN,
secondary PVLANs, and their associated ports.

Table 8-3 Configuring Private VLANs

Command                                                                      Description
vlan vlan-id                                                                 Enters VLAN configuration mode.
private-vlan {community | isolated | primary}                                Configures the VLAN as a private VLAN and specifies the type. Repeat this command to configure all primary and secondary VLANs.
vlan primary-vlan-id                                                         Enters configuration mode for the primary VLAN.
private-vlan association secondary_vlan_list                                 Associates secondary VLANs with the primary one. Separate the secondary VLAN numbers with a comma, no spaces.
switchport mode private-vlan {host | promiscuous}                            Configures a port as either a host port (for community or isolated) or a promiscuous port.
switchport private-vlan host-association primary_vlan_ID secondary_vlan_ID   Associates a host port with its primary and secondary PVLANs.
switchport private-vlan mapping primary_vlan_ID secondary_vlan_list          Associates a promiscuous port with its primary and secondary PVLANs.
show interfaces interface switchport                                         Verifies the VLAN configuration.
show interfaces private-vlan mapping                                         Verifies the private VLAN configuration.
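
The commands in Table 8-3 assembled into one configuration, as an added example that is not from the original page. VLAN IDs 100, 101 and 102, the interface names and the customer layout are assumptions; the promiscuous port uses the interface-level form switchport private-vlan mapping.

```cisco
! Constructed example: VLAN IDs, interface names and customers are assumptions.
! Assumption: the switch runs VTP version 1 or 2, which requires
! transparent mode before private VLANs can be created.
vtp mode transparent
!
! Secondary VLANs: one community, one isolated
vlan 101
 private-vlan community
vlan 102
 private-vlan isolated
!
! Primary VLAN, associated with both secondaries (comma, no spaces)
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Customer A: two hosts that may reach each other (community VLAN 101)
interface range GigabitEthernet0/1 - 2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Customers B and C: one host each, no host-to-host traffic (isolated VLAN 102)
interface range GigabitEthernet0/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Uplink to the gateway: promiscuous, mapped to every secondary VLAN
interface GigabitEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Expected reachability at Layer 2, all hosts in one IP subnet:
!   Gi0/1 <-> Gi0/2    allowed  (same community)
!   Gi0/3 <-> Gi0/4    blocked  (isolated ports)
!   Gi0/1 <-> Gi0/3    blocked  (different secondary VLANs)
!   any host <-> Gi0/24 allowed (promiscuous port)
!
! Verification from privileged EXEC:
!   show vlan private-vlan
!   show interfaces GigabitEthernet0/3 switchport
!   show interfaces GigabitEthernet0/24 switchport
```

When auditing a deployment like this, confirm that every customer-facing port shows a private-vlan host mode in the switchport output; a port left as a regular access port in the primary VLAN is not subject to the secondary VLAN isolation.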