Private VLAN Configuration
A private VLANs (PVLAN) splits a primary VLAN domain into multiple isolated broadcast sub-domains. PVLAN, also known as port isolation, is a technique where a VLAN contains switch ports that are restricted such that they can only communicate with a given uplink.
Topology
PVLAN configuration
Configure PVLAN Trunk and Promiscuous Trunk Port
SW1
SW1#configure terminal | Enter configuration mode |
SW1(config)#bridge 1 protocol ieee vlan- bridge | Create bridge |
SW1(config)#vlan database | Enter VLAN configuration mode |
SW1(config-vlan)#vlan 10 bridge 1 state enable | Create VLAN 10 |
SW1(config-vlan)#vlan 20 bridge 1 state enable | Create VLAN 20 |
SW1(config-vlan)#vlan 100 bridge 1 state enable | Create VLAN 100 |
SW1(config-vlan)#private-vlan 10 isolated bridge 1 | Configure VLAN 10 as isolated VLAN |
SW1(config-vlan)#private-vlan 20 community bridge 1 | Configure VLAN 20 as community VLAN |
SW1(config-vlan)#private-vlan 100 primary bridge 1 | Configure VLAN 100 as primary VLAN |
SW1(config-vlan)#private-vlan 100 association add 10 bridge 1 | Associate secondary isolated VLAN 10 with primary VLAN 100 |
SW1(config-vlan)#private-vlan 100association add 20 bridge 1 | Associate secondary community VLAN 20 with primary VLAN 100 |
SW1(config-vlan)#exit | Exit VLAN configuration mode |
SW1(config)#interface xe1 | Enter interface configuration mode for xe1 |
SW1(config-if)#switchport | Configure switchport |
SW1(config-if)#bridge-group 1 | Associate interface with bridge-group 1 |
SW1(config-if)#switchport mode trunk | Set the switching characteristics of this interface as trunk |
SW1(config-if)#switchport trunk allowed vlan add 10,20,100 | Configure VLAN 10,20,100 (primary, secondary VLANs) |
SW1(config-if)#exit | Exit interface mode |
SW1(config)#interface xe3 | Enter interface configuration mode for xe3 |
SW1(config-if)#switchport | Configure switchport |
SW1(config-if)#bridge-group 1 | Associate interface with bridge-group 1 |
SW1(config-if)#switchport mode trunk | Set the switching characteristics of this interface as trunk |
SW1(config-if)#switchport mode private-vlan promiscuous | Configure the interface as promiscuous port for private-vlan |
SW1(config-if)#switchport trunk allowed vlan add 100 | Configure VLAN 100 (primary VLAN) |
SW1(config-if)#switchport private-vlan mapping 100 add 10 | Associate port with primary and secondary VLAN of private- vlan |
SW1(config-if)#switchport private-vlan mapping 100 add 20 | Associate port with primary and secondary VLAN of private- vlan |
SW1(config-if)#exit | Exit interface mode |
SW1(config)#interface xe4 | Enter interface configuration mode for xe4 |
SW1(config-if)#switchport | Configure switchport |
SW1(config-if)#bridge-group 1 | Associate interface with bridge-group 1 |
SW1(config-if)#switchport mode access | Set the switching characteristics of this interface as access |
SW1(config-if)#switchport mode private-vlan host | Configure the interface as host port for private-vlan |
SW1(config-if)#switchport access vlan 20 | Configure VLAN 20 (community VLAN) |
SW1(config-if)#switchport private-vlan host- association 100 add 20 | Associate port with primary and secondary VLAN of private- vlan |
SW1(config-if)#exit | Exit interface mode |
SW1(config)#interface xe2 | Enter interface configuration mode for xe2 |
SW1(config-if)#switchport | Configure switchport |
SW1(config-if)#bridge-group 1 | Associate interface with bridge-group 1 |
SW1(config-if)#switchport mode access | Set the switching characteristics of this interface as access |
SW1(config-if)#switchport mode private-vlan host | Configure the interface as host port for private-vlan |
SW1(config-if)#switchport access vlan 10 | Configure VLAN 10 (isolated VLAN) |
SW1(config-if)#switchport private-vlan host- association 100 add 10 | Associate port with primary and secondary VLAN of private- vlan |
SW1(config-if)#exit | Exit interface mode |
SW1(config)#commit | Commit the configure on the node. |
SW1(config)#exit | Exit configuration mode |
SW2
SW2#configure terminal | Enter configuration mode |
SW2(config)#bridge 1 protocol ieee vlan- bridge | Create bridge |
SW2(config)#vlan database | Enter VLAN configuration mode |
SW2(config-vlan)#vlan 10 bridge 1 state enable | Create VLAN 10 |
SW2(config-vlan)#vlan 20 bridge 1 state enable | Create VLAN 20 |
SW2(config-vlan)#vlan 100 bridge 1 state enable | Create VLAN 100 |
SW2(config-vlan)#private-vlan 10 isolated bridge 1 | Configure VLAN 10 as isolated VLAN |
SW2(config-vlan)#private-vlan 20 community bridge 1 | Configure VLAN 20 as community VLAN |
SW2(config-vlan)#private-vlan 100 primary bridge 1 | Configure VLAN 100 as primary VLAN |
SW1(config-vlan)#private-vlan 100 association add 10 bridge 1 | Associate secondary isolated VLAN 10 with primary VLAN 100 |
SW1(config-vlan)#private-vlan 100 association add 20 bridge 1 | Associate secondary community VLAN 20 with primary VLAN 100 |
SW2(config-vlan)#exit | Exit VLAN configuration mode |
SW2(config)#interface xe1 | Enter interface configuration mode for xe1 |
SW2(config-if)#switchport | Configure switchport |
SW2(config-if)#bridge-group 1 | Associate interface with bridge-group 1 |
SW2(config-if)#switchport mode trunk | Set the switching characteristics of this interface as trunk |
SW2(config-if)#switchport trunk allowed vlan add 10,20,100 | Configure VLAN 10,20,100 (primary, secondary VLANs) |
SW2(config-if)#exit | Exit interface mode |
SW2(config)#interface xe2 | Enter interface configuration mode for xe2 |
SW2(config-if)#switchport | Configure switchport |
SW2(config-if)#bridge-group 1 | Associate interface with bridge-group 1 |
SW2(config-if)#switchport mode access | Set the switching characteristics of this interface as access |
SW2(config-if)#switchport mode private-vlan host | Configure the interface as host port for private-vlan |
SW2(config-if)#switchport access vlan 10 | Configure VLAN 10 (isolated VLAN) |
SW2(config-if)#switchport private-vlan host- association 100 add 10 | Associate port with primary and secondary VLAN of private- vlan |
SW2(config-if)#exit | Exit interface mode |
SW2(config)#interface xe3 | Enter interface configuration mode for xe3 |
SW2(config-if)#switchport | Configure switchport |
SW2(config-if)#bridge-group 1 | Associate interface with bridge-group 1 |
SW2(config-if)#switchport mode access | Set the switching characteristics of this interface as access |
SW2(config-if)#switchport mode private-vlan host | Configure the interface as host port for private-vlan |
SW2(config-if)#switchport access vlan 20 | Configure VLAN 20 (community VLAN) |
SW2(config-if)#switchport private-vlan host- association 100 add 20 | Associate port with primary and secondary VLAN of private- vlan |
SW2(config-if)#exit | Exit interface mode |
SW2(config)#commit | Commit the configure on the node. |
SW2(config)#exit | Exit configuration mode |
Validation
SW1#show vlan private-vlan bridge 1
PRIMARY SECONDARY TYPE INTERFACES
------- --------- ---------- ----------
100 10 isolated xe1,xe2,
100 20 community xe1,xe4,
SW1#
SW2#show vlan private-vlan bridge 1
PRIMARY SECONDARY TYPE INTERFACES
------- --------- ---------- ----------
100 10 isolated xe1,xe2,
100 20 community xe1,xe3,
SW2#
Configure PVLAN Trunk and Promiscuous Access Port
SW1
SW1#configure terminal | Enter configuration mode |
SW1(config)#bridge 1 protocol ieee vlan-bridge | Create bridge |
SW1(config)#vlan database | Enter VLAN configuration mode |
SW1(config-vlan)#vlan 10 bridge 1 state enable | Create VLAN 10 |
SW1(config-vlan)#vlan 20 bridge 1 state enable | Create VLAN 20 |
SW1(config-vlan)#vlan 100 bridge 1 state enable | Create VLAN 100 |
SW1(config-vlan)#private-vlan 10 isolated bridge 1 | Configure VLAN 10 as isolated VLAN |
SW1(config-vlan)#private-vlan 20 community bridge 1 | Configure VLAN 20 as community VLAN |
SW1(config-vlan)#private-vlan 100 primary bridge 1 | Configure VLAN 100 as primary VLAN |
SW1(config-vlan)#private-vlan 100 association add 10 bridge 1 | Associate secondary isolated VLAN 10 with primary VLAN 100 |
SW1(config-vlan)#private-vlan 100 association add 20 bridge 1 | Associate secondary community VLAN 20 with primary VLAN 100 |
SW1(config-vlan)#exit | Exit VLAN configuration mode |
SW1(config)#interface xe1 | Enter interface configuration mode for xe1 |
SW1(config-if)#switchport | Configure switchport |
SW1(config-if)#bridge-group 1 | Associate interface with bridge-group 1 |
SW1(config-if)#switchport mode trunk | Set the switching characteristics of this interface as trunk |
SW1(config-if)#switchport trunk allowed vlan add 10,20,100 | Configure VLAN 10,20,100 (primary, secondary VLANs) |
SW1(config-if)#exit | Exit interface mode |
SW1(config)#interface xe3 | Enter interface configuration mode for xe3 |
SW1(config-if)#switchport | Configure switchport |
SW1(config-if)#bridge-group 1 | Associate interface with bridge-group 1 |
SW1(config-if)#switchport mode access | Set the switching characteristics of this interface as access |
SW1(config-if)#switchport mode private-vlan promiscuous | Configure the interface as promiscuous port for private-vlan |
SW1(config-if)#switchport access vlan 100 | Configure VLAN 100 (primary VLAN) |
SW1(config-if)#switchport private-vlan mapping 100 add 10 | Associate port with primary and secondary VLAN of private-vlan |
SW1(config-if)#switchport private-vlan mapping 100 add 20 | Associate port with primary and secondary VLAN of private-vlan |
SW1(config-if)#exit | Exit interface mode |
SW1(config)#interface xe4 | Enter interface configuration mode for xe4 |
SW1(config-if)#switchport | Configure switchport |
SW1(config-if)#bridge-group 1 | Associate interface with bridge-group 1 |
SW1(config-if)#switchport mode access | Set the switching characteristics of this interface as access |
SW1(config-if)#switchport mode private-vlan host | Configure the interface as host port for private-vlan |
SW1(config-if)#switchport access vlan 20 | Configure VLAN 20 (community VLAN) |
SW1(config-if)#switchport private-vlan host-association 100 add 20 | Associate port with primary and secondary VLAN of private-vlan |
SW1(config-if)#exit | Exit interface mode |
SW1(config)#interface xe2 | Enter interface configuration mode for xe2 |
SW1(config-if)#switchport | Configure switchport |
SW1(config-if)#bridge-group 1 | Associate interface with bridge-group 1 |
SW1(config-if)#switchport mode access | Set the switching characteristics of this interface as access |
SW1(config-if)#switchport mode private-vlan host | Configure the interface as host port for private-vlan |
SW1(config-if)#switchport access vlan 10 | Configure VLAN 10 (isolated VLAN) |
SW1(config-if)#switchport private-vlan host-association 100 add 10 | Associate port with primary and secondary VLAN of private-vlan |
SW1(config-if)#exit | Exit interface mode |
SW1(config)#commit | Commit the configure on the node. |
SW1(config)#exit | Exit configuration mode |
SW2
SW2#configure terminal | Enter configuration mode |
SW2(config)#bridge 1 protocol ieee vlan-bridge | Create bridge |
SW2(config)#vlan database | Enter VLAN configuration mode |
SW2(config-vlan)#vlan 10 bridge 1 state enable | Create VLAN 10 |
SW2(config-vlan)#vlan 20 bridge 1 state enable | Create VLAN 20 |
SW2(config-vlan)#vlan 100 bridge 1 state enable | Create VLAN 100 |
SW2(config-vlan)#private-vlan 10 isolated bridge 1 | Configure VLAN 10 as isolated VLAN |
SW2(config-vlan)#private-vlan 20 community bridge 1 | Configure VLAN 20 as community VLAN |
SW2(config-vlan)#private-vlan 100 primary bridge 1 | Configure VLAN 100 as primary VLAN |
SW1(config-vlan)#private-vlan 100 association add 10 bridge 1 | Associate secondary isolated VLAN 10 with primary VLAN 100 |
SW1(config-vlan)#private-vlan 100 association add 20 bridge 1 | Associate secondary community VLAN 20 with primary VLAN 100 |
SW2(config-vlan)#exit | Exit VLAN configuration mode |
SW2(config)#interface xe1 | Enter interface configuration mode for xe1 |
SW2(config-if)#switchport | Configure switchport |
SW2(config-if)#bridge-group 1 | Associate interface with bridge-group 1 |
SW2(config-if)#switchport mode trunk | Set the switching characteristics of this interface as trunk |
SW2(config-if)#switchport trunk allowed vlan add 10,20,100 | Configure VLAN 10,20,100 (primary, secondary VLANs) |
SW2(config-if)#exit | Exit interface mode |
SW2(config)#interface xe2 | Enter interface configuration mode for xe2 |
SW2(config-if)#switchport | Configure switchport |
SW2(config-if)#bridge-group 1 | Associate interface with bridge-group 1 |
SW2(config-if)#switchport mode access | Set the switching characteristics of this interface as access |
SW2(config-if)#switchport mode private-vlan host | Configure the interface as host port for private-vlan |
SW2(config-if)#switchport access vlan 10 | Configure VLAN 10 (isolated VLAN) |
SW2(config-if)#switchport private-vlan host-association 100 add 10 | Associate port with primary and secondary VLAN of private-vlan |
SW2(config-if)#exit | Exit interface mode |
SW2(config)#interface xe3 | Enter interface configuration mode for xe3 |
SW2(config-if)#switchport | Configure switchport |
SW2(config-if)#bridge-group 1 | Associate interface with bridge-group 1 |
SW2(config-if)#switchport mode access | Set the switching characteristics of this interface as access |
SW2(config-if)#switchport mode private-vlan host | Configure the interface as host port for private-vlan |
SW2(config-if)#switchport access vlan 20 | Configure VLAN 20 (community VLAN) |
SW2(config-if)#switchport private-vlan host-association 100 add 20 | Associate port with primary and secondary VLAN of private-vlan |
SW2(config-if)#exit | Exit interface mode |
SW2(config)#commit | Commit the configure on the node. |
SW2(config)#exit | Exit configuration mode |
Validation
SW1#show vlan private-vlan bridge 1
PRIMARY SECONDARY TYPE INTERFACES
------- --------- ---------- ----------
100 10 isolated xe1,xe2,
100 20 community xe1,xe4,
SW1#
SW2#show vlan private-vlan bridge 1
PRIMARY SECONDARY TYPE INTERFACES
------- --------- ---------- ----------
100 10 isolated xe1,xe2,
100 20 community xe1,xe3,
SW2#
Traffic Validation
Configure Host trunk and promiscuous trunk configurations on SW1 and SW2
1)Send vlan 100 tagged traffic from Sw1 xe3(Promiscuous port), traffic should forward to xe1,xe2,xe4 interfaces. On Sw2 traffic should receive from xe1 and forward through xe2 and xe3
SW1#show interface counters rate mbps
+-------------------+--------------+-------------+--------------+-------------+
| Interface | Rx mbps | Rx pps | Tx mbps | Tx pps |
+-------------------+--------------+-------------+--------------+-------------+
xe1 0.00 0 86.49 84462
xe2 0.00 0 86.49 84462
xe3 86.49 84462 0.00 0
xe4 0.00 0 86.49 84462
SW2#show interface counters rate mbps
+-------------------+--------------+-------------+--------------+-------------+
| Interface | Rx mbps | Rx pps | Tx mbps | Tx pps |
+-------------------+--------------+-------------+--------------+-------------+
xe1 86.49 84462 0.00 0
xe2 0.00 0 86.49 84462
xe3 0.00 0 86.49 84462
2)Send vlan 10 tagged traffic from SW1 xe2(isolated port),traffic should forward to xe3,xe1. On SW2 traffic should receive xe1 and remaining ports should be 0
SW1#show interface counters rate mbps
+-------------------+--------------+-------------+--------------+-------------+
| Interface | Rx mbps | Rx pps | Tx mbps | Tx pps |
+-------------------+--------------+-------------+--------------+-------------+
xe1 0.00 0 86.49 84462
xe2 86.49 84462 0.00 0
xe3 0.00 0 86.49 84462
xe4 0.00 0 0.00 0
SW2#show interface counters rate mbps
+-------------------+--------------+-------------+--------------+-------------+
| Interface | Rx mbps | Rx pps | Tx mbps | Tx pps |
+-------------------+--------------+-------------+--------------+-------------+
xe1 86.49 84462 0.00 0
xe2 0.00 0 0.00 0
xe3 0.00 0 0.00 0
3)send vlan 40 tagged traffic from SW1 xe4(community port) traffic should forward through xe3,xe1,On SW2 traffic should receive from xe1 and forward to xe3
SW1#show interface counters rate mbps
+-------------------+--------------+-------------+--------------+-------------+
| Interface | Rx mbps | Rx pps | Tx mbps | Tx pps |
+-------------------+--------------+-------------+--------------+-------------+
xe1 0.00 0 86.49 84462
xe2 0.00 0 0.00 0
xe3 0.00 0 86.49 84462
xe4 86.49 84462 0.00 0
SW2#show interface counters rate mbps
+-------------------+--------------+-------------+--------------+-------------+
| Interface | Rx mbps | Rx pps | Tx mbps | Tx pps |
+-------------------+--------------+-------------+--------------+-------------+
xe1 86.49 84462 0.00 0
xe2 0.00 0 0.00 0
xe3 0.00 0 86.49 84462