private-vlan association

To configure the association between a primary VLAN and one or more secondary VLANs on a private VLAN, use the private-vlan association command. To remove the association, use the no form of this command.
private-vlan association { [add] secondary-vlan-list | remove secondary-vlan-list }
no private-vlan association

Syntax Description

Keyword or argument | Description
---|---
add | (Optional) Associates the listed secondary VLANs with the primary VLAN.
secondary-vlan-list | VLAN IDs of the secondary VLANs to associate with the primary VLAN.
remove | Clears the association between the listed secondary VLANs and the primary VLAN.
Command Default

None

Command Modes

VLAN configuration submode (config-vlan)
Supported User Roles
network-admin
vdc-admin
Command History

Release | Modification
---|---
4.0 | This command was introduced.
Usage Guidelines

You must enable private VLANs by using the feature private-vlan command before you can configure private VLANs. The commands for configuring private VLANs are not visible until you enable private VLANs.

Note: Before you configure a VLAN as a secondary VLAN, either community or isolated, you must shut down the VLAN interface, or switched virtual interface (SVI), for that VLAN.
If you delete either the primary or secondary VLAN, the ports that are associated with the VLAN become inactive. When you enter the no private-vlan command, the VLAN returns to the normal VLAN mode. All primary and secondary associations on that VLAN are suspended, but the interfaces remain in private VLAN mode. However, when you reconvert the specified VLAN to private VLAN mode, the original associations are reinstated.
If you enter the no vlan command for the primary VLAN, all private VLAN associations with that VLAN are lost. However, if you enter the no vlan command for a secondary VLAN, the private VLAN associations with that VLAN are suspended and return when you recreate the specified VLAN and configure it as the previous secondary VLAN.
The secondary-vlan-list argument cannot contain spaces. It can contain multiple comma-separated items, each of which is either a single secondary VLAN ID or a hyphenated range of secondary VLAN IDs (for example, 303-307,309,440).
A private VLAN is a set of private ports that are characterized by using a common set of VLAN number pairs. Each pair is made up of at least two special unidirectional VLANs and is used by isolated ports and/or by a community of ports to communicate with routers.
Multiple community and isolated VLANs are allowed. If you enter a range of primary VLANs, the system uses the first number in the range for the association.
An isolated or community VLAN can be associated with only one primary VLAN. You cannot configure a VLAN that is already associated with a primary VLAN as a primary VLAN itself.
This command does not require a license.
Examples

This example shows how to create a private VLAN relationship between the primary VLAN 14, the isolated VLAN 19, and the community VLANs 20 and 21:

switch(config)# vlan 19
switch(config-vlan)# private-vlan isolated
switch(config)# vlan 20
switch(config-vlan)# private-vlan community
switch(config)# vlan 21
switch(config-vlan)# private-vlan community
switch(config)# vlan 14
switch(config-vlan)# private-vlan primary
switch(config-vlan)# private-vlan association 19-21

This example shows how to remove isolated VLAN 18 and community VLAN 20 from the private VLAN association of primary VLAN 14:

switch(config)# vlan 14
switch(config-vlan)# private-vlan association remove 18,20
switch(config-vlan)#
Related Commands

Command | Description
---|---
show vlan | Displays information about VLANs.
show vlan private-vlan | Displays information about private VLANs.
private-vlan mapping

To create a mapping between the primary and the secondary VLANs so that both VLANs share the same Layer 3 VLAN interface, or switched virtual interface (SVI), use the private-vlan mapping command under the SVI of the primary VLAN. To remove all private VLAN mappings from the Layer 3 VLAN interface, use the no form of this command.
private-vlan mapping { [add] secondary-vlan-list | remove secondary-vlan-list }
no private-vlan mapping

Syntax Description

Keyword or argument | Description
---|---
add | (Optional) Maps the listed secondary VLANs to the primary VLAN's SVI.
secondary-vlan-list | VLAN IDs of the secondary VLANs to map to the primary VLAN.
remove | Removes the mapping between the listed secondary VLANs and the primary VLAN.
Command Default

None

Command Modes

Interface configuration (config-if), under the SVI of the primary VLAN
Supported User Roles
network-admin
vdc-admin
Command History

Release | Modification
---|---
4.0 | This command was introduced.
Usage Guidelines

You must enable private VLANs by using the feature private-vlan command before you can configure private VLANs. The commands for configuring private VLANs are not visible until you enable private VLANs.

The private-vlan mapping command is valid only in the interface configuration mode of the primary VLAN's SVI (interface vlan primary-vlan-id).

The secondary-vlan-list argument cannot contain spaces. It can contain multiple comma-separated items, each of which is either a single secondary VLAN ID or a hyphenated range of secondary VLAN IDs.

Note: You must enable VLAN interfaces, or SVIs, before you can configure the SVI. Use the feature interface-vlan command to enable VLAN interfaces. See the Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide, Release 6.x, for information on creating and configuring VLAN interfaces.
Traffic that is received on a mapped secondary VLAN is routed by the SVI of the primary VLAN.

When you configure existing VLANs as secondary private VLANs, the SVIs of those VLANs stop functioning and are reported as down after you enter this command.

You can map a secondary VLAN to only one primary SVI. If you reconfigure the primary VLAN as a secondary VLAN, all the mappings that are specified in this command are suspended.

You must first associate all secondary VLANs with the primary VLAN by using the private-vlan association command in VLAN configuration submode. If you configure a mapping between two VLANs that do not have a valid Layer 2 association, the mapping configuration does not take effect.

See the private-vlan and private-vlan association commands for more information about primary and secondary VLANs.
This command does not require a license.
Examples

This example shows how to map secondary VLAN 20 to the Layer 3 VLAN interface, or SVI, of primary VLAN 18:

switch(config)# interface vlan 18
switch(config-if)# private-vlan mapping 20
switch(config-if)#

This example shows how to permit routing of ingress traffic from secondary VLANs 303 through 307, 309, and 440 on the SVI of primary VLAN 202:

switch# configure terminal
switch(config)# interface vlan 202
switch(config-if)# private-vlan mapping add 303-307,309,440
switch(config-if)# end

This example shows how to remove all private VLAN mappings from the SVI of VLAN 19:

switch(config)# interface vlan 19
switch(config-if)# no private-vlan mapping
switch(config-if)#
Related Commands

Command | Description
---|---
show interface private-vlan mapping | Displays information on the secondary private VLAN mapping to VLAN interfaces.
private-vlan synchronize

To map the secondary VLANs to the same Multiple Spanning Tree (MST) instance as their associated primary VLAN, use the private-vlan synchronize command.

private-vlan synchronize

Syntax Description

This command has no arguments or keywords.

Command Default

This command has no default settings.

Command Modes

MST configuration submode (config-mst)
Supported User Roles
network-admin
vdc-admin
Command History

Release | Modification
---|---
4.0 | This command was introduced.
Usage Guidelines

If secondary VLANs are not mapped to the same MST instance as their associated primary VLAN when you exit the MST configuration submode, the device displays a warning message that lists the secondary VLANs that are not mapped to the same instance as their primary VLAN. The private-vlan synchronize command automatically maps all secondary VLANs to the same instance as their associated primary VLANs.
This command does not require a license.
Examples

This example assumes that VLAN 2 is a primary VLAN, that secondary VLAN 3 is associated with VLAN 2, and that all VLANs are still mapped to the CIST (MST instance 0). It shows the warning that is displayed if you move the primary VLAN 2 alone to MST instance 1:

switch(config)# spanning-tree mst configuration
switch(config-mst)# instance 1 vlan 2
switch(config-mst)# exit
These secondary vlans are not mapped to the same instance as their primary:
-> 3

This example shows how to run private VLAN synchronization so that the secondary VLANs follow their primary VLAN into the same instance:

switch(config-mst)# private-vlan synchronize
switch(config-mst)#
Related Commands

Command | Description
---|---
show spanning-tree mst configuration | Displays information about the MST configuration.
spanning-tree mst configuration | Enters MST configuration submode.
private-vlan

To configure a VLAN as a primary, isolated, or community private VLAN, use the private-vlan command. To return the specified VLAN to normal VLAN mode, use the no form of this command.
private-vlan { isolated | community | primary }
no private-vlan { isolated | community | primary }
no private-vlan association

Syntax Description

Keyword or argument | Description
---|---
isolated | Designates the VLAN as an isolated secondary VLAN.
community | Designates the VLAN as a community secondary VLAN.
primary | Designates the VLAN as the primary VLAN.
association | (no form only) Deletes all secondary VLAN associations from the primary VLAN.
Command Default

None

Command Modes

VLAN configuration submode (config-vlan)
Supported User Roles
network-admin
vdc-admin
Command History

Release | Modification
---|---
4.0 | This command was introduced.
Usage Guidelines

You must enable private VLANs by using the feature private-vlan command before you can configure private VLANs. The commands for configuring private VLANs are not visible until you enable private VLANs.

Note: Before you configure a VLAN as a secondary VLAN, either community or isolated, you must shut down the VLAN interface, or switched virtual interface (SVI), for that VLAN.
If you delete either the primary or secondary VLAN, the ports that are associated with the VLAN become inactive. When you enter the no private-vlan command, the VLAN returns to the normal VLAN mode. All primary and secondary associations on that VLAN are suspended, but the interfaces remain in private VLAN mode. However, when you reconvert the specified VLAN to private VLAN mode, the original associations are reinstated.
If you enter the no vlan command for the primary VLAN, all private VLAN associations with that VLAN are lost. However, if you enter the no vlan command for a secondary VLAN, the private VLAN associations with that VLAN are suspended and return when you recreate the specified VLAN and configure it as the previous secondary VLAN.
You cannot configure VLAN 1 or the internally allocated VLANs as private VLANs.
A private VLAN is a set of private ports that are characterized by using a common set of VLAN number pairs. Each pair is made up of at least two special unidirectional VLANs and is used by isolated ports and/or by a community of ports to communicate with routers.
An isolated VLAN is a VLAN that is used by isolated ports to communicate with promiscuous ports. An isolated VLAN’s traffic is blocked on all other private ports in the same VLAN. Its traffic can only be received by standard trunking ports and promiscuous ports that are assigned to the corresponding primary VLAN.
A promiscuous port is defined as a private port that is assigned to a primary VLAN.
A community VLAN is defined as the VLAN that carries the traffic among community ports and from community ports to the promiscuous ports on the corresponding primary VLAN.
A primary VLAN is defined as the VLAN that is used to convey the traffic from the routers to customer end stations on private ports.
Multiple community and isolated VLANs are allowed. If you enter a range of primary VLANs, the system uses the first number in the range for the association.
This command does not require a license.
Examples

This example shows how to remove all secondary VLAN associations from the primary VLAN. The associated secondary VLANs themselves are not deleted.

switch(config-vlan)# no private-vlan association
switch(config-vlan)#
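The usage guidelines of the private-vlan association, private-vlan mapping, and private-vlan synchronize commands each state a consistency rule that the switch enforces silently or only with a warning: a secondary VLAN can be associated with only one primary VLAN and cannot itself be a primary VLAN, VLAN 1 cannot be a private VLAN, an SVI mapping without a valid Layer 2 association does not take effect, and secondary VLANs must sit in the same MST instance as their primary VLAN. A mapping that never took effect or a secondary VLAN claimed by two primaries is exactly the kind of misconfiguration that breaks the isolation a private VLAN is deployed for. The following Python script is an added example, not Cisco code or output from a Nexus switch: it parses a constructed running-config excerpt that exercises the commands documented on this page and reports every violation of those rules. The excerpt, the function names, and the rule codes are assumptions of this example.

```python
"""Audit an NX-OS private VLAN configuration against the consistency rules
stated in the private-vlan command reference (added example, not Cisco code)."""
import re
from collections import defaultdict

# Constructed running-config excerpt, not captured from a device. It contains
# three deliberate mistakes: VLAN 20 is claimed by two primaries, VLAN 22 is
# mapped on the Vlan14 SVI without an association, and only the primary VLAN 14
# was moved to MST instance 1.
SAMPLE_CONFIG = """\
feature private-vlan
feature interface-vlan
vlan 14
  private-vlan primary
  private-vlan association 19-21
vlan 19
  private-vlan isolated
vlan 20
  private-vlan community
vlan 21
  private-vlan community
vlan 22
  private-vlan community
vlan 30
  private-vlan primary
  private-vlan association 20
interface Vlan14
  no shutdown
  private-vlan mapping 19-20,22
spanning-tree mst configuration
  instance 1 vlan 14
"""


def expand_vlan_list(text):
    """Expand a secondary-vlan-list such as '303-307,309,440' into a set of ints."""
    vlans = set()
    for item in text.split(","):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(item))
    return vlans


def parse_config(config):
    """Collect PVLAN roles, associations, SVI mappings and MST instance mapping."""
    role = {}                  # vlan -> 'primary' | 'isolated' | 'community'
    assoc = defaultdict(set)   # primary vlan -> associated secondary VLANs
    mapping = defaultdict(set) # SVI vlan -> secondary VLANs mapped on it
    mst = {}                   # vlan -> MST instance; unlisted VLANs are in the CIST (0)
    ctx = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            ctx = ("vlan", int(m.group(1)))
        elif m := re.fullmatch(r"interface [Vv]lan(\d+)", line):
            ctx = ("svi", int(m.group(1)))
        elif line == "spanning-tree mst configuration":
            ctx = ("mst", None)
        elif not raw.startswith(" "):
            ctx = None  # any other top-level line ends the current submode
        elif ctx and ctx[0] == "vlan":
            if m := re.fullmatch(r"private-vlan (primary|isolated|community)", line):
                role[ctx[1]] = m.group(1)
            elif m := re.fullmatch(r"private-vlan association (?:add )?(\S+)", line):
                assoc[ctx[1]] |= expand_vlan_list(m.group(1))
        elif ctx and ctx[0] == "svi":
            if m := re.fullmatch(r"private-vlan mapping (?:add )?(\S+)", line):
                mapping[ctx[1]] |= expand_vlan_list(m.group(1))
        elif ctx and ctx[0] == "mst":
            if m := re.fullmatch(r"instance (\d+) vlan (\S+)", line):
                for v in expand_vlan_list(m.group(2)):
                    mst[v] = int(m.group(1))
    return role, assoc, mapping, mst


def audit(config):
    """Return a list of (rule, detail) findings; an empty list means the config is consistent."""
    role, assoc, mapping, mst = parse_config(config)
    findings = []
    owner = defaultdict(set)   # secondary vlan -> primaries that associate it
    for primary, secondaries in assoc.items():
        if role.get(primary) != "primary":
            findings.append(("NOT_PRIMARY", f"VLAN {primary} has associations but is not a primary VLAN"))
        for s in secondaries:
            owner[s].add(primary)
            if role.get(s) not in ("isolated", "community"):
                findings.append(("NOT_SECONDARY", f"VLAN {s} is associated with {primary} but is not isolated or community"))
    for s, primaries in owner.items():
        if len(primaries) > 1:
            findings.append(("MULTI_PRIMARY", f"secondary VLAN {s} is associated with more than one primary: {sorted(primaries)}"))
    if 1 in role:
        findings.append(("VLAN1", "VLAN 1 cannot be configured as a private VLAN"))
    for svi, secondaries in mapping.items():
        missing = secondaries - assoc.get(svi, set())
        if missing:
            findings.append(("NO_L2_ASSOC", f"interface Vlan{svi} maps {sorted(missing)} without a Layer 2 association; the mapping does not take effect"))
    for primary, secondaries in assoc.items():
        inst = mst.get(primary, 0)
        wrong = sorted(s for s in secondaries if mst.get(s, 0) != inst)
        if wrong:
            findings.append(("MST_MISMATCH", f"secondary VLANs {wrong} are not in MST instance {inst} with primary {primary}; run private-vlan synchronize"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_CONFIG):
        print(f"{rule}: {detail}")
```

Run against the embedded excerpt, the script reports three findings: MULTI_PRIMARY for VLAN 20, NO_L2_ASSOC for VLAN 22 on interface Vlan14, and MST_MISMATCH for VLANs 19 through 21 against primary VLAN 14. The same parser can be pointed at the output of show running-config from a switch that has feature private-vlan enabled, since it only reads the vlan, interface vlan, and spanning-tree mst configuration submodes this page documents.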
Related Commands

Command | Description
---|---
show vlan | Displays information about VLANs.
show vlan private-vlan | Displays information about private VLANs.