A Layer 2 port can function as either a trunk port, an access port, or a private VLAN port.
Beginning with Cisco NX-OS Release 5.0(2), the system supports private VLAN promiscuous trunk ports and isolated trunk ports. Private VLAN community ports cannot be trunk ports.
You must enable the private
VLAN feature before you can configure this feature.
In certain instances where similar systems do not need to interact directly, private VLANs provide additional protection at the Layer 2 level. Private VLANs are an association of primary and secondary VLANs.
A primary VLAN defines the broadcast domain with which the secondary VLANs are associated. The secondary VLANs may either be isolated VLANs or community VLANs. Hosts on isolated VLANs communicate only with associated promiscuous ports in primary VLANs, and hosts on community VLANs communicate only among themselves and with associated promiscuous ports but not with isolated ports or ports in other community VLANs.
In configurations that use integrated switching and routing functions, you can assign a single Layer 3
VLAN network interface to each private VLAN to provide routing. The VLAN network interface is created for the primary VLAN. In such configurations, all secondary VLANs communicate at Layer 3 only through a mapping with the VLAN network interface on the primary VLAN. Any VLAN network interfaces previously created on the secondary VLANs are put out-of-service.
The private VLAN feature
addresses two problems that users encounter when using VLANs:
Each VDC supports up to
4096 VLANs. If a user assigns one VLAN per customer, the number of customers
that the service provider can support is limited.
To enable IP routing, each
VLAN is assigned with a subnet address space or a block of addresses, which can
result in wasting the unused IP addresses and creating IP address management
Using private VLANs solves
the scalability problem and provides IP address management benefits and Layer 2
security for customers.
The private VLAN feature
allows you to partition the Layer 2 broadcast domain of a VLAN into subdomains.
A subdomain is represented by a pair of private VLANs: a primary VLAN and a
secondary VLAN. A private VLAN domain can have multiple private VLAN pairs, one
pair for each subdomain. All VLAN pairs in a private VLAN domain share the same
primary VLAN. The secondary VLAN ID differentiates one subdomain from another.
A private VLAN domain has
only one primary VLAN.
Secondary VLANs provide
Layer 2 isolation between ports within the same private VLAN. The following two
types are secondary VLANs within a primary VLAN:
within an isolated VLAN cannot communicate with each other at the Layer 2
within a community VLAN can communicate with each other but cannot communicate
with ports in other community VLANs or in any isolated VLANs at the Layer 2
Private VLAN Ports
Both community and isolated private VLAN ports are labeled as PVLAN host ports. A PVLAN host port is either a community PVLAN port or an isolated PVLAN port depending on the type of secondary VLAN with which it is associated.
The types of private VLAN ports are as follows:
Promiscuous port—A promiscuous port belongs to the primary VLAN. The promiscuous port can communicate with all interfaces, including the community and isolated host ports, that belong to those secondary VLANs associated to the promiscuous port and associated with the primary VLAN. You can have several promiscuous ports in a primary VLAN. Each promiscuous port can have several secondary VLANs, or no secondary VLANs, associated to that port. You can associate a secondary VLAN to more than one promiscuous port, as long as the promiscuous port and secondary VLANs are within the same primary VLAN. You may want to do this association for load balancing or redundancy purposes. You can also have secondary VLANs that are not associated to any promiscuous port, but these secondary VLANs cannot communicate to the Layer 3 interface.
Beginning with Cisco NX-OS Release 5.0(2), the primary VLAN becomes inactive after you remove all the mapped secondary VLANs to that primary VLAN.
Promiscuous trunk—Beginning with Cisco NX-OS Release 5.0(2) and Cisco DCNM Release 5.1(1), on the Cisco Nexus 7000 Series devices, you can configure a promiscuous trunk port to carry traffic for multiple primary VLANs. You map the private VLAN primary VLAN and either all or selected associated VLANs to the promiscuous trunk port. Each primary VLAN and one associated and secondary VLAN is a private VLAN pair, and you can configure a maximum of 16 private VLAN pairs on each promiscuous trunk port.
Private VLAN promiscuous trunk ports carry traffic for normal VLANs as well as for primary private VLANs.
Isolated port—An isolated port is a host port that belongs to an isolated secondary VLAN. This port has complete Layer 2 isolation from other ports within the same
private VLAN domain, except that it can communicate with associated promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. You can have more than one isolated port in a specified isolated VLAN, and each port is completely isolated from all other ports in the isolated VLAN.
Isolated or secondary trunk—Beginning with Cisco NX-OS Release 5.0(2) and Cisco DCNM Release 5.1(1) on the Cisco Nexus 7000 Series devices, you can configure an isolated trunk port to carry traffic for multiple isolated VLANs. Each secondary VLAN on an isolated trunk port must be associated with a different primary VLAN. You cannot put two secondary VLANs that are associated with the same primary VLAN on an isolated trunk port. Each primary VLAN and one associated secondary VLAN is a private VLAN pair, and you can configure a maximum of 16 private VLAN pairs on each isolated trunk port.
Private VLAN isolated trunk ports carry traffic for normal VLANs as well as for secondary private VLANs.
Community port—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with associated promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from all isolated ports within the
private VLAN domain.
Because trunks can support the VLANs that carry traffic between promiscuous, isolated, and community ports, the isolated and community port traffic might enter or leave the device through a trunk interface.
Primary, Isolated, and Community Private
Because the primary VLAN has
the Layer 3 gateway, you associate secondary VLANs with the primary VLAN in
order to communicate outside the private VLAN. Primary VLANs and the two types
of secondary VLANs, isolated VLANs and community VLANs, have these
Primary VLAN— The primary
VLAN carries traffic from the promiscuous ports to the (isolated and community)
host ports and to other promiscuous ports.
Isolated VLAN —An
isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream
from the hosts toward the promiscuous ports and the Layer 3 gateway. You can
configure multiple isolated VLANs in a private VLAN domain, and all the traffic
remains isolated within each one. In addition, each isolated VLAN can have
several isolated ports, and the traffic from each isolated port also remains
community VLAN is a secondary VLAN that carries upstream traffic from the
community ports to the promiscuous port gateways and to other host ports in the
same community. You can configure multiple community VLANs in a private VLAN
domain. The ports within one community can communicate, but these ports cannot
communicate with ports in any other community or isolated VLAN in the private
図 1. Private VLAN Layer 2 Traffic
This figure shows the Layer 2 traffic flows within a primary, or
private VLAN, along with the types of VLANs and types of ports.
The private VLAN traffic
flows are unidirectional from the host ports to the promiscuous ports. Traffic
that egresses the promiscuous port acts like the traffic in a normal VLAN, and
there is no traffic separation among the associated secondary VLAN.
A promiscuous port can serve
only one primary VLAN, but it can serve multiple isolated VLANs and multiple
community VLANs. (Layer 3 gateways are connected to the device
through a promiscuous port.) With a promiscuous port, you can connect a wide
range of devices as access points to a private VLAN. For example, you can use a
promiscuous port to monitor or back up all the private VLAN servers from an
Beginning with Cisco NX-OS Release 5.0(2) for the Nexus 7000 Series devices, you can configure private VLAN promiscuous and isolated trunk ports. These promiscuous and isolated trunk ports carry traffic for multiple primary and secondary VLANs as well as normal VLAN.
Although you can have several
promiscuous ports in a primary VLAN, you can have only one Layer 3 gateway per
In a switched environment, you
can assign an individual private VLAN and associated IP subnet to each
individual or common group of end stations. The end stations need to
communicate only with a default gateway to communicate outside the private
You must enable the VLAN
interface feature before you can configure the Layer 3 gateway. See the
『Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide, Release 6.x』
for complete information on VLAN network interfaces and IP
Broadcast traffic from ports in a private VLAN flows in the following ways:
The broadcast traffic flows from all promiscuous ports to all ports in the primary VLAN. This broadcast traffic is distributed to all ports within the primary VLAN, including those ports that are not configured with private VLAN parameters.
The broadcast traffic from all isolated ports is distributed only to those promiscuous ports in the primary VLAN that are associated to that isolated port.
The broadcast traffic from community ports is distributed to all ports within the port’s community and to all promiscuous ports that are associated to the community port. The broadcast packets are not distributed to any other communities within the primary VLAN or to any isolated ports.
Private VLAN Port Isolation
You can use private VLANs to control access to end stations as follows:
Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2. For example, if the end stations are servers, this configuration prevents Layer 2 communication between the servers.
Configure interfaces connected to default gateways and selected end stations (for example, backup servers) as promiscuous ports to allow all end stations access to a default gateway.
Private VLANs and VLAN Interfaces
A VLAN interface to a Layer 2 VLAN is also called a switched virtual interface (SVI). Layer 3 devices
communicate with a private VLAN only through the primary VLAN and not through secondary VLANs.
Configure VLAN network interfaces only for primary VLANs. Do not configure VLAN interfaces for secondary VLANs. VLAN network interfaces for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN. You will see the following actions if you misconfigure the VLAN interfaces:
If you try to configure a VLAN with an active VLAN network interface as a secondary VLAN, the configuration is not allowed until you disable the VLAN interface.
If you try to create and enable a VLAN network interface on a VLAN that is configured as a
secondary VLAN, that VLAN interface remains disabled and the system returns an error.
When the primary VLAN is associated with and mapped to the secondary VLAN, any configuration on the primary VLAN is propagated to the secondary VLANs. For example, if you assign an IP subnet to the VLAN network interface on the primary VLAN, this subnet is the IP subnet address of the entire private VLAN.
You must enable the VLAN interface feature before you configure VLAN interfaces. See the 『Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide, Release 6.x』
, for information on VLAN interfaces and IP addressing.
Private VLANs Across Multiple Devices
You can extend private VLANs across multiple devices by trunking the primary, isolated, and community VLANs to other devices that support private VLANs. To maintain the security of your private VLAN configuration and to avoid other uses of the VLANs configured to be private VLANs, configure private VLANs on all intermediate devices, including devices that have no private VLAN ports.
High Availability for Private VLANs
The software supports high availability for both stateful and stateless restarts, as during a cold reboot, for private VLANs. For the stateful restarts, the software supports a maximum of three retries. If you try more than 3 times within 10 seconds of a restart, the software reloads the supervisor module.
You can upgrade or downgrade the software seamlessly, with respect to private VLANs.
Beginning with Cisco NX-OS Release 5.0(2), if you configure private VLAN promiscuous or isolated trunk ports, you must unconfigure those ports in order to downgrade the software.
See the 『Cisco Nexus 7000 Series NX-OS High Availability and Redundancy Guide』, for complete information on high-availability features.
Virtualization Support for Private
The software supports virtual
device contexts (VDCs).
『Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide』
, for complete information on VDCs and assigning
Each VLAN must have all of
its private VLAN ports for both the primary VLAN and all secondary VLANs in the
same VDC. Private VLANs cannot cross VDCs.
Licensing Requirements for Private VLANs
The following table shows the licensing requirements for this feature:
Private VLANs require no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the Cisco NX-OS licensing scheme, see the 『Cisco NX-OS Licensing Guide』.
However, using VDCs requires an Advanced Services license.
Prerequisites for Private VLANs
Private VLANs have the following prerequisites:
You must be logged onto the device.
If necessary, install the Advanced Services license and enter the desired VDC.
You must enable the private VLAN feature.
Guidelines and Limitations for Configuring Private VLANs
Private VLANs have the following configuration guidelines and limitations:
You must enable private VLANs before the device can apply the private VLAN functionality.
You must enable the VLAN interface feature before the device can apply this functionality.
Shut down the VLAN network interface for all VLANs that you plan to configure as secondary VLANs before you configure these VLANs.
You cannot configure a shared interface to be part of a private VLAN. For more details, see the 『Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide, Release 6.x』.
Follow these guidelines when
configuring secondary or primary VLANs in private VLANs:
You cannot configure the
default VLAN (VLAN1) or any of the internally allocated VLANs as primary or
You must use VLAN
configuration (config-vlan) mode to configure private VLANs.
A primary VLAN can have
multiple isolated and community VLANs associated with it. An isolated or
community VLAN can be associated with only one primary VLAN.
Although private VLANs
provide host isolation at Layer 2, hosts can communicate with each other at
When a secondary VLAN is
associated with the primary VLAN, the STP parameters of the primary VLAN, such
as bridge priorities, are propagated to the secondary VLAN. However, STP
parameters do not necessarily propagate to other devices. You should manually
check the STP configuration to ensure that the spanning tree topologies for the
primary, isolated, and community VLANs match exactly so that the VLANs can
properly share the same forwarding database.
For normal trunk ports,
note the following:
There is a separate
instance of STP for each VLAN in the private VLAN.
STP parameters for the
primary and all secondary VLANs must match.
The primary and all
associated secondary VLANs should be in the same MST instance.
For nontrunking ports,
note the following:
STP is aware only of
the primary VLAN for any private VLAN host port; STP does not run on secondary
VLANs on a host port.
We recommend that you
enable BPDU Guard on all ports that you configure as a host port; do not enable
this feature on promiscuous ports.
For private VLAN promiscuous trunk ports, note the following:
You can configure a maximum of 16 private VLAN primary and secondary VLAN pairs on each promiscuous trunk port.
The native VLAN must be either a normal VLAN or a private VLAN primary VLAN. You cannot configure a private VLAN secondary VLAN as the native VLAN for a private VLAN promiscuous trunk port.
To downgrade a system that has private VLAN promiscuous trunk ports configured, you must unconfigure these ports.
For private VLAN isolated trunk ports, note the following:
You can configure a maximum of 16 private VLAN primary and secondary VLAN pairs on each isolated trunk port.
The native VLAN must be either a normal VLAN or a private VLAN secondary VLAN. You cannot configure a private VLAN primary port as the native VLAN for a private VLAN isolated trunk port.
To downgrade a system that has private VLAN isolated trunk ports configured, you must unconfigure these ports.
You can apply different
Quality of Service (QoS) configurations to primary, isolated, and community
To apply a VACL to all
private VLAN traffic, map the secondary VLANs on the VLAN network interface of
the primary VLAN, and then configure the VACLs on the VLAN network interface of
the primary VLAN.
The VACLs that you apply
to the VLAN network interface of a primary VLAN automatically apply to the
associated isolated and community VLANs only after you have configured the
If you do not map the
secondary VLAN to the VLAN network interface of the primary VLAN, you can have
different VACLs for primary and secondary VLANs, which can cause problems.
Because traffic in a
private VLAN flows in different directions in different VLANs, you can have
different VACLs for ingressing traffic and different VACLs for egressing
traffic prior to configuring the mapping.
You must keep the same VACLs
for the primary VLAN and all secondary VLANs in the private VLAN.
You can enable DHCP
snooping on private VLANs. When you enable DHCP snooping on the primary VLAN,
the DHCP configuration is propagated to the secondary VLANs. If you configure
DHCP on a secondary VLAN, the configuration does not take effect if the primary
VLAN is already configured.
Before you configure a
VLAN as a secondary VLAN, you must shut down the VLAN network interface for the
To prevent interhost
communication in isolated private VLANs with a promiscuous port, configure a
role-based ACL (RBACL) that disallows hosts in that subnet from communicating
with each other.
Private VLAN Port Configuration
Follow these guidelines when configuring private VLAN ports:
Use only the private VLAN configuration commands to assign ports to primary, isolated, or community VLANs.
The Layer 2 access ports that are assigned to the VLANs that you configure as primary, isolated, or community VLANs are inactive while the VLAN is part of the private VLAN configuration. Layer 2 trunk interfaces, which may carry private VLANs, are active and remain part of the STP database.
Do not configure ports that belong to a port-channel group as private VLAN ports. While a port is part of the private VLAN configuration, any port-channel configuration for it is inactive.
If you delete a VLAN used in the private VLAN configuration, the private VLAN ports that are associated with the VLAN become inactive.
Limitations with Other Features
Consider these configuration
limitations with other features when configuring private VLANs:
In some cases, the
configuration is accepted with no error messages, but the commands have no
IGMP runs only on the
primary VLAN and uses the configuration of the primary VLAN for all secondary
Any IGMP join request in
the secondary VLAN is treated as if it is received in the primary VLAN.
Private VLANs support
these Switched Port Analyzer (SPAN) features:
You can configure a
private VLAN port as a SPAN source port.
You can use VLAN-based
SPAN (VSPAN) on primary, isolated, and community VLANs or use SPAN on only one
VLAN to separately monitor egress or ingress traffic.
Private VLAN host or
promiscuous ports cannot be a SPAN destination port.
A destination SPAN port
cannot be an isolated port. (However, a source SPAN port can be an isolated
You can configure SPAN to
span both primary and secondary VLANs or to span either one if the user is
interested only in ingress or egress traffic.
After you configure the
association between the primary and secondary VLANs, the dynamic MAC addresses that
learned the secondary VLANs are flushed.
After you configure the
association between the primary and secondary VLANs, all static MAC addresses
that were created on the secondary VLANs are inserted into the primary VLAN. If
you delete the association, the static MAC addresses revert to the secondary
After you configure the
association between the primary and secondary VLANs, you cannot create static
MAC addresses for the secondary VLANs.
After you configure the
association between the primary and secondary VLANs, if you delete the
association, all static MAC addresses that were created on the primary VLANs
remain on the primary VLAN only.
Port security features are
not supported with private VLANs.
In private VLANs, STP controls only the primary VLAN.
『Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 6.x』
for information on configuring static MAC addresses.
プライベート VLAN のデフォルト設定
次の表に、プライベート VLAN のデフォルト設定を示します。
表 1 プライベート VLAN のデフォルト設定
Configuring a Private VLAN
You must have already created the
VLAN before you can assign the specified VLAN as a private VLAN.
『Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide, Release 6.x』,
for information on assigning IP addresses to VLAN interfaces.
If you are familiar with the
Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might
differ from the Cisco IOS commands that you would use.