Configuring a Private VLAN in a Port Profile

This chapter describes how to create a port profile for a private VLAN (PVLAN).

This chapter includes the following sections:

Information About Private VLANs

Configuring a Port Profile as a Private VLAN

PVLAN Example Configuration

Feature History for Private VLAN Port Profiles

Information About Private VLANs

Private VLANs (PVLANs) are used to segregate Layer 2 ISP traffic and convey it to a single router interface. PVLANs achieve device isolation by applying Layer 2 forwarding constraints that allow end devices to share the same IP subnet while being Layer 2 isolated. In turn, the use of larger subnets reduces address management overhead.

For more information about PVLAN, see the Cisco Nexus 1000V Layer 2 Switching Configuration Guide, Release 4.2(1)SV1(4)

Configuring a Port Profile as a Private VLAN

You can use this procedure to configure a port profile to be used as a private VLAN (PVLAN).

BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

You are logged in to the CLI in EXEC mode.

You know the VLAN IDs for both the primary and secondary VLAN in the private VLAN pair.

You know whether this private VLAN inherits its configuration.

SUMMARY STEPS

1. config t

2. port-profile [type {ethernet | vethernet}] name

3. switchport mode private-vlan {host | promiscuous}

4. switchport private-vlan host-association primary-vlan secondary-vlans

5. switchport private-vlan mapping primary_vlan [add | remove] secondary_vlans

6. show port-profile [brief | expand-interface | usage] [name profile-name]

7. copy running-config startup-config

DETAILED STEPS

 
Command
Description

Step 1 

config t


Example:

n1000v# config t

n1000v(config)#

Enters global configuration mode.

Step 2 

port-profile [type {ethernet | vethernet}] name


Example:

n1000v(config)# port-profile AccessProf

n1000v(config-port-prof)#

Enters port profile configuration mode for the named port profile. If the port profile does not already exist, it is created using the following characteristics:

name—The port profile name can be up to 80 characters and must be unique for each port profile on the Cisco Nexus 1000V.

type—(Optional) The port profile type can be Ethernet or vEthernet. Once configured, the type cannot be changed. The default is the vEthernet type.

Defining a port profile type as Ethernet allows the port profile to be used for physical (Ethernet) ports. In the vCenter Server, the corresponding port group can be selected and assigned to physical ports (PNICs).

Note If a port profile is configured as an Ethernet type, then it cannot be used to configure VMware virtual ports.

Step 3 

switchport mode private-vlan {host | promiscuous}


Example:

n1000v(config-port-prof)# switchport mode private-vlan promiscuous

n1000v(config-port-prof)#

Designates the port profile for use as a private VLAN and defines the ports as follows:

promiscuous—Ports that belong to the primary VLAN and communicate with the Layer 3 gateway. Promiscuous ports can communicate with any interface in the PVLAN domain, including those associated with secondary VLANs.

host—Ports that belong to the secondary VLAN as one of the following:

Community PVLAN host port

Isolated PVLAN host port

Step 4 

switchport private-vlan host-association primary-vlan secondary-vlans


Example:

n1000v(config-port-prof)# switchport private-vlan host-association 3 300 301 302

n1000v(config-port-prof)#

Assigns the primary and secondary VLAN IDs to the port profile and saves this association in the running configuration.

primary-vlan—Specifies a primary VLAN ID. You can specify only one primary VLAN ID.

secondary-vlans—Specifies the secondary VLAN IDs. You can specify more than one secondary VLAN ID.

Step 5 

switchport private-vlan mapping primary_vlan
[add | remove] secondary_vlans


Example:

n1000v(config-port-prof)# switchport private-vlan mapping 3 add 300 301 302

n1000v(config-port-prof)#

Maps the primary VLAN ID to the secondary VLAN IDs for the port profile.

Step 6 

show port-profile [brief | expand-interface | usage] [name profile-name]


Example:

n1000v(config-port-prof)# show port-profile name AccessProf

(Optional) Displays the configuration for verification.

Step 7 

copy running-config startup-config


Example:

n1000v(config-port-prof)# copy running-config startup-config

(Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.

PVLAN Example Configuration

This section includes the following examples:

PVLAN Example When Upstream Switch Supports PVLAN

PVLAN Example When Upstream Switch Does Not Support PVLAN

PVLAN Example When Upstream Switch Supports PVLAN

Use the following example if the switch upstream from the Cisco Nexus 1000V, such as a Cisco Catalyst 6500, supports private VLAN. This example shows how to configure the Cisco Nexus 1000V uplink as a regular trunk port, and then how to configure the required promiscuous SVI interface on the upstream switch. 

vlan 153

  private-vlan primary

  private-vlan association 154-155

vlan 154

  private-vlan community

vlan 155

  private-vlan isolated


port-profile type vethernet pv154

  vmware port-group

  switchport mode private-vlan host

  switchport private-vlan host-association 153 154

  no shutdown

  state enabled


port-profile type vethernet pv155

  vmware port-group

  switchport mode private-vlan host

  switchport private-vlan host-association 153 155

  no shutdown

  state enabled


port-profile type ethernet datatrunk

  vmware port-group

  switchport mode trunk

  switchport trunk allowed vlan 1,153-155

  no shutdown

  state enabled

Configuration on the upstream switch: 


vlan 153

  private-vlan primary

  private-vlan association 154-155

!

vlan 154

  private-vlan community

!

vlan 155

  private-vlan isolated

!


interface Vlan153

 ip address 7.153.153.1 255.255.255.0

 private-vlan mapping 154-155

PVLAN Example When Upstream Switch Does Not Support PVLAN

Use the following example if the switch upstream from the Cisco Nexus 1000V does not support private VLAN. This example shows how to configure the Cisco Nexus 1000V uplink as a private VLAN promiscuous trunk port. No private VLAN configuration is needed on the upstream switch. 

vlan 153

  private-vlan primary

  private-vlan association 154-155

vlan 154

  private-vlan community

vlan 155

  private-vlan isolated


port-profile type vethernet pv154

  vmware port-group

  switchport mode private-vlan host

  switchport private-vlan host-association 153 154

  no shutdown

  state enabled


port-profile type vethernet pv155

  vmware port-group

  switchport mode private-vlan host

  switchport private-vlan host-association 153 155

  no shutdown

  state enabled


port-profile type ethernet pcpvtrunk

  vmware port-group

  switchport mode private-vlan trunk promiscuous

  switchport private-vlan mapping trunk 153 154-155

  switchport private-vlan trunk allowed vlan 153-155

  channel-group auto mode on

  no shutdown

  state enabled

Feature History for Private VLAN Port Profiles

This section provides the feature history for system port profiles.

Feature Name
Releases
Feature Information

Private VLAN Port Profiles

4.0(4)SV1(1)

This feature was introduced.