- Overview
- Tools
- Installation
- Licenses
- High Availability
- VSM and VEM Modules
- Ports
- Port Profiles
- Port Channels and Trunking
- Layer 2 Switching
- VLAN
- Private VLAN
- NetFlow
- ACL
- Quality of Service
- SPAN
- Multicast IGMP
- DHCP, DAI, and IPSG
- System
- Network Segmentation Manager
- Ethanalyzer
- Before Contacting Technical Support
Private VLANs
This chapter describes how to identify and resolve problems related to private VLANs.
Information About Private VLANs
Private VLANs (PVLANs) are used to segregate Layer 2 Internet service provider (ISP) traffic and convey it to a single router interface. PVLANs achieve device isolation by applying Layer 2 forwarding constraints that allow end devices to share the same IP subnet while being isolated at Layer 2. In turn, the use of larger subnets reduces address management overhead. Three separate port designations are used. Each has its own unique set of rules that regulate each connected endpoint's ability to communicate with other connected endpoints within the same private VLAN domain.
Private VLAN Domain
A private VLAN domain consists of one or more pairs of VLANs. The primary VLAN makes up the domain; each VLAN pair makes up a subdomain. The VLANs in a pair are called the primary VLAN and the secondary VLAN. All VLAN pairs within a private VLAN have the same primary VLAN. The secondary VLAN ID is what differentiates one subdomain from another.
Spanning Multiple Switches
Private VLANs can span multiple switches, just like regular VLANs. Inter-switch link ports do not need to be aware of the special VLAN type and can carry frames tagged with these VLANs just as they do with any other frames. Private VLANs ensure that traffic from an isolated port in one switch does not reach another isolated or community port in a different switch even after traversing an inter-switch link. By embedding the isolation information at the VLAN level and by transporting it with the packet, it is possible to maintain consistent behavior throughout the network. Therefore, the mechanism that restricts Layer 2 communication between two isolated ports in the same switch also restricts Layer 2 communication between two isolated ports in two different switches.
Private VLAN Ports
Within a private VLAN domain, there are three separate port designations. Each port designation has its own unique set of rules that regulate the ability of one endpoint to communicate with other connected endpoints within the same private VLAN domain. The following are the three port designations:
For additional information about private VLANs, see the Cisco Nexus 1000V for Microsoft Hyper-V Layer 2 Switching Configuration Guide, Release 5.2(1)SM1(5.1) .
Troubleshooting Guidelines
Follow these guidelines when troubleshooting private VLAN issues:
Private VLAN Troubleshooting Commands
You can use the commands in this section to troubleshoot problems related to private VLANs.
To verify that a private VLAN is configured correctly, enter this command:
To verify if a physical Ethernet interface in a private VLAN trunk promiscuous mode is up, enter this command:
To verify if a virtual Ethernet interface in private VLAN host mode is up, enter this command:
To verify if a VEM is configured correctly, enter this command:
If additional information is required for Cisco Technical Support to troubleshoot a private VLAN issue, use the following commands: