Configuring a Private VLAN in a Port Profile

Information About Private VLANs

Private VLANs (PVLANs) partition a single Layer 2 domain so that end devices can share one IP subnet while being isolated from each other at Layer 2; the classic use is an ISP keeping customer ports on one subnet segregated and funnelling all of their traffic to a single router interface. Isolation is enforced by Layer 2 forwarding constraints: a host port in a secondary VLAN can reach promiscuous ports (typically the gateway), but not host ports in other secondary VLANs. Because one large subnet replaces many small ones, address-management overhead drops. Note that the isolation is Layer 2 only; a host that can reach the promiscuous gateway can still be routed or proxied to another host on the same subnet, so filter that traffic at the gateway if it is unwanted.

For more information about PVLANs, see the Cisco Nexus 1000V Layer 2 Switching Configuration Guide.

Configuring a Port Profile as a Private VLAN

Before you begin

  • You are logged in to the CLI in EXEC mode.

  • You know the VLAN IDs for both the primary and secondary VLAN in the private VLAN pair.

  • You know whether this private VLAN inherits its configuration.

Procedure

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# port-profile [type {ethernet | vethernet }] name

Enters port profile configuration mode for the named port profile. If the port profile does not already exist, it is created using the following characteristics:

  • name —The port profile name can be up to 80 alphanumeric characters and must be unique for each port profile on the Cisco Nexus 1000V.

  • type —(Optional) The port profile type can be Ethernet or vEthernet. Once configured, the type cannot be changed. The default is the vEthernet type.

    Defining a port profile type as Ethernet allows the port profile to be used for physical (Ethernet) ports. In the vCenter Server, the corresponding port group can be selected and assigned to physical ports (PNICs).

    Note 

    If a port profile is configured as an Ethernet type, it cannot be used to configure VMware virtual ports.

Step 3

switch(config-port-prof)# switchport mode private-vlan {host | promiscuous | trunk promiscuous}

Designates the port profile for use as a private VLAN and defines the ports as follows:

  • promiscuous —vEthernet ports that belong to the primary VLAN and communicate with the Layer 3 gateway. Promiscuous ports can communicate with any interface in the PVLAN domain, including those associated with secondary VLANs.

  • host —vEthernet ports that belong to a secondary VLAN, as one of the following. Which one applies depends on whether the secondary VLAN associated in Step 4 was configured as a community or an isolated VLAN:

    • Community PVLAN host port (can communicate with other ports in the same community and with promiscuous ports)

    • Isolated PVLAN host port (can communicate only with promiscuous ports)

  • trunk promiscuous —A physical Ethernet trunk port that carries both regular non-PVLAN traffic and PVLAN traffic, so this mode is valid only on a port profile of type ethernet. When traffic comes from a PVLAN host port, the packet is translated to the primary VLAN packet.

Step 4

switch(config-port-prof)# switchport private-vlan host-association primary-vlan secondary-vlan

(Host mode only.) Associates the port profile with one primary/secondary VLAN pair and saves this association in the running configuration.

  • primary-vlan —Specifies the primary VLAN ID. You can specify only one primary VLAN ID.

  • secondary-vlan —Specifies the secondary VLAN ID (an isolated or community VLAN). You can specify only one secondary VLAN ID.

Step 5

switch(config-port-prof)# switchport private-vlan trunk allowed vlan vlan-range

(Trunk promiscuous mode only.) Sets the VLANs allowed on the trunk when the interface is in private-vlan trunking mode. The keyword all permits every VLAN the trunk can carry; specifying only the primary VLANs and regular VLANs the trunk actually needs keeps unrelated VLANs off the uplink.

Step 6

switch(config-port-prof)# switchport private-vlan mapping primary-vlan [add | remove] secondary-vlan-list

(Promiscuous mode only.) Maps the primary VLAN to one or more secondary VLANs for the port profile.

  • primary-vlan —Specifies the primary VLAN ID. You can specify only one primary VLAN ID.

  • add —Adds the listed secondary VLANs to the existing mapping.

  • remove —Removes the listed secondary VLANs from the mapping.

  • secondary-vlan-list —One or more secondary VLAN IDs, given as a single ID, a comma-separated list, or a range (for example, 154-155).

Step 7

switch(config-port-prof)# switchport private-vlan mapping trunk primary-vlan [add | remove] secondary-vlan-list

(Trunk promiscuous mode only.) Maps the primary VLAN to one or more secondary VLANs on the promiscuous trunk. Repeat the command once for each primary VLAN the trunk must carry. The arguments are the same as in Step 6.

The range of valid VLAN IDs is 1 to 3967.

Step 8

(Optional) switch(config-port-prof)# show port-profile [brief | expand-interface | usage] [name profile-name]

Displays the configuration for verification.

Step 9

(Optional) switch(config-port-prof)# copy running-config startup-config

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Example

These examples show a host port profile, a promiscuous port profile, and a promiscuous trunk port profile. The host profile is associated with secondary VLAN 154, and both promiscuous profiles map 154 back to primary VLAN 153; without that mapping the hosts would have no path to the gateway.

switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)# port-profile type vethernet pvcomm
switch(config-port-prof)# vmware port-group
switch(config-port-prof)# switchport mode private-vlan host
switch(config-port-prof)# switchport private-vlan host-association 153 154
switch(config-port-prof)# no shutdown
switch(config-port-prof)# state enabled
switch(config-port-prof)# show run port-profile pvcomm

!Command: show running-config port-profile pvcomm
!Time: Fri Jan  7 15:10:43 2011

version 4.2(1)SV1(4)
port-profile type vethernet pvcomm
  vmware port-group
  switchport mode private-vlan host
  switchport private-vlan host-association 153 154
  no shutdown
  max-ports 1024
  state enabled


switch(config-port-prof)# port-profile type vethernet pvprom
switch(config-port-prof)# vmware port-group
switch(config-port-prof)# switchport mode private-vlan promiscuous
switch(config-port-prof)# switchport private-vlan mapping 153 154-155
switch(config-port-prof)# no shutdown
switch(config-port-prof)# state enabled
switch(config-port-prof)# show run port-profile pvprom

!Command: show running-config port-profile pvprom
!Time: Fri Jan  7 15:11:43 2011

version 4.2(1)SV1(4)
port-profile type vethernet pvprom
  vmware port-group
  switchport mode private-vlan promiscuous
  switchport private-vlan mapping 153 154-155
  no shutdown
  max-ports 1024
  state enabled

switch(config-port-prof)# port-profile type ethernet pvpromtrunk
switch(config-port-prof)# vmware port-group
switch(config-port-prof)# switchport mode private-vlan trunk promiscuous
switch(config-port-prof)# switchport private-vlan mapping trunk 153 154-155
switch(config-port-prof)# switchport private-vlan mapping trunk 156 157
switch(config-port-prof)# switchport private-vlan trunk allowed vlan all
switch(config-port-prof)# no shutdown
switch(config-port-prof)# state enabled
switch(config-port-prof)# show run port-profile pvpromtrunk

!Command: show running-config port-profile pvpromtrunk
!Time: Fri Jan  7 15:12:24 2011

version 4.2(1)SV1(4)
port-profile type ethernet pvpromtrunk
  vmware port-group
  switchport mode private-vlan trunk promiscuous
  switchport private-vlan mapping trunk 153 154-155
  switchport private-vlan mapping trunk 156 157
  switchport private-vlan trunk allowed vlan 1-3967,4048-4093
  no shutdown
  state enabled
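Added here as a worked check, not part of the Cisco guide or its software: a Python script that audits the text of show running-config port-profile for the mistakes the steps above make easy, such as a host profile whose secondary VLAN no promiscuous or trunk promiscuous profile maps back to its primary (leaving those hosts with no gateway), a secondary VLAN placed under two different primaries, a mapping keyword that does not match the mode, and a host or trunk promiscuous profile of the wrong type. The sample configuration is constructed from the profiles above plus two deliberately broken profiles (pvorphan and pvclash); the profile names and VLAN IDs are assumptions for the example.

```python
"""Consistency audit for Nexus 1000V private-VLAN port profiles.

Added example, not Cisco code. Parses `show running-config port-profile`
text and reports PVLAN settings that are incomplete or contradictory.
"""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^port-profile type (ethernet|vethernet) (\S+)\s*$")
MODE_RE = re.compile(r"^\s*switchport mode private-vlan (host|promiscuous|trunk promiscuous)\s*$")
HOST_RE = re.compile(r"^\s*switchport private-vlan host-association (\d+) (\d+)\s*$")
MAP_RE = re.compile(r"^\s*switchport private-vlan mapping (trunk )?(\d+) (?:add )?([\d,-]+)\s*$")


def expand_vlan_list(spec):
    """Expand a VLAN list such as '154-155,157' into {154, 155, 157}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_port_profiles(text):
    """Return {name: {type, mode, host_assoc, mappings, map_kw}} per profile."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"type": m.group(1), "mode": None, "host_assoc": None,
                       "mappings": defaultdict(set), "map_kw": set()}
            profiles[m.group(2)] = current
        elif current is None:
            continue                      # text before the first profile
        elif (m := MODE_RE.match(line)):
            current["mode"] = m.group(1)
        elif (m := HOST_RE.match(line)):
            current["host_assoc"] = (int(m.group(1)), int(m.group(2)))
        elif (m := MAP_RE.match(line)):
            current["map_kw"].add("trunk" if m.group(1) else "plain")
            current["mappings"][int(m.group(2))] |= expand_vlan_list(m.group(3))
    return profiles


def audit(text):
    """Return a list of findings; an empty list means the PVLAN config is consistent."""
    profiles = parse_port_profiles(text)
    findings = []
    owners = defaultdict(set)   # secondary VLAN -> primaries it is placed under
    served = set()              # (primary, secondary) pairs some promiscuous profile maps
    for name, p in profiles.items():
        mode = p["mode"]
        if mode is None:
            continue                                   # not a PVLAN profile
        if mode == "host":
            if p["type"] != "vethernet":
                findings.append(f"{name}: host mode requires a vethernet profile")
            if p["host_assoc"] is None:
                findings.append(f"{name}: host mode without host-association")
            else:
                owners[p["host_assoc"][1]].add(p["host_assoc"][0])
            continue
        if mode == "trunk promiscuous" and p["type"] != "ethernet":
            findings.append(f"{name}: trunk promiscuous mode requires an ethernet profile")
        expected = "trunk" if mode == "trunk promiscuous" else "plain"
        if p["map_kw"] - {expected}:
            findings.append(f"{name}: mapping keyword does not match mode {mode!r}")
        if not p["mappings"]:
            findings.append(f"{name}: {mode} mode without private-vlan mapping")
        for pri, secs in p["mappings"].items():
            for sec in secs:
                owners[sec].add(pri)
                served.add((pri, sec))
    for name, p in profiles.items():          # every host pair needs a promiscuous path
        pair = p["host_assoc"]
        if p["mode"] == "host" and pair and pair not in served:
            findings.append(f"{name}: secondary VLAN {pair[1]} (primary {pair[0]}) "
                            "is not mapped on any promiscuous profile")
    for sec, pris in sorted(owners.items()):  # a secondary belongs to exactly one primary
        if len(pris) > 1:
            findings.append(f"secondary VLAN {sec} is placed under multiple primaries {sorted(pris)}")
    return findings


# Constructed sample: the chapter's pvcomm/pvpromtrunk profiles plus two broken ones.
SAMPLE_CONFIG = """\
port-profile type vethernet pvcomm
  vmware port-group
  switchport mode private-vlan host
  switchport private-vlan host-association 153 154
  no shutdown
  state enabled
port-profile type ethernet pvpromtrunk
  vmware port-group
  switchport mode private-vlan trunk promiscuous
  switchport private-vlan mapping trunk 153 154-155
  switchport private-vlan mapping trunk 156 157
  switchport private-vlan trunk allowed vlan 1-3967,4048-4093
  no shutdown
  state enabled
port-profile type vethernet pvorphan
  switchport mode private-vlan host
  switchport private-vlan host-association 160 161
  state enabled
port-profile type vethernet pvclash
  switchport mode private-vlan promiscuous
  switchport private-vlan mapping 170 154
  state enabled
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports that pvorphan's secondary VLAN 161 has no promiscuous mapping and that secondary VLAN 154 is placed under both primary 153 and primary 170. Paste the output of show running-config port-profile from the VSM in place of SAMPLE_CONFIG to audit a live switch; the parser ignores non-PVLAN lines such as vmware port-group and max-ports.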

Feature History for Private VLAN Port Profiles

Feature Name: Private VLAN port profiles

Release: 4.0(4)SV1(1)

Feature Information: This feature was introduced.