To allow the host
ports in secondary VLANs to communicate outside the private VLAN, you associate
secondary VLANs to the primary VLAN. If the association is not operational, the
host ports (isolated and community ports) in the secondary VLAN are brought
You can associate
a secondary VLAN with only one primary VLAN.
For an association
to be operational, the following conditions must be met:
The primary VLAN
VLAN must exist.
The primary VLAN
must be configured as a primary VLAN.
VLAN must be configured as either an isolated or community VLAN.
show command display to verify that the association is
operational. The device does not issue an error message when the association is
If you delete
either the primary or secondary VLAN, the ports that are associated with the
VLAN become inactive. When you reconvert the specified VLAN to private VLAN
mode, the original associations are reinstated.
If the association
is not operational on private VLAN trunk ports, only that VLAN goes down, not
the entire port.
When you enter the
private-vlan command, the VLAN returns to the normal VLAN mode. All
associations on that VLAN are suspended, but the interfaces remain in private
If you enter the
vlan command for the primary VLAN, all private VLAN associations with
that VLAN are lost. However, if you enter the
vlan command for a secondary VLAN, the private VLAN associations with
that VLAN are suspended and return when you recreate the specified VLAN and
configure it as the secondary VLAN.
is different from how Catalyst devices work.
In order to change
the association between a secondary and primary VLAN, you must first remove the
current association and then add the desired association.