Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.
The following are prerequisites for configuring private VLANs:
Follow these guidelines when configuring private VLANs:
Follow these guidelines when configuring private VLAN ports:
The following are restrictions for configuring private VLANs:
When configuring private VLANs, remember these limitations with other features:
Note: In some cases, the configuration is accepted with no error messages, but the commands have no effect.
Note: Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the associated VLANs. For example, a MAC address learned in a secondary VLAN is replicated in the primary VLAN. When the original dynamic MAC address is deleted or aged out, the replicated addresses are removed from the MAC address table.
Information About Private VLANs
The private VLAN feature addresses two problems that service providers face when using VLANs:
Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private VLAN ports are access ports that are one of these types:
Note: Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.
Primary and secondary VLANs have these characteristics:
A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs. Layer 3 gateways are typically connected to the switch through a promiscuous port. With a promiscuous port, you can connect a wide range of devices as access points to a private VLAN. For example, you can use a promiscuous port to monitor or back up all the private VLAN servers from an administration workstation.
In a switched environment, you can assign an individual private VLAN and associated IP subnet to each individual or common group of end stations. The end stations need to communicate only with a default gateway to communicate outside the private VLAN.
You can use private VLANs to control access to end stations in these ways:
You can extend private VLANs across multiple devices by trunking the primary, isolated, and community VLANs to other devices that support private VLANs. To maintain the security of your private VLAN configuration and to avoid other use of the VLANs configured as private VLANs, configure private VLANs on all intermediate devices, including devices that have no private VLAN ports.
Assigning a separate VLAN to each customer creates an inefficient IP addressing scheme:
These problems are reduced by using private VLANs, where all members in the private VLAN share a common address space, which is allocated to the primary VLAN. Hosts are connected to secondary VLANs, and the DHCP server assigns them IP addresses from the block of addresses allocated to the primary VLAN. Subsequent IP addresses can be assigned to customer devices in different secondary VLANs, but in the same primary VLAN. When new devices are added, the DHCP server assigns them the next available address from a large pool of subnet addresses.
Because VTP does not support private VLANs, you must manually configure private VLANs on all switches in the Layer 2 network. If you do not configure the primary and secondary VLAN association in some switches in the network, the Layer 2 databases in these switches are not merged. This can result in unnecessary flooding of private VLAN traffic on those switches.
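Because VTP does not carry private VLAN associations, the practical way to confirm that every switch (including the intermediate devices mentioned above) agrees on the primary/secondary pairs is to collect `show vlan private-vlan` from each switch and compare them. The audit below is an added example, not Cisco's code; the switch names are hypothetical and the captures are constructed in the output format shown on this page.

```python
"""Compare 'show vlan private-vlan' captures from several switches (added example, not Cisco code)."""
import re
from typing import Dict, List, Tuple

# Data rows of 'show vlan private-vlan': <primary> <secondary> <type> [ports]
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(isolated|community|non-operational)\b")

def parse_private_vlan(output: str) -> Dict[Tuple[int, int], str]:
    """Return {(primary, secondary): type} for every association row in one capture."""
    assoc = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            assoc[(int(m.group(1)), int(m.group(2)))] = m.group(3)
    return assoc

def audit(switches: Dict[str, str]) -> List[str]:
    """Return one finding per inconsistency between the captures in `switches`."""
    parsed = {name: parse_private_vlan(out) for name, out in switches.items()}
    findings = []
    # A non-operational row means the association exists but the secondary VLAN was never created.
    for name, assoc in sorted(parsed.items()):
        for (pri, sec), typ in sorted(assoc.items()):
            if typ == "non-operational":
                findings.append(f"{name}: secondary VLAN {sec} of primary {pri} is non-operational")
    # VTP does not carry private VLANs, so every switch must list the same pairs with the same type.
    for pri, sec in sorted(set().union(*(set(a) for a in parsed.values()))):
        missing = sorted(n for n, a in parsed.items() if (pri, sec) not in a)
        if missing:
            findings.append(f"association {pri}/{sec} missing on {', '.join(missing)}")
        types = {a[(pri, sec)] for a in parsed.values() if (pri, sec) in a} - {"non-operational"}
        if len(types) > 1:
            findings.append(f"association {pri}/{sec} has conflicting types: {', '.join(sorted(types))}")
    return findings

# Constructed sample captures in the format shown on this page (not real switch output).
HEADER = "Primary Secondary Type              Ports\n------- --------- ----------------- ----\n"
SAMPLE = {
    "core": HEADER + "20      501       isolated          Gi1/0/24\n"
            "20      502       community         Gi1/0/24\n20      503       community         Gi1/0/24\n",
    "dist1": HEADER + "20      501       isolated          Gi1/0/1\n"
             "20      502       community         Gi1/0/1\n20      504       non-operational\n",
    "access1": HEADER + "20      501       isolated          Gi1/0/22\n"
               "20      502       isolated          Gi1/0/5\n20      503       community         Gi1/0/7\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the constructed captures this reports the uncreated VLAN 504 on dist1, the association 20/503 that dist1 lacks, 20/504 that the other two lack, and VLAN 502 being isolated on access1 but community elsewhere.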
Private VLAN Interaction with Other Features
In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but devices connected to interfaces in different VLANs must communicate at the Layer 3 level. In private VLANs, the promiscuous ports are members of the primary VLAN, while the host ports belong to secondary VLANs. Because each secondary VLAN is associated with the primary VLAN, members of these VLANs can communicate with each other at the Layer 2 level.
In a regular VLAN, broadcasts are forwarded to all ports in that VLAN. Private VLAN broadcast forwarding depends on the port sending the broadcast:
Multicast traffic is routed or bridged across private VLAN boundaries and within a single community VLAN. Multicast traffic is not forwarded between ports in the same isolated VLAN or between ports in different secondary VLANs.
In a Layer 3 switch, a switch virtual interface (SVI) represents the Layer 3 interface of a VLAN. Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs. Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs. SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN.
When the primary VLAN is associated with and mapped to the secondary VLAN, any configuration on the primary VLAN is propagated to the secondary VLAN SVIs. For example, if you assign an IP subnet to the primary VLAN SVI, this subnet is the IP subnet address of the entire private VLAN.
Private VLANs can operate within the switch stack, and private-VLAN ports can reside on different stack members. However, some changes to the switch stack can impact private-VLAN operation:
To configure a private VLAN, perform these steps:
Note: If the VLAN is not created already, the private VLAN configuration process creates it.
No private VLANs are configured.
How to Configure Private VLANs
The private-vlan commands do not take effect until you exit VLAN configuration mode.
13. private-vlan association [add | remove] secondary_vlan_list
15. show vlan private-vlan [type] or show interfaces status
Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private-VLAN host port and to associate it with primary and secondary VLANs:
Note: Isolated and community VLANs are both secondary VLANs.
3. switchport mode private-vlan host
4. switchport private-vlan host-association primary_vlan_id secondary_vlan_id
Beginning in privileged EXEC mode, follow these steps to configure a Layer 2 interface as a private VLAN promiscuous port and map it to primary and secondary VLANs:
Note: Isolated and community VLANs are both secondary VLANs.
3. switchport mode private-vlan promiscuous
4. switchport private-vlan mapping primary_vlan_id {add | remove} secondary_vlan_list
If the private VLAN will be used for inter-VLAN routing, you configure an SVI for the primary VLAN and map secondary VLANs to the SVI.
Isolated and community VLANs are both secondary VLANs.
The private-vlan mapping interface configuration command only affects private VLAN traffic that is Layer 3 switched.
Beginning in privileged EXEC mode, follow these steps to map secondary VLANs to the SVI of a primary VLAN to allow Layer 3 switching of private VLAN traffic:
2. interface vlan primary_vlan_id
3. private-vlan mapping [add | remove] secondary_vlan_list
Configuration Examples for Private VLANs
This example shows how to configure VLAN 20 as a primary VLAN, VLAN 501 as an isolated VLAN, and VLANs 502 and 503 as community VLANs, to associate them in a private VLAN, and to verify the configuration:
```
Switch# configure terminal
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# exit
Switch(config)# vlan 501
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# vlan 502
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 503
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan association 501-503
Switch(config-vlan)# end
Switch# show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
20      501       isolated
20      502       community
20      503       community
20      504       non-operational
```
This example shows how to configure an interface as a private VLAN host port, associate it with a private VLAN pair, and verify the configuration:
```
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/22
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 20 501
Switch(config-if)# end
Switch# show interfaces gigabitethernet1/0/22 switchport
Name: Gi1/0/22
Switchport: Enabled
Administrative Mode: private-vlan host
Operational Mode: private-vlan host
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: 20 501
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: 20 501
<output truncated>
```
This example shows how to configure an interface as a private VLAN promiscuous port and map it to a private VLAN. The interface is a member of primary VLAN 20 and secondary VLANs 501 to 503 are mapped to it.
```
Switch# configure terminal
Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 20 add 501-503
Switch(config-if)# end
```
This example shows how to map the interfaces of VLANs 501 and 502 to primary VLAN 10, which permits routing of secondary VLAN ingress traffic from private VLANs 501 and 502:
```
Switch# configure terminal
Switch(config)# interface vlan 10
Switch(config-if)# private-vlan mapping 501-502
Switch(config-if)# end
Switch# show interfaces private-vlan mapping
Interface Secondary VLAN Type
--------- -------------- -----------------
vlan10    501            isolated
vlan10    502            community
```
This example shows output from the show vlan private-vlan command:
```
Switch(config)# show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      501       isolated          Gi2/0/1, Gi3/0/1, Gi3/0/2
10      502       community         Gi2/0/11, Gi3/0/1, Gi3/0/4
10      503       non-operational
```
You can configure the following:
| Related Topic | Document Title |
|---|---|
| For complete syntax and usage information for the commands used in this chapter. | |

| Standard/RFC | Title |
|---|---|
| — | — |

| MIB | MIBs Link |
|---|---|
| All supported MIBs for this release. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |

| Description | Link |
|---|---|
| The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | |

| Release | Modification |
|---|---|
| Cisco IOS 15.0(2)EX1 | This feature was introduced. |