Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http:/​/​www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

The private VLAN feature addresses two problems that service providers face when using VLANs:

• When running the IP Base or IP Services image, the switch supports up to 4094 active VLANs. If a service provider assigns one VLAN per customer, this limits the numbers of customers the service provider can support.

• To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which can result in wasting the unused IP addresses, and cause IP address management problems.

Figure 1. Private VLAN Domain. Using private VLANs addresses the scalability problem and provides IP address management benefits for service providers and Layer 2 security for customers. Private VLANs partition a regular VLAN domain into subdomains. A subdomain is represented by a pair of VLANs: a primary VLAN and a secondary VLAN. A private VLAN can have multiple VLAN pairs, one pair for each subdomain. All VLAN pairs in a private VLAN share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another.

There are two types of secondary VLANs:

• Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level.

• Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level.

Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private VLAN ports are access ports that are one of these types:

• Promiscuous—A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports that belong to the secondary VLANs associated with the primary VLAN.

• Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from other ports within the same private VLAN, except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.

• Community—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and from isolated ports within their private VLAN.

Note	Trunk ports carry traffic from regular VLANs and also from primary, isolated, and community VLANs.

Primary and secondary VLANs have these characteristics:

• Primary VLAN—A private VLAN has only one primary VLAN. Every port in a private VLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the (isolated and community) host ports and to other promiscuous ports.

• Isolated VLAN —A private VLAN has only one isolated VLAN. An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the gateway.

• Community VLAN—A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port gateways and to other host ports in the same community. You can configure multiple community VLANs in a private VLAN.

A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs. Layer 3 gateways are typically connected to the switch through a promiscuous port. With a promiscuous port, you can connect a wide range of devices as access points to a private VLAN. For example, you can use a promiscuous port to monitor or back up all the private VLAN servers from an administration workstation.

In a switched environment, you can assign an individual private VLAN and associated IP subnet to each individual or common group of end stations. The end stations need to communicate only with a default gateway to communicate outside the private VLAN.

You can use private VLANs to control access to end stations in these ways:

• Configure selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2. For example, if the end stations are servers, this configuration prevents Layer 2 communication between the servers.

• Configure interfaces connected to default gateways and selected end stations (for example, backup servers) as promiscuous ports to allow all end stations access to a default gateway.

You can extend private VLANs across multiple devices by trunking the primary, isolated, and community VLANs to other devices that support private VLANs. To maintain the security of your private VLAN configuration and to avoid other use of the VLANs configured as private VLANs, configure private VLANs on all intermediate devices, including devices that have no private VLAN ports.

Assigning a separate VLAN to each customer creates an inefficient IP addressing scheme:

• Assigning a block of addresses to a customer VLAN can result in unused IP addresses.

• If the number of devices in the VLAN increases, the number of assigned address might not be large enough to accommodate them.

These problems are reduced by using private VLANs, where all members in the private VLAN share a common address space, which is allocated to the primary VLAN. Hosts are connected to secondary VLANs, and the DHCP server assigns them IP addresses from the block of addresses allocated to the primary VLAN. Subsequent IP addresses can be assigned to customer devices in different secondary VLANs, but in the same primary VLAN. When new devices are added, the DHCP server assigns them the next available address from a large pool of subnet addresses.

Figure 2. Private VLANs Across Switches. As with regular VLANs, private VLANs can span multiple switches. A trunk port carries the primary VLAN and secondary VLANs to a neighboring switch. The trunk port treats the private VLAN as any other VLAN. A feature of private VLANs across multiple switches is that traffic from an isolated port in Switch A does not reach an isolated port on Switch B.

Private VLANs are supported in transparent mode for VTP 1, 2 and 3. Private vlan is also supported on server mode for VTP 3. If we have a server client setup using VTP 3, private vlans configured on the server should be reflected on the client.

In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but devices connected to interfaces in different VLANs must communicate at the Layer 3 level. In private VLANs, the promiscuous ports are members of the primary VLAN, while the host ports belong to secondary VLANs. Because the secondary VLAN is associated to the primary VLAN, members of the these VLANs can communicate with each other at the Layer 2 level.

In a regular VLAN, broadcasts are forwarded to all ports in that VLAN. Private VLAN broadcast forwarding depends on the port sending the broadcast:

• An isolated port sends a broadcast only to the promiscuous ports or trunk ports.

• A community port sends a broadcast to all promiscuous ports, trunk ports, and ports in the same community VLAN.

• A promiscuous port sends a broadcast to all ports in the private VLAN (other promiscuous ports, trunk ports, isolated ports, and community ports).

Multicast traffic is routed or bridged across private VLAN boundaries and within a single community VLAN. Multicast traffic is not forwarded between ports in the same isolated VLAN or between ports in different secondary VLANs.

Private VLAN multicast forwarding supports the following:

• Sender can be outside the VLAN and the Receivers can be inside the VLAN domain.

• Sender can be inside the VLAN and the Receivers can be outside the VLAN domain.

• Sender and Receiver can both be in the same community vlan.

In a Layer 3 switch, a switch virtual interface (SVI) represents the Layer 3 interface of a VLAN. Layer 3 devices communicate with a private VLAN only through the primary VLAN and not through secondary VLANs. Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs. You cannot configure Layer 3 VLAN interfaces for secondary VLANs. SVIs for secondary VLANs are inactive while the VLAN is configured as a secondary VLAN.

• If you try to configure a VLAN with an active SVI as a secondary VLAN, the configuration is not allowed until you disable the SVI.

• If you try to create an SVI on a VLAN that is configured as a secondary VLAN and the secondary VLAN is already mapped at Layer 3, the SVI is not created, and an error is returned. If the SVI is not mapped at Layer 3, the SVI is created, but it is automatically shut down.

When the primary VLAN is associated with and mapped to the secondary VLAN, any configuration on the primary VLAN is propagated to the secondary VLAN SVIs. For example, if you assign an IP subnet to the primary VLAN SVI, this subnet is the IP subnet address of the entire private VLAN.

Private VLANs can operate within the switch stack, and private-VLAN ports can reside on different stack members. However, the following changes to the stack can impact private-VLAN operation:

• If a stack contains only one private-VLAN promiscuous port and the stack member that contains that port is removed from the stack, host ports in that private VLAN lose connectivity outside the private VLAN.

• If a stack master stack that contains the only private-VLAN promiscuous port in the stack fails or leaves the stack and a new stack master is elected, host ports in a private VLAN that had its promiscuous port on the old stack master lose connectivity outside of the private VLAN.

• If two stacks merge, private VLANs on the winning stack are not affected, but private-VLAN configuration on the losing switch is lost when that switch reboots.

The Mac addresses learnt in the secondary VLAN are replicated to the primary VLAN and not vice-versa. This saves the hardware l2 cam space. The primary VLAN is always used for forwarding lookups in both directions.

Dynamic MAC addresses learned in Primary VLAN of a private VLAN are then, if required, replicated in the secondary VLANs. For example, if a mac-address is dynamically received on the secondary VLAN, it will be learnt as part of primary VLAN. In case of isolated VLANs, a blocked entry for the same mac will be added to secondary VLAN in the mac address table. So, mac learnt on host ports in secondary domain are installed as blocked type entries. All mac entries are learnt on secondary VLANs, even if the traffic ingresses from primary VLAN.

However, if a mac-address is dynamically learnt in the primary VLAN it will not get replicated in the associated secondary VLANS.

Users are not required to replicate the Static Mac Address CLI for private VLAN hosts as compare to legacy model.

Example:

• In the legacy model, if the user configures a static mac address, they need to add same mac static mac-address in the associated VLAN too. For example, if mac-address A is user configured on port 1/0/1 in VLAN 101, where VLAN 101 is a secondary VLAN and VLAN 100 is a primary VLAN, then the user has to configure

  mac-address static A vlan 101 interface G1/0/1
  mac-address static A vlan 100 interface G1/0/1

• In this switch, the user does not need to replicate the mac address to the associated VLAN. For the above example, user has to configure only

  mac-address static A vlan 101 interface G1/0/1 

Private VLANs are bidirectional in case of this switch, as compared to “Unidirectional” in other platforms.

After layer-2 forward lookup, proper egress VLAN mapping happens and all the egress VLAN based feature processing happens in the egress VLAN context.

When a frame in Layer-2 is forwarded within a private VLAN, the VLAN map is applied at the ingress side and at the egress side. When a frame is routed from inside a private VLAN to an external port, the private-VLAN map is applied at the ingress side. Similarly, when the frame is routed from an external port to a Private VLAN, the private-VLAN is applied at the egress side. This is applicable to both bridged and routed traffic.

Bridging:

• For upstream traffic from secondary VLAN to primary VLAN, the MAP of the secondary VLAN is applied on the ingress side and the MAP of the primary VLAN is applied on the egress side.

• For downstream traffic from primary VLAN to secondary VLAN, the MAP of the primary VLAN is applied in the ingress direction and the MAP of the secondary VLAN is applied in the egress direction.

Routing

If we have two private VLAN domains - PV1 (sec1, prim1) and PV2 (sec2, prim2). For frames routed from PV1 to PV2:

• The MAP of sec1 and L3 ACL of prim1 is applied in the ingress port.

• The MAP of sec2 and L3 ACL of prim2 is applied in the egress port.

For packets going upstream or downstream from isolated host port to promiscuous port, the isolated VLAN’s VACL is applied in the ingress direction and primary VLAN’s VACL is applied in the egress direction. This allows user to configure different VACL for different secondary VLAN in a same primary VLAN domain.

Note	2-way community VLAN is now not required as the private VLANS on this switch are always bi-directional.

PVLAN will work seamlessly with High Availability (HA) feature. The Private VLAN existing on the master before switchover should be the same after switchover (new master should have similar PVLAN configuration both on IOS side and FED side as that of the old master).

No private VLANs are configured.

To configure a private VLAN, perform these steps:

Note	Private vlans are supported in transparent mode for VTP 1, 2 and 3. Private VLANS are also supported on server mode with VTP 3.

1.    Set VTP mode to transparent.

2.    Create the primary and secondary VLANs and associate them.

3.    Configure interfaces to be isolated or community host ports, and assign VLAN membership to the host port.

4.    Configure interfaces as promiscuous ports, and map the promiscuous ports to the primary-secondary VLAN pair.

5.    If inter-VLAN routing will be used, configure the primary SVI, and map secondary VLANs to the primary.

6.    Verify private-VLAN configuration.

1.    enable


2.    configure terminal


3.    vtp mode transparent


4.    vlan vlan-id


5.    private-vlan primary


6.    exit


7.    vlan vlan-id


8.    private-vlan isolated


9.    exit


10.    vlan vlan-id


11.    private-vlan community


12.    exit


13.    vlan vlan-id


14.    private-vlan community


15.    exit


16.    vlan vlan-id


17.    private-vlan association [add | remove] secondary_vlan_list


18.    end


19.    show vlan private-vlan [type] or show interfaces status

20.    copy running-config startup config

Switch> enable

Switch# configure terminal

Switch(config)# vtp mode transport

Switch(config)# vlan 20

Switch(config-vlan)# private-vlan primary

Switch(config-vlan)# exit

Switch(config)# vlan 501

Switch(config-vlan)# private-vlan isolated

Switch(config-vlan)# exit

Switch(config)# vlan 502

Switch(config-vlan)# private-vlan community

Switch(config-vlan)# exit

Switch(config)# vlan 503

Switch(config-vlan)# private-vlan community

Switch(config-vlan)# exit

Switch(config)# vlan 20

Switch(config-vlan)# private-vlan association 501-503

Switch(config)# end

Switch# show vlan private-vlan

Switch# copy running-config startup-config

Follow these steps to configure a Layer 2 interface as a private-VLAN host port and to associate it with primary and secondary VLANs:

Note	Isolated and community VLANs are both secondary VLANs.

1.    enable


2.    configure terminal


3.    interface interface-id


4.    switchport mode private-vlan host


5.    switchport private-vlan host-association primary_vlan_id secondary_vlan_id


6.    end


7.    show interfaces [interface-id] switchport


8.    copy running-config startup-config

Switch> enable

Switch# configure terminal

Switch(config)# interface gigabitethernet1/0/22

Switch(config-if)# switchport mode private-vlan host

Switch(config-if)# switchport private-vlan host-association 20 501

Switch(config)# end

Switch# show interfaces gigabitethernet1/0/22 switchport

Switch# copy running-config startup-config 

Follow these steps to configure a Layer 2 interface as a private VLAN promiscuous port and map it to primary and secondary VLANs:

Note	Isolated and community VLANs are both secondary VLANs.

1.    enable


2.    configure terminal


3.    interface interface-id


4.    switchport mode private-vlan promiscuous


5.    switchport private-vlan mapping primary_vlan_id {add | remove} secondary_vlan_list


6.    end


7.    show interfaces [interface-id] switchport


8.    copy running-config startup config

Switch> enable

Switch# configure terminal

Switch(config)# interface gigabitethernet1/0/2

Switch(config-if)# switchport mode private-vlan promiscuous

Switch(config-if)# switchport private-vlan mapping 20 add 501-503

Switch(config)# end

Switch# show interfaces gigabitethernet1/0/2 switchport

Switch# copy running-config startup-config

If the private VLAN will be used for inter-VLAN routing, you configure an SVI for the primary VLAN and map secondary VLANs to the SVI.

Note	Isolated and community VLANs are both secondary VLANs.

Follow these steps to map secondary VLANs to the SVI of a primary VLAN to allow Layer 3 switching of private VLAN traffic:

1.    enable


2.    configure terminal


3.    interface vlan primary_vlan_id


4.    private-vlan mapping [add | remove] secondary_vlan_list


5.    end


6.    show interface private-vlan mapping


7.    copy running-config startup config

Switch> enable

Switch# configure terminal

Switch(config)# interface vlan 20

Switch(config-if)# private-vlan mapping 501-503

Switch(config)# end

Switch# show interfaces private-vlan mapping

Switch# copy running-config startup-config