private-vlan association

To configure the association between a primary VLAN and a secondary VLAN on a private VLAN, use the private-vlan association command. To remove the association, use the no form of this command.

private-vlan association {[ add ] secondary-vlan-list | remove secondary-vlan-list }

no private-vlan association

Syntax Description

(Optional) Associates a secondary VLAN to a primary VLAN.
Number of the secondary VLAN.
Clears the association between a secondary VLAN and a primary VLAN.

Command Default


Command Modes

VLAN configuration mode

Command History

This command was introduced.

Usage Guidelines

You must enable private VLANs by using the feature private-vlan command before you can configure private VLANs. The commands for configuring private VLANs are not visible until you enable private VLANs.

If you delete either the primary or secondary VLAN, the ports that are associated with the VLAN become inactive. When you enter the no private-vlan command, the VLAN returns to the normal VLAN mode. All primary and secondary associations on that VLAN are suspended, but the interfaces remain in private VLAN mode. However, when you reconvert the specified VLAN to private VLAN mode, the original associations are reinstated.

If you enter the no vlan command for the primary VLAN, all private VLAN associations with that VLAN are lost. However, if you enter the no vlan command for a secondary VLAN, the private VLAN associations with that VLAN are suspended and return when you recreate the specified VLAN and configure it as the previous secondary VLAN.

The secondary-vlan-list argument cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single secondary VLAN ID or a hyphenated range of secondary VLAN IDs. The secondary-vlan-list parameter can contain multiple secondary VLAN IDs.

A private VLAN is a set of private ports that are characterized by using a common set of VLAN number pairs. Each pair is made up of at least two special unidirectional VLANs and is used by isolated ports and/or by a community of ports to communicate with routers.

Multiple community and isolated VLANs are allowed. If you enter a range of primary VLANs, the system uses the first number in the range for the association.

Isolated and community VLANs can only be associated with one primary VLAN. You cannot configure a VLAN that is already associated to a primary VLAN as a primary VLAN.

Note A private VLAN-isolated port on a Cisco Nexus 5000 Series switch running the current release of Cisco NX-OS does not support IEEE 802.1Q encapsulation and cannot be used as a trunk port.


This example shows how to create a private VLAN relationship between the primary VLAN 14, the isolated VLAN 19, and the community VLANs 20 and 21:

switch(config)# vlan 19
switch(config-vlan)# private-vlan isolated
switch(config)# vlan 20
switch(config-vlan)# private-vlan community
switch(config)# vlan 21
switch(config-vlan)# private-vlan community
switch(config)# vlan 14
switch(config-vlan)# private-vlan primary
switch(config-vlan)# private-vlan association 19-21

This example shows how to remove isolated VLAN 18 and community VLAN 20 from the private VLAN association:

switch(config)# vlan 14
switch(config-vlan)# private-vlan association remove 18,20

Related Commands

feature private-vlan
Enables private VLANs.
show vlan
Displays information about VLANs.
show vlan private-vlan
Displays information about private VLANs.