Setting Up Private VLANs
#Change VTP mode to Transparent
SW1#conf terminal
SW1(config)#vtp mode transparent
#Create Primary VLAN
SW1(config)#vlan 200
SW1(config-vlan)#private-vlan ?
association Configure association between private VLANs
community Configure the VLAN as a community private VLAN
isolated Configure the VLAN as an isolated private VLAN
primary Configure the VLAN as a primary private VLAN
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#exit
#Create Community VLAN
SW1(config)#vlan 205
SW1(config-vlan)#private-vlan community
SW1(config-vlan)#exit
#Create Isolated VLAN
SW1(config)#vlan 210
SW1(config-vlan)#private-vlan isolated
SW1(config-vlan)#exit
#Associate sub vlans to primary vlan
SW1(config)#vlan 200
SW1(config-vlan)#private-vlan association 205,210
SW1(config-vlan)#end
#Check created Vlans
SW1#show vlan private-vlan type
Vlan Type
---- -----------------
200 primary
205 community
210 isolated
#Port Configuration and associate Ports to Vlan
#Community Port Configuration
SW1#conf terminal
SW1(config)#interface Fa4/24
SW1(config-if)#switchport mode private-vlan ?
host Set the mode to private-vlan host
promiscuous Set the mode to private-vlan promiscuous
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan ?
association Set the private VLAN association
host-association Set the private VLAN host association
mapping Set the private VLAN promiscuous mapping
SW1(config-if)#switchport private-vlan host-association ?
<1006-4094> Primary extended range VLAN ID of the private VLAN host port
association
<2-1001> Primary normal range VLAN ID of the private VLAN port
association
SW1(config-if)#switchport private-vlan host-association 200 ?
<1006-4094> Secondary extended range VLAN ID of the private VLAN host port
association
<2-1001> Secondary normal range VLAN ID of the private VLAN host port
association
SW1(config-if)#switchport private-vlan host-association 200 205
SW1(config-if)#interface Fa4/25
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 200 205
#Isolated Port Configuration
SW1(config)#interface Fa4/26
SW1(config-if)#switchport mode private-vlan host
SW1(config-if)#switchport private-vlan host-association 200 210
#Promiscuous Port Configuration
SW1(config-if)#interface Fa4/27
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan ?
association Set the private VLAN association
host-association Set the private VLAN host association
mapping Set the private VLAN promiscuous mapping
SW1(config-if)#switchport private-vlan mapping ?
<1006-4094> Primary extended range VLAN ID of the private VLAN promiscuous
port mapping
<2-1001> Primary normal range VLAN ID of the private VLAN promiscuous
port mapping
SW1(config-if)#switchport private-vlan mapping 200 ?
WORD Secondary VLAN IDs of the private VLAN promiscuous port mapping
add Add a VLAN to private VLAN list
remove Remove a VLAN from private VLAN list
SW1(config-if)#switchport private-vlan mapping 200 205,210
#Check Configuration
SW1#show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
200 205 community Fa4/24, Fa4/25, Fa4/27
200 210 isolated Fa4/26, Fa4/27
SW1#show running-config
!
vtp mode transparent
!
vlan 200
private-vlan primary
private-vlan association 205,210
!
vlan 205
private-vlan community
!
vlan 210
private-vlan isolated
!
interface FastEthernet4/24
switchport private-vlan host-association 200 205
switchport mode private-vlan host
!
interface FastEthernet4/25
switchport private-vlan host-association 200 205
switchport mode private-vlan host
!
interface FastEthernet4/26
switchport private-vlan host-association 200 210
switchport mode private-vlan host
!
interface FastEthernet4/27
switchport private-vlan mapping 200 205,210
switchport mode private-vlan promiscuous
!
