Monday, January 7, 2013

Configuring Isolated Private VLANs on Catalyst Switches


Network Diagram

This document uses this network setup:
[Network diagram (image 194-a.gif): hosts in isolated VLAN 101, primary VLAN 100, promiscuous port Gig 3/26 on the Catalyst 4006]
In this scenario, the devices in the isolated VLAN ("101") are prevented from communicating with one another at Layer 2, but they can still reach the Internet. In addition, port "Gig 3/26" on the 4006 is designated promiscuous. This optional configuration allows a device on GigabitEthernet 3/26 to connect to every device in the isolated VLAN; for example, it allows the data from all the PVLAN host devices to be backed up to an administration workstation. Other uses for promiscuous ports include connections to an external router, a LocalDirector, a network management device, and similar shared devices.

Configure the Primary and Isolated VLANs

Perform these steps to create the primary and secondary VLANs, as well as to bind the various ports to these VLANs. The steps include examples for both CatOS and Cisco IOS Software. Issue the appropriate command set for your OS installation.
  1. Create the primary PVLAN.
    • CatOS
      Switch_CatOS> (enable) set vlan primary_vlan_id pvlan-type primary name primary_vlan

      VTP advertisements transmitting temporarily stopped,
      and will resume after the command finishes.
      Vlan 100 configuration successful
    • Cisco IOS Software
      Switch_IOS(config)#vlan primary_vlan_id
      Switch_IOS(config-vlan)#private-vlan primary
      Switch_IOS(config-vlan)#name primary-vlan
      Switch_IOS(config-vlan)#exit

  2. Create the isolated VLAN or VLANs.
    • CatOS
      Switch_CatOS> (enable) set vlan secondary_vlan_id pvlan-type isolated name isolated_pvlan

      VTP advertisements transmitting temporarily stopped,
      and will resume after the command finishes.
      Vlan 101 configuration successful
    • Cisco IOS Software
      Switch_IOS(config)#vlan secondary_vlan_id
      Switch_IOS(config-vlan)#private-vlan isolated
      Switch_IOS(config-vlan)#name isolated_pvlan
      Switch_IOS(config-vlan)#exit
  3. Bind the isolated VLAN/VLANs to the primary VLAN.
    • CatOS
      Switch_CatOS> (enable) set pvlan primary_vlan_id secondary_vlan_id

      Vlan 101 configuration successful
      Successfully set association between 100 and 101.
    • Cisco IOS Software
      Switch_IOS(config)#vlan primary_vlan_id
      Switch_IOS(config-vlan)#private-vlan association secondary_vlan_id
      Switch_IOS(config-vlan)#exit

  4. Verify the private VLAN configuration.
    • CatOS
      Switch_CatOS> (enable) show pvlan
      Primary Secondary Secondary-Type   Ports
      ------- --------- ---------------- ------------
      100     101       isolated     
    • Cisco IOS Software
      Switch_IOS#show vlan private-vlan
      Primary  Secondary  Type              Ports
      ------- --------- ----------------- -------
      100     101       isolated   

Assign Ports to the PVLANs

Tip: Before you implement this procedure, issue the show pvlan capability mod/port command (for CatOS) to determine if a port can become a PVLAN port.
Note: Before you perform Step 1 of this procedure on Cisco IOS Software, issue the switchport command in interface configuration mode to configure the port as a Layer 2 switched interface.
  1. Configure the host ports on all the appropriate switches.
    • CatOS
      Switch_CatOS> (enable) set pvlan primary_vlan_id secondary_vlan_id mod/port

      Successfully set the following ports to Private Vlan 100,101: 2/20
    • Cisco IOS Software
      Switch_IOS(config)#interface gigabitEthernet mod/port
      Switch_IOS(config-if)#switchport private-vlan host-association primary_vlan_id secondary_vlan_id
      Switch_IOS(config-if)#switchport mode private-vlan host
      Switch_IOS(config-if)#exit
      
  2. Configure the promiscuous port on one of the switches.
    • CatOS
      Switch_CatOS> (enable) set pvlan mapping primary_vlan_id secondary_vlan_id mod/port

      Successfully set mapping between 100 and 101 on 3/26
      Note: On a Catalyst 6500/6000 whose Supervisor Engine runs CatOS as the system software, the MSFC port on the Supervisor Engine (15/1 or 16/1) should also be promiscuous if you want to route (Layer 3 switch) between the VLANs.
    • Cisco IOS Software
      Switch_IOS(config)#interface interface_type mod/port
      Switch_IOS(config-if)#switchport private-vlan mapping primary_vlan_id secondary_vlan_id
      Switch_IOS(config-if)#switchport mode private-vlan promiscuous
      Switch_IOS(config-if)#end
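The two procedures above, carried through for the scenario in the network diagram as a single Cisco IOS Software configuration. This is an added worked example, not configuration from the original page or from Cisco; it uses the VLAN IDs the page shows (100 primary, 101 isolated) and assumes interface names GigabitEthernet2/20 for a host port and GigabitEthernet3/26 for the promiscuous port.

```cisco
! Added example (not from the original page). VLAN IDs follow the page;
! interface names GigabitEthernet2/20 and 3/26 are assumptions.
!
! Step 1: primary VLAN
vlan 100
 private-vlan primary
 name primary-vlan
!
! Step 2: isolated VLAN
vlan 101
 private-vlan isolated
 name isolated_pvlan
!
! Step 3: bind the isolated VLAN to the primary VLAN
vlan 100
 private-vlan association 101
!
! Host port: a device here can reach the promiscuous port, but never
! another host in VLAN 101 at Layer 2. The bare "switchport" line is the
! prerequisite from the note (makes the port a Layer 2 switched interface).
interface GigabitEthernet2/20
 switchport
 switchport private-vlan host-association 100 101
 switchport mode private-vlan host
!
! Promiscuous port: the administration workstation or router that is
! allowed to reach every host in the isolated VLAN.
interface GigabitEthernet3/26
 switchport
 switchport private-vlan mapping 100 101
 switchport mode private-vlan promiscuous
!
end
!
! Verification: the association and the ports must both be listed.
! show vlan private-vlan
! show interfaces GigabitEthernet2/20 switchport
```

If a host port shows "Operational Mode: static access" rather than "private-vlan host" in the switchport output, the port is in the primary VLAN without isolation and the hosts can still reach each other at Layer 2.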
      
