Private VLANs (PVLANs) divide a single VLAN into multiple sub-VLANs, so that hosts sharing one IP subnet can still be isolated from each other at layer 2. It is an old technology; where ports can be authenticated, 802.1X with dynamically assigned VLANs or ACLs is usually considered the better alternative, although 802.1X on its own authenticates ports and does not isolate hosts inside the same VLAN. A private VLAN consists of one Primary VLAN, which is the original VLAN, and one or more Secondary VLANs, each of either isolated or community type; a primary VLAN may have many community VLANs but only one isolated VLAN. A switch port is therefore assigned to one of these three roles. A port that is a member of the Primary VLAN is called a promiscuous port. A member of the isolated VLAN can communicate only with promiscuous ports, not even with other members of the same isolated VLAN. Members of a community VLAN can communicate with each other and with promiscuous ports, but not with any other secondary VLAN. Therefore any device that has to be reachable from both isolated and community sub-VLANs, typically the default gateway, firewall or DHCP server, must be connected to a promiscuous port in the Primary VLAN.
VTP versions 1 and 2 do not propagate private VLANs, so with those versions the VTP mode must be set to transparent and the PVLANs configured manually on every switch that carries them. VTP version 3 propagates private VLANs and supports all VTP modes.
! Create the secondary VLAN(s) first and mark each as isolated or community
config# vlan <sec-vlan-number>
config-vlan# private-vlan isolated | community
config-vlan# exit
! Create the primary VLAN and associate the secondary VLAN(s) with it
config# vlan <prim-vlan-number>
config-vlan# private-vlan primary
config-vlan# private-vlan association <sec-vlan-number>
config-vlan# exit
! Optional: let the primary VLAN's SVI answer hosts in the secondary VLAN(s)
config# interface vlan <prim-vlan-number>
config-if# private-vlan mapping <sec-vlan-number>
config-if# exit
! Host port: member of one secondary VLAN
config# interface <if-number>
config-if# switchport mode private-vlan host
config-if# switchport private-vlan host-association <prim-vlan-number> <sec-vlan-number>
config-if# exit
! Promiscuous port: member of the primary VLAN, reachable from all mapped secondary VLANs
config# interface <if-number>
config-if# switchport mode private-vlan promiscuous
config-if# switchport private-vlan mapping <prim-vlan-number> <sec-vlan-number>
config-if# exit
! Verify the primary/secondary associations and port assignments
# show vlan private-vlan
Private VLAN Edge, also known as a protected port (switchport protected), is a simplified version of Private VLAN. The traffic segmentation policy is local to one switch and cannot span multiple switches: protected ports on different switches can still reach each other across a trunk. All unicast, multicast and broadcast traffic between protected ports on the same switch is blocked, while traffic between a protected port and an unprotected port is forwarded normally.
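The following Python model is an added example, not configuration or code from the original page. It encodes the forwarding rules described above for promiscuous, isolated and community ports and for protected ports (PVLAN Edge), computes which ports can reach which, and emits the IOS commands of the configuration procedure from a declarative port list. The VLAN numbers, interface names, switch name and helper names are constructed sample data and assumptions; a plain access port in a normal VLAN is modelled as a promiscuous port, since neither carries any sub-VLAN restriction.

```python
"""Forwarding rules of Cisco private VLANs and protected ports (PVLAN Edge),
plus a generator for the IOS commands shown on this page.

Added example, not from the original page. VLAN numbers, interface names,
the switch name and all helper names are constructed/assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PROMISCUOUS = "promiscuous"  # member of the primary VLAN only (also models a plain access port)
ISOLATED = "isolated"        # secondary VLAN: talks only to promiscuous ports
COMMUNITY = "community"      # secondary VLAN: talks to its own community and promiscuous ports


@dataclass(frozen=True)
class Port:
    name: str                        # interface name (sample data)
    primary: int                     # primary VLAN the port belongs to
    kind: str                        # PROMISCUOUS, ISOLATED or COMMUNITY
    secondary: Optional[int] = None  # secondary VLAN for host ports, None for promiscuous
    switch: str = "sw1"              # switch the port lives on
    protected: bool = False          # "switchport protected" (PVLAN Edge)


def pvlan_allows(src: Port, dst: Port) -> bool:
    """True if a frame from src may reach dst under PVLAN rules.
    PVLANs are carried across trunks (VTP v3 or transparent mode), so the
    switch name is irrelevant here; only VLAN membership decides."""
    if src.primary != dst.primary:
        return False                           # different primary VLANs never mix
    if PROMISCUOUS in (src.kind, dst.kind):
        return True                            # promiscuous ports reach every sub-VLAN
    if src.kind == COMMUNITY and dst.kind == COMMUNITY:
        return src.secondary == dst.secondary  # same community only
    return False                               # isolated hosts, or two different communities


def protected_allows(src: Port, dst: Port) -> bool:
    """PVLAN Edge rule: two protected ports on the same switch cannot talk.
    The policy does not span switches, so the same pair on different
    switches is not blocked by this feature."""
    return not (src.protected and dst.protected and src.switch == dst.switch)


def reachability(ports: List[Port]) -> Dict[str, List[str]]:
    """Map every port name to the names of the other ports it can reach."""
    return {p.name: [q.name for q in ports
                     if q is not p and pvlan_allows(p, q) and protected_allows(p, q)]
            for p in ports}


def ios_config(primary: int, secondaries: Dict[int, str], ports: List[Port]) -> List[str]:
    """Emit the IOS commands for one primary VLAN, its secondaries and ports.
    Rejects the structural limit practitioners hit most often: a primary
    VLAN may have many community VLANs but only one isolated VLAN."""
    if sum(1 for k in secondaries.values() if k == ISOLATED) > 1:
        raise ValueError("only one isolated VLAN is allowed per primary VLAN")
    sec_list = ",".join(str(v) for v in sorted(secondaries))
    cfg: List[str] = []
    for vid, kind in sorted(secondaries.items()):
        cfg += [f"vlan {vid}", f" private-vlan {kind}", "exit"]
    cfg += [f"vlan {primary}", " private-vlan primary",
            f" private-vlan association {sec_list}", "exit"]
    # SVI mapping so the primary VLAN's L3 interface answers all sub-VLANs
    cfg += [f"interface vlan {primary}", f" private-vlan mapping {sec_list}", "exit"]
    for p in ports:
        if p.primary != primary:
            continue
        cfg.append(f"interface {p.name}")
        if p.kind == PROMISCUOUS:
            cfg += [" switchport mode private-vlan promiscuous",
                    f" switchport private-vlan mapping {primary} {sec_list}"]
        else:
            cfg += [" switchport mode private-vlan host",
                    f" switchport private-vlan host-association {primary} {p.secondary}"]
        cfg.append("exit")
    return cfg


# Constructed sample topology: gateway on a promiscuous port, two web servers
# in community VLAN 101, two customer hosts in isolated VLAN 102.
SAMPLE_PORTS = [
    Port("GigabitEthernet1/0/1", 100, PROMISCUOUS),
    Port("GigabitEthernet1/0/2", 100, COMMUNITY, secondary=101),
    Port("GigabitEthernet1/0/3", 100, COMMUNITY, secondary=101),
    Port("GigabitEthernet1/0/4", 100, ISOLATED, secondary=102),
    Port("GigabitEthernet1/0/5", 100, ISOLATED, secondary=102),
]
SAMPLE_SECONDARIES = {101: COMMUNITY, 102: ISOLATED}

if __name__ == "__main__":
    for port, peers in reachability(SAMPLE_PORTS).items():
        print(f"{port:22} -> {peers}")
    print("\n".join(ios_config(100, SAMPLE_SECONDARIES, SAMPLE_PORTS)))
```

Running the block prints the reachability of the sample topology (the two isolated hosts reach only the gateway port, the community servers reach each other and the gateway) followed by the generated IOS commands. Asking `ios_config` for two isolated VLANs under one primary raises an error, which mirrors what the switch would reject.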