*REQUIRES VTP MODE to be set to TRANSPARENT!!!
This belongs to L2 SECURITY rather than L2 SWITCHING
1. Promiscuous - belongs to PRIMARY VLAN, can communicate with EVERYONE
(config)#vlan 10
(config-vlan)#private-vlan primary
(config-vlan)#private-vlan association add 20,30,40
(config-if)#switchport mode private-vlan promiscuous
(config-if)#switchport private-vlan mapping 10 add 20,30,40 <--- map the promiscuous port in Primary VLAN 10 to ALL its secondaries (Community 20,30 and Isolated 40); every VLAN listed here must also be associated with the primary
2. Isolated - can only communicate with Promiscuous
(config)#vlan 40
(config-vlan)#private-vlan isolated
(config-if)#switchport mode private-vlan host
(config-if)#switchport private-vlan host-association 10 40
3. Community - Can communicate within the SAME community or with Promiscuous
(config)#vlan 20
(config-vlan)#private-vlan community
(config-if)#switchport mode private-vlan host
(config-if)#switchport private-vlan host-association 10 20 <--- Associate Community VLAN 20 with Primary (Promiscuous) VLAN 10; repeat with 30 for the second community
DON'T FORGET TO ASSOCIATE the Secondary VLANs with the Primary, otherwise none of them can communicate with the Promiscuous port:
(config-vlan)#private-vlan association add 20,30,40
#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      20        community         Et0/2
10      30        community         Et0/0
10      40        isolated          Et0/0
Primary VLAN can have MANY COMMUNITIES but ONLY ONE ISOLATED VLAN!!!
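The rules above (every mapped or host-associated secondary must be associated with the primary, at most one isolated VLAN per primary) are exactly the things that get missed in a hurry and silently break either reachability or isolation. The following is an added example, not from the original post: a small Python audit that parses the private-vlan lines of an IOS-style running-config and reports those mistakes. The config text inside it is constructed (the syntax follows the commands shown above, with or without the "add" keyword); it deliberately maps a secondary VLAN (50) that was never associated, so the audit has something to flag.

```python
"""Audit a private-VLAN configuration for the classic mistakes.

Added example (not from the original post). Checks:
  - a secondary VLAN mapped on a promiscuous port but never associated
    with the primary (its hosts cannot reach the promiscuous port);
  - a host port associated with a secondary that is not associated;
  - more than one isolated VLAN associated with one primary;
  - an associated VLAN not declared community or isolated.
"""
import re
from dataclasses import dataclass, field

# Constructed running-config excerpt (assumption: IOS-style syntax).
# VLAN 50 is mapped on the promiscuous port but never associated.
SAMPLE_CONFIG = """\
vlan 10
 private-vlan primary
 private-vlan association 20,30,40
vlan 20
 private-vlan community
vlan 30
 private-vlan community
vlan 40
 private-vlan isolated
interface Ethernet0/0
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 30,40,50
interface Ethernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 10 20
"""


@dataclass
class PvlanConfig:
    vlan_type: dict = field(default_factory=dict)     # vlan -> primary|community|isolated
    associations: dict = field(default_factory=dict)  # primary -> set of secondaries
    mappings: list = field(default_factory=list)      # (iface, primary, set of secondaries)
    host_assocs: list = field(default_factory=list)   # (iface, primary, secondary)


def expand_vlan_list(text):
    """'20,30-32' -> {20, 30, 31, 32}."""
    out = set()
    for part in text.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            out.update(range(lo, hi + 1))
        elif part:
            out.add(int(part))
    return out


def parse_pvlan(config_text):
    """Collect the private-vlan statements from vlan and interface stanzas."""
    cfg = PvlanConfig()
    ctx_vlan = ctx_iface = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"vlan (\d+)$", line)
        if m:
            ctx_vlan, ctx_iface = int(m.group(1)), None
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            ctx_iface, ctx_vlan = m.group(1), None
            continue
        if ctx_vlan is not None:
            m = re.match(r"private-vlan (primary|community|isolated)$", line)
            if m:
                cfg.vlan_type[ctx_vlan] = m.group(1)
                continue
            m = re.match(r"private-vlan association (?:add )?([\d,\-]+)$", line)
            if m:
                cfg.associations.setdefault(ctx_vlan, set()).update(expand_vlan_list(m.group(1)))
        elif ctx_iface is not None:
            m = re.match(r"switchport private-vlan mapping (\d+) (?:add )?([\d,\-]+)$", line)
            if m:
                cfg.mappings.append((ctx_iface, int(m.group(1)), expand_vlan_list(m.group(2))))
                continue
            m = re.match(r"switchport private-vlan host-association (\d+) (\d+)$", line)
            if m:
                cfg.host_assocs.append((ctx_iface, int(m.group(1)), int(m.group(2))))
    return cfg


def audit_pvlan(cfg):
    """Return a list of human-readable findings; empty list means consistent."""
    findings = []
    for primary, secondaries in cfg.associations.items():
        if cfg.vlan_type.get(primary) != "primary":
            findings.append(f"vlan {primary} has associations but is not declared private-vlan primary")
        isolated = sorted(v for v in secondaries if cfg.vlan_type.get(v) == "isolated")
        if len(isolated) > 1:
            findings.append(f"primary {primary} has more than one isolated VLAN: {isolated}")
        for sec in sorted(secondaries):
            if cfg.vlan_type.get(sec) not in ("community", "isolated"):
                findings.append(f"vlan {sec} is associated with primary {primary} but not declared community or isolated")
    for iface, primary, secondaries in cfg.mappings:
        missing = sorted(secondaries - cfg.associations.get(primary, set()))
        if missing:
            findings.append(f"{iface}: mapping to {missing} but not associated with primary {primary}")
    for iface, primary, sec in cfg.host_assocs:
        if sec not in cfg.associations.get(primary, set()):
            findings.append(f"{iface}: host-association {primary} {sec} but {sec} is not associated with primary {primary}")
    return findings


if __name__ == "__main__":
    for finding in audit_pvlan(parse_pvlan(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run it against a "show running-config" capture; the first stanza it flags in the sample is the promiscuous port mapping VLAN 50, which the primary never associated, so hosts placed in 50 would be cut off from the gateway without any error at configuration time.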