vlan 101
 private-vlan community
vlan 102
 private-vlan isolated

>>associate pvlans with Primary pvlan
vlan 100
 private-vlan primary
 private-vlan association 101,102

>>Configure the phy interfaces to the HOSTS
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101     <<<primary, secondary

>>Configure the SVI on the PRIMARY VLAN and associate to secondary
SVI appears to be a promiscuous port
SW1:
interface Vlan100
 ip address 10.1.1.100 255.255.255.0
 private-vlan mapping 101

SW2:
interface Vlan100
 ip address 10.2.2.40 255.255.255.0
 private-vlan mapping 102

>>>Config a PHY int as a promiscuous port
SW1(config-if)#switchport mode private-vlan promiscuous
SW1(config-if)#switchport private-vlan mapping 100 101     <<<primary, secondary

>>Interfaces configs
SW1(config-if-range)#switchport mode private-vlan ?
  host         Set the mode to private-vlan host
  promiscuous  Set the mode to private-vlan promiscuous

SW1(config-if-range)#switchport private-vlan host-association ?
  <1006-4094>  Primary extended range VLAN ID of the private VLAN host port association
  <2-1001>     Primary normal range VLAN ID of the private VLAN port association

>>Can't reconfigure a private vlan once associated
SW1(config-vlan)#vlan 101
SW1(config-vlan)#private-vlan isolated
%Command rejected: invalid private vlan type assignment. Isolated VLAN 102 is already associated with primary VLAN 100.
>>>bouncing (remove the association, change the secondary type, re-associate)
SW1(config-vlan)#vlan 100
SW1(config-vlan)#no private-vlan association 101
SW1(config-vlan)#
SW1(config-vlan)#
SW1(config-vlan)#vlan 101
SW1(config-vlan)#private-vlan isolated
*Mar 2 00:29:29.049: %PV-6-PV_MSG: Purged a private vlan mapping, Primary 100, Secondary 101
*Mar 2 00:29:29.082: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to down
*Mar 2 00:29:30.038: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/14, changed state to down
*Mar 2 00:29:30.038: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to down
*Mar 2 00:29:30.047: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/22, changed state to down
SW1(config-vlan)#
SW1(config-vlan)#
SW1(config-vlan)#vlan 100
SW1(config-vlan)#private-vlan association 101
SW1(config-vlan)#^Z
SW1#
*Mar 2 00:29:45.155: %PV-6-PV_MSG: Created a private vlan mapping, Primary 100, Secondary 101
*Mar 2 00:29:45.180: %SYS-5-CONFIG_I: Configured from console by console (CIERS WB-LAB01, SJ)
*Mar 2 00:29:45.247: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to up
*Mar 2 00:29:46.304: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/14, changed state to up
*Mar 2 00:29:46.304: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/20, changed state to up
*Mar 2 00:29:46.304: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/22, changed state to up

>>>private vlan ports only forward the PRIMARY vlan via STP
SW1#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       isolated          Gi0/1, Gi0/14, Gi0/20, Gi0/22
        102       isolated

SW1#show spanning-tree int g0/1
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0100            Desg FWD 19        128.1    P2p

SW1#show spanning-tree int g0/14
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0100            Desg FWD 19        128.14   P2p
SW1#

However.... If you want to extend a private vlan over a trunk port YOU MUST also allow the secondary vlan on the trunk.

You can extend private VLANs across multiple devices by trunking the primary, isolated, and community VLANs to other devices that support private VLANs. To maintain the security of your private-VLAN configuration and to avoid other use of the VLANs configured as private VLANs, configure private VLANs on all intermediate devices, including devices that have no private-VLAN ports.

>>>You CAN remove a secondary vlan that is associated with a PRIMARY vlan without error
SW2#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       community                                    <<<<associated
100     102       isolated          Fa0/13, Fa0/20, Fa0/22
SW2#
SW2#
SW2#
SW2#config term
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#no vl
SW2(config)#no vlan 101
SW2(config)#^Z
SW2#
*Mar 2 00:43:32.959: %SYS-5-CONFIG_I: Configured from console by console (CIERS WB-LAB01, SJ)
SW2#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     102       isolated          Fa0/13, Fa0/20, Fa0/22
It took!

>>>Only one ISOLATED vlan per primary vlan!
>first an existing mapping where we try and change the secondary vlan type
SW1(config-vlan)#private-vlan isolated
%Command rejected: invalid private vlan type assignment. Isolated VLAN 101 is already associated with primary VLAN 100.

>second a fresh mapping
vlan 100
 private-vlan primary
end
SW1(config-vlan)#private-vlan association 101,102
SW1(config-vlan)#
*Mar 2 01:08:05.613: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to up
SW1(config-vlan)#
This looks like it took, but not so fast....
*Mar 2 01:08:11.955: %PV-6-PV_MSG: Created a private vlan mapping, Primary 100, Secondary 101
vlan 100
 private-vlan primary
 private-vlan association 101
end
we see 102 was left in the dust!
vlan 101
 private-vlan isolated
end
SW1#sh run vlan 102
Building configuration...
Current configuration:
!
vlan 102
 private-vlan isolated
This could be made for some good tshooting!
!
interface GigabitEthernet0/1
 switchport private-vlan mapping 100 101-102     <<<<<102 is configured on this port
 switchport mode private-vlan promiscuous
 spanning-tree portfast
end
SW1#
SW1#
SW1#
SW1#show pri
SW1#show vl
SW1#show vlan pri
SW1#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       isolated          Gi0/1, Gi0/14, Gi0/20, Gi0/22
        102       isolated                                     <<<nothing shows here
SW1#sh run vlan 100
Building configuration...
Current configuration:
!
vlan 100
 private-vlan primary
 private-vlan association 101
end
SW1#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       isolated          Gi0/1, Gi0/14, Gi0/20, Gi0/22
100     102       community         Gi0/1                      <<<this is healthy

Doc CD verbiage:
A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it. An isolated or community VLAN can have only one primary VLAN associated with it.
Although a private VLAN contains more than one VLAN, only one Spanning Tree Protocol (STP) instance runs for the entire private VLAN. When a secondary VLAN is associated with the primary VLAN, the STP parameters of the primary VLAN are propagated to the secondary VLAN.

However: In my topology I have achieved two isolated vlans, but across two switches R1 > SW1 > SW2
SW1 has 102 configured as a community vlan because 101 is an isolated vlan
SW2 only has 102, and it is configured as an isolated vlan
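The notes above turn up three ways a private-VLAN build silently ends up wrong: a secondary that the "association" command dropped (102 "left in the dust"), a promiscuous port whose mapping references that unassociated secondary, and a trunk that carries the primary but not its secondaries. The audit script below is an added example, not part of the original notes and not a Cisco tool; it parses the `show vlan private-vlan` table layout and the `switchport` lines exactly as they appear above and reports those inconsistencies, plus the "one isolated VLAN per primary" and "one primary per secondary" rules from the documentation quote. The sample inputs are constructed to mirror the SW1 outputs in the notes; the trunk GigabitEthernet0/24 and its allowed-VLAN list are assumed (they are not on the page), and the parser only understands the plain `switchport trunk allowed vlan <list>` form, not the `add`/`remove`/`except` variants.

```python
import re
from collections import defaultdict

# Constructed sample: SW1's table after `private-vlan association 101,102`
# quietly kept only 101 (102 shows up with an empty Primary column).
SHOW_PVLAN = """\
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       isolated          Gi0/1, Gi0/14, Gi0/20, Gi0/22
        102       isolated
"""

# Constructed sample: the promiscuous port from the notes, one host port, and
# an assumed trunk toward SW2 that only allows the primary VLAN.
RUN_CONFIG = """\
interface GigabitEthernet0/1
 switchport private-vlan mapping 100 101-102
 switchport mode private-vlan promiscuous
interface GigabitEthernet0/14
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 100
"""

def expand_vlan_list(text):
    """IOS range syntax: '100,101-103' -> {100, 101, 102, 103}."""
    vlans = set()
    for part in text.replace(' ', '').split(','):
        if part:
            lo, _, hi = part.partition('-')
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

# Primary column may be blank for a secondary that lost its association.
ROW = re.compile(r'^\s*(?:(\d+)\s+)?(\d+)\s+(\S+)\s*(.*)$')

def parse_show_pvlan(text):
    """Rows of `show vlan private-vlan` as (primary|None, secondary, type, ports)."""
    rows = []
    for line in text.splitlines():
        if not re.match(r'^\s*\d', line):
            continue  # skip the header and the dashed separator
        prim, sec, typ, ports = ROW.match(line).groups()
        ports = [p for p in re.split(r',\s*', ports.strip()) if p]
        rows.append((int(prim) if prim else None, int(sec), typ, ports))
    return rows

def parse_config(text):
    """Per interface: pvlan (primary, {secondaries}), trunk flag, allowed set."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('interface '):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {'pvlan': None, 'trunk': False, 'allowed': None}
        elif cur is None:
            continue
        elif line.startswith(('switchport private-vlan mapping ',
                              'switchport private-vlan host-association ')):
            _, prim, secs = line.rsplit(None, 2)
            ifaces[cur]['pvlan'] = (int(prim), expand_vlan_list(secs))
        elif line == 'switchport mode trunk':
            ifaces[cur]['trunk'] = True
        elif line.startswith('switchport trunk allowed vlan '):
            ifaces[cur]['allowed'] = expand_vlan_list(line.rsplit(None, 1)[1])
    return ifaces

def audit(show_text, config_text):
    """Return a list of findings; an empty list means the build is consistent."""
    findings = []
    assoc = defaultdict(dict)   # primary -> {secondary: type}
    owners = defaultdict(set)   # secondary -> {primaries}
    for prim, sec, typ, _ in parse_show_pvlan(show_text):
        if prim is None:
            findings.append(f'secondary VLAN {sec} ({typ}) is not associated with any primary')
        else:
            assoc[prim][sec] = typ
            owners[sec].add(prim)
    for prim, secs in assoc.items():  # doc rule: one isolated VLAN per primary
        isolated = sorted(s for s, t in secs.items() if t == 'isolated')
        if len(isolated) > 1:
            findings.append(f'primary {prim} has more than one isolated VLAN: {isolated}')
    for sec, prims in owners.items():  # doc rule: one primary per secondary
        if len(prims) > 1:
            findings.append(f'secondary {sec} is associated with several primaries: {sorted(prims)}')
    for name, cfg in parse_config(config_text).items():
        if cfg['pvlan']:  # port references a secondary the primary does not own
            prim, secs = cfg['pvlan']
            for sec in sorted(secs - set(assoc.get(prim, {}))):
                findings.append(f'{name} references secondary {sec}, which is not associated with primary {prim}')
        if cfg['trunk'] and cfg['allowed'] is not None:  # trunk must carry secondaries too
            for prim in sorted(set(assoc) & cfg['allowed']):
                missing = sorted(set(assoc[prim]) - cfg['allowed'])
                if missing:
                    findings.append(f'trunk {name} carries primary {prim} but not its secondaries {missing}')
    return findings

if __name__ == '__main__':
    for finding in audit(SHOW_PVLAN, RUN_CONFIG):
        print('FINDING:', finding)
```

Run against the constructed inputs it reports the orphaned VLAN 102, the Gi0/1 mapping that references it, and the trunk that drops 101; fed the "healthy" table from the end of the notes (100/101 isolated and 100/102 community, both on Gi0/1) it reports nothing. Pasting real `show vlan private-vlan` and `show running-config` output into the two strings is the intended use.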