Configuring an isolated or community PVLAN

Use the pvlan type command to configure a PVLAN as an isolated or community PVLAN. Note the following configuration considerations for isolated and community PVLANs.

Isolated VLANs

  • Every isolated VLAN should be in a unique primary VLAN domain.
  • A port being added to the isolated VLAN can be a tagged port, an untagged port, or a dual-mode port.
  • An isolated port (member of an isolated VLAN) communicates with the promiscuous port, if a promiscuous port is configured. If a switch-switch port is configured, the isolated port communicates with the switch-switch port also.
  • An isolated VLAN must be associated with the primary VLAN for traffic to be isolated between isolated VLAN ports and to be switched across primary VLAN ports.
  • An isolated VLAN is associated with only one primary VLAN in the entire switched network.
  • A primary VLAN can be associated with only one isolated VLAN. An isolated VLAN can only be mapped to a promiscuous port and a switch-switch link port that belong to the same primary VLAN.

To configure an isolated PVLAN, enter commands such as the following.

device(config)# vlan 901
device(config-vlan-901)# untagged ethernet 1/3/5 to 1/3/6
device(config-vlan-901)# pvlan type isolated

Community VLANs

  • Every community VLAN should be in a unique primary VLAN domain.
  • A port being added to the community VLAN can be a tagged port, an untagged port, or a dual-mode port.
  • A community VLAN is associated with only one primary VLAN, and with that same primary VLAN in the entire switched network.
  • A primary VLAN can be associated with multiple community VLANs.
  • A community VLAN must be associated with the primary VLAN for traffic from the community port to be switched across primary VLAN ports.

To configure a community PVLAN, enter commands such as the following.

device(config)# vlan 901
device(config-vlan-901)# untagged ethernet 1/3/5 to 1/3/6
device(config-vlan-901)# pvlan type community

These commands create port-based VLAN 901, add ports 1/3/5 and 1/3/6 to the VLAN as untagged ports, then specify that the VLAN is a community PVLAN.

Syntax: untagged ethernet unit/slotnum/portnum [to unit/slotnum/portnum | ethernet unit/slotnum/portnum]

or

Syntax: tagged ethernet unit/slotnum/portnum [to unit/slotnum/portnum | ethernet unit/slotnum/portnum]

Syntax: [no] pvlan type community | isolated | primary

The untagged ethernet or tagged ethernet command adds the ports to the VLAN.

The pvlan type command specifies that this port-based VLAN is a PVLAN and can be of the following types:

  • community - Broadcasts and unknown unicasts received on community ports are sent to the primary port and also are flooded to the other ports in the community VLAN.
  • isolated - Broadcasts and unknown unicasts received on isolated ports are sent only to the primary port. They are not flooded to other ports in the isolated VLAN.
  • primary - The primary PVLAN ports are "promiscuous". They can communicate with all the isolated PVLAN ports and community PVLAN ports in the isolated and community VLANs that are mapped to the promiscuous port.

Changing from one PVLAN type to another (for example, from primary to community or vice versa) is allowed, but the mapping will be removed.
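
The association rules and flooding behavior described above can be checked against a planned design before it is configured. The following Python model is an added example, not vendor code: the function names, data layout, primary VLAN 7 and the extra ports are constructed for illustration, and it assumes every associated secondary VLAN is mapped to every promiscuous port of its primary VLAN.

```python
# Added illustration: a small model of the PVLAN rules listed on this page.
# Data layout and function names are hypothetical, not vendor software.
from collections import defaultdict

SECONDARY = ("isolated", "community")

def validate(vlans, assoc):
    """vlans: {vlan_id: type}; assoc: [(secondary_id, primary_id)]. Returns violations."""
    errors, primaries, isolated = [], defaultdict(set), defaultdict(set)
    for sec, pri in assoc:
        if vlans.get(pri) != "primary":
            errors.append(f"VLAN {pri} is not a primary PVLAN")
        if vlans.get(sec) not in SECONDARY:
            errors.append(f"VLAN {sec} is not an isolated or community PVLAN")
        primaries[sec].add(pri)
        if vlans.get(sec) == "isolated":
            isolated[pri].add(sec)
    for sec, pris in sorted(primaries.items()):
        if len(pris) > 1:
            errors.append(f"VLAN {sec} is associated with more than one primary VLAN")
    for pri, isos in sorted(isolated.items()):
        if len(isos) > 1:
            errors.append(f"primary VLAN {pri} has more than one isolated VLAN")
    for vid, kind in sorted(vlans.items()):
        if kind in SECONDARY and vid not in primaries:
            errors.append(f"VLAN {vid} ({kind}) is not associated with a primary VLAN")
    return errors

def flood_targets(src, ports, vlans, assoc):
    """Ports that receive a broadcast or unknown unicast sent from port src.
    ports: {port: vlan_id}. Models only the behavior stated on this page."""
    primary_of = dict(assoc)
    vid, kind = ports[src], vlans[ports[src]]
    if kind == "primary":
        # Promiscuous port: reaches ports in the isolated/community VLANs mapped to it.
        return {p for p, v in ports.items() if primary_of.get(v) == vid}
    out = {p for p, v in ports.items() if v == primary_of.get(vid)}  # primary ports
    if kind == "community":
        out |= {p for p, v in ports.items() if v == vid and p != src}  # same community
    return out  # isolated: primary ports only

# Constructed sample topology (VLAN 7 and ports other than 1/3/5-1/3/6 are made up).
VLANS = {7: "primary", 901: "isolated", 902: "community", 903: "community"}
ASSOC = [(901, 7), (902, 7), (903, 7)]
PORTS = {"1/3/2": 7, "1/3/5": 901, "1/3/6": 901, "1/3/9": 902, "1/3/10": 902, "1/3/11": 903}

if __name__ == "__main__":
    print(validate(VLANS, ASSOC))
    for port in ("1/3/5", "1/3/9", "1/3/2"):
        print(port, "->", sorted(flood_targets(port, PORTS, VLANS, ASSOC)))
```

In the sample topology, a broadcast from isolated port 1/3/5 reaches only the promiscuous port 1/3/2 and never its isolated neighbor 1/3/6, which is the isolation property to confirm when reviewing a design.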