Private VLANs are used to isolate ports or groups of ports within the same primary VLAN/subnet. Shared resources like routers or servers are configured on promiscuous ports which can be reached by any member of a community or isolated private VLAN.
This is the configuration for SW1 where VLAN 100 is the primary VLAN, 101 is an isolated VLAN which can only communicate with promiscuous ports and 102 is a community VLAN that where hosts in the same secondary VLAN can communicate with each other and promiscuous ports.
vlan 100
private-vlan primary
private-vlan association 101-102
!
vlan 101
private-vlan isolated
!
vlan 102
private-vlan communityInterface E0/0 configuration. This is attached to the router.
interface Ethernet0/0
description ROUTER
switchport private-vlan mapping 100 101-102
switchport mode private-vlan promiscuous
Interfaces E1/0 and E1/1 belong to community VLAN 102
interface Ethernet1/0
switchport private-vlan host-association 100 102
switchport mode private-vlan host
!
interface Ethernet1/1
switchport private-vlan host-association 100 102
switchport mode private-vlan host
Interface E1/2 belongs to isolated VLAN 101
interface Ethernet1/2
description ISOLATED
switchport private-vlan host-association 100 101
switchport mode private-vlan host
With this configuration, VPC3 and VPC4 can ping each other along with the router. They cannot ping VPC5.
VPC5 can ping the router only.
