14-13
Catalyst 3560 Switch Software Configuration Guide
OL-8553-06
Chapter 14 Configuring Private VLANs
Configuring Private VLANs
Switch(config)# interface fastethernet0/2
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 20 add 501-503
Switch(config-if)# end
Use the show vlan private-vlan or the show interface status privileged EXEC command to display
primary and secondary VLANs and private-VLAN ports on the switch.
Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface
If the private VLAN will be used for inter-VLAN routing, you configure an SVI for the primary VLAN
and map secondary VLANs to the SVI.
Note Isolated and community VLANs are both secondary VLANs.
Beginning in privileged EXEC mode, follow these steps to map secondary VLANs to the SVI of a
primary VLAN to allow Layer 3 switching of private-VLAN traffic:
Note The private-vlan mapping interface configuration command only affects private-VLAN traffic that is
switched through Layer 3.
When you map secondary VLANs to the Layer 3 VLAN interface of a primary VLAN, note this syntax
information:
The secondary_vlan_list parameter cannot contain spaces. It can contain multiple comma-separated
items. Each item can be a single private-VLAN ID or a hyphenated range of private-VLAN IDs.
Enter a secondary_vlan_list, or use the add keyword with a secondary_vlan_list to map the
secondary VLANs to the primary VLAN.
Use the remove keyword with a secondary_vlan_list to clear the mapping between secondary
VLANs and the primary VLAN.
This example shows how to map the interfaces of VLANs 501 and 502 to primary VLAN 10, which
permits routing of secondary VLAN ingress traffic from private VLANs 501 to 502:
Switch# configure terminal
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface vlan primary_vlan_id Enter interface configuration mode for the primary
VLAN, and configure the VLAN as an SVI. The VLAN
ID range is 2 to 1001 and 1006 to 4094.
Step 3 private-vlan mapping [add | remove]
secondary_vlan_list
Map the secondary VLANs to the Layer 3 VLAN
interface of a primary VLAN to allow Layer 3 switching
of private-VLAN ingress traffic.
Step 4 end Return to privileged EXEC mode.
Step 5 show interface private-vlan mapping Verify the configuration.
Step 6 copy running-config startup config (Optional) Save your entries in the switch startup
configuration file.