Introduction
A Private VLAN (PVLAN) is a layer-2 construct that extends the common VLAN. Within a Private VLAN domain there are three port designations: promiscuous, isolated, and community. Each designation carries its own set of rules governing which other endpoints in the Private VLAN a connected endpoint may communicate with: a promiscuous port (typically the gateway router or firewall) can exchange frames with every port, a community port can exchange frames with promiscuous ports and with other ports in the same community, and an isolated port can exchange frames only with promiscuous ports. Regardless of the combination of isolated, community, and promiscuous ports used, the Private VLAN remains one layer-2 domain and therefore needs only one IP subnet. The addressing model changes accordingly: instead of allocating an individual subnet to each customer, each customer receives a range of addresses from one or two larger common IP networks, which reduces address waste.
Configuration
S1-VDC#
feature private-vlan
vlan 75
  private-vlan isolated
vlan 130
  name RAVPN-OUTSIDE
  private-vlan primary
  private-vlan association 75
vrf context Tier1-mgmt
  ip route 172.16.1.8/29 172.16.1.2
interface Vlan60
  no shutdown
  vrf member Tier1-mgmt
  ip address 172.16.1.1/29
interface Vlan130
  no shutdown
  private-vlan mapping 75
  vrf member Tier1-mgmt
  ip address 10.54.30.1/28
interface Ethernet2/1
  switchport
  switchport mode private-vlan promiscuous
  switchport access vlan 130
  switchport private-vlan mapping 130 75
  no shutdown
interface Ethernet2/9
  switchport
  switchport mode private-vlan host
  switchport private-vlan host-association 130 75
  no shutdown
interface Ethernet2/10
  switchport
  switchport mode private-vlan host
  switchport private-vlan host-association 130 75
  no shutdown
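The port rules from the introduction, and the layer-3 caveat that goes with them, as an added example (Python written for this page, not code from the original page or from Cisco): it parses NX-OS style PVLAN stanzas like the ones above, computes which ports can exchange frames at layer 2, and flags host ports that are isolated at layer 2 yet can still reach each other by sending to the gateway MAC on the Vlan130 SVI, which simply routes the packet back into the same subnet. The community VLAN 76, ports Ethernet2/11 and Ethernet2/12, and the ACL name PVLAN-NO-HAIRPIN are assumptions added to exercise all three port types and the fix; the ACL check is a presence heuristic only (it does not parse the ACL body), and the parser keys on the host-association and mapping commands, so the sample omits the switchport mode lines shown in the real configuration.

```python
"""Private VLAN reachability model (added example, not code from the original page).
Parses NX-OS style vlan/interface stanzas, applies the PVLAN layer-2 rules, and
flags isolated host pairs that can still hairpin through the primary VLAN's SVI."""
import re
from itertools import combinations

# Constructed sample: the page's PVLAN (primary 130, isolated 75) plus a
# hypothetical community secondary VLAN 76 on Ethernet2/11 and Ethernet2/12.
SAMPLE_CONFIG = """\
vlan 75
  private-vlan isolated
vlan 76
  private-vlan community
vlan 130
  private-vlan primary
  private-vlan association 75,76
interface Vlan130
  private-vlan mapping 75,76
  ip address 10.54.30.1/28
interface Ethernet2/1
  switchport private-vlan mapping 130 75,76
interface Ethernet2/9
  switchport private-vlan host-association 130 75
interface Ethernet2/10
  switchport private-vlan host-association 130 75
interface Ethernet2/11
  switchport private-vlan host-association 130 76
interface Ethernet2/12
  switchport private-vlan host-association 130 76
"""

# Hypothetical hardening (ACL name is an assumption): drop traffic that enters
# the primary SVI from the PVLAN subnet and is destined back into that subnet.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "  ip address 10.54.30.1/28",
    "  ip access-group PVLAN-NO-HAIRPIN in\n  ip address 10.54.30.1/28",
) + """\
ip access-list PVLAN-NO-HAIRPIN
  deny ip 10.54.30.0/28 10.54.30.0/28
  permit ip any any
"""


def parse_config(text):
    """Return (vlan_types, ports, svis) from the stanzas this model cares about."""
    vlan_types, ports, svis, ctx = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"vlan (\d+)$", line):
            ctx = ("vlan", int(m.group(1)))
        elif m := re.match(r"interface [Vv]lan(\d+)$", line):
            ctx = ("svi", int(m.group(1)))
            svis[ctx[1]] = {"acl": None}
        elif m := re.match(r"interface (\S+)$", line):
            ctx = ("port", m.group(1))
            ports[ctx[1]] = {"mode": None, "primary": None, "secondaries": set()}
        elif re.match(r"(feature|vrf context|ip access-list|ip route) ", line):
            ctx = None  # another top-level stanza ends the current context
        elif ctx and ctx[0] == "vlan":
            if m := re.match(r"private-vlan (isolated|community|primary)$", line):
                vlan_types[ctx[1]] = m.group(1)
        elif ctx and ctx[0] == "svi":
            if m := re.match(r"ip access-group (\S+) in$", line):
                svis[ctx[1]]["acl"] = m.group(1)
        elif ctx and ctx[0] == "port":
            # host-association => host port; mapping => promiscuous port
            if m := re.match(r"switchport private-vlan (host-association|mapping) (\d+) ([\d,]+)$", line):
                ports[ctx[1]]["mode"] = "host" if m.group(1) == "host-association" else "promiscuous"
                ports[ctx[1]]["primary"] = int(m.group(2))
                ports[ctx[1]]["secondaries"] = {int(s) for s in m.group(3).split(",")}
    return vlan_types, ports, svis


def l2_reachable(vlan_types, a, b):
    """Layer-2 forwarding rule between two ports of the same primary VLAN."""
    if a["primary"] != b["primary"] or None in (a["mode"], b["mode"]):
        return False
    if "promiscuous" in (a["mode"], b["mode"]):
        # Promiscuous ports reach each other and every secondary they map.
        return a["mode"] == b["mode"] or bool(a["secondaries"] & b["secondaries"])
    # Two host ports only reach each other inside one community secondary VLAN.
    sa, sb = next(iter(a["secondaries"]), None), next(iter(b["secondaries"]), None)
    return sa is not None and sa == sb and vlan_types.get(sa) == "community"


def l3_hairpin_pairs(vlan_types, ports, svis):
    """Host-port pairs blocked at layer 2 that can still reach each other via the
    primary SVI (a packet sent to the gateway MAC for a neighbour's IP is routed
    back out).  Heuristic: counted as closed only when an inbound ACL is applied."""
    hosts = sorted((n, p) for n, p in ports.items() if p["mode"] == "host")
    return [(na, nb) for (na, a), (nb, b) in combinations(hosts, 2)
            if a["primary"] == b["primary"] and a["primary"] in svis
            and svis[a["primary"]]["acl"] is None and not l2_reachable(vlan_types, a, b)]


if __name__ == "__main__":
    for label, cfg in (("as configured", SAMPLE_CONFIG), ("with SVI ACL", HARDENED_CONFIG)):
        print(label, "hairpin pairs:", l3_hairpin_pairs(*parse_config(cfg)))
```

Run as a script it lists five host pairs that can hairpin through Vlan130 as configured and none once the inbound ACL is applied. If the gateway on the promiscuous port is a firewall rather than the switch SVI, the equivalent intra-subnet deny belongs on that device instead.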