Private Vlan Trunk including community vlans

Tobias Heisele · ‎02-04-2025

Hi,

I'm a bit confused with the private vlan commands. Maybe you can help me. I need to connect to add a server via trunk, that should contain "normal" vlans and a community vlan. This is my config:

interface Gi1/0/1
switchport mode private-vlan trunk (secondary?)
switchport private-vlan trunk allow vlan <list of primary vlans>
switchport private-vlan association trunk <primary-vlan> <community-vlan>

Doing this, I get the following error: "Community or Two-way community VLANS is not supported on private-vlan trunk ports."

What am I doing wrong? I am confused regarding the "association" and "mapping" commands. When do I need what? Maybe someone can help me out.

Joshqun Ismayilov · ‎02-04-2025

Hello @Tobias Heisele

In your case, PVLAN trunks do not support community VLANs. Use a normal trunk if you need to carry both regular VLANs and community VLANs.

PVLAN trunks are designed to carry only primary and isolated VLANs, not community VLANs.

Thanks !

vishalbhandari · ‎02-04-2025

@Tobias Heisele You're running into this error because community VLANs can't be configured directly on private VLAN trunk ports. Private VLAN trunks are designed to carry primary and isolated VLANs, but community VLANs are only supported on access ports. To connect a server that needs both normal VLANs and a community VLAN, consider using a regular trunk port instead of a private VLAN trunk. On that trunk, allow both the standard VLANs and the community VLAN. The private VLAN association command is used on primary VLANs to map isolated or community VLANs, but this mapping typically applies to access ports, not trunk ports.

Tobias Heisele · ‎02-04-2025

Which vlan tag is required on the server side? Primary or community vlan id?

paul driver · ‎02-05-2025

Hello
Just make the server connection a trunk, if it needs to carry "all"vlans - the same is true when you have two switches running Pvlans and they are interconnected , that interconnection is a basic trunk

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Tobias Heisele · ‎02-05-2025

But with which vlan id does the traffic for the community vlan be tagged? I suppose it need to be tagged with the secondary vlan-id. Correct?

bpss · ‎04-19-2025

@Tobias Heisele Correct. Primary VLANs are mostly a grouping concept.

Primary and secondary PVLANs are all still distinct VLANs, for L2 purposes, until or unless it gets routed, at which point they turn into the primary VLAN on egress toward the next hop (well...actually whatever VLAN is on the port facing that next hop, anyway).

The private VLAN types are roughly equivalent to these setups, if the PVLAN feature weren't there:

Isolated - An individual/distinct VLAN per port (as if each one had a different tag), with each one being bridged individually with the primary VLAN, and a VACL prohibiting bridging from one isolated port to anything but that one primary.
Community - A normal VLAN which is shared between all ports in that community VLAN, but bridged to the primary with a VACL prohibiting bridging from the community VLAN to other communities or isolated ports under the same primary.
Community two-way - Same as community, but also has more L3 features available. Not available on all platforms.
Primary - A normal VLAN that can talk to all of its secondaries, but which respects those VACL rules. The primary is also the one that can be associated with an SVI.

If the frame arrived at the switch on a port assigned to a given secondary VLAN, it is tagged with that secondary VLAN ID at ingress. It can then be forwarded within that PVLAN grouping per the rules of the type of PVLAN that VLAN is.

To successfully pass those frames over a normal trunk, if the switch is not also routing via an SVI and performing local proxy-arp (which is kind of a spot-cheat to "bridge" two ports that would normally be isolated from each other), you need to include that secondary VLAN ID on the trunk.

If both switches on a link support private VLANs, you should use a normal trunk and configure the same private VLANs on each switch either manually or via VTPv3 (VTPv2 doesn't support PVLAN). Otherwise, a switch that doesn't have the private VLANs configured won't treat them any differently than any other VLAN and will use normal forwarding/flooding rules to all ports with those VLANs assigned, while the switch that does have them configured will treat them as PVLANs. The result of that would be broken L3 connectivity beyond that point, since there's no bridging between them at all on the non-PVLAN switch.

You only use PVLAN trunks if the other device on the link doesn't understand PVLANs, but you still need to trunk multiple VLANs over that link. Examples might be a virtualization host that doesn't support or isn't licensed for PVLAN features (eg for VMWare, that's only available in distributed vswitches) or a router or switch with those restrictions, like a 2960X without at least the ip-lite license. It doesn't magically make that other device aware of the PVLANs and they will still treat them like normal VLANs, but it tells the switch that does understand PVLANs to treat those VLANs as PVLANs for that port for its own forwarding decisions.

Tobias Heisele · ‎04-21-2025

While implementing pvlan, I faced some challenges I wanna share here.

1. 9200s support PVLAN, but not PVLAN trunks. Now server-, storage- and network-admins have to share the same ip subnet (isolated pvlan) on the outofband network. Hopefully nobody will die.

2. You cannot pass a community vlan via pvlan trunk to and enddevice (like ESXi/PVE host). Use an isolated vlan instead and activate proxy-arp on the gateway (firewall). Now intra-vlan traffic can be restricted by a policy. Sell it as an security enhancement!