Check to ensure that the VLANs in question exist in all devices from the access device with the incorrect root all the way back to the actual root 6509. If each instance of spanning tree can't talk directly to the root, it will elect a root from amon...
I'm pretty sure you can use subinterfaces on each side if you run IOS on both sides...you'll still have some 802.1q config, but it would look something like this:
ROUTER
interface GigabitEthernet2/0
 description ROUTER
 ip address 10.14.2.254 255.255.255.0
!
in...
You are correct, Private VLAN configuration alone will not restrict traffic from being routed properly between private VLANs. You will need to at a minimum install ACLs on your router where the VLANs spawn, and VACLs at each L2 device where you inten...