Thank you for your responces.
My goal is to create a port (specificaly a port-channel) where i will connect a firewall/router. This device will handle all inter-vlan routing, some of those vlans are regular vlans and some are private vlans. So a configuration is needed where regular vlans pass to the routing device as is and private vlans pass as regular vlans, this is becasue router / firewall device does not understand private vlans. I have previously performed this kind of configuration on Cat 6500, 4500 and Nexus 9000 series switches using interface cmd "switchport mode private-vlan trunk promiscuous". This command seem to be available for 9300 switches though ( https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-3/configuration_guide/vlan/b_173_vlan_9300_cg/configuring_private_vlans.html ).
The documents you pointed do not mention this feature and cmd "switchport mode private-vlan promiscuous" configures a host port, not a trunk port. The only hint that "private vlan promiscuous trunk ports" are supported is on the "Restriction" section for ver. 17.3 that states: Port Aggregation Protocol (PAgP) and Link Aggregation Control Protocol (LACP) are supported only for Private VLAN promiscuous trunk ports and Private VLAN isolated trunk ports. so this needs more investigation.
My production swithes are on 16.12.2 so i can not test this. I will have to setup a testing enviroment.
Regards
