
Cisco Systems, Inc.
Cisco Nexus 5000 Series NX-OS Software Configuration Guide
Configuring Private VLANs
Table Of Contents
Configuring Private VLANs
About Private VLANs
Primary and Secondary VLANs in Private VLANs
Understanding Private VLAN Ports
Understanding Primary, Isolated, and Community Private VLANs
Associating Primary and Secondary VLANs
Understanding Broadcast Traffic in Private VLANs
Understanding Private VLAN Port Isolation
Configuring a Private VLAN
Configuration Guidelines for Private VLANs
Enabling Private VLANs
Configuring a VLAN as a Private VLAN
Associating Secondary VLANs with a Primary Private VLAN
Configuring an Interface as a Private VLAN Host Port
Configuring an Interface as a Private VLAN Promiscuous Port
Verifying Private VLAN Configuration
Configuring Private VLANs
This chapter shows you how to configure private VLANs.
Note: You must enable the private VLAN feature before you can perform any of the configurations in this chapter.
This chapter includes the following sections:
• About Private VLANs
• Configuring a Private VLAN
• Verifying Private VLAN Configuration
About Private VLANs
A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains, allowing you to isolate the ports on the switch from each other. A subdomain consists of a primary VLAN and one or more secondary VLANs (see Figure 7-1). All VLANs in a private VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another. The secondary VLANs may either be isolated VLANs or community VLANs. A host on an isolated VLAN can only communicate with the associated promiscuous port in its primary VLAN. Hosts on community VLANs can communicate among themselves and with their associated promiscuous port but not with ports in other community VLANs.
Note: A PVLAN isolated port on a Cisco Nexus 5000 Series switch running the current release of Cisco NX-OS does not support IEEE 802.1Q encapsulation and cannot be used as a trunk port.
Figure 7-1 Private VLAN Domain
Note: You must first create the VLAN before you can convert it to a private VLAN, either primary or secondary. See Chapter 6 "Configuring VLANs" for information on creating VLANs.
This section includes the following topics:
• Primary and Secondary VLANs in Private VLANs
• Understanding Private VLAN Ports
• Understanding Broadcast Traffic in Private VLANs
• Understanding Private VLAN Port Isolation
Primary and Secondary VLANs in Private VLANs
A private VLAN domain has only one primary VLAN. Each port in a private VLAN domain is a member of the primary VLAN; the primary VLAN is the entire private VLAN domain.
Secondary VLANs provide isolation between ports within the same private VLAN domain. The following two types are secondary VLANs within a primary VLAN:
• Isolated VLANs: Ports within an isolated VLAN cannot communicate directly with each other at the Layer 2 level.
• Community VLANs: Ports within a community VLAN can communicate with each other but cannot communicate with ports in other community VLANs or in any isolated VLANs at the Layer 2 level.
Page 1 of 5 Cisco Nexus 5000 Series NX-OS Software Configuration Guide - Configuring Private V...
06/04/2014 http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/g...
Understanding Private VLAN Ports
The types of private VLAN ports are as follows:
• Promiscuous: A promiscuous port belongs to the primary VLAN. The promiscuous port can communicate with all interfaces, including the community and isolated host ports, that belong to those secondary VLANs associated to the promiscuous port and associated with the primary VLAN. You can have several promiscuous ports in a primary VLAN. Each promiscuous port can have several secondary VLANs, or no secondary VLANs, associated to that port. You can associate a secondary VLAN to more than one promiscuous port, as long as the promiscuous port and secondary VLANs are within the same primary VLAN. You may want to do this for load-balancing or redundancy purposes. You can also have secondary VLANs that are not associated to any promiscuous port.
• Isolated: An isolated port is a host port that belongs to an isolated secondary VLAN. This port has complete isolation from other ports within the same private VLAN domain, except that it can communicate with associated promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. You can have more than one isolated port in a specified isolated VLAN. Each port is completely isolated from all other ports in the isolated VLAN.
• Community: A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with associated promiscuous ports. These interfaces are isolated from all other interfaces in other communities and from all isolated ports within the private VLAN domain.
Note: Because trunks can support the VLANs carrying traffic between promiscuous, isolated, and community ports, the isolated and community port traffic might enter or leave the switch through a trunk interface.
Understanding Primary, Isolated, and Community Private VLANs
Primary VLANs and the two types of secondary VLANs (isolated and community) have these characteristics:
• Primary VLAN: The primary VLAN carries traffic from the promiscuous ports to the host ports, both isolated and community, and to other promiscuous ports.
• Isolated VLAN: An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports. You can configure multiple isolated VLANs in a private VLAN domain; all the traffic remains isolated within each one. Each isolated VLAN can have several isolated ports, and the traffic from each isolated port also remains completely separate.
• Community VLAN: A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port and to other host ports in the same community. You can configure multiple community VLANs in a private VLAN domain. The ports within one community can communicate, but these ports cannot communicate with ports in any other community or isolated VLAN in the private VLAN.
Figure 7-2 shows the traffic flows within a private VLAN, along with the types of VLANs and types of ports.
Figure 7-2 Private VLAN Traffic Flows
Note: The private VLAN traffic flows are unidirectional from the host ports to the promiscuous ports. Traffic received on primary VLAN enforces no separation and forwarding is done as in normal VLAN.
A promiscuous port can serve only one primary VLAN and multiple secondary VLANs (community and isolated VLANs). With a promiscuous port, you can connect a wide range of devices as access points to a private VLAN. For example, you can use a promiscuous port to monitor or back up all the private VLAN servers from an administration workstation.
In a switched environment, you can assign an individual private VLAN and associated IP subnet to each individual or common group of end stations. The end stations need to communicate only with a default gateway to communicate outside the private VLAN.
Associating Primary and Secondary VLANs
For host ports in secondary VLANs to communicate outside the private VLAN, you associate secondary VLANs to the primary VLAN. If the association is not operational, the host ports (community and isolated ports) in the secondary VLAN are brought down.
Note: You can associate a secondary VLAN with only one primary VLAN.
For an association to be operational, the following conditions must be met:
• The primary VLAN must exist and be configured as a primary VLAN.
• The secondary VLAN must exist and be configured as either an isolated or community VLAN.
Note: Use the show command to verify that the association is operational. The switch does not display an error message when the association is nonoperational. (See the "Verifying Private VLAN Configuration" section for information on configuration verification.)
If you delete either the primary or secondary VLAN, the ports that are associated with the VLAN become inactive. Use the no private-vlan command to return the VLAN to the normal mode. All primary and secondary associations on that VLAN are suspended, but the interfaces remain in private VLAN mode. When you convert the VLAN back to private VLAN mode, the original associations are reinstated.
If you enter the no vlan command for the primary VLAN, all private VLAN associations with that VLAN are lost. However, if you enter the no vlan command for a secondary VLAN, the private VLAN associations with that VLAN are suspended and return when you recreate the specified VLAN and configure it as the previous secondary VLAN.
In order to change the association between a secondary and primary VLAN, you must first remove the current association and then add the desired association.
Understanding Broadcast Traffic in Private VLANs
Broadcast traffic from ports in a private VLAN flows in the following ways:
• The broadcast traffic flows from a promiscuous port to all ports in the primary VLAN (which includes all the ports in the community and isolated VLANs). This broadcast traffic is distributed to all ports within the primary VLAN, including those ports that are not configured with private VLAN parameters.
• The broadcast traffic from an isolated port is distributed only to those promiscuous ports in the primary VLAN that are associated to that isolated port.
• The broadcast traffic from community ports is distributed to all ports within the port's community and to all promiscuous ports that are associated to the community port. The broadcast packets are not distributed to any other communities within the primary VLAN, or to any isolated ports.
Understanding Private VLAN Port Isolation
You can use private VLANs to control access to end stations as follows:
• Configure selected interfaces connected to end stations as isolated ports to prevent any communication. For example, if the end stations are servers, this configuration prevents communication between the servers.
• Configure interfaces connected to default gateways and selected end stations (for example, backup servers) as promiscuous ports to allow all end stations access to a default gateway.
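The three broadcast rules and the isolation use case above can be written as a small Python model that lists which host ports still share Layer 2 traffic. This is an added example, not part of the Cisco guide; the port names, roles and promiscuous mappings are constructed for illustration.

```python
# Added example: model of the private VLAN broadcast rules described above.
# Port names, roles and VLAN numbers below are constructed for illustration.
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Port:
    name: str
    role: str                 # "promiscuous", "isolated" or "community"
    primary: int              # primary VLAN of the private VLAN domain
    secondaries: frozenset    # host port: its one secondary VLAN;
                              # promiscuous port: the secondary VLANs mapped to it

def broadcast_receivers(src, ports):
    """Return the names of the ports that receive a broadcast sent by src."""
    receivers = set()
    for dst in ports:
        if dst.name == src.name or dst.primary != src.primary:
            continue
        if src.role == "promiscuous":
            # Rule 1: a promiscuous port reaches every port in the primary VLAN.
            receivers.add(dst.name)
        elif dst.role == "promiscuous":
            # Rules 2 and 3: host traffic reaches only the promiscuous ports
            # associated with the sender's secondary VLAN.
            if src.secondaries & dst.secondaries:
                receivers.add(dst.name)
        elif src.role == "community" and dst.role == "community":
            # Rule 3: community ports also reach their own community.
            if src.secondaries == dst.secondaries:
                receivers.add(dst.name)
        # Isolated senders never reach another host port.
    return receivers

def hosts_sharing_layer2(ports):
    """List host-port pairs where at least one side's broadcasts reach the other."""
    hosts = [p for p in ports if p.role != "promiscuous"]
    return [(a.name, b.name) for a, b in combinations(hosts, 2)
            if b.name in broadcast_receivers(a, ports)
            or a.name in broadcast_receivers(b, ports)]

SAMPLE_PORTS = [
    Port("Eth1/2", "promiscuous", 5, frozenset({109})),
    Port("Eth1/3", "promiscuous", 5, frozenset({100, 101, 109})),
    Port("Eth1/12", "community", 5, frozenset({101})),
    Port("Eth1/13", "community", 5, frozenset({101})),
    Port("Eth1/14", "community", 5, frozenset({100})),
    Port("Eth1/20", "isolated", 5, frozenset({109})),
    Port("Eth1/21", "isolated", 5, frozenset({109})),
]

if __name__ == "__main__":
    for port in SAMPLE_PORTS:
        print(port.name, port.role, sorted(broadcast_receivers(port, SAMPLE_PORTS)))
    print("host pairs sharing Layer 2:", hosts_sharing_layer2(SAMPLE_PORTS))
```

Any pair returned by hosts_sharing_layer2 is a pair of end stations that the design does not isolate from each other, which is the list to review when servers are meant to be separated.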
Configuring a Private VLAN
Note: You must have already created the VLAN before you can assign the specified VLAN as a private VLAN.
This section includes the following topics:
• Configuration Guidelines for Private VLANs
• Enabling Private VLANs
• Configuring a VLAN as a Private VLAN
• Associating Secondary VLANs with a Primary Private VLAN
• Configuring an Interface as a Private VLAN Host Port
• Configuring an Interface as a Private VLAN Promiscuous Port
Configuration Guidelines for Private VLANs
When configuring private VLANs, follow these guidelines:
• You must enable private VLANs before the switch can apply the private VLAN functionality.
• You cannot disable private VLANs if the switch has any operational ports in a private VLAN mode.
• Enter the private-vlan synchronize command to map the secondary VLANs to the same Multiple Spanning Tree (MST) instance as the primary VLAN. See the "Mapping Secondary VLANs to Same MSTI as Primary VLANs for Private VLANs" section for more details.
Enabling Private VLANs
You must enable private VLANs on the switch to use the private VLAN functionality.
Note: The private VLAN commands do not appear until you enable the private VLAN feature.
To enable private VLAN functionality on the switch, perform this task:
Step 1
  Command: switch# configure terminal
  Purpose: Enters configuration mode.
Step 2
  Command: switch(config)# feature private-vlan
  Purpose: Enables the private VLAN feature on the switch.
This example shows how to enable the private VLAN feature on the switch:
switch# configure terminal
switch(config)# feature private-vlan
To disable private VLAN functionality, perform this task:
Command: switch(config)# no feature private-vlan
Purpose: Disables the private VLAN feature on the switch.
Note: You cannot disable private VLANs if there are operational ports on the switch that are in private VLAN mode.
Configuring a VLAN as a Private VLAN
To create a private VLAN, you first create a VLAN, and then configure that VLAN to be a private VLAN. Ensure that the private VLAN feature is enabled.
To create a private VLAN, perform this task:
Step 1
  Command: switch# configure terminal
  Purpose: Enters configuration mode.
Step 2
  Command: switch(config)# vlan {vlan-id | vlan-range}
  Purpose: Places you into the VLAN configuration submode.
Step 3
  Command: switch(config-vlan)# private-vlan {community | isolated | primary}
  Purpose: Configures the VLAN as either a community, isolated, or primary private VLAN. In a private VLAN, you must have one primary VLAN. You can have multiple community and isolated VLANs.
This example shows how to assign VLAN 5 to a private VLAN as the primary VLAN:
switch# configure terminal
switch(config)# vlan 5
switch(config-vlan)# private-vlan primary
This example shows how to assign VLAN 100 to a private VLAN as a community VLAN:
switch(config-vlan)# exit
switch(config)# vlan 100
switch(config-vlan)# private-vlan community
This example shows how to assign VLAN 109 to a private VLAN as an isolated VLAN:
switch(config-vlan)# exit
switch(config)# vlan 109
switch(config-vlan)# private-vlan isolated
To disable a private VLAN, perform this task:
Command: switch(config-vlan)# no private-vlan {community | isolated | primary}
Purpose: Removes the private VLAN configuration from the specified VLAN(s) and returns it to normal VLAN mode. If you delete either the primary or secondary VLAN, the ports that are associated with the VLAN become inactive.
Associating Secondary VLANs with a Primary Private VLAN
When you associate secondary VLANs with a primary VLAN, follow these guidelines:
• The secondary-vlan-list parameter cannot contain spaces. It can contain multiple comma-separated items. Each item can be a single secondary VLAN ID or a hyphenated range of secondary VLAN IDs.
• The secondary-vlan-list parameter can contain multiple community and isolated VLAN IDs.
• Enter a secondary-vlan-list or use the add keyword with a secondary-vlan-list to associate secondary VLANs with a primary VLAN.
• Use the remove keyword with a secondary-vlan-list to clear the association between secondary VLANs and a primary VLAN.
• You change the association between a secondary and primary VLAN by removing the existing association and then adding the desired association.
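The list syntax above, together with the conditions for an operational association given earlier in this chapter, can be checked before a change is pushed to the switch. The following Python validator is an added example, not part of the Cisco guide; the function names, the SAMPLE_TYPES table and the 1-4094 VLAN ID bound (the general IEEE 802.1Q range) are assumptions.

```python
# Added example: validator for the secondary-vlan-list syntax and the
# association conditions described in this chapter. The 1-4094 bound is the
# general IEEE 802.1Q VLAN ID range, assumed here; it is not stated on the page.
import re

class VlanListError(ValueError):
    """Raised when a secondary-vlan-list breaks the documented syntax."""

def parse_secondary_vlan_list(text):
    """Expand a list such as '100-103,109' into a sorted list of VLAN IDs."""
    if not text:
        raise VlanListError("list is empty")
    if any(ch.isspace() for ch in text):
        raise VlanListError("list cannot contain spaces")
    ids = set()
    for item in text.split(","):
        match = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if match is None:
            raise VlanListError(f"bad item {item!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high or low < 1 or high > 4094:
            raise VlanListError(f"bad VLAN ID or range {item!r}")
        ids.update(range(low, high + 1))
    return sorted(ids)

def association_problems(primary_id, secondary_list, vlan_types):
    """Return the reasons an association would be nonoperational.

    vlan_types maps VLAN ID -> 'primary' | 'community' | 'isolated', for
    example transcribed from 'show vlan private-vlan type'.
    """
    problems = []
    if vlan_types.get(primary_id) != "primary":
        problems.append(f"VLAN {primary_id} is not configured as a primary VLAN")
    for vlan_id in parse_secondary_vlan_list(secondary_list):
        kind = vlan_types.get(vlan_id)
        if kind not in ("community", "isolated"):
            problems.append(
                f"VLAN {vlan_id} must be isolated or community (found: {kind or 'none'})")
    return problems

# Constructed sample: VLAN 103 was never converted to a private VLAN.
SAMPLE_TYPES = {5: "primary", 100: "community", 101: "community",
                102: "community", 109: "isolated"}

if __name__ == "__main__":
    print(parse_secondary_vlan_list("100-103,109"))
    print(association_problems(5, "100-103,109", SAMPLE_TYPES))
```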
If you delete either the primary or secondary VLAN, the ports that are associated with the VLAN become inactive. When you enter the no private-vlan command, the VLAN returns to the normal VLAN mode. All primary and secondary associations on that VLAN are suspended, but the interfaces remain in private VLAN mode. If you again convert the specified VLAN to private VLAN mode, the original associations are reinstated.
If you enter the no vlan command for the primary VLAN, all private VLAN associations with that VLAN are lost. However, if you enter the no vlan command for a secondary VLAN, the private VLAN associations with that VLAN are suspended and return when you recreate the specified VLAN and configure it as the previous secondary VLAN.
Ensure that the private VLAN feature is enabled.
To associate secondary VLANs with a primary VLAN, perform this task:
Step 1
  Command: switch# configure terminal
  Purpose: Enters configuration mode.
Step 2
  Command: switch(config)# vlan primary-vlan-id
  Purpose: Enter the number of the primary VLAN that you are working in for the private VLAN configuration.
Step 3
  Command: switch(config-vlan)# private-vlan association {[add] secondary-vlan-list | remove secondary-vlan-list}
  Purpose: Associates the secondary VLANs with the primary VLAN.
This example shows how to associate community VLANs 100 through 103 and isolated VLAN 109 with primary VLAN 5:
switch# configure terminal
switch(config)# vlan 5
switch(config-vlan)# private-vlan association 100-103,109
To remove all associations from the private VLAN, perform this task:
Command: switch(config-vlan)# no private-vlan association
Purpose: Removes all associations from the primary VLAN and returns it to normal VLAN mode.
Configuring an Interface as a Private VLAN Host Port
You can configure an interface as a private VLAN host port. In private VLANs, host ports are part of the secondary VLANs, which are either community VLANs or isolated VLANs. You then associate the host port with both the primary and secondary VLANs.
Note: We recommend that you enable BPDU Guard on all interfaces configured as host ports. See Chapter 10 "Configuring STP Extensions" for information on configuring BPDU Guard.
Ensure that the private VLAN feature is enabled.
To configure an interface as a private VLAN host port, perform this task:
Step 1
  Command: switch# configure terminal
  Purpose: Enters configuration mode.
Step 2
  Command: switch(config)# interface type slot/port
  Purpose: Selects the port to configure as a private VLAN host port. The interface can be a physical Ethernet port.
Step 3
  Command: switch(config-if)# switchport mode private-vlan host
  Purpose: Configures the port as a host port for a private VLAN.
Step 4
  Command: switch(config-if)# switchport private-vlan host-association {primary-vlan-id} {secondary-vlan-id}
  Purpose: Associates the port with the primary and secondary VLANs of a private VLAN. The secondary VLAN can be either an isolated or community VLAN.
This example shows how to configure the Ethernet port 1/12 as a host port for a private VLAN and associate it to primary VLAN 5 and secondary VLAN 101:
switch# configure terminal
switch(config)# interface ethernet 1/12
switch(config-if)# switchport mode private-vlan host
switch(config-if)# switchport private-vlan host-association 5 101
To remove the private VLAN association from an interface, perform this task:
Command: switch(config-if)# no switchport private-vlan host-association
Purpose: Removes the private VLAN association from the port.
Configuring an Interface as a Private VLAN Promiscuous Port
You can configure an interface as a private VLAN promiscuous port, and then you can associate that promiscuous port with the primary and secondary VLANs.
Ensure that the private VLAN feature is enabled.
To configure an interface as a private VLAN promiscuous port, perform this task:
Step 1
  Command: switch# configure terminal
  Purpose: Enters configuration mode.
Step 2
  Command: switch(config)# interface type slot/port
  Purpose: Selects the port to configure as a private VLAN promiscuous port. A physical interface is required.
Step 3
  Command: switch(config-if)# switchport mode private-vlan promiscuous
  Purpose: Configures the port as a promiscuous port for a private VLAN. You can only enable a physical Ethernet port as the promiscuous port.
Step 4
  Command: switch(config-if)# switchport private-vlan mapping {primary-vlan-id} {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
  Purpose: Configures the port as a promiscuous port and associates the specified port with a primary VLAN and a selected list of secondary VLANs. The secondary VLAN can be either an isolated or community VLAN.
This example shows how to configure port 1/2 as a promiscuous port associated with the primary VLAN 5 and the secondary isolated VLAN 109:
switch# configure terminal
switch(config)# interface ethernet 1/2
switch(config-if)# switchport mode private-vlan promiscuous
switch(config-if)# switchport private-vlan mapping 5 109
You can only apply this command to a physical interface.
To clear the private VLAN mapping, perform this task:
Command: switch(config-if)# no switchport private-vlan mapping
Purpose: Clears the mapping from the private VLAN.
Verifying Private VLAN Configuration
To display private VLAN configuration information, use the following commands:
Command: switch# show system internal clis feature
Purpose: Displays the features enabled on the switch.
Command: switch# show vlan private-vlan [type]
Purpose: Displays the status of the private VLAN.
Command: switch# show interface switchport
Purpose: Displays information on all interfaces configured as switchports.
The following example shows how to display the private VLAN configuration:
switch# show vlan private-vlan
Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------
5        100        community
5        101        community        Eth1/12, veth1/1
5        102        community
5        103        community
5        109        isolated         Eth1/2
switch# show vlan private-vlan type
Vlan Type
---- -----------------
5    primary
100  community
101  community
102  community
103  community
109  isolated
The following example shows how to display enabled features:
switch# show system internal clis feature
7 pvlan enabled
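Because the switch reports no error for a nonoperational association, the show output has to be compared with the intended design. The following Python check is an added example, not part of the Cisco guide: SAMPLE_OUTPUT is the example output from this chapter, while the EXPECTED design table and the function names are constructed assumptions.

```python
# Added example: compare 'show vlan private-vlan' output with the intended
# design. SAMPLE_OUTPUT is the example output from this chapter; EXPECTED is a
# constructed design used only for illustration.
import re

SAMPLE_OUTPUT = """\
Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------
5        100        community
5        101        community        Eth1/12, veth1/1
5        102        community
5        103        community
5        109        isolated         Eth1/2
"""

# Constructed design: secondary VLAN -> (primary VLAN, type)
EXPECTED = {100: (5, "community"), 101: (5, "community"),
            109: (5, "isolated"), 110: (5, "isolated")}

# One data row: primary ID, secondary ID, type, optional comma-separated ports.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(community|isolated)\b\s*(.*)$")

def parse_show_pvlan(text):
    """Return {secondary_id: {'primary': int, 'type': str, 'ports': [str]}}."""
    rows = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            primary, secondary, kind, ports = match.groups()
            rows[int(secondary)] = {
                "primary": int(primary), "type": kind,
                "ports": [p.strip() for p in ports.split(",") if p.strip()],
            }
    return rows

def audit(rows, expected):
    """List differences between the parsed output and the design."""
    findings = []
    for secondary, (primary, kind) in sorted(expected.items()):
        row = rows.get(secondary)
        if row is None:
            findings.append(f"VLAN {secondary}: no association with primary {primary} shown")
        elif (row["primary"], row["type"]) != (primary, kind):
            findings.append(f"VLAN {secondary}: shown as {row['type']} under primary "
                            f"{row['primary']}, expected {kind} under {primary}")
        elif not row["ports"]:
            findings.append(f"VLAN {secondary}: associated but no ports listed")
    for secondary in sorted(set(rows) - set(expected)):
        findings.append(f"VLAN {secondary}: association is not in the design")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_show_pvlan(SAMPLE_OUTPUT), EXPECTED):
        print(finding)
```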