private-vlan isolated

Use private-vlan isolated to isolate ports in a secondary VLAN at Layer 2.

Use undo private-vlan isolated to restore the default.

Syntax

private-vlan isolated

undo private-vlan isolated

Default

Ports in the same secondary VLAN can communicate with each other at Layer 2.

Views

VLAN view

Predefined user roles

network-admin

Usage guidelines

The private-vlan isolated command takes effect when the following conditions exist:

The secondary VLAN is associated with a primary VLAN.
The ports are configured as host or trunk secondary ports of the secondary VLAN.

If you assign the downlink ports to a secondary VLAN configured with this command, the downlink ports are isolated from each other at Layer 2.

The private-vlan isolated command is mutually exclusive with the primary VLAN configuration.

Examples

This example shows how to meet the following requirements:

VLAN 4 is a secondary VLAN, and it is associated with primary VLAN 2.
Ten-GigabitEthernet 1/0/1 is a promiscuous port of VLAN 2.
Ten-GigabitEthernet 1/0/2 and Ten-GigabitEthernet 1/0/3 are host ports of VLAN 4.
Ten-GigabitEthernet 1/0/2 and Ten-GigabitEthernet 1/0/3 are isolated at Layer 2 in secondary VLAN 4.

# Configure VLAN 2 as a primary VLAN and associate it with secondary VLAN 4.

<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] private-vlan primary
[Sysname-vlan2]private-vlan secondary 4
[Sysname-vlan4] quit

# Configure Ten-GigabitEthernet 1/0/1 as a promiscuous port of VLAN 2.

[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] port private-vlan 2 promiscuous
[Sysname-Ten-GigabitEthernet1/0/1] quit

# Assign Ten-GigabitEthernet 1/0/2 to VLAN 4 and configure the port as a host port.

[Sysname] interface ten-gigabitethernet 1/0/2
[Sysname-Ten-GigabitEthernet1/0/2] port access vlan 4
[Sysname-Ten-GigabitEthernet1/0/2] port private-vlan host
[Sysname-Ten-GigabitEthernet1/0/2] quit

# Assign Ten-GigabitEthernet 1/0/3 to VLAN 4 and configure the port as a host port.

[Sysname] interface ten-gigabitethernet 1/0/3
[Sysname-Ten-GigabitEthernet1/0/3] port access vlan 4
[Sysname-Ten-GigabitEthernet1/0/3] port private-vlan host

# Configure port isolation at Layer 2 in secondary VLAN 4.

[Sysname] vlan 4
[Sysname-vlan4] private-vlan isolated

Related commands

private-vlan (VLAN view)

private-vlan community

private-vlan primary

prev	up	next
private-vlan community	home	private-vlan primary