private-vlan (VLAN interface view)
Use private-vlan secondary to enable Layer 3 communication between secondary VLANs that are associated with a primary VLAN.
Use undo private-vlan to cancel the Layer 3 communication configuration for secondary VLANs that are associated with a primary VLAN.
Syntax
private-vlan secondary vlan-id-list
undo private-vlan [ secondary vlan-id-list ]
Default
Secondary VLANs are isolated at Layer 3.
Views
VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
vlan-id-list: Specifies a space-separated list of up to 10 secondary VLAN items. Each item specifies a secondary VLAN ID or a range of secondary VLAN IDs in the form of vlan-id1 to vlan-id2. The value range for secondary VLAN IDs is 1 to 4094. The value for the vlan-id2 argument must be equal to or greater than the value for the vlan-id1 argument.
Usage guidelines
This command takes effect only when the following conditions exist:
This command is executed in VLAN interface view of the primary VLAN interface.
Secondary VLANs are associated with the primary VLAN.
No VLAN interfaces are created for secondary VLANs.
An IP address is assigned to the primary VLAN interface.
Local proxy ARP or ND is enabled on the primary VLAN interface.
You can create VLAN interfaces for secondary VLANs that are not enabled with Layer 3 communication. If secondary VLANs are enabled with Layer 3 communication, do not create VLAN interfaces for them.
When you execute this command in the same primary VLAN interface view multiple times, all the specified secondary VLANs are interoperable at Layer 3.
When you execute the undo private-vlan command, follow these guidelines:
If you specify the secondary vlan-id-list option, this command cancels the Layer 3 communication configuration only for the specified secondary VLANs.
If you do not specify the secondary vlan-id-list option, this command cancels the Layer 3 communication configuration for all secondary VLANs of the primary VLAN.
Examples
This example shows how to meet the following requirements:
VLAN 4 is a secondary VLAN, and it is associated with primary VLAN 2.
The uplink port (Ten-GigabitEthernet 1/0/2) is a promiscuous port of VLAN 2.
Downlink ports Ten-GigabitEthernet 1/0/3 and Ten-GigabitEthernet 1/0/4 are host ports of VLANs 3 and 4, respectively.
Secondary VLANs 3 and 4 can communicate at Layer 3.
# Configure VLAN 2 as a primary VLAN and associate it with secondary VLANs 3 and 4.
<Sysname> system-view
[Sysname] vlan 3 to 4
[Sysname] vlan 2
[Sysname-vlan2] private-vlan primary
[Sysname-vlan2] private-vlan secondary 3 to 4
[Sysname-vlan2] quit
# Configure the uplink port (Ten-GigabitEthernet 1/0/2) as a promiscuous port of VLAN 2.
[Sysname] interface ten-gigabitethernet 1/0/2
[Sysname-Ten-GigabitEthernet1/0/2] port private-vlan 2 promiscuous
[Sysname-Ten-GigabitEthernet1/0/2] quit
# Assign downlink port Ten-GigabitEthernet 1/0/3 to VLAN 3 and configure the port as a host port.
[Sysname] interface ten-gigabitethernet 1/0/3
[Sysname-Ten-GigabitEthernet1/0/3] port access vlan 3
[Sysname-Ten-GigabitEthernet1/0/3] port private-vlan host
[Sysname-Ten-GigabitEthernet1/0/3] quit
# Assign downlink port Ten-GigabitEthernet 1/0/4 to VLAN 4 and configure the port as a host port.
[Sysname] interface ten-gigabitethernet 1/0/4
[Sysname-Ten-GigabitEthernet1/0/4] port access vlan 4
[Sysname-Ten-GigabitEthernet1/0/4] port private-vlan host
[Sysname-Ten-GigabitEthernet1/0/4] quit
# Create VLAN-interface 2 and enable Layer 3 communication between secondary VLANs 3 and 4.
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] private-vlan secondary 3 to 4
# Assign an IP address to VLAN-interface 2.
[Sysname-Vlan-interface2] ip address 192.168.1.1 255.255.255.0
# Enable local proxy ARP on VLAN-interface 2.
[Sysname-Vlan-interface2] local-proxy-arp enable
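Because this command lifts the default Layer 3 isolation between secondary VLANs, a configuration review should list where it is applied and whether the conditions in the usage guidelines hold. The following Python audit is an added example, not part of the original command reference. The saved-configuration layout, the function names, and the VLAN 10 and VLAN 12 entries are constructed assumptions, and only local proxy ARP (not ND) is checked.

```python
import re

PREFIX = "private-vlan secondary "
ITEM = r"(\d+)(?:\s+to\s+(\d+))?"  # one vlan-id or "vlan-id1 to vlan-id2"

# Constructed sample; the saved-configuration layout is an assumption.
SAMPLE = """\
interface Vlan-interface2
 ip address 192.168.1.1 255.255.255.0
 local-proxy-arp enable
 private-vlan secondary 3 to 4
#
interface Vlan-interface10
 ip address 192.168.10.1 255.255.255.0
 private-vlan secondary 11 12
#
interface Vlan-interface12
 ip address 192.168.12.1 255.255.255.0
"""

def expand_vlan_list(text):
    """Expand a vlan-id-list such as '3 to 4 10' into a set of VLAN IDs."""
    if not re.fullmatch(rf"\s*{ITEM}(?:\s+{ITEM})*\s*", text):
        raise ValueError(f"malformed vlan-id-list: {text!r}")
    items = [(int(a), int(b or a)) for a, b in re.findall(ITEM, text)]
    # Documented limits: at most 10 items, IDs 1-4094, vlan-id2 >= vlan-id1.
    if len(items) > 10 or any(not 1 <= lo <= hi <= 4094 for lo, hi in items):
        raise ValueError(f"vlan-id-list outside documented limits: {text!r}")
    return {v for lo, hi in items for v in range(lo, hi + 1)}

def audit(config):
    """Report every primary VLAN interface that lifts Layer 3 isolation."""
    sections = {int(m[1]): [c.strip() for c in m[2].splitlines()] for m in
                re.finditer(r"^interface Vlan-interface(\d+)\n((?: .*\n?)*)", config, re.M)}
    report = {}
    for vid, cmds in sections.items():
        opened = set().union(*(expand_vlan_list(c[len(PREFIX):])
                               for c in cmds if c.startswith(PREFIX)))
        checks = [  # (condition holds, finding reported when it does not)
            (any(c.startswith("ip address ") for c in cmds), "no IP address"),
            ("local-proxy-arp enable" in cmds, "local proxy ARP not enabled"),
            (not opened & set(sections), "secondary VLAN has a VLAN interface"),
        ]
        if opened:
            report[vid] = {"l3_open": sorted(opened),
                           "problems": [msg for ok, msg in checks if not ok]}
    return report

print(audit(SAMPLE))
```

Each key in the result is a primary VLAN whose secondary VLANs can reach one another at Layer 3; a non-empty problems list means a condition from the usage guidelines is not met in that configuration.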
Related commands
private-vlan (VLAN view)
private-vlan primary