If you have genuinely private traffic and want to isolate it at Layer 2, Private VLANs (PVLANs) are the tool for the job. You can think of a private VLAN as a "VLAN inside a VLAN". There are many ways to enforce separation (access lists, IPS, IDS and so on), but PVLANs do it purely at Layer 2. You could also create more ordinary VLANs to separate hosts, but that is far less effective: every new VLAN has to be designed, and every new VLAN needs its own IP block. Private VLANs give the same isolation without that overhead.
There are three port types in a private VLAN:
Promiscuous: A promiscuous port can communicate with every other port type, including other promiscuous, community and isolated ports.
Community: Community ports can communicate with each other and with promiscuous ports. They cannot communicate directly with ports in a different community (a different community VLAN) under the same primary VLAN.
Isolated: Isolated ports cannot communicate with other isolated ports, even when they are in the same isolated VLAN; they can only communicate with promiscuous ports. So the question is "how do we configure a private VLAN?" Here is the answer from networkel.com:
PRIVATE VLAN CONFIGURATION
*** Assuming the primary VLAN is 200, the community VLAN is 205 and the isolated VLAN is 210...

SWITCH_A(config)#vtp mode transparent
SWITCH_A(config)#vlan 200
SWITCH_A(config-vlan)#private-vlan primary
SWITCH_A(config-vlan)#exit
SWITCH_A(config)#vlan 205
SWITCH_A(config-vlan)#private-vlan community
SWITCH_A(config-vlan)#exit
SWITCH_A(config)#vlan 210
SWITCH_A(config-vlan)#private-vlan isolated
SWITCH_A(config-vlan)#exit

SWITCH_A(config)#vlan 200
SWITCH_A(config-vlan)#private-vlan association 205,210
SWITCH_A(config-vlan)#exit

SWITCH_A(config)#interface Fa 4/24
SWITCH_A(config-if)#switchport mode private-vlan host
SWITCH_A(config-if)#switchport private-vlan host-association 200 205
SWITCH_A(config-if)#interface Fa 4/25
SWITCH_A(config-if)#switchport mode private-vlan host
SWITCH_A(config-if)#switchport private-vlan host-association 200 205
SWITCH_A(config-if)#interface Fa 4/26
SWITCH_A(config-if)#switchport mode private-vlan host
SWITCH_A(config-if)#switchport private-vlan host-association 200 210
SWITCH_A(config-if)#interface Fa 4/27
SWITCH_A(config-if)#switchport mode private-vlan promiscuous
SWITCH_A(config-if)#switchport private-vlan mapping 200 205,210

With this configuration Fa 4/24 and Fa 4/25 share community VLAN 205, so they can reach each other and the promiscuous port Fa 4/27; Fa 4/26 sits in isolated VLAN 210 and can reach only Fa 4/27. Note that VTP must be in transparent mode (or VTP version 3) for the private-vlan commands to be accepted, and that a host port whose secondary VLAN has not been associated with the primary VLAN stays inactive.

We can verify the private VLAN configuration with the command below:
SWITCH_A#show vlan private-vlan
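The isolation rules for the three port types are easy to state but easy to get wrong when many ports are involved. The following added Python model (not code from the original page or from networkel.com) encodes those rules together with the page's own configuration (primary VLAN 200, community VLAN 205, isolated VLAN 210, ports Fa 4/24 to Fa 4/27), so the intended reachability can be reviewed before anything is pushed to a switch. The port names, the `is_active` rule (a host port whose secondary VLAN is not associated with its primary VLAN is treated as inactive) and the "must not talk" policy list are assumptions made for this example; the model also assumes pure Layer-2 forwarding with no router in the picture.

```python
"""Model of private VLAN (PVLAN) Layer-2 reachability.

Constructed example: encodes the port-type rules from the text and the
switch configuration on the page (VLAN 200 primary, 205 community,
210 isolated, ports Fa4/24-Fa4/27) so the intended isolation can be
checked before it is deployed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

PROMISCUOUS, COMMUNITY, ISOLATED = "promiscuous", "community", "isolated"


@dataclass(frozen=True)
class Port:
    name: str
    primary: int                      # primary VLAN the port belongs to
    kind: str                         # PROMISCUOUS, COMMUNITY or ISOLATED
    secondary: Optional[int] = None   # community/isolated VLAN; None for promiscuous


def is_active(port: Port, associations: Dict[int, Set[int]]) -> bool:
    """A host port whose secondary VLAN is not associated with its primary
    VLAN is treated as inactive (assumption mirroring the
    'private-vlan association' step); an inactive port forwards nothing."""
    if port.kind == PROMISCUOUS:
        return True
    return port.secondary in associations.get(port.primary, set())


def can_talk(src: Port, dst: Port, associations: Dict[int, Set[int]]) -> bool:
    """Apply the PVLAN forwarding rules at Layer 2 (no routing assumed)."""
    if not (is_active(src, associations) and is_active(dst, associations)):
        return False
    if src.primary != dst.primary:
        return False                          # different primary VLANs never meet at L2
    if PROMISCUOUS in (src.kind, dst.kind):
        return True                           # promiscuous talks to every port type
    if src.kind == COMMUNITY and dst.kind == COMMUNITY:
        return src.secondary == dst.secondary  # same community VLAN only
    return False                              # isolated <-> anything non-promiscuous


def reachable_pairs(ports: Iterable[Port],
                    associations: Dict[int, Set[int]]) -> Set[Tuple[str, str]]:
    """Return the set of ordered (src, dst) port names that can exchange frames."""
    ports = list(ports)
    return {
        (a.name, b.name)
        for a in ports for b in ports
        if a is not b and can_talk(a, b, associations)
    }


def check_isolation(ports: Iterable[Port], associations: Dict[int, Set[int]],
                    must_not_talk: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the pairs from must_not_talk that the model says CAN talk
    in either direction, i.e. the policy violations."""
    reach = reachable_pairs(ports, associations)
    return sorted(p for p in must_not_talk if p in reach or (p[1], p[0]) in reach)


# --- the page's configuration, transcribed into the model ---
ASSOCIATIONS = {200: {205, 210}}        # vlan 200 / private-vlan association 205,210
PORTS = [
    Port("Fa4/24", 200, COMMUNITY, 205),
    Port("Fa4/25", 200, COMMUNITY, 205),
    Port("Fa4/26", 200, ISOLATED, 210),
    Port("Fa4/27", 200, PROMISCUOUS),   # mapping 200 205,210
]

# Constructed policy: the isolated host must never reach the community hosts.
POLICY = [("Fa4/26", "Fa4/24"), ("Fa4/26", "Fa4/25")]

if __name__ == "__main__":
    for src, dst in sorted(reachable_pairs(PORTS, ASSOCIATIONS)):
        print(f"{src} -> {dst}")
    print("violations:", check_isolation(PORTS, ASSOCIATIONS, POLICY))
    # Failure mode: forgetting to associate VLAN 210 leaves Fa4/26 inactive.
    print("Fa4/26 -> Fa4/27 without association:",
          can_talk(PORTS[2], PORTS[3], {200: {205}}))
```

Running the script lists the eight reachable ordered pairs (Fa4/24 and Fa4/25 with each other and with Fa4/27, and Fa4/26 with Fa4/27 only) and an empty violation list. The last line shows the association failure mode: with VLAN 210 missing from the `private-vlan association`, the isolated port forwards nothing at all, which matches a port that the switch would report as inactive.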