Hi Renan,

Is it possible to configure private VLAN on the trunk port connecting from 3750 to the both 2960? But at the same time, VLAN 35 is able to communicate to 3750?

Hi Daniel,

     Private VLAN is a feature for access ports, trunk ports carry traffic from regular and all kinds of private VLANs.

     The way private VLANs works is this way.

Promiscuous port => those ports can talk to any private VLAN type, usually this is the port connected to the GW or let's say to an wireshark gathering all kind of data.

Isolated port => Can only talk to a promiscuous port, not with other private VLANs.

community port => Can only talk to the promiscuous port and other ports on the same community.

What exactly are you trying to do? Do you have a specific port on one of those switches that you do not want talking to the other ports? 

Hi Renan,

What I want was to prevent 2960 A client (10.35.0.10) to talk to 2960 B client (10.35.0.11). But at the same time VLAN 35 was able to pass from the 2960 A/B to 3750. 

I believe that if both devices you want no to speak with each other are on 2960 the "switchport protected" should work.

But you can configure with private vlan.

let's say client A is in port f0/1 and client B in port f0/2

Parent (main) VLAN is 100 and child is 999

You would configure the VLANs in ALL switches.

vlan 999

private-vlan isolated

vlan 100

private-vlan primary

private-vlan association 999

Now you would need to configure the ports.

int range f0/1 - 2

switchport mode private-vlan host
switchport private-vlan host-association 100 999

If the interfaces will talk to other VLANs, you need to configure the SVI to understand it will serve the private VLANs.

interface vlan 100

private-vlan mapping 999

That's it, but notice that now interface f0/1 will not talk to f0/2 and to any other interface inside vlan 100, if you want a port to communicate to f0/1 or f0/2 this new port would need to be configured as a promiscuous one (In case it needs to talk to both of them) or create a community private-vlan and configure the ports desired on it. (F0/1 and F0/2 can't be on the same community VLAN or they'll be able to talk to each other).

If the intention is to prevent one specific port from talking to all the others, you can put only this interface in the private VLAN instead of both.

wrote too much, if this answers your question let me know, or we can create a practical scenario for it.

Hi Renan,

Thanks for your prompt respond. For this case, Client A and Client B is located on 2 different switch. eg Client A is located at 2960 A and Client B is located on 2960 B. Between for 2960, it unable to create private VLAN. Only switchport protected is allow, that why I can only configure private VLAN on 3750 trunk port which is connected to the 2 x 2960 switches. 

Got it, just checked this link below, looks like 2960s do not support private vlan.

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10584-63.html

I believe you would need to use something else to do it, maybe VLAN filter...

In 3560 

ip access-list extended FILTER_CLIENTS_TRAFFIC_ACL
permit ip host 10.35.0.10 host 10.35.0.11
permit ip host 10.35.0.11 host 10.35.0.10

vlan access-map FILTER_CLIENTS_TRAFFIC_AM 10
match ip address FILTER_CLIENTS_TRAFFIC_ACL
action drop

vlan access-map FILTER_CLIENTS_TRAFFIC_AM 20
action forward

vlan filter FILTER_CLIENTS_TRAFFIC_AM vlan-list  100

Assuming  vlan 100 is the vlan in question.

Hi Renan,

Thanks for the information. I will give it a try.