

Private vlans

I have a switch with community vlans, isolated vlans and a primary vlan. The primary vlan is connected to the default gateway which is a firewall. I need the firewall to use dot1q trunking so therefore need to change the uplink switch port to be a trunk. However as the switch is a Cat 3750 it appears that I can't still have the port in a primary vlan. Can I have a trunk & a primary vlan. If not and I just configure a trunk, will the switchport act as a primary port?


Re: Private vlans

3750 doesn't support trunking on its PVLAN Promiscuous port. You need to move up in switch platform to gain that feature, 4500 or 6500 series.

If you try and set it up as a trunk you will get unexpected results. Your flows will not be routed correctly at L2. Assuming that the FW running the trunk is going to have a virtual interface per vlan. This is how the PIX does it. Your flows would leave one interface and return in another. A firewall would not like this.

Please rate any helpful posts
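Added example, not taken from any post in this thread: an IOS private-VLAN configuration that puts the two cases side by side, the promiscuous access port the 3750 supports and the promiscuous trunk that, per the reply above, needs a 4500 or 6500. It uses the VLAN numbers from the later question (isolated 2000, primary 2001); the interface names are assumed.

```cisco
! Private-VLAN definitions (VTP must be transparent or off for PVLANs)
vtp mode transparent
!
vlan 2000
 private-vlan isolated
!
vlan 2001
 private-vlan primary
 private-vlan association 2000
!
! Server port: host port in the isolated VLAN, can only reach promiscuous ports
interface GigabitEthernet1/0/10
 switchport mode private-vlan host
 switchport private-vlan host-association 2001 2000
!
! 3750 uplink to the firewall: the supported form is an untagged promiscuous
! access port, so the firewall sees a single (primary) VLAN here
interface GigabitEthernet1/0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 2001 2000
!
! Promiscuous trunk (dot1q to the firewall) - accepted on 4500/6500, not on a 3750;
! the isolated traffic is rewritten to the primary VLAN on this port
interface GigabitEthernet1/1
 switchport mode private-vlan trunk promiscuous
 switchport private-vlan trunk allowed vlan 2001
 switchport private-vlan mapping trunk 2001 2000
```

Verify with `show vlan private-vlan` and `show interfaces switchport` that the association and mappings are active, since a port whose mapping is rejected silently stays inactive.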




Re: Private vlans

Do you know whether the 3560 supports trunking on promiscuous ports? I have a situation where I have servers on isolated p.vlan 2000 on a distribution layer switch. I don't want to do any p.vlan configuration on the Core. So can communication happen between the Core and the servers on isolated vlan 2000 if the only vlan that goes through the trunk link is primary vlan 2001? Or do I have to put the isolated vlan in the allowed vlans on the trunk as well? And also every community vlan that I have?

So what I'm asking is: do the devices that don't have p.vlan on see all the community vlans etc., or do they only see the primary VLAN?

