Configuring Private VLANs on FEX Trunk Ports

Command or Action
Step 4: switch(config-if)# switchport private-vlan association trunk {primary-vlan-id}
Step 5: switch(config-if)# no switchport private-vlan association trunk [primary-vlan-id]
This example shows how to configure Ethernet interface 1/1 as an isolated trunk port for a PVLAN and then
associate the secondary VLANs to the primary VLAN:
switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# switchport mode private-vlan trunk secondary
switch(config-if)# switchport private-vlan association trunk 5 100
switch(config-if)# switchport private-vlan association trunk 6 200
Configuring Private VLANs on FEX Trunk Ports
To allow a FEX HIF that is configured as a normal dot1q trunk port to forward both primary and secondary VLAN traffic, you must enable the system private-vlan fex trunk command. FEX trunk ports extend the PVLAN domain to all the hosts connected to them, and the command, when configured, globally affects all FEX ports connected to the Cisco Nexus device.
The FEX interface does not support configurations that include promiscuous ports. Also, the FEX interface does not support connections to devices that have promiscuous ports. When promiscuous functionality is required, the device, such as a Cisco Nexus 1000V, must connect to the base ports of the Cisco Nexus
You must disable all the FEX isolated trunk ports and isolated host ports before configuring PVLANs on the FEX trunk ports. If the FEX isolated trunk ports and the FEX trunk ports are both enabled, unwanted network traffic might occur.
Before You Begin
Ensure that the PVLAN feature is enabled.
1. switch# configure terminal
2. switch(config)# system private-vlan fex trunk
3. (Optional) switch(config)# copy running-config startup-config
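The following audit sketch is an added example, not part of the Cisco guide. It checks a saved running-config for the conflict described above: FEX trunk PVLAN mode enabled globally while FEX ports are still enabled as isolated trunk or PVLAN host ports. The sample configuration is constructed, and the three-part EthernetCHASSIS/SLOT/PORT naming for FEX interfaces and the indented stanza layout are assumptions.

```python
import re

# Constructed sample running-config (not from the guide). Assumption: FEX host
# interfaces appear as EthernetCHASSIS/SLOT/PORT with indented sub-commands.
SAMPLE_CONFIG = """\
feature private-vlan
system private-vlan fex trunk
interface Ethernet1/1
  switchport mode private-vlan trunk secondary
  switchport private-vlan association trunk 5 100
interface Ethernet100/1/1
  switchport mode trunk
interface Ethernet100/1/2
  switchport mode private-vlan trunk secondary
  switchport private-vlan association trunk 6 200
interface Ethernet100/1/3
  switchport mode private-vlan host
  shutdown
interface Ethernet101/1/7
  switchport mode private-vlan host
"""

FEX_IF = re.compile(r"^Ethernet\d+/\d+/\d+$", re.I)
# Host ports can be isolated or community; both are reported for review.
ISOLATED_MODES = ("switchport mode private-vlan trunk secondary",
                  "switchport mode private-vlan host")

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line[:1].isspace() and current:
            stanzas[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return stanzas

def audit_fex_pvlan(config):
    """List enabled FEX PVLAN trunk-secondary/host ports when FEX trunk mode is on."""
    if "system private-vlan fex trunk" not in [l.strip() for l in config.splitlines()]:
        return []  # global command absent (or negated): nothing to conflict with
    findings = []
    for name, cmds in parse_interfaces(config).items():
        mode = next((c for c in cmds if c in ISOLATED_MODES), None)
        if FEX_IF.match(name) and mode and "shutdown" not in cmds:
            findings.append((name, mode))
    return findings
```

Each tuple returned names a FEX port to shut down or reconfigure before relying on FEX trunk ports for PVLAN traffic.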
Cisco Nexus 5000 Series NX-OS Layer 2 Switching Configuration Guide, Release 5.1(3)N1(1)
Step 4: Associates the isolated trunk port with the primary and secondary VLANs of a PVLAN. The secondary VLAN should be an isolated VLAN. Only one isolated VLAN can be mapped under a given primary VLAN.
Step 5: Removes the PVLAN association from the port. If the primary-vlan-id is not supplied, all PVLAN associations are removed from the port.
Configuring Private VLANs


