Cisco Catalyst 3560X-24P Command Reference Manual page 914

switchport mode private-vlan
A private-VLAN port cannot be a secure port and should not be configured as a protected port.
For more information about private-VLAN interaction with other features, see the software
configuration guide for this release.
We strongly recommend that you enable spanning tree Port Fast and bridge-protocol-data-unit (BPDU)
guard on isolated and community host ports to prevent STP loops due to misconfigurations and to speed
up STP convergence.
If you configure a port as a private-VLAN host port and you do not configure a valid private-VLAN
association by using the switchport private-vlan host-association interface configuration command,
the interface becomes inactive.
If you configure a port as a private-VLAN promiscuous port and you do not configure a valid private
VLAN mapping by using the switchport private-vlan mapping interface configuration command, the
interface becomes inactive.
Examples This example shows how to configure an interface as a private-VLAN host port and associate it to
primary VLAN 20. The interface is a member of secondary isolated VLAN 501 and primary VLAN 20.
When you configure a port as a private VLAN host port, you should also enable BPDU guard and Port
Note
Fast by using the spanning-tree portfast bpduguard default global configuration command and the
spanning-tree portfast interface configuration command.
Switch# configure terminal
Switch(config)# interface gigabitethernet 1/0/1
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 20 501
Switch(config-if)# end
This example shows how to configure an interface as a private VLAN promiscuous port and map it to a
private VLAN. The interface is a member of primary VLAN 20 and secondary VLANs 501 to 503 are
mapped to it.
Switch# configure terminal
Switch(config)# interface gigabitethernet 1/0/2
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 20 501-503
Switch(config-if)# end
You can verify private VLAN switchport mode by using the show interfaces interface-id switchport
privileged EXEC command.
Related Commands Command
private-vlan
show interfaces
switchport private-vlan
Catalyst 3750-X and 3560-X Switch Command Reference
2-882
Description
Configures a VLAN as a community, isolated, or primary VLAN or
associates a primary VLAN with secondary VLANs.
switchport Displays the administrative and operational status of a switching
(nonrouting) port, including private VLAN configuration.
Configures private VLAN associations and mappings between
primary and secondary VLANs on an interface.
Chapter 2 Catalyst 3750-X and 3560-X Cisco IOS Commands
OL-21522-02