Private vlan over dot1q trunks with etherchannels

Similar Messages

• Catalyst series - Private VLAN over trunk

  Hey every body
  I was planning to implement a Cisco Nexus 5596 in a data center as it supports private VLAN over trunk.
  But now, I av been forced to use a Cisco Catalyst series instead of the Nexus one.
  Based on the feature that is very important for my manager (private VLAN over trunk), which Catalyst switch can be replaced with the Nexus 5596? In other words, what Catalyst series switch works at the same scale and efficiency of Nexus 5596 and supports private VLAN over trunk feature?
  Cheers

  4500x Yes
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
  Nexus 5k Yes
  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
  3850s
  They dont support pvs at all yet
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
  Restrictions for VLANs
  The following are restrictions for VLANs:
  The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
  The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
  Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
  Private VLANs are not supported on the switch.
  You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.

• Vlan over wireless bridge with internet sharing?

  Hi Community, my first post here, hoping somebody may be able to advise...
  I live on a farm which is too far for broadband but fortunately I also have an office in a nearby town and because I have line of sight I have setup a wireless bridge, this gives me 8 MBits which is wonderful. Some of my equipment, for example a NAS is on the farm, and I need to access them from the office via the wireless link and I occasinally use vnc to access my office desktop from the farm. This all works beautifully.
  Ok. now I want to share my internet with my neighbor on the farm, who, in a strange twist also rents an office next to mine downtown, so I would like to give him access to the internet and to his equipment he has there too.. but I don't want him to be able to access my equipment and visa versa I don't want to see his stuff...
  This sounds like a job for port based VLAN.. and so what I bought is two Linksys/Cisco SLM2005 layer2 switches in the hope that this would allow me to do what I want... but I'm not so sure now. In the office I use a draytek v2910 which has a vlan feature that allows me to separate the ports from each other, only giving them internet access.
  So... if I connect these two switches to each other, and I create a VLAN with the same id on each of the switches, will the corresponding vlans be shared, so, if you assume the following hardware setup:
  farm: slm2005 switch
  port 1 -> wireless bridge to office: member of vlan "2", "3"
  port 2 -> access point A for neighbor: member of vlan "2"
  port 3 -> my own access point B: member of vlan "3"
  office: slm2005 switch
  port 1 -> wireless bridge to farm: member of vlan "2", "3"
  port 2  -> access point C for neighbor: member of vlan "2"
  port 3 -> my access point for office D: member of vlan "3"
  port 4 -> router port 1: member of vlan "2"
  port 5 -> router port 2: member of vlan "3"
  the router (draytek v2910) is configured in such a way to separate port 1 and port 2 (otherwise there would be a loop...)
  The idea here is to create a vlan "2" for my neighbor and "3" for myself. but what's the correct way to consider the wireless bridge inbeetween (in fact, I think the same problem would occur if I just connected the two switches with a cable (if i had a 2 mile long one..)...)
  Will my neighbor be able to see both access points "A" and "C" and the internet, but not be my access points "B" and "D"? Or does this whole concept of VLAN over bridge not work like this, or not at all?
  Thanks in advance for any advice,
  Andres

  Hi Andreas,
  you're not far from it.
  Your whole concept is ok. What you just need is on the gateway of each subnet (I would presume it's the router in the office) to create an access list preventing to route between vlan 2 and 3.
  On all other devices,  traffic can't jump between vlans. But on a routing device that has the Vlan layer3 interfaces, traffic is routed between vlans so that's where you need to prevent it.
  With regards to vlans over wireless, you're also having the good concept. The point is to have only 1 ssid, that will be in a certain vlan, but also bridging the other vlans onto that ssid.
  This doc should help you out :
  http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#vlanbr
  HTH,
  Nicolas
  Thanks to rank the answer if you see it as useful !

• Problems with vlan and dot1q trunking port

  Dear Folks,
  i have problems with my AccessPoint Konfiguration.
  Even when i set the Catalyst Port to trunk, i can only connect to VLAN 1 but not to VLAN 10.
  and if i change the port to statik vlan 10 i can not connect to the ap but it works...
  config below:
  User Access Verification
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname 1200_PP_1
  logging queue-limit 100
  enable secret xxxx
  clock timezone A 1
  ip subnet-zero
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  ssid DEPACNGLW0HS
  vlan 10
  authentication shared
  infrastructure-ssid
  mobility network-id 10
  speed basic-1.0 2.0 5.5 11.0
  rts threshold 2312
  channel 2412
  antenna receive right
  antenna transmit right
  station-role root
  interface Dot11Radio0.1
  no ip route-cache
  interface Dot11Radio0.10
  encapsulation dot1Q 10 native
  no ip route-cache
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 port-protected
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  speed 100
  full-duplex
  ntp broadcast client
  interface FastEthernet0.1
  encapsulation dot1Q 1
  no ip route-cache
  bridge-group 254
  no bridge-group 254 source-learning
  bridge-group 254 spanning-disabled
  interface FastEthernet0.10
  encapsulation dot1Q 10 native
  no ip route-cache
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 10.2.2.222 255.255.255.0
  no ip route-cache
  ip default-gateway 10.2.2.2
  ip http server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/122-15.JA/1100
  ip radius source-interface BVI1
  bridge 1 route ip
  line con 0
  line vty 0 4
  login local
  line vty 5 15
  login
  end
  it would be fine if anyone could help me....

  You configure Layer 3 Mobility with WLSM. No trunking is required on the CAT switch. However, you need to set the switch port on the CAT switch as access port in VLAN 10.
  Please post the WLSM and SUP720 configuration. Also, which VLAN do you want to access the AP?
  The following URL may be useful for you to verify the configuration:
  http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/prod_technical_reference09186a00802a86a7.html

• 3750 bandwidth limitation between the same vlan over the trunk

  Hi All,
  I have 2 3750G series switches on the trunk link. some machines are part of vlan1 on the switch 1 and some machines are the part of the same vlan1 on the other switch2. I need to limit the bandwidth between the switches for the vlan1. picture is attached.
  I tried to do through the modulare policy frame work (class-map/service-map and policy-map using the police command) but problems are
  1) 3750 does not support output service policy, so i cannot apply the policy on the output of the trunk link.
  2) I can apply the input policy but it will be only for one machine but not for the others on the same switch. if i apply the policy on per port basis then every port has separate bw limitation. I require to limit the bandwidth on per vlan basis on the trunk port. like vlan 1 takes 10 MB, VLAN2 takes 10 MB on the trunk link when communicating between the same vlans.
  Is there any solution for that scenario? your help in this case will be higly appriciated. As its the layer 2 communication, its hard for me to find the solution. if it was layer 3 then i can do it easily by using the rate-limit commmand on the interface.
  thanks

  On the 4500 series we use vlan-range for this,
  conf t
  qos aggregate-policer 10MB 10 mbps 1250000 byte conform-action transmit exceed-action drop
  policy-map 10MB
  class class-default
  police aggregate 10MB
  interface GigabitEthernet1/1
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 1,10,12,15
  switchport mode trunk
  switchport nonegotiate
  vlan-range 1
  service-policy input 10MB
  service-policy output 10MB
  end
  dunno if the 3750's have the same options

• Third Party Phone over SIP Trunk with CUCM 9.x

  Hi all,
  I have a problem where my Third Party SIP phones wont go over the SIP trunk configured in my CUCM 9.x cluster. My Cisco phones work fine and goes out the trunk. I have noticed a distinct difference in wireshark with the invite packets from Third Party SIP phones and the Cisco ones.
  I have configured the SIP trunk in CUCM with the following route pattern (60.!#)and configured it with associated group and list. Heres the differense between the invite packets from Cisco and Third Party phones.
  Cisco Phone: INVITE sip.60xxxx%23@ipadress
  Third Party SIP Phone:  INVITE sip:[email protected]
  It seems the Cisco phones gets some extra configured the Third Party ones dont...
  Thanks in advance for any help.
  //Per

  Thanks for the answer
  Yeah i have DNS configured and i have the trunk pointed to a domain destination SRV record and like i said it works fine when calling from a Cisco phone. I tried changing the domain to an ip address but same result. I also changed the Plycom phone from being registered towards the domain of CUCM to an IP adress of CUCM and then the SIP INVITE messages in wireshark began to look kinda the same expet for the "%23" section but it still dont work.
  When i look at the Real Time Data in RTMT the orig and final called from the cisco phone has stripped the 60 and forwared the rest of the number towards the correct domain for the SIP trunk.
  When looking at the data from the Polycom phone the orig and final called data still contains the 60 prefix part and the called device name field is empty.  The termination Cause Code is that the number requested is Unallocated/Unassigned..
  In other words something is missing to get CUCM to strip 60 from the Polycom phones dialed number and send it towards the SIP trunk like it does when the Cisco phones call it.
  Unfortunatley i dont have the meens to attach the trace...
  Thanks again for any help/advice
  With regards, Per.

• Map Traffic over GE links with Etherchannel in 4500 platform

  Hi,
  Does anybody have experience with the command "show platform software etherchannel..." over 4500s?
  For instance:
  sw#sh platform software etherchannel port-channel 3 map ip 10.1.1.1 10.1.1.3
  Map port for Ip 10.1.1.1, 10.1.1.3 is Gi3/3(Po3)
  NOTE: Software forwarded traffic will use Gi3/1(Po3)
  We are concerned about the "Software Forwarded Traffic". One could think that is related to CPU forwarded traffic (L2 control traffic eg, CDP, PAgP, etc etc).
  However in some tests we are suspecting that ICMP traffic is passing through that link instead of the the link mentioned as "map port" (ICMP traffic not originated nor received at the switch).
  Is this command 100% reliable ?
  Thanks

  You can use the following command to verify which type of traffic (source/destination,
  mac/ip/l4-port) would select which member port within etherchannel.
  show platform software etherchannel port-channel map mac
  ex :
  Cat4507#$e etherchannel port-channel 2 map mac 0000.0000.0000 1111.1111.1111
  Map port for mac 0000.0000.0000, 1111.1111.1111 is Fa4/48(Po2)
  NOTE: Software forwarded traffic will use Fa4/48(Po2)
  Use the above command for a channel that is up.

• Private-VLAN and EtherChannel

  Hi,
  On a Catalyst 3750, I have created a Primary and Secondary Community VLANs and have associated them.
  The Primary VLAN (100) is attached to a promiscuous port, the Secondary VLANs (101-103) aren't attached to any port.
  I would like to let the Secondary VLANs traffic pass over an EtherChannel link that is a dot1q trunk.
  The trunk is made with a virtual switch (VMware ESX) and transports non-Private VLANs (101-103). The trunk itself works.
  How can I configure the EtherChannel as a private-VLAN port, considering that the EtherChannel isn't using PAgP/LACP modes? ("group-channel 1 mode on").
  Is there a way to solve this without replacing the Private-VLANs with VLANs?
  Thanks in advance for your help!

  From "EtherChannel Configuration Guidelines"
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225sed/scg/swethchl.htm#wp1021856
  Do not configure a private-VLAN port as part of an EtherChannel.

• Dot1q-Trunk Cisco - Enterasys Matrix E7

  Hi,
  we're trying to build a 802.1q-Trunk between a Cisco Catalyst 3550 and an Enterasys Matrix E7 (6H352-25).
  The untagged (native: 1) VLAN works but the tagged VLANs don't.
  The Cisco Interface (Gi0/1) is configured as usual:
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport nonegotiate
  It doesn't look like a STP problem.
  Does anybody have any experience with that combination or ideas how to make it work?
  Thanks in advance
  Rolf Fischer

  When you connect a Cisco switch to a non-Cisco device through an 802.1Q trunk, the Cisco switch combines the spanning tree instance of the native VLAN of the trunk with the spanning tree instance of the non-Cisco 802.1Q switch. However, spanning tree information for each VLAN is maintained by Cisco switches separated by a cloud of non-Cisco 802.1Q switches. The non-Cisco 802.1Q cloud separating the Cisco switches is treated as a single trunk link between the switches. Ensure the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. If the VLAN on one end of the trunk is different from the VLAN on the other end, spanning tree loops might result. Disabling spanning tree on any VLAN of an 802.1Q trunk can potentially cause spanning tree loops.

• Nexus 1000V private-vlan issue

  Hello
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:Standardowy;
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman";
  mso-ansi-language:#0400;
  mso-fareast-language:#0400;
  mso-bidi-language:#0400;}
  I need to transmit both the private-vlans (as promiscous trunk) and regular vlans on the trunk port between the Nexus 1000V and the physical switch. Do you know how to properly configure the uplink port to accomplish that ?
  Thank you in advance
  Lucas

  Control vlan is a totally seperate VLAN then your System Console. The VLAN just needs to be available to the ESX host through the upstream physical switch and then make sure the VLAN is passed on the uplink port-profile that you assign the ESX host to.
  We only need an interface on the ESX host if you decide to use L3 control. In that instance you would create or use an existing VMK interface on the ESX host.

• Heads Up: Private VLAN Sticky-ARP DHCP Issues

  Here is the scenario:
  Private VLANs are configured on a 6500 Sup720 with SVIs routing for the PVLANs.
  DHCP Snooping and IP ARP Inspection are also configured for the PVLAN subnets.
  A DHCP Server is offering 3 day leases.
  A laptop connects to the network and receives a 3-day lease. The user leaves the office and returns 4 days later. The DHCP server offers a new lease with a different IP address. Furthermore, the previous IP address leased to the laptop has been handed out in a new lease to another host. Both systems receive their DHCP lease but have no network connectivity.
  The problem occurs because, by default, PVLAN SVIs use Sticky-ARP and never age out their ARP cache. Since the laptop has a different IP address to MAC address mapping than recorded in the Sticky-ARP cache, a violation occurs and the switch prevents the new IP address from populating the ARP table on the switch.
  Sticky-ARP is a security feature that prevents one system from stealing another systems IP address.
  Log messages show the following:
  %IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry
  The 6500 PVLAN configuration guide Restrictions and Guidlines section suggests that Sticky-ARP is fundamental to Private-VLANs, and the only work-around for this problem is to create manual arp entries for the new IP address. This is clearly not a viable workaround for this scenario.
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm#wp1090979
  However, the 6500 Command Reference shows that Sticky ARP can be disabled, but makes no reference to PVLANs
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/i1.htm#wp1091738
  There appears to be two sensible solutions to this problem:
  1) Disable Stick-ARP on the 6500 for the PVLANs. Since DHCP Snooping and IP ARP Inspection are configured, sticky-arp can be disabled without relaxing network security. This is assuming the 6500 will accept the command and will not break the existing PVLAN functionality.
  2) Extend the DHCP lease longer, to 45 or 90 days perhaps. This will catch most transient activity and keep the IP address to MAC address relationships the same, wherever possible. The downside here is that DHCP address pools could collect stale entires that would take the lease time to flush, thus reducing the overall available IPs in the pool.
  Has anyone else run into this problem? If so, what was your solution? Did you attempt either option above? I am planning on using solution #1 above, but I wanted to ping the NetPro community with this as I am sure we are not the first customer to run into this. Or are we??
  Regards,
  Brad

  Excellent question.
  Sticky-ARP is NOT intended to be a pain-in-the-butt that should disabled right away, rather, it is a security mechanism that prevents a system from stealing an active IP address on the subnet and causing a lot of problems. Sticky-ARP works best on subnets that have all static IP addressing where there is no expectation that a host would frequently change its IP address.
  Yes, I would recommend keeping Sticky-ARP on subnets with all static IP addresses.
  In DHCP subnets with no static IP addressing, DHCP Snooping and IP ARP Inspection provide the same security coverage that Sticky-ARP does, they prevent a system from claiming an illegitimate IP and MAC address. Furthermore, in DHCP subnets, it is reasonable to expect that a host would change its IP address from time to time when its lease expires.
  Sticky-ARP does not provide any addtional securtity benefits when DHCP Snooping and IP ARP Inspection are active and it only causes problems when a lease expires.
  When Cisco made Stick-ARP the default behavior for Private VLANs, they certain did not have DHCP in mind.
  In Summary, it should be known as a Best Practice that when using Private VLANs on user segments with DHCP that DHCP Snooping and IP ARP Inspection should be enabled and Sticky-ARP be disabled.
  Brad

• Private Vlan, Etherchannel and Isolated Trunk on Nexus 5010

  I'm not sure if I'm missing something basic here however i though that I'd ask the question. I recieved a request from a client who is trying to seperate traffic out of a IBM P780 - one set of VIO servers/clients (Prod) is tagged with vlan x going out LAG 1 and another set of VIO server/clients (Test) is tagged with vlan y and z going out LAG 2. The problem is that the management subnet for these devices is on one subnet.
  The infrastructure is the host device is trunked via LACP etherchannel to Nexus 2148TP(5010) which than connects to the distribution layer being a Catalyst 6504 VSS. I have tried many things today, however I feel that the correct solution to get this working is to use an Isolated trunk (as the host device does not have private vlan functionality) even though there is no requirement for hosts to be segregated. I have configured:
  1. Private vlan mapping on the SVI;
  2. Primary vlan and association, and isolated vlan on Distribution (6504 VSS) and Access Layer (5010/2148)
  3. All Vlans are trunked between switches
  4. Private vlan isolated trunk and host mappings on the port-channel interface to the host (P780).
  I haven't had any luck. What I am seeing is as soon as I configure the Primary vlan on the Nexus 5010 (v5.2) (vlan y | private-vlan primary), this vlan (y) does not forward on any trunk on the Nexus 5010 switch, even without any other private vlan configuration. I believe this may be the cause to most of the issues I am having. Has any one else experienced this behaviour. Also, I haven't had a lot of experience with Private Vlans so I might be missing some fundamentals with this configuration. Any help would be appreciated.

  Hello Emcmanamy, Bruce,
  Thanks for your feedback.
  Just like you, I have been facing the same problematic last months with my customer.
  Regarding PVLAN on FEX, and as concluded in Bruce’s previous posts I understand :
  You can configure a host interface as an isolated or community access port only.
  We can configure “isolated trunk port” as well on a host interface. Maybe this specific point could be updated in the documentation.  
  This ability is documented here =>
  http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_1170903
  You cannot configure a host interface as a promiscuous  port.
  You cannot configure a host interface as a private  VLAN trunk port.
  Indeed a pvlan is not allowed on a trunk defined on a FEX host interface.
  However since NxOS 5.1(3)N2(1), the feature 'PVLAN on FEX trunk' is supported. But a command has to be activated before => system private-vlan fex trunk . When entered a warning about the presence of ‘FEX isolated trunks’ is prompted.
  http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/layer2/513_N2_1/b_Cisco_n5k_layer2_config_gd_rel_513_N2_1_chapter_0101.html#task_16C0869F1B0C4A68AFC3452721909705
  All these conditions are not met on a N5K interface.
  Best regards.
  Karim

• Private VLAN Promiscuous Trunk Port - Switches which support this function

  Can anyone confirm if the "Private VLAN Promiscuous Trunk Port" feature is supported in any lower end switches such as Nexus 5548/5672 or 4500X? According to the feature navigator support seems to be restricted to the Catalyst 4500 range (excluding the 4500X) as shown below. If the feature is going to be supported in the Cat 3850 this would be good to know, thanks

  4500x Yes
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
  Nexus 5k Yes
  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
  3850s
  They dont support pvs at all yet
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
  Restrictions for VLANs
  The following are restrictions for VLANs:
  The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
  The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
  Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
  Private VLANs are not supported on the switch.
  You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.

• Private Vlans and trunk mode

  if we have a primary vlan 100 associate with it
  vlan 11 over {fa0/2 work as host mode} , vlan 12 over {fa0/3 work as host mode} they work as secondry community vlan
  and vlan 13 as isolated secondry vlan over {fa0/4 host mode}
  How we can route between private vlans 11,12,13 and {vlan 50 fa0/5 access mode}
  cloud we use the fa 0/1 which connected to L3 device as promiscouous mode and trunk mode at the same time or what ... ??
  and

  Private vlan's are all on the same subnet, so from what you are writing I see:
  100-------------------------------
  | | |
  | | |
  11 12 13
  Fa0/2 fa/03 fa0/4
  and you want to route to Vlan 50, correct?
  In that case you need to trunk vlan 100 to a vlan interface and make sure that vlan 50 also has a routed interface on the same device.

• Private-VLAN trunk on 3560X

  Hi,
  I need to create Private-VLANs on 3650X, but is possible to configure this technology with 3560X switch and IOS 12.2(55)SE5?. I attach the topology.
  I want to configure the private VLANs on the VLAN 30, the isolated VLAN is the number 100 and the community VLAN is the 200. I guess that the interfaces trunk has to be set as promiscuous mode, is that correct?
  If the trunk is configuring as promiscuous mode, what happened with the others VLANs (10, 20 and 40), and what is the correct configuration for the interfaces trunk?

  Hi,
  Follow the config guide on how to configure private vlans:
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swpvlan.html
  HTH