1、私有VLAN解析

PVLAN分为Primary VLAN和Secondary VLAN，其中Secondary VLAN进一步分为隔离VLAN和团体VLAN，隔离VLAN和团体VLAN之间不能互访，但他们都能与Primary VLAN互访，隔离VLAN内部不能互访，团体VLAN内部可以互访。

端口角色

混杂端口：Primary VLAN端口

Host端口：隔离端口和团体端口

2、实验拓扑

3、基础配置

IOU1配置

no ip routing

interface Ethernet0/0

 ip address 192.168.1.1 255.255.255.0

IOU2配置

no ip routing

interface Ethernet0/0

 ip address 192.168.1.2 255.255.255.0

IOU3配置

no ip routing

interface Ethernet0/0

 ip address 192.168.1.3 255.255.255.0

IOU4配置

no ip routing

interface Ethernet0/0

 ip address 192.168.1.4 255.255.255.0

IOU5配置

no ip routing

interface Ethernet0/0

 ip address 192.168.1.5 255.255.255.0

4、PVLAN配置

配置透明模式（PVLAN必须配置在透明模式下）

vtp mode transparent

定义vlan

vlan 20

private-vlan primary 

vlan 501

private-vlan community 

vlan 502

private-vlan isolated 

关联vlan

vlan 20

private-vlan association 501,502  

将端口划进相应VLAN

int e1/0

switchport mode private-vlan promiscuous 

switchport private-vlan mapping 20 501,502

VLAN20为Primary VLAN，VLAN501、502为可以访问的Secondary VLAN

int range e0/0-1

switchport mode private-vlan host 

switchport private-vlan host-association 20 501

int range e0/2-3

switchport mode private-vlan host 

switchport private-vlan host-association 20 502

此时如果想让IOU2、IOU3、IOU4、IOU5都可以网关IOU6，需要做如下配置

ip routing

int vlan 20

ip address 192.168.1.20 255.255.255.0

private-vlan mapping 501,502