When configuring PVLAN on a device, pay attention to the following points:
- One pair of PVLAN consists of only one primary VLAN and at least one secondary VLAN. One switch can configure multiple pairs of PVLAN.
- One primary VLAN can be associated with multiple community VLANs and only one isolated VLAN.
- A secondary VLAN (isolated or community) can be associated with one and only one primary VLAN, but not multiple primary VLANs.
- Each PVLAN port can only belong to one private VLAN (Primary VLAN, Isolated VLAN or Community VLAN), but not multiple PVLANs.
- PVLAN Host Port can only be added into one Isolated VLAN or one Community VLAN.
- PVLAN Promiscuous Port can only be added into one Primary VLAN.
- PVLAN ports cannot be added into any normal VLANs.
- Normal port cannot be added into private VLANs.
- For PVLAN ports, make sure that their native VLAN is a Private VLAN, otherwise the ports won’t be able to forward packets normally.
- PVLAN supports only MSTP feature, no other features are supported.
- Both primary VLAN and secondary VLAN should be in the same MSTP instance when MSTP is deployed with PVLAN.
- Do not enable DHCP relay or DHCP snooping on the switch enabled with PVLAN function.
- PVLAN can be configured on a physical port but not on a LAG interface.
- It is not supported to create the Layer 3 VLAN interface on a private VLAN.
- The configuration of static MAC address is not supported on the private VLANs.
- If you want to change a private VLAN to a normal VLAN, you need to remove the configurations for PVLAN-related binding relationship before you can remove the PVLAN mode configuration. For example, if you use the set vlans vlan-id <vlan-id> private-vlan association <secondary-vlan-list> command for PVLAN association, remove the binding relationship first before you can change the private VLAN to a normal VLAN.
Similarly, it is also required to remove the private VLAN related configuration before changing the role of a private VLAN to another PVLAN type, e.g. when changing the PVLAN type from primary VLAN to secondary VLAN.