Extending Network and Subscriber VLANs to Other Switches

A network or subscriber VLAN can be extended to additional switches without a PVLAN configuration on the additional switches.

You might want to do this to connect to existing servers, switches, or other network devices. You probably do not want to use this approach to support clients, as tag translation and VLAN isolation are not supported unless the PVLAN is configured on all PVLAN switches as described in PVLAN Support over Multiple Switches.

The following figure illustrates PVLAN connections to switches outside the PVLAN.
expand icon
Private VLAN Connections to Switches Outside the PVLAN
../Graphics/EX_vlan_0004.svg

In the above figure, Switch 1, Network VLAN Port 21 connects to a Switch 3 port that only supports the Network VLAN.

In this configuration, the Network VLAN Port 21 on Switch 1 is configured as “translated,” which translates subscriber VLAN tags to the network VLAN tag for access to the Network VLAN extension on Switch 3. Switch 3, Port 24 is configured as tagged and only accepts traffic with the Network VLAN Tag. Switch 3 serves as an extension of the Network VLAN and can be used to connect to network devices such as servers or an internet gateway.

Switch 2, port 22 supports the Network, NonIsolated, and Isolated VLANs, but no PVLAN is configured.

Because port 22 supports multiple VLANs that are part of the PVLAN, and because these Switch 2 VLANs are not part of the PVLAN, Switch 1, port 24, must be configured as a PVLAN endpoint, which establishes the PVLAN boundary. Switch 2, port 22, is configured as a regular tagged VLAN port.

For most applications, it would be better to extend the PVLAN to Switch 2 so that the PVLAN features are available to the Switch 2 VLANs.

The configuration of Switch 2 behaves as follows:
  • The Switch 2 NonIsolated VLAN ports can communicate with the NonIsolated VLAN ports on Switch 1, but they cannot participate in VLAN translation.

  • The Switch 2 Isolated VLAN ports can communicate with other Switch 2 Isolated VLAN ports.

  • The Switch 2 Isolated VLAN ports cannot participate in VLAN translation.

  • The Switch 2 Isolated VLAN ports can receive broadcast and multicast info for the Isolated VLAN.

  • Traffic is allowed from the Switch 1 Isolated VLAN ports to the Switch 2 Isolated VLAN ports.