The main new feature introduced with the Catalyst 3560 switches is the private VLAN feature.
It's not as complicated as it seems to be.
Basically it is a "switchport protected" bound to VLANs across trunk ports. It's also similar to an RSPAN session, which is SPAN across different switches.
So if you configure two ports as switchport protected in the same VLAN on the same switch, they are not able to communicate with each other.
vlan 28
int f0/2
switchport access vl 28
switchport protected
int f0/3
switchport access vl 28
switchport protected
Now these ports are not able to communicate with each other.
This feature does not work if the ports are separated by a trunk. At this point private VLANs come into play.
You can define a private VLAN and add isolated ports to this VLAN, similar to protected ports on the same switch. These isolated ports are also not able to communicate with each other. VTP mode has to be transparent and the VLAN assignments have to be made on both switches.
vtp mode transparent
vlan 28
private-vlan primary
private-vlan association 281
vlan 281
private-vlan isolated
This defines the primary VLAN and VLAN 281, to which the isolated hosts are added later.
Adding hosts looks like this:
interface f0/7
switchport private-vlan host-association 28 281
switchport mode private-vlan host
This adds an interface as an isolated port to the primary VLAN 28.
You can now define a promiscuous port in VLAN 28, which is able to communicate with these isolated ports.
interface f0/8
switchport private-vlan mapping 28 281
switchport mode private-vlan promiscuous
This promiscuous port will also be able to communicate with the SVI of the VLAN, if there is one.
Communities are private VLANs inside a VLAN that build groups of ports which are able to communicate with each other only inside this private VLAN community. Different communities inside a VLAN are also not able to talk to each other. There is no such limitation for promiscuous ports.
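The isolated, community and promiscuous ports together as one complete configuration. This is an added example, not the original post's configuration; the community VLAN 282, ports f0/9 and f0/10 and the SVI address are assumed, and the mapping under interface vlan 28 is what lets the SVI reach the secondary VLANs.

```cisco
! Added example (not from the original post). VLAN 282, ports f0/9-10
! and the SVI address 192.0.2.1 are constructed values.
vtp mode transparent
!
vlan 281
 private-vlan isolated
vlan 282
 private-vlan community
vlan 28
 private-vlan primary
 private-vlan association 281,282
!
! community hosts: f0/9 and f0/10 talk to each other and to f0/8,
! but not to the isolated host on f0/7 or to any other community
interface range f0/9 - 10
 switchport mode private-vlan host
 switchport private-vlan host-association 28 282
!
! isolated host from the post: reaches f0/8 (and the SVI) only
interface f0/7
 switchport mode private-vlan host
 switchport private-vlan host-association 28 281
!
! promiscuous port: reaches every secondary VLAN it is mapped to
interface f0/8
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 28 281,282
!
! the SVI only answers hosts in secondary VLANs mapped to it;
! a secondary VLAN left out here has no layer-3 gateway
interface vlan 28
 private-vlan mapping 281,282
 ip address 192.0.2.1 255.255.255.0
!
! verification on each switch:
!   show vlan private-vlan             (primary 28, secondaries 281 isolated / 282 community, member ports)
!   show interfaces f0/9 switchport    (Administrative Mode: private-vlan host, association 28 282)
```

Because VTP is transparent, the vlan and association blocks must be repeated on every switch that carries the private VLANs over a trunk; a mismatch shows up as missing entries in show vlan private-vlan on the remote switch.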
Source:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swpvlan.htm