I find PVLAN as an interesting topic, interesting enough for me to post something about it.
Private VLANs (PVLAN) is usually implemented in environments where hosts belonging to the same subnet can be group into a separate sub vlans. Application of such scenario would be in a data center where servers in a server farm can belong to the same vlan but since each server is serving particular clients, they are not suppose to talk to each other nor receive a broadcast from neighbouring servers.
Another case is with ISPs, home subscribers would belong to a subnet but there should be a way where a subscriber can only access the gateway and not other clients within the subnet.
All these is possible with the use of Private VLAN. Its fairly simple to set up
- Determine your primary vlan (promiscuous port)
- Determine your secondary vlans (isolated, community ports)
Promiscuous ports are ports connected to the router, firewall or gateway. They are mapped to secondary vlans.
Isolated ports are associated with isolated vlans where hosts would only communicate with the gateway, host in the isolated vlan won’t receive each others broadcast.
Community ports are ports connected to the community vlan where hosts can communicate with each other and the promiscuous port.
Let begin configuring shall we? In my diagram above, let us say we are managing a mini-server farm and a couple of management hosts within the same switch using the same VLAN. All devices will use the router to reach the internet. Servers will be in isolated vlan 200, while management host will be in vlan 300.
conf t
vlan 200
private-vlan isolated
vlan 300
private-vlan community
vlan 100
private-vlan primary
private-vlan association 100 200,300
! configure our server farm to vlan 200
int range fa0/2 – 4
switchport mode private-vlan host
switchport private-vlan host-association 100 200
exit
! now let us configure our management hosts to vlan 300
int range fa0/5 – 7
switchport mode private-vlan host
switchport private-vlan host-association 100 300
! configure the promiscuous port leading to the router
int fa0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 200,300
Oh yeah and the show commands that can be used to verify stuff:
show int fa0/2 switchport
show vlan private-vlan
show vlan int fa0/2
A good way to test your lab would be to connect a couple of host on each vlan, make sure hosts on vlan 300 can ping each other and the gateway but can’t ping hosts in vlan 200.
host in vlan 200 won’t be able to ping anybody except the gateway. The whole point of this is all host should be in the same subnet.
Running-Config 
Did you get this working in gns3?
Hi,not in gns3 but actual gear, just used GNS3 to create a diagram. Not sure if the new IOU’s switching in GNS3 can actually do it.