You might not want to make an L2 SVI if you use VTP pruning. If pruning is on, an unused VLAN will be pruned from the trunk, resulting in less unnecessary broadcast/flooding traffic. However, creating an SVI creates an "active" interface on your switch. A quick check in GNS3 gives the following:
R1#show vlan-switch

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/1, Fa1/2, Fa1/3, Fa1/4
                                                Fa1/5, Fa1/6, Fa1/7, Fa1/8
                                                Fa1/9, Fa1/10, Fa1/11, Fa1/12
                                                Fa1/13, Fa1/14, Fa1/15
3    VLAN0003                         active
4    VLAN0004                         active
[output omitted]

R1#show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa1/0     on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa1/0     1-4094

Port      Vlans allowed and active in management domain
Fa1/0     1,3-4

Port      Vlans in spanning tree forwarding state and not pruned
Fa1/0     1
Now, if I go to R2, connected to Fa1/0, and type R2(config)#int vlan 3, we will see the following:
R2#show run interface vlan 3
Building configuration...
Current configuration : 38 bytes
!
interface Vlan3
no ip address
end
R2#show run | include vlan 3
R2#
As you can see, no interfaces in VLAN 3, except the SVI. And back on R1:
R1#show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa1/0     on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa1/0     1-4094

Port      Vlans allowed and active in management domain
Fa1/0     1,3-4

Port      Vlans in spanning tree forwarding state and not pruned
Fa1/0     1,3
As you can see, VLAN 3 just came up on the trunk, adding to the traffic levels on your trunks.
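One way to automate the check the post above does by hand, as an added example that is not part of the original thread: it parses constructed samples of the show vlan-switch and show interfaces trunk output and lists, per trunk, the VLANs that are forwarding and not pruned yet have no access port on the switch. The function names and the sample text are assumptions.

```python
import re

# Constructed sample modelled on R1's outputs above, after R2 created interface Vlan3.
SHOW_VLAN = """\
VLAN Name      Status    Ports
---- --------- --------- -------------------------------
1    default   active    Fa1/1, Fa1/2, Fa1/3, Fa1/4
                         Fa1/5, Fa1/6
3    VLAN0003  active
4    VLAN0004  active
"""
SHOW_TRUNK = """\
Port      Vlans in spanning tree forwarding state and not pruned
Fa1/0     1,3
"""

def expand_vlan_list(text):
    """Expand an IOS VLAN list such as '1,3-4' into {1, 3, 4}."""
    vlans = set()
    for part in filter(None, (p.strip() for p in text.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def vlan_ports(show_vlan):
    """Map VLAN id -> set of access ports listed by 'show vlan(-switch)'."""
    ports, current = {}, None
    for line in show_vlan.splitlines():
        m = re.match(r"^(\d+)\s+\S+\s+\S+\s*(.*)$", line)
        if m:                                   # new VLAN row
            current, tail = int(m.group(1)), m.group(2)
            ports[current] = set()
        elif current is not None and line.startswith(" "):
            tail = line                         # wrapped port list
        else:
            continue                            # header / separator
        ports[current].update(p.strip() for p in tail.split(",") if p.strip())
    return ports

def portless_vlans_on_trunks(show_vlan, show_trunk):
    """Per trunk: VLANs forwarding and not pruned that have no local access port."""
    ports, result, in_section = vlan_ports(show_vlan), {}, False
    for line in show_trunk.splitlines():
        if "forwarding state and not pruned" in line:
            in_section = True
        elif in_section and line.strip():
            port, _, vlist = line.partition(" ")
            result[port] = sorted(v for v in expand_vlan_list(vlist)
                                  if not ports.get(v))
    return result
```

Feed it the two outputs from a real switch and any VLAN it reports is riding the trunk only because a switch on either end asked for it (here R2's SVI), which is exactly the broadcast domain pruning was meant to trim.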
If you don't need to confuse your users with multiple VLANs, don't do it. Leverage the tools you have. You mentioned you have ISE and you should be able to do all this with one SSID. As AdnanG already mentioned, you can utilize the profiling features of ISE to classify the devices.
Your ACS should be able to tie into the MS AD authentication and be able to provide user authentication and group information.
From there, you just need to combine the user/groups with the device profiles and then tie it to a VLAN. So, for instance, if the device is identified as a cell phone and the user is part of "group A", then they get put in the "group A - internet" VLAN.
I haven't done it personally with ISE, so can't give exact steps, but this is how Cisco marketing is selling ISE in the BYOD space. I also know of several people who have done similar setups to what is suggested. I would start by looking through this Cisco BYOD document that would give you a general overview of how BYOD is done with Cisco ISE.
Best Answer
Q: It is possible to map the private VLAN to both our access and voice SVIs? A: No. You are creating "In theory" a bridge between two main VLANs.
Q: Is it possible to have our access and voice "layer 2" VLAN statements associated with the same private VLAN? A: This is like having the same VLAN name on two different networks. The private VLAN scope is within its main VLAN. Technically it would not make the private VLAN part of two main VLANs but it might be against the allowed configuration to have the same name for two private VLANs on the same switch. I am not sure but logically it would be confusing.
Q: Can I assign the physical ports to have multiple private VLAN associations? A: I can't think of a reason for doing so except for the 'P' port which you will need to do on at least one port/SVI.
Check this link for a great explanation on private VLANs.