10-4
Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E
78-14064-04
Chapter 10 Configuring Private VLANs
and uses all intermediate values internally as a range. You should disable a root bridge with private
VLANs and MAC address reduction, and configure the root bridge with any priority higher than the
highest priority range used by any nonroot bridge.
• You can apply different quality of service (QoS) configuration to primary, isolated, and community
VLANs (see Chapter 32, “Configuring PFC QoS”).
• You cannot apply VACLs to secondary VLANs (see the “Configuring VLAN ACLs” section on
page 23-8).
• To apply Cisco IOS output ACLs to all outgoing private VLAN traffic, configure them on the Layer
3 VLAN interface of the primary VLAN (see Chapter 23, “Configuring Network Security”).
• Cisco IOS ACLs applied to the Layer 3 VLAN interface of a primary VLAN automatically apply to
the associated isolated and community VLANs.
• Do not apply Cisco IOS ACLs to isolated or community VLANs. Cisco IOS ACL configuration
applied to isolated and community VLANs is inactive while the VLANs are part of the private
VLAN configuration.
• Do not apply dynamic access control entries (ACEs) to primary VLANs. Cisco IOS dynamic ACL
configuration applied to a primary VLAN is inactive while the VLAN is part of the private VLAN
configuration.
• ARP entries learned on Layer 3 private VLAN interfaces are sticky ARP entries (we recommend
that you display and verify private VLAN interface ARP entries).
• For security reasons, private VLAN port sticky ARP entries do not age out. Connecting a device with
a different MAC address but with the same IP address generates a message and the ARP entry is not
created.
• Because the private VLAN port sticky ARP entries do not age out, you must manually remove
private VLAN port ARP entries if a MAC address changes. You can add or remove private VLAN
ARP entries manually as follows:
Router(config)# no arp 11.1.3.30
IP ARP:Deleting Sticky ARP entry 11.1.3.30
Router(config)# arp 11.1.3.30 0000.5403.2356 arpa
IP ARP:Overwriting Sticky ARP entry 11.1.3.30, hw:00d0.bb09.266e by hw:0000.5403.2356
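The following script is an added example, not part of the configuration guide, that turns the ACL and sticky ARP guidelines above into an offline check: it parses a constructed running-config to flag ACLs the guide says are inactive (any IOS ACL on an isolated or community VLAN interface, and dynamic lock-and-key ACLs on a primary VLAN interface), and compares a constructed `show ip arp` listing for a private VLAN interface against an inventory of expected MAC addresses, emitting the `no arp` / `arp` pair needed to replace a stale sticky entry. The VLAN numbers, ACL names, interface names, MAC addresses and inventory are assumptions made for the illustration.

```python
"""Audit private VLAN ACL placement and sticky ARP entries (added example).
The config and 'show ip arp' text below are constructed samples; VLAN ids,
ACL names and MAC addresses are assumptions, not from the guide."""
import re

SAMPLE_CONFIG = """\
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
access-list 120 dynamic LOCKKEY timeout 10 permit ip any any
ip access-list extended OUT-PVLAN
 permit ip 11.1.3.0 0.0.0.255 any
interface Vlan100
 private-vlan mapping 101,102
 ip access-group OUT-PVLAN out
 ip access-group 120 in
interface Vlan101
 ip access-group OUT-PVLAN out
interface Vlan102
 ip access-group OUT-PVLAN in
interface Vlan200
 ip access-group 120 in
"""

def parse_blocks(config):
    """Group a running-config into (top-level command, [subcommands]) pairs."""
    blocks, header, body = [], None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            body.append(line.strip())
            continue
        if header is not None:
            blocks.append((header, body))
        header, body = line.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks

def audit_pvlan_acls(config):
    """Flag ACLs the guide says are inactive: any ACL on an isolated or community
    VLAN interface, and dynamic (lock-and-key) ACLs on a primary VLAN interface."""
    blocks = parse_blocks(config)
    role, dynamic_acls = {}, set()   # vlan id -> primary|isolated|community
    for header, body in blocks:
        m = re.match(r"vlan (\d+)$", header)
        if m:
            for sub in body:
                r = re.match(r"private-vlan (primary|isolated|community)$", sub)
                if r:
                    role[int(m.group(1))] = r.group(1)
        m = re.match(r"access-list (\S+) dynamic ", header)
        if m:
            dynamic_acls.add(m.group(1))
        m = re.match(r"ip access-list (?:standard|extended) (\S+)$", header)
        if m and any(sub.startswith("dynamic ") for sub in body):
            dynamic_acls.add(m.group(1))
    findings = []
    for header, body in blocks:
        m = re.match(r"interface Vlan(\d+)$", header)
        if not m:
            continue
        vid = int(m.group(1))
        for sub in body:
            a = re.match(r"ip access-group (\S+) (in|out)$", sub)
            if not a:
                continue
            acl, direction = a.groups()
            if role.get(vid) in ("isolated", "community"):
                findings.append(f"Vlan{vid}: ACL {acl} {direction} is inactive on the "
                                f"{role[vid]} VLAN; apply it on the primary VLAN interface")
            elif role.get(vid) == "primary" and acl in dynamic_acls:
                findings.append(f"Vlan{vid}: dynamic ACL {acl} {direction} is inactive "
                                "on a primary VLAN interface")
    return findings

SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  11.1.3.1                -   00d0.bb09.1234  ARPA   Vlan100
Internet  11.1.3.30               -   00d0.bb09.266e  ARPA   Vlan100
Internet  11.1.3.31               -   0000.5403.aaaa  ARPA   Vlan100
"""
# Constructed inventory of each host's current NIC; 11.1.3.30 had its NIC replaced.
EXPECTED_HOSTS = {"11.1.3.30": "0000.5403.2356", "11.1.3.31": "0000.5403.aaaa"}

def stale_sticky_arp(show_output, expected, interface="Vlan100"):
    """Return the 'no arp' / 'arp' commands that replace sticky entries whose
    MAC no longer matches inventory (sticky entries never age out on their own)."""
    cmds = []
    for line in show_output.splitlines():
        f = line.split()
        if len(f) != 6 or f[0] != "Internet" or f[5] != interface:
            continue
        ip, mac = f[1], f[3]
        want = expected.get(ip)
        if want and want.lower() != mac.lower():
            cmds += [f"no arp {ip}", f"arp {ip} {want} arpa"]
    return cmds

if __name__ == "__main__":
    for line in audit_pvlan_acls(SAMPLE_CONFIG) + stale_sticky_arp(SAMPLE_SHOW_IP_ARP, EXPECTED_HOSTS):
        print(line)
```

Run it against real `show running-config` and `show ip arp` output captured from the router; the ACL audit only reports interfaces whose VLAN is declared with a `private-vlan` role, so ordinary SVIs such as Vlan200 in the sample are left alone, and the ARP check only proposes a replacement when inventory disagrees with the sticky entry, matching the manual `no arp` / `arp` sequence shown above.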
Configuring Private VLANs
These sections describe how to configure private VLANs:
• Configuring a VLAN as a Private VLAN, page 10-5
• Associating Secondary VLANs with a Primary VLAN, page 10-6
• Mapping Secondary VLANs to the Layer 3 VLAN Interface of a Primary VLAN, page 10-7
• Configuring a Layer 2 Interface as a Private VLAN Host Port, page 10-8
• Configuring a Layer 2 Interface as a Private VLAN Promiscuous Port, page 10-9
Note If the VLAN is not defined already, the private VLAN configuration process defines it.