42-13
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01
Chapter 42 Configuring Private VLANs
Configuring PVLANs
• Do not include VLAN 1 or VLANs 1002 through 1005 in PVLANs.
• Use only PVLAN commands to assign ports to primary, isolated, community VLANs, or
twoway-community VLANs.
Layer 2 interfaces on primary, isolated, community VLANs, or twoway-community VLANs are
inactive in PVLANs. Layer 2 trunk interfaces remain in the STP forwarding state.
• You cannot configure Layer 3 VLAN interfaces for secondary VLANs.
Layer 3 VLAN interfaces for isolated and community (secondary) VLANs are inactive while the
VLAN is configured as an isolated or community VLAN.
• Do not apply dynamic access control entries (ACEs) to primary VLANs.
Cisco IOS dynamic ACL configuration applied to a primary VLAN is inactive while the VLAN is
part of the PVLAN configuration.
• To prevent spanning tree loops due to misconfigurations, enable PortFast on the PVLAN trunk ports
with the spanning-tree portfast trunk command.
• Any VLAN ACL configured on a secondary VLAN is effective in the input direction, and any VLAN
ACL configured on the primary VLAN associated with the secondary VLAN is effective in the
output direction. Exception case is given below.
• On twoway-community host ports, secondary VLAN ACL and QoS are applied on egress unicast
routed traffic stemming from the integrated router port
• You can stop Layer 3 switching on an isolated or community VLAN by deleting the mapping of that
VLAN with its primary VLAN.
• PVLAN ports can be on different network devices as long as the devices are trunk-connected and
the primary and secondary VLANs remain associated with the trunk
• Isolated ports on two different devices cannot communicate with each other, but community VLAN
ports can.
• PVLANs support the following SPAN features:
–
You can configure a PVLAN port as a SPAN source port.
–
To monitor egress or ingress traffic separately, you can use VLAN-based SPAN (VSPAN) on
primary, isolated, community VLANs, twoway-community VLANs, or use SPAN on only one
VLAN.
For more information about SPAN, see Chapter 55, “Configuring SPAN and RSPAN.”
• A primary VLAN can be associated with multiple community VLANs, or twoway-community
VLANs, but only one isolated VLAN.
• An isolated or community VLAN can be associated with only one primary VLAN.
• If you delete a VLAN used in a PVLAN configuration, the PVLAN ports associated with the VLAN
become inactive.
• VTP does not support PVLANs. You must configure PVLANs on each device in which you plan to
use PVLAN ports.
• To maintain the security of your PVLAN configuration and avoid other use of VLANs configured
as PVLANs, configure PVLANs on all intermediate devices, even if the devices have no PVLAN
ports.
• Prune the PVLANs from trunks on devices that carry no traffic in the PVLANs.
To Next Page
Loading...
Need help?
General
