12-8
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-07
Chapter 12 Configuring Private VLANs
Configuring Private VLANs
–
You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs or use
SPAN on only one VLAN to separately monitor sent or received traffic.
Private-VLAN Port Configuration
Follow these guidelines when configuring private-VLAN ports:
• Promiscuous ports must be NNIs; UNIs and ENIs cannot be configured as promiscuous ports.
• Use only the private-VLAN configuration commands to assign ports to primary, isolated, or
community VLANs. Layer 2 access ports assigned to the VLANs that you configure as primary,
isolated, or community VLANs are inactive while the VLAN is part of the private-VLAN
configuration. Layer 2 trunk interfaces remain in the STP forwarding state.
• Do not configure NNI ports that belong to a Port Aggregation Protocol (PAgP) or Link Aggregation
Control Protocol (LACP) EtherChannel as private-VLAN ports. While a port is part of the
private-VLAN configuration, any EtherChannel configuration for it is inactive.
• Enable Port Fast and BPDU guard on NNI isolated and community host ports to prevent STP loops
due to misconfigurations and to speed up STP convergence (see
Chapter 16, “Configuring Optional
Spanning-Tree Features”). When enabled, STP applies the BPDU guard feature to all Port
Fast-configured Layer 2 LAN ports. Do not enable Port Fast and BPDU guard on promiscuous ports.
• If you delete a VLAN used in the private-VLAN configuration, the private-VLAN ports associated
with the VLAN become inactive.
• Private-VLAN ports can be on different network devices if the devices are trunk-connected and the
primary and secondary VLANs have not been removed from the trunk.
• A community private VLAN can include no more than eight UNIs and ENIs. If you try to add more
than eight, the configuration is not allowed. If you try to configure a VLAN that includes a
combination of more than eight UNIs and ENIs as a community private VLAN, the configuration is
not allowed.
Limitations with Other Features
When configuring private VLANs, remember these limitations with other features:
Note In some cases, the configuration is accepted with no error messages, but the commands have no effect.
• When IGMP snooping is enabled on the switch (the default), the switch supports no more than 20
private-VLAN domains.
• A private VLAN cannot be a UNI-ENI isolated or UNI-ENI community VLAN. For more
information about UNI-ENI VLANs, see
Chapter 11, “Configuring VLANs.”
• Do not configure a remote SPAN (RSPAN) VLAN as a private-VLAN primary or secondary VLAN.
For more information about SPAN, see
Chapter 26, “Configuring SPAN and RSPAN.”
• Do not configure private-VLAN ports on interfaces configured for these other features:
–
dynamic-access port VLAN membership
–
PAgP (only NNIs or ENIs)
–
LACP (only NNIs or ENIs)
–
Multicast VLAN Registration (MVR)
To Next Page
Loading...
Need help?
General
