15-9
Catalyst 3750 Switch Software Configuration Guide
78-16180-02
Chapter 15 Configuring Private VLANs
Configuring Private VLANs
Limitations with Other Features
When configuring private VLANs, remember these limitations with other features:
Note In some cases, the configuration is accepted with no error messages, but the commands have no effect.
• Do not configure fallback bridging on switches with private VLANs.
• When IGMP snooping is enabled on the switch (the default), the switch stack supports no more than
20 private-VLAN domains.
• IP source guard is not supported in private VLANs.
• Do not configure a remote SPAN (RSPAN) VLAN as a private-VLAN primary or secondary VLAN.
For more information about SPAN, see Chapter 27, “Configuring SPAN and RSPAN.”
• Do not configure private-VLAN ports on interfaces configured for these other features:
–
dynamic-access port VLAN membership
–
Dynamic Trunking Protocol (DTP)
–
Port Aggregation Protocol (PAgP)
–
Link Aggregation Control Protocol (LACP)
–
Multicast VLAN Registration (MVR)
–
voice VLAN
–
dynamic ARP inspection
• A private-VLAN port cannot be a secure port and should not be configured as a protected port.
• You can configure IEEE 802.1x port-based authentication on a private-VLAN port, but do not
configure 802.1x with port security, voice VLAN, or per-user ACL on private-VLAN ports.
• A private-VLAN host or promiscuous port cannot be a SPAN destination port. If you configure a
SPAN destination port as a private-VLAN port, the port becomes inactive.
• If you configure a static MAC address on a promiscuous port in the primary VLAN, you must add
the same static address to all associated secondary VLANs. If you configure a static MAC address
on a host port in a secondary VLAN, you must add the same static MAC address to the associated
primary VLAN. When you delete a static MAC address from a private-VLAN port, you must remove
all instances of the configured MAC address from the private VLAN.
Note Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the
associated VLANs. For example, a MAC address learned in a secondary VLAN is replicated
in the primary VLAN. When the original dynamic MAC address is deleted or aged out, the
replicated addresses are removed from the MAC address table.
• Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs.
To Next Page
Loading...
Need help?
General