11-22
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 11 Configuring VLANs
Configuring Private VLANs on the Switch
• You have the option of using the private VLAN communities, but you need to designate a
community VLAN for each community.
• Bind the isolated and/or community VLAN(s) to the primary VLAN and assign the isolated or
community ports. You will achieve these results:
–
Isolated/community VLAN spanning-tree properties are set to those of the primary VLAN.
–
VLAN membership becomes static.
–
The access ports become the host ports.
–
BPDU guard protection is activated.
• Set up the automatic VLAN translation that maps the isolated and community VLANs to the primary
VLAN on the promiscuous port(s). Set the nontrunk ports or the MSFC ports as promiscuous ports.
• You must set VTP to transparent mode.
Note This restriction does not apply with VTP version 3.
• After you configure a private VLAN, you cannot change the VTP mode to client or server mode,
because VTP does not support the private VLAN types and mapping propagation.
• You can configure the VLANs as primary, isolated, or community only if no access ports are
currently assigned to the VLAN. Enter the show port command to verify that the VLAN has no
access ports that are assigned to it.
• A primary VLAN can have one isolated VLAN and/or multiple communities that are associated with
it.
• An isolated or community VLAN can have only one primary VLAN that is associated with it.
• The private VLANs can use VLANs 2–1000 and 1025–4096.
• If you delete either the primary or secondary VLAN, the ports that are associated with the VLAN
become inactive.
• When configuring the private VLANs, note the hardware and software interactions as follows:
–
You cannot use the inband port, sc0, in a private VLAN.
Note With software release 6.3(1) and later releases, you can configure the sc0 port as a
private VLAN port; however, you cannot configure the sc0 port as a promiscuous port.
–
You cannot set the private VLAN ports to trunking mode, channeling, or have dynamic VLAN
memberships, with the exception of the MSFC ports that always have trunking activated.
–
You cannot set the ports belonging to the same ASIC where one port is set to trunking or
promiscuous mode or is a SPAN destination and another port is set to isolated or community
port for the modules listed in Table 11-3. (Note that a promiscuous port can be defined in the same
ASIC as a trunk port but not within the same ASIC as an isolated or community port.)
If you attempt such a configuration, a warning message displays and the command is rejected.
Note Software release 8.6(1) and later releases provide support for configuring 802.1X with private VLANs.
For more information, see the “Configuring 802.1X Authentication with Private VLANs” section on
page 40-41.
To Next Page
Loading...
Need help?
General