Private Vlans And Vlan Interfaces; Private Vlans Across Multiple Devices; High Availability For Private Vlans; Virtualization Support For Private Vlans - Cisco Nexus 7000 Series Configuration Manual

Configuring Private VLANs Using NX-OS
• Configure selected interfaces connected to end stations as isolated ports to prevent any communication
at Layer 2. For example, if the end stations are servers, this configuration prevents Layer 2 communication
between the servers.
• Configure interfaces connected to default gateways and selected end stations (for example, backup
servers) as promiscuous ports to allow all end stations access to a default gateway.

Private VLANs and VLAN Interfaces

A VLAN interface to a Layer 2 VLAN is also called a switched virtual interface (SVI). Layer 3 devices
communicate with a private VLAN only through the primary VLAN and not through secondary VLANs.
Configure VLAN network interfaces only for primary VLANs. Do not configure VLAN interfaces for secondary
VLANs. VLAN network interfaces for secondary VLANs are inactive while the VLAN is configured as a
secondary VLAN. You will see the following actions if you misconfigure the VLAN interfaces:
• If you try to configure a VLAN with an active VLAN network interface as a secondary VLAN, the
configuration is not allowed until you disable the VLAN interface.
• If you try to create and enable a VLAN network interface on a VLAN that is configured as a secondary
VLAN, that VLAN interface remains disabled and the system returns an error.
When the primary VLAN is associated with and mapped to the secondary VLAN, any configuration on the
primary VLAN is propagated to the secondary VLANs. For example, if you assign an IP subnet to the VLAN
network interface on the primary VLAN, this subnet is the IP subnet address of the entire private VLAN.

Private VLANs Across Multiple Devices

You can extend private VLANs across multiple devices by trunking the primary, isolated, and community
VLANs to other devices that support private VLANs. To maintain the security of your private VLAN
configuration and to avoid other uses of the VLANs configured to be private VLANs, configure private
VLANs on all intermediate devices, including devices that have no private VLAN ports.

High Availability for Private VLANs

The software supports high availability for both stateful and stateless restarts, as during a cold reboot, for
private VLANs. For the stateful restarts, the software supports a maximum of three retries. If you try more
than 3 times within 10 seconds of a restart, the software reloads the supervisor module.
You can upgrade or downgrade the software seamlessly, with respect to private VLANs.
Beginning with , if you configure private VLAN promiscuous or isolated trunk ports, you must unconfigure
those ports in order to downgrade the software.

Virtualization Support for Private VLANs

The software supports virtual device contexts (VDCs).
Each VLAN must have all of its private VLAN ports for both the primary VLAN and all secondary VLANs
in the same VDC. Private VLANs cannot cross VDCs.
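
The rules in "Private VLANs and VLAN Interfaces" (VLAN interfaces only on primary VLANs) and "Private VLANs Across Multiple Devices" (private VLANs configured on every device that trunks them) can be audited from saved running-configs. The Python check below is an added example, not part of the Cisco guide; the device names and config excerpts are constructed, and it assumes the usual `vlan <id>`, `private-vlan <role>` and `interface Vlan<id>` layout of an NX-OS running-config.

```python
import re

CONFIGS = {  # constructed NX-OS running-config excerpts, not from the guide
    "edge-1": """\
vlan 100
  private-vlan primary
  private-vlan association 101-102
vlan 101
  private-vlan isolated
vlan 102
  private-vlan community
interface Vlan100
interface Vlan101
""",
    "transit-1": """\
vlan 100
  private-vlan primary
vlan 101
  private-vlan isolated
vlan 102
""",
}

def parse(config):
    """Return ({vlan id: private-vlan role}, {vlan ids that have an SVI})."""
    roles, svis, ctx = {}, set(), None
    for line in config.splitlines():
        if m := re.fullmatch(r"vlan (\d+)\s*", line):
            ctx = int(m.group(1))  # entering a VLAN configuration block
        elif not line.startswith(" "):
            ctx = None  # any other top-level line closes the VLAN block
            if m := re.fullmatch(r"interface [Vv]lan ?(\d+)\s*", line):
                svis.add(int(m.group(1)))
        elif ctx and (m := re.fullmatch(r"\s+private-vlan (primary|isolated|community)\s*", line)):
            roles[ctx] = m.group(1)
    return roles, svis

def audit(configs):
    """Flag SVIs on secondary VLANs and devices missing a private VLAN role."""
    parsed = {dev: parse(cfg) for dev, cfg in configs.items()}
    # Union of roles seen anywhere; assumes devices do not disagree on a role.
    expected = {v: r for roles, _ in parsed.values() for v, r in roles.items()}
    findings = []
    for dev, (roles, svis) in sorted(parsed.items()):
        for vlan, role in sorted(expected.items()):
            if role != "primary" and vlan in svis:
                findings.append((dev, vlan, "SVI on secondary VLAN"))
            if roles.get(vlan) != role:
                findings.append((dev, vlan, f"not configured as {role} private VLAN"))
    return findings
```

On the constructed sample, `audit(CONFIGS)` reports the SVI on isolated VLAN 101 on `edge-1` and VLAN 102 left as an ordinary VLAN on `transit-1`.
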
Cisco Nexus 7000 Series NX-OS Layer 2 Switching Configuration Guide, Release 5.x