Table of Contents
Advertisement
Private VLAN Configuration Guidelines and Restrictions
A private VLAN host or promiscuous port cannot be a SPAN destination port. If you configure a
•
SPAN destination port as a private VLAN port, the port becomes inactive.
•
A destination SPAN port should not be an isolated port. (However, a source SPAN port can be an
isolated port.) VSPAN could be configured to span both primary and secondary VLANs or,
alternatively, to span either one if the user is interested only in ingress or egress traffic.
When protocol filtering is enabled on a Supervisor Engine 1, all the required Local Target Logic
•
(LTL) buckets of a private VLAN port should be programmed with the appropriate secondary VLAN
indexes.
If using the shortcuts between different VLANs (if any of these VLANs is private) consider both
•
primary and isolated and community VLANs. The primary VLAN should be used both as the
destination and as the virtual source, because the secondary VLAN (the real source) is always
remapped to the primary VLAN in the Layer 2 FID table.
•
If you configure a static MAC address on a promiscuous port in the primary VLAN, you must add
the same static address to all associated secondary VLANs. If you configure a static MAC address
on a host port in a secondary VLAN, you must add the same static MAC address to the associated
primary VLAN. When you delete a static MAC address from a private VLAN port, you must remove
all instances of the configured MAC address from the private VLAN.
Note
Do not configure private VLAN ports as EtherChannels. A port can be part of the private VLAN
•
configuration, but any EtherChannel configuration for the port is inactive.
Here are some restrictions for configuring groups of 12 ports as secondary ports:
•
Within groups of 12 ports (1–12, 13–24, 25–36, and 37–48), do not configure ports as isolated ports
or community VLAN ports when one port within the group of 12 ports is any of these:
If one port within the group of 12 ports is one of these ports listed and has the above properties, any
isolated or community VLAN configuration for other ports within the 12 ports is inactive. To
reactivate the ports, remove the isolated or community VLAN port configuration and enter the
shutdown and no shutdown commands.
Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY
13-10
Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the
associated VLANs. For example, a MAC address learned in a secondary VLAN is replicated
in the primary VLAN. When the original dynamic MAC address is deleted or aged out, the
replicated addresses are removed from the MAC address table.
The 12-port restriction applies to these 10 Mb, 10/100 Mb, and 100 Mb Ethernet switching
–
modules: WS-X6324-100FX, WS-X6348-RJ-45, WS-X6348-RJ-45V, WS-X6348-RJ-21V,
WS-X6248-RJ-45, WS-X6248A-TEL, WS-X6248-TEL, WS-X6148-RJ-45,
WS-X6148-RJ-45V, WS-X6148-45AF, WS-X6148-RJ-21, WS-X6148-RJ-21V,
WS-X6148-21AF, WS-X6024-10FL-MT. (CSCea67876).
–
A trunk port
A SPAN destination port
–
A promiscuous private VLAN port
–
In releases where CSCsb44185 is resolved, a port that has been configured with the switchport
–
mode dynamic auto or switchport mode dynamic desirable command
Chapter 13
Configuring Private VLANs
OL-11439-03
- Quick Links:
- Product Overview
Hide quick links:
Advertisement
Table of Contents
Related Manuals for Cisco WS-SUP32-GE-3B - Supervisor Engine 32
Related Products for Cisco WS-SUP32-GE-3B - Supervisor Engine 32
- Cisco WAN Modeling Tools
- Cisco WS-SUP720-3B - Supervisor Engine 720
- Cisco WS-SVC-AGM-1-K9= - Anomaly Guard Module
- Cisco WS-SVC-CMM-ACT-RF - Conferencing And Transcoding Port Adapter Voice DSP Module
- Cisco WS-SVC-ADM-1-K9= - Traffic Anomaly Detector Module
- Cisco WS-SVC-FWM-1-K9= - Firewall Service Module
- Cisco WS-SVC-IDS2-BUN-K9 - Intrusion Detection Sys Module 2
- Cisco WS-SVC-IPSEC-1= - IPSec VPN Services Module