Table of Contents
Advertisement
Configuring Private VLANs
•
•
•
•
Private-VLAN Port Configuration
Follow these guidelines when configuring private-VLAN ports:
•
•
•
•
•
•
•
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
12-8
When a frame is Layer 2 forwarded within a private VLAN, the same VLAN map is applied at the
receiving and sending sides. When a frame is routed from inside a private VLAN to an external port,
the private-VLAN map is applied at the receiving side.
For frames going upstream from a host port to a promiscuous port, the VLAN map configured
–
on the secondary VLAN is applied.
For frames going downstream from a promiscuous port to a host port, the VLAN map
–
configured on the primary VLAN is applied.
To filter out specific IP traffic for a private VLAN, you should apply the VLAN map to both the
primary and secondary VLANs.
If the switch is running the metro IP access image, you can apply router ACLs only on the
primary-VLAN SVIs. The ACL is applied to both primary and secondary VLAN Layer 3 traffic.
Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other
at Layer 3.
Private VLANs support these Switched Port Analyzer (SPAN) features:
You can configure a private-VLAN port as a SPAN source port.
–
–
You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs or use
SPAN on only one VLAN to separately monitor sent or received traffic.
Promiscuous ports must be NNIs; UNIs cannot be configured as promiscuous ports.
Use only the private-VLAN configuration commands to assign ports to primary, isolated, or
community VLANs. Layer 2 access ports assigned to the VLANs that you configure as primary,
isolated, or community VLANs are inactive while the VLAN is part of the private-VLAN
configuration. Layer 2 trunk interfaces remain in the STP forwarding state.
Do not configure NNI ports that belong to a Port Aggregation Protocol (PAgP) or Link Aggregation
Control Protocol (LACP) EtherChannel as private-VLAN ports. While a port is part of the
private-VLAN configuration, any EtherChannel configuration for it is inactive.
Enable Port Fast and BPDU guard on NNI isolated and community host ports to prevent STP loops
due to misconfigurations and to speed up STP convergence (see
Spanning-Tree
Features"). When enabled, STP applies the BPDU guard feature to all Port
Fast-configured Layer 2 LAN ports. Do not enable Port Fast and BPDU guard on promiscuous ports.
If you delete a VLAN used in the private-VLAN configuration, the private-VLAN ports associated
with the VLAN become inactive.
Private-VLAN ports can be on different network devices if the devices are trunk-connected and the
primary and secondary VLANs have not been removed from the trunk.
A community private VLAN can include no more than eight UNIs. If you try to add more than eight
UNIs, the configuration is not allowed. If you try to configure a VLAN that includes more than eight
UNIs as a community private VLAN, the configuration is not allowed.
Chapter 12
Configuring Private VLANs
Chapter 16, "Configuring Optional
78-17058-01
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
