Chapter 15
Configuring Private VLANs
Private VLAN Configuration Guidelines and Restrictions

Private VLAN Port Configuration
When configuring private VLAN ports, follow these guidelines:

• Use only the private VLAN configuration commands to assign ports to primary, isolated, or community VLANs. Layer 2 access ports assigned to the VLANs that you configure as primary, isolated, or community VLANs are inactive while the VLAN is part of the private VLAN configuration. Layer 2 trunk interfaces remain in the STP forwarding state.
• Do not configure ports that belong to a PAgP or LACP EtherChannel as private VLAN ports. While a port is part of the private VLAN configuration, any EtherChannel configuration for it is inactive.
• Enable PortFast and BPDU guard on isolated and community host ports to prevent STP loops due to misconfigurations and to speed up STP convergence. (See Chapter 21, "Configuring Optional STP Features".) When enabled, STP applies the BPDU guard feature to all PortFast-configured Layer 2 LAN ports. Do not enable PortFast and BPDU guard on promiscuous ports.
• If you delete a VLAN used in the private VLAN configuration, the private VLAN ports associated with the VLAN become inactive.
• Private VLAN ports can be on different network devices if the devices are trunk-connected and the primary and secondary VLANs have not been removed from the trunk.
• All primary, isolated, and community VLANs associated within a private VLAN must maintain the same topology across trunks. We highly recommend that you configure the same STP bridge parameters and trunk port parameters on all associated VLANs in order to maintain the same topology.

Limitations with Other Features
When configuring private VLANs, consider these configuration limitations with other features:

Note
In some cases, the configuration is accepted with no error messages, but the commands have no effect.

• Do not configure fallback bridging on routers with private VLANs.
• A port is only affected by the private VLAN feature if it is currently in private VLAN mode and its private VLAN configuration indicates that it is a primary, isolated, or community port. If a port is in any other mode, such as Dynamic Trunking Protocol (DTP), it does not function as a private port.
• Do not configure private VLAN ports on interfaces configured for these other features:
  – Port Aggregation Protocol (PAgP)
  – Link Aggregation Control Protocol (LACP)
  – Voice VLAN
• You can configure IEEE 802.1x port-based authentication on a private VLAN port, but do not configure 802.1x with port security, voice VLAN, or per-user ACL on private VLAN ports.
• IEEE 802.1q mapping works normally. Traffic is remapped to or from dot1Q ports as configured, as if received from the ISL VLANs.
• With releases earlier than Release 12.2(18)SXE, you cannot configure port security on ports that are in a private VLAN.

Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
15-9
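The port guidelines and feature limitations above amount to a checklist that can be verified against a running configuration. The following Python script is an added example, not Cisco's code or anything from this guide: it parses a constructed running-config excerpt (the interface names, VLAN ids and the misconfigurations in it are made up; the command syntax is standard IOS) and reports every port that breaks a guideline, including a host port missing PortFast and BPDU guard, a promiscuous port that has them, a private VLAN port inside an EtherChannel or with a voice VLAN, 802.1x combined with port security, and a plain Layer 2 access port assigned to a VLAN that is part of a private VLAN (which the page says will be inactive). Only an isolated secondary VLAN is shown; a community VLAN would be declared and checked the same way.

```python
"""Audit a Cisco IOS running-config excerpt against the private VLAN port
guidelines. Added example (not Cisco's code); the sample config is constructed."""
from typing import Dict, List

# Constructed sample running-config; names, VLAN ids and faults are made up.
SAMPLE_CONFIG = """\
vlan 100
 private-vlan primary
 private-vlan association 101
!
vlan 101
 private-vlan isolated
!
interface GigabitEthernet1/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 channel-group 5 mode active
!
interface GigabitEthernet1/3
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 switchport voice vlan 50
 dot1x port-control auto
 switchport port-security
!
interface GigabitEthernet1/5
 switchport mode access
 switchport access vlan 101
!
"""

PVLAN_TYPES = ("private-vlan primary", "private-vlan isolated", "private-vlan community")


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'interface ...' or 'vlan N' header line to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith(("interface ", "vlan ")):
            current = line
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or an unindented global command closes the block
    return blocks


def audit(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [findings]} for every interface that breaks a guideline."""
    blocks = parse_blocks(config)
    # VLAN ids declared as primary, isolated or community (part of a private VLAN).
    private_vlans = {hdr.split()[1] for hdr, cmds in blocks.items()
                     if hdr.startswith("vlan ") and any(c in PVLAN_TYPES for c in cmds)}
    findings: Dict[str, List[str]] = {}
    for hdr, cmds in blocks.items():
        if not hdr.startswith("interface "):
            continue
        name = hdr.split(" ", 1)[1]
        mode = next((c.split()[-1] for c in cmds
                     if c.startswith("switchport mode private-vlan ")), None)
        access = next((c.split()[-1] for c in cmds
                       if c.startswith("switchport access vlan ")), None)
        portfast = "spanning-tree portfast" in cmds
        bpduguard = "spanning-tree bpduguard enable" in cmds
        problems: List[str] = []
        if mode == "host" and not (portfast and bpduguard):
            problems.append("host port without PortFast and BPDU guard")
        if mode == "promiscuous" and (portfast or bpduguard):
            problems.append("PortFast/BPDU guard enabled on promiscuous port")
        if mode is not None:  # checks that apply to any private VLAN port
            if any(c.startswith("channel-group ") for c in cmds):
                problems.append("private VLAN port is part of an EtherChannel (PAgP/LACP)")
            if any(c.startswith("switchport voice vlan ") for c in cmds):
                problems.append("voice VLAN configured on private VLAN port")
            if "dot1x port-control auto" in cmds and "switchport port-security" in cmds:
                problems.append("802.1x combined with port security on private VLAN port")
        elif access in private_vlans:  # plain access port in a private VLAN is inactive
            problems.append(f"Layer 2 access port assigned to private VLAN {access} (port inactive)")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for iface, probs in audit(SAMPLE_CONFIG).items():
        print(iface + ": " + "; ".join(probs))
```

Run against the sample, the script reports GigabitEthernet1/2 through 1/5 and stays silent on GigabitEthernet1/1, the only port that follows the guidelines. The parser keys on the indentation IOS uses for sub-commands, so it can be pointed at the output of `show running-config` from a real device, but it checks only the guidelines stated on this page and does not verify the private VLAN associations themselves.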