Configuring Private VLANs (Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E, Chapter 10, page 10-4)
and uses all intermediate values internally as a range. You should disable a root bridge with private VLANs and MAC address reduction, and configure the root bridge with any priority higher than the highest priority range used by any nonroot bridge.
• You can apply different quality of service (QoS) configuration to primary, isolated, and community VLANs (see Chapter 32, "Configuring PFC QoS").
• You cannot apply VACLs to secondary VLANs (see the "Configuring VLAN ACLs" section on page 23-8).
• To apply Cisco IOS output ACLs to all outgoing private VLAN traffic, configure them on the Layer 3 VLAN interface of the primary VLAN (see Chapter 23, "Configuring Network Security").
• Cisco IOS ACLs applied to the Layer 3 VLAN interface of a primary VLAN automatically apply to the associated isolated and community VLANs.
• Do not apply Cisco IOS ACLs to isolated or community VLANs. Cisco IOS ACL configuration applied to isolated and community VLANs is inactive while the VLANs are part of the private VLAN configuration, so traffic you intended to filter there passes unfiltered.
• Do not apply dynamic access control entries (ACEs) to primary VLANs. Cisco IOS dynamic ACL configuration applied to a primary VLAN is inactive while the VLAN is part of the private VLAN configuration.
• ARP entries learned on Layer 3 private VLAN interfaces are sticky ARP entries (we recommend that you display and verify private VLAN interface ARP entries).
• For security reasons, private VLAN port sticky ARP entries do not age out. Connecting a device that has a different MAC address but the same IP address generates a message, and the new ARP entry is not created.
• Because private VLAN port sticky ARP entries do not age out, you must manually remove a private VLAN port ARP entry if the MAC address behind it changes. You can remove and add private VLAN ARP entries manually as follows:
Router(config)# no arp 11.1.3.30
IP ARP:Deleting Sticky ARP entry 11.1.3.30
Router(config)# arp 11.1.3.30 0000.5403.2356 arpa
IP ARP:Overwriting Sticky ARP entry 11.1.3.30, hw:00d0.bb09.266e by hw:0000.5403.2356
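The ACL-placement and sticky-ARP guidelines above, worked through in one added configuration example; this is not configuration from this guide or from Cisco. It builds a primary VLAN 100 with isolated VLAN 101 and community VLAN 102, places a single output ACL on the primary VLAN's Layer 3 interface (where the guideline says it also covers both secondary VLANs), shows the inactive placement on a secondary VLAN interface for contrast, and ends with the verification and manual replacement of a sticky ARP entry after a host changes its MAC address. The VLAN numbers, interface names, the ACL name PVLAN-OUT, the 11.1.3.0/24 addressing and the MAC addresses are assumptions; the private-vlan and switchport private-vlan commands are the standard Cisco IOS ones for this platform.

```cisco
! Added example (not from the guide). Primary VLAN 100 with isolated VLAN 101
! and community VLAN 102. VLAN numbers, interface names, ACL name and the
! 11.1.3.0/24 addressing are assumptions.
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
! Layer 3 interface of the primary VLAN. The secondary VLANs are mapped to it,
! so hosts in 101 and 102 are routed (and filtered) through this one interface.
interface Vlan100
 ip address 11.1.3.1 255.255.255.0
 private-vlan mapping 101,102
!
! Output ACL for all private VLAN traffic leaving toward the hosts. Static
! entries only: dynamic (lock-and-key) ACEs are inactive on a primary VLAN.
ip access-list extended PVLAN-OUT
 permit tcp any 11.1.3.0 0.0.0.255 eq 80
 permit tcp any 11.1.3.0 0.0.0.255 eq 443
 deny   ip any any log
!
! Correct placement: on the primary VLAN interface, which automatically
! covers isolated VLAN 101 and community VLAN 102.
interface Vlan100
 ip access-group PVLAN-OUT out
!
! Wrong placement, shown for contrast only (do not configure): an ACL on a
! secondary VLAN interface is inactive while VLAN 101 is part of the private
! VLAN, so the traffic it was meant to filter would pass unfiltered.
! interface Vlan101
!  ip access-group PVLAN-OUT out
!
! A host port for a server in isolated VLAN 101 and a promiscuous port toward
! the gateway or firewall that is allowed to reach every host.
interface GigabitEthernet3/1
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet3/2
 switchport
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Sticky ARP. The server at 11.1.3.30 returns with a replaced NIC (new MAC);
! its ARP requests are refused until the old sticky entry is removed by hand,
! because sticky entries never age out. Exec-mode commands shown as comments:
! Router# show arp | include 11.1.3.30
! Router(config)# no arp 11.1.3.30
! Router(config)# arp 11.1.3.30 0000.5403.2356 arpa
! Router# show arp | include 11.1.3.30
```

The ACL deliberately contains no dynamic (lock-and-key) entries because the guidelines say dynamic ACEs are inactive on a primary VLAN; filter with static entries on Vlan100 and keep the secondary VLAN interfaces free of ACLs. After replacing the ARP entry, run show arp again to confirm that the new hardware address is installed; any later NIC swap on the same IP address repeats the no arp / arp sequence, since nothing expires on its own.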
Configuring Private VLANs
These sections describe how to configure private VLANs:
• Configuring a VLAN as a Private VLAN, page 10-5
• Associating Secondary VLANs with a Primary VLAN, page 10-6
• Mapping Secondary VLANs to the Layer 3 VLAN Interface of a Primary VLAN, page 10-7
• Configuring a Layer 2 Interface as a Private VLAN Host Port, page 10-8
• Configuring a Layer 2 Interface as a Private VLAN Promiscuous Port, page 10-9
Note If the VLAN is not already defined, the private VLAN configuration process defines it.
78-14064-04