15-5
Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter 15 Configuring Private VLANs: Understanding Private VLANs
You should also see the “Secondary and Primary VLAN Configuration” section on page 15-7 under the
“Private-VLAN Configuration Guidelines” section.
Private VLANs and Unicast, Broadcast, and Multicast Traffic
In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but
devices connected to interfaces in different VLANs must communicate at the Layer 3 level. In private
VLANs, the promiscuous ports are members of the primary VLAN, while the host ports belong to
secondary VLANs. Because the secondary VLAN is associated with the primary VLAN, members of
these VLANs can communicate with each other at the Layer 2 level.
In a regular VLAN, broadcasts are forwarded to all ports in that VLAN. Private VLAN broadcast
forwarding depends on the port sending the broadcast:
• An isolated port sends a broadcast only to the promiscuous ports or trunk ports.
• A community port sends a broadcast to all promiscuous ports, trunk ports, and ports in the same
  community VLAN.
• A promiscuous port sends a broadcast to all ports in the private VLAN (other promiscuous ports,
  trunk ports, isolated ports, and community ports).
Multicast traffic is routed or bridged across private-VLAN boundaries and within a single community
VLAN. Multicast traffic is not forwarded between ports in the same isolated VLAN or between ports in
different secondary VLANs.
Private VLANs and SVIs
In a Layer 3 switch, a switch virtual interface (SVI) represents the Layer 3 interface of a VLAN. Layer 3
devices communicate with a private VLAN only through the primary VLAN and not through secondary
VLANs. Configure Layer 3 VLAN interfaces (SVIs) only for primary VLANs. You cannot configure
Layer 3 VLAN interfaces for secondary VLANs. SVIs for secondary VLANs are inactive while the
VLAN is configured as a secondary VLAN.
• If you try to configure a VLAN with an active SVI as a secondary VLAN, the configuration is not
  allowed until you disable the SVI.
• If you try to create an SVI on a VLAN that is configured as a secondary VLAN and the secondary
  VLAN is already mapped at Layer 3, the SVI is not created, and an error is returned. If the SVI is
  not mapped at Layer 3, the SVI is created, but it is automatically shut down.
When the primary VLAN is associated with and mapped to the secondary VLAN, any configuration on
the primary VLAN is propagated to the secondary VLAN SVIs. For example, if you assign an IP subnet
to the primary VLAN SVI, this subnet is the IP subnet address of the entire private VLAN.
Private VLANs and Switch Stacks
Private VLANs can operate within the switch stack, and private-VLAN ports can reside on different
stack members. However, some changes to the switch stack can impact private-VLAN operation:
• If a stack contains only one private-VLAN promiscuous port and the stack member that contains that
  port is removed from the stack, host ports in that private VLAN lose connectivity outside the private
  VLAN.
• If a stack master that contains the only private-VLAN promiscuous port in the stack fails or
  leaves the stack and a new stack master is elected, host ports in a private VLAN that had its
  promiscuous port on the old stack master lose connectivity outside of the private VLAN.
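
The SVI and switch-stack caveats above can be checked against a saved configuration. The following is an added example, not part of the Cisco guide: a small Python audit that flags SVIs defined on secondary VLANs and primary VLANs whose promiscuous ports all sit on one stack member (a generalization of the single-promiscuous-port case). The sample configuration, VLAN IDs, and the function name `audit` are constructed for illustration, and the script assumes interface names of the form member/module/port.

```python
import re

# Constructed sample configuration (not from the guide); IDs and ports are illustrative.
SAMPLE = """\
vlan 20
 private-vlan primary
 private-vlan association 501-502
vlan 501
 private-vlan isolated
vlan 502
 private-vlan community
interface GigabitEthernet1/0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 20 501-502
interface Vlan20
 private-vlan mapping 501-502
interface Vlan501
 shutdown
"""

def audit(config):
    """Return findings for the SVI and stack caveats described above."""
    vlan_type, svis, promisc, section = {}, set(), {}, ""
    for line in config.splitlines():
        if not line.startswith(" "):        # a new top-level block begins
            section = line.strip()
            m = re.fullmatch(r"interface Vlan(\d+)", section)
            if m:
                svis.add(int(m.group(1)))
            continue
        cmd = line.strip()
        m = re.fullmatch(r"private-vlan (primary|isolated|community)", cmd)
        if m and section.startswith("vlan "):
            vlan_type[int(section.split()[1])] = m.group(1)
        # Promiscuous ports carry a mapping; first interface number = stack member.
        m = re.fullmatch(r"switchport private-vlan mapping (\d+) .+", cmd)
        port = re.fullmatch(r"interface \D+(\d+)/\d+/\d+", section)
        if m and port:
            promisc.setdefault(int(m.group(1)), set()).add(int(port.group(1)))
    findings = []
    for vid in sorted(svis):
        if vlan_type.get(vid) in ("isolated", "community"):
            findings.append(f"SVI on secondary VLAN {vid}: stays inactive")
    for vid, kind in sorted(vlan_type.items()):
        members = promisc.get(vid, set())
        if kind == "primary" and len(members) <= 1:
            findings.append(f"primary VLAN {vid}: promiscuous ports on {len(members)} stack member(s)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Adding a second promiscuous port for the same primary VLAN on a different stack member clears the second finding.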