Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter 15 Configuring Private VLANs
Private-VLAN Configuration Guidelines
Guidelines for configuring private VLANs fall into these categories:
• Secondary and Primary VLAN Configuration, page 15-7
• Private-VLAN Port Configuration, page 15-8
• Limitations with Other Features, page 15-9

Secondary and Primary VLAN Configuration

Follow these guidelines when configuring private VLANs:
• Set VTP to transparent mode. After you configure a private VLAN, you should not change the VTP
  mode to client or server. For information about VTP, see Chapter 13, “Configuring VTP.”
• You must use VLAN configuration (config-vlan) mode to configure private VLANs. You cannot
  configure private VLANs in VLAN database configuration mode. For more information about
  VLAN configuration, see the “VLAN Configuration Mode Options” section on page 12-7.
• After you have configured private VLANs, use the copy running-config startup-config privileged
  EXEC command to save the VTP transparent mode configuration and private-VLAN configuration
  in the switch startup configuration file. Otherwise, if the switch resets, it defaults to VTP server
  mode, which does not support private VLANs.
• VTP does not propagate private-VLAN configuration. You must configure private VLANs on each
  device where you want private-VLAN ports.
• You cannot configure VLAN 1 or VLANs 1002 to 1005 as primary or secondary VLANs. Extended
  VLANs (VLAN IDs 1006 to 4094) can belong to private VLANs.
• A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it.
  An isolated or community VLAN can have only one primary VLAN associated with it.
• Although a private VLAN contains more than one VLAN, only one Spanning Tree Protocol (STP)
  instance runs for the entire private VLAN. When a secondary VLAN is associated with the primary
  VLAN, the STP parameters of the primary VLAN are propagated to the secondary VLAN.
• You can enable DHCP snooping on private VLANs. When you enable DHCP snooping on the
  primary VLAN, it is propagated to the secondary VLANs. If you configure DHCP on a secondary
  VLAN, the configuration does not take effect if the primary VLAN is already configured.
• When you enable IP source guard on private-VLAN ports, you must enable DHCP snooping on the
  primary VLAN.
• We recommend that you prune the private VLANs from the trunks on devices that carry no traffic
  in the private VLANs.
• You can apply different quality of service (QoS) configurations to primary, isolated, and community
  VLANs.
• When you configure private VLANs, sticky Address Resolution Protocol (ARP) is enabled by
  default, and ARP entries learned on Layer 3 private VLAN interfaces are sticky ARP entries. For
  security reasons, private VLAN port sticky ARP entries do not age out.
Note: We recommend that you display and verify private-VLAN interface ARP entries.
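
An added example, not part of the Cisco guide: a short Python check that applies several of the guidelines above (VTP transparent mode, the reserved VLAN IDs, one isolated VLAN per primary, one primary per secondary) to candidate configuration text before it is saved to a switch. The `audit` and `expand` helpers and the sample configuration are constructed for illustration, and the check assumes the usual indented running-config layout.

```python
import re

RESERVED = {1, *range(1002, 1006)}  # VLAN 1 and 1002-1005 cannot be private VLANs

# Constructed sample: no VTP transparent line, two isolated VLANs, VLAN 1002 reused.
SAMPLE = "\n".join([
    "vlan 20", " private-vlan primary", " private-vlan association 501-502",
    "vlan 501", " private-vlan isolated",
    "vlan 502", " private-vlan isolated",
    "vlan 1002", " private-vlan community",
])

def expand(spec):
    """Expand an IOS VLAN list such as '501-503,510' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit(config):
    """Return guideline violations found in running-config style text."""
    vtp_ok, vlan, kinds, assoc, findings = False, None, {}, {}, []
    for line in config.splitlines():
        text = line.strip()
        if not line.startswith(" "):  # a top-level line opens or closes a vlan block
            m = re.fullmatch(r"vlan (\d+)", text)
            vlan = int(m.group(1)) if m else None
        if text == "vtp mode transparent":
            vtp_ok = True
        elif vlan and (m := re.fullmatch(r"private-vlan (primary|isolated|community)", text)):
            kinds[vlan] = m.group(1)
        elif vlan and (m := re.fullmatch(r"private-vlan association ([\d,-]+)", text)):
            assoc.setdefault(vlan, set()).update(expand(m.group(1)))
    if not vtp_ok:
        findings.append("VTP is not in transparent mode")
    for v in sorted(RESERVED & kinds.keys()):
        findings.append(f"VLAN {v} cannot be a primary or secondary VLAN")
    owners = {}  # secondary VLAN -> primaries that list it in an association
    for primary, members in sorted(assoc.items()):
        isolated = sorted(m for m in members if kinds.get(m) == "isolated")
        if len(isolated) > 1:
            findings.append(f"primary {primary} has multiple isolated VLANs {isolated}")
        for m in sorted(members):
            owners.setdefault(m, []).append(primary)
    for m, prims in sorted(owners.items()):
        if len(prims) > 1:
            findings.append(f"secondary {m} is associated with primaries {prims}")
    return findings
```

Calling `audit(SAMPLE)` returns one finding per violated guideline; an empty list means none of these four checks failed.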