15-8
Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter 15 Configuring Private VLANs
Configuring Private VLANs
Connecting a device with a different MAC address but with the same IP address generates a message, and the ARP entry is not created. You must manually remove private-VLAN port ARP entries if a MAC address changes.
You can remove a private-VLAN ARP entry by using the no arp ip-address global configuration command.
You can add a private-VLAN ARP entry by using the arp ip-address hardware-address type global configuration command.
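The following is an added example, not configuration from this guide: it shows the two global configuration commands above used to replace the ARP entry of a host in a private VLAN after its hardware (and therefore its MAC address) changed. The VLAN number, the SVI address, the host IP address and the MAC addresses are constructed values.

```cisco
! Added example (not from the Cisco guide). Primary VLAN 100 has the SVI
! 10.1.100.1/24; host 10.1.100.20 was replaced by hardware with a new MAC.
! All addresses and VLAN numbers are constructed.
!
! Because ARP entries on a private-VLAN SVI are not overwritten, the new
! hardware cannot take over the old entry: the switch logs a message and
! keeps the stale entry until it is removed by hand.
configure terminal
!
! 1. Remove the stale entry (no arp ip-address).
no arp 10.1.100.20
!
! 2. Add the entry for the new hardware (arp ip-address hardware-address type);
!    "arpa" is the encapsulation type used for Ethernet.
arp 10.1.100.20 0000.5e00.5320 arpa
end
!
! Verify: a static entry is shown with an Age of "-" on the SVI of VLAN 100.
show ip arp 10.1.100.20
```

If the "no arp" step is skipped, the log message that the switch generates when the new device answers with a different MAC address is the indicator that a stale private-VLAN ARP entry is still in place.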
You can configure VLAN maps on primary and secondary VLANs (see the “Configuring VLAN Maps” section on page 34-30). However, we recommend that you configure the same VLAN maps on private-VLAN primary and secondary VLANs.
When a frame is Layer-2 forwarded within a private VLAN, the same VLAN map is applied at the ingress side and at the egress side. When a frame is routed from inside a private VLAN to an external port, the private-VLAN map is applied at the ingress side.
For frames going upstream from a host port to a promiscuous port, the VLAN map configured on the secondary VLAN is applied.
For frames going downstream from a promiscuous port to a host port, the VLAN map configured on the primary VLAN is applied.
To filter out specific IP traffic for a private VLAN, you should apply the VLAN map to both the primary and secondary VLANs.
You can apply router ACLs only on the primary-VLAN SVIs. The ACL is applied to both primary and secondary VLAN Layer 3 traffic.
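The following is an added example, not configuration from this guide, covering both the VLAN-map guideline (the same map on the primary and on every secondary VLAN, because upstream frames are checked against the secondary VLAN's map and downstream frames against the primary's) and the router-ACL guideline (an ACL on the primary-VLAN SVI only). Primary VLAN 100, isolated VLAN 101, community VLAN 102, the SVI address, the access-list names and the map name are constructed values.

```cisco
! Added example (not from the Cisco guide). VLAN numbers, addresses and
! names are constructed.
configure terminal
!
! Layer 2 filter: frames that match BLOCK-TFTP are dropped. A frame that
! matches no sequence of a VLAN map is dropped, so sequence 20 with no
! match clause is needed to forward everything else.
ip access-list extended BLOCK-TFTP
 permit udp any any eq tftp
!
vlan access-map PVLAN-MAP 10
 match ip address BLOCK-TFTP
 action drop
vlan access-map PVLAN-MAP 20
 action forward
!
! Apply the identical map to the primary and both secondary VLANs.
! With the map on VLAN 100 only, host-to-promiscuous (upstream) frames
! would pass unfiltered; with it on 101-102 only, promiscuous-to-host
! (downstream) frames would.
vlan filter PVLAN-MAP vlan-list 100-102
!
! Layer 3 filter: the router ACL goes on the primary-VLAN SVI. It applies
! to routed traffic from the primary and from the secondary VLANs alike;
! there is no SVI for VLAN 101 or 102 to attach it to.
ip access-list extended PVLAN-L3-IN
 permit tcp 10.1.100.0 0.0.0.255 any eq 443
 permit udp 10.1.100.0 0.0.0.255 host 10.1.1.53 eq domain
 deny   ip any any
!
interface vlan 100
 ip address 10.1.100.1 255.255.255.0
 private-vlan mapping 101,102
 ip access-group PVLAN-L3-IN in
end
!
! Verify: the map sequences, the VLANs it is applied to, and the ACL.
show vlan access-map PVLAN-MAP
show vlan filter
show ip access-lists PVLAN-L3-IN
```

The VLAN map enforces Layer 2 isolation of the listed traffic; the router ACL is what limits the Layer 3 reachability that private VLANs do not block on their own.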
Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other at Layer 3.
Private VLANs support these Switched Port Analyzer (SPAN) features:
You can configure a private-VLAN port as a SPAN source port.
You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs or use SPAN on only one VLAN to separately monitor egress or ingress traffic.
Private-VLAN Port Configuration
Follow these guidelines when configuring private-VLAN ports:
Use only the private-VLAN configuration commands to assign ports to primary, isolated, or community VLANs. Layer 2 access ports assigned to the VLANs that you configure as primary, isolated, or community VLANs are inactive while the VLAN is part of the private-VLAN configuration. Layer 2 trunk interfaces remain in the STP forwarding state.
Do not configure ports that belong to a PAgP or LACP EtherChannel as private-VLAN ports. While a port is part of the private-VLAN configuration, any EtherChannel configuration for it is inactive.
Enable Port Fast and BPDU guard on isolated and community host ports to prevent STP loops due to misconfigurations and to speed up STP convergence (see Chapter 19, “Configuring Optional Spanning-Tree Features”). When enabled, STP applies the BPDU guard feature to all Port Fast-configured Layer 2 LAN ports. Do not enable Port Fast and BPDU guard on promiscuous ports.
If you delete a VLAN used in the private-VLAN configuration, the private-VLAN ports associated with the VLAN become inactive.
Private-VLAN ports can be on different network devices if the devices are trunk-connected and the primary and secondary VLANs have not been removed from the trunk.
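The following is an added example, not configuration from this guide, that applies the port guidelines above in one configuration: the private VLANs are created with the private-VLAN commands, host ports get Port Fast and BPDU guard, the promiscuous port does not, and the trunk to a second switch keeps both the primary and the secondary VLANs in its allowed list. VLAN numbers are constructed, and the GigabitEthernet1/0/x interface names are an assumption; use the names of the ports on the switch being configured.

```cisco
! Added example (not from the Cisco guide). VLAN numbers and interface
! names are constructed.
configure terminal
!
! Create the secondary VLANs first, then the primary and its association.
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Isolated host port. Port Fast skips the listening/learning delay and
! BPDU guard err-disables the port if a bridge is ever attached behind it,
! so a misconfigured or unexpected switch cannot form a loop through a
! host port. No "switchport access vlan" and no channel-group here: an
! access assignment to these VLANs is inactive, and EtherChannel
! configuration on a private-VLAN port is inactive.
interface gigabitethernet1/0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Community host port, same STP treatment.
interface gigabitethernet1/0/6
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Promiscuous port toward the router or firewall: Port Fast and BPDU guard
! are deliberately left off.
interface gigabitethernet1/0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Trunk to the second switch. Primary and secondary VLANs must all stay in
! the allowed list; removing any of them from the trunk breaks the private
! VLAN between the two devices. (On platforms that require it, set
! "switchport trunk encapsulation dot1q" before "switchport mode trunk".)
interface gigabitethernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 100-102
end
!
! Verify: the primary/secondary mapping and port list, the operational
! private-VLAN mode of a host port, and that BPDU guard is on it.
show vlan private-vlan
show interfaces gigabitethernet1/0/5 switchport
show spanning-tree interface gigabitethernet1/0/5 detail
```

If "show vlan private-vlan" later lists a port as inactive, check whether the VLAN it is associated with was deleted, since deleting a VLAN that is part of the private-VLAN configuration deactivates the ports associated with it.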