Cisco Systems 3130 Private-VLAN Port Configuration

15-8

Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide

OL-13270-01

Chapter15 Configuring Private VLANs

Configuring Private VLANs

Connecting a device with a different MAC address but with the same IP address generates a

message, and the ARP entry is not created. You must manually remove private-VLAN port ARP

entries if a MAC address changes.

–

You can remove a private-VLAN ARP entry by using the no arp ip-address global configurati on

command.

–

You can add a private-VLAN ARP entry by using the arp ip-address hardware- address type

global configuration command.

•You can configure VLAN maps on primary and secondary VLANs (see the “Configuring VLAN

Maps” section on page 34-30). However, we recommend that you configure the same VLAN maps

on private-VLAN primary and secondary VLANs.

•When a frame is Layer-2 forwarded within a private VLAN, the same VLAN map is applied at the

ingress side and at the egress side. When a frame is routed from inside a private VLAN to an external

port, the private-VLAN map is applied at the ingress side.

–

For frames going upstream from a host port to a promiscuous port, the VLAN map c onfigure d

on the secondary VLAN is applied.

–

For frames going downstream from a promiscuous port to a host p ort, the VL A N ma p

configured on the primary VLAN is applied.

To filter out specific IP traffic for a private VLAN, you should apply the VLAN map to both the

primary and secondary VLANs.

•You can apply router ACLs only on the primary-VLAN SVIs. The ACL is applied to both primary

and secondary VLAN Layer 3 traffic.

•Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other

at Layer 3.

•Private VLANs support these Switched Port Analyzer (SPAN) features:

–

You can configure a private-VLAN port as a SPAN source port.

–

You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs or use

SPAN on only one VLAN to separately monitor egress or ingress traffic.

Private-VLAN Port Configuration

Follow these guidelines when configuring private-VLAN ports:

•Use only the private-VLAN configuration commands to assign ports to prima ry, isolated, or

community VLANs. Layer 2 access ports assigned to the VLANs that you configure as primary,

isolated, or community VLANs are inactive while the VLAN is part of the private-VLAN

configuration. Layer 2 trunk interfaces remain in the STP forwarding state.

•Do not configure ports that belong to a PAgP or LACP EtherChannel as private-VLAN ports. While

a port is part of the private-VLAN configuration, any EtherChannel configu ratio n f or it is in act ive.

•Enable Port Fast and BPDU guard on isolated and community host ports to prevent STP loop s due

to misconfigurations and to speed up STP convergence (see Chapter 19, “Configuring Optional

Spanning-Tree Features”). When enabled, STP applies th e BP D U gu ar d f ea tur e to a l l P or t

Fast-configured Layer 2 LAN ports. Do not enable Port Fast and BPDU guard on promiscuous ports.

•If you delete a VLAN used in the private-VLAN configuration, the private-VLAN por ts associated

with the VLAN become inactive.

•Private-VLAN ports can be on different network devices if the devices are trunk-connected and the

primary and secondary VLANs have not been removed from the trunk.