10-4
Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E
78-14099-04
Chapter 10 Configuring Private VLANs
Private VLAN Configuration Restrictions and Guidelines
VTP does not support private VLANs. You must configure private VLANs on each device where you want private VLAN ports.

To maintain the security of your private VLAN configuration and avoid other use of the VLANs configured as private VLANs, configure private VLANs on all intermediate devices, including devices that have no private VLAN ports.

We recommend that you prune the private VLANs from the trunks on devices that carry no traffic in the private VLANs.

In networks with some devices using MAC address reduction, and others not using MAC address reduction, STP parameters do not necessarily propagate to ensure that the spanning tree topologies match. You should manually check the STP configuration to ensure that the primary, isolated, and community VLANs’ spanning tree topologies match.

If you enable MAC address reduction on the switch, we recommend that you enable MAC address reduction on all the devices in your network to ensure that the STP topologies of the private VLANs match.

In a network where private VLANs are configured, if you enable MAC address reduction on some devices and disable it on others (mixed environment), use the default bridge priorities to make sure that the root bridge is common to the primary VLAN and to all its associated isolated and community VLANs. Be consistent with the ranges employed by the MAC address reduction feature regardless of whether it is enabled on the system. MAC address reduction allows only discrete levels and uses all intermediate values internally as a range. You should disable a root bridge with private VLANs and MAC address reduction, and configure the root bridge with any priority higher than the highest priority range used by any nonroot bridge.
You can apply different quality of service (QoS) configuration to primary, isolated, and community VLANs (see Chapter 31, “Configuring PFC QoS”).

You cannot apply VACLs to secondary VLANs (see the “Configuring VLAN ACLs” section on page 23-8).

To apply Cisco IOS output ACLs to all outgoing private VLAN traffic, configure them on the Layer 3 VLAN interface of the primary VLAN (see Chapter 23, “Configuring Network Security”). Cisco IOS ACLs applied to the Layer 3 VLAN interface of a primary VLAN automatically apply to the associated isolated and community VLANs.

Do not apply Cisco IOS ACLs to isolated or community VLANs. Cisco IOS ACL configuration applied to isolated and community VLANs is inactive while the VLANs are part of the private VLAN configuration.
Do not apply dynamic access control entries (ACEs) to primary VLANs. Cisco IOS dynamic ACL configuration applied to a primary VLAN is inactive while the VLAN is part of the private VLAN configuration.
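As an added check that is not part of this guide, the following Python script audits a constructed Cisco IOS running-config fragment for two of the restrictions above: a Cisco IOS ACL applied to an isolated or community VLAN interface (inactive) and a VACL applied to a secondary VLAN (unsupported). SAMPLE_CONFIG, the rule names, and the helper functions are assumptions made for this illustration, not configuration from the guide.

```python
import re
# Constructed sample config (not from the guide): IOS ACL on the community VLAN 102 SVI, VACL on isolated VLAN 101.
SAMPLE_CONFIG = """\
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan access-map NOACL 10
 action drop
vlan filter NOACL vlan-list 101
interface Vlan100
 ip access-group PVLAN-OUT out
 private-vlan mapping 101,102
interface Vlan102
 ip access-group PVLAN-OUT out
"""
def parse_blocks(config):
    """Return [(header, [child lines])]; IOS indents a block's children with one space."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip():
            blocks.append((line.strip(), []))
    return blocks

def expand_vlan_list(text):
    """Expand an IOS vlan-list such as '101,200-202' into a set of VLAN IDs."""
    return {v for part in text.split(",") for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def audit_pvlan_acls(config):
    """Return (rule, vlan_id) findings for ACL placements the guide says are inactive or unsupported."""
    blocks = parse_blocks(config)
    secondary = {int(h.split()[1]) for h, c in blocks
                 if re.match(r"vlan \d+$", h) and {"private-vlan isolated", "private-vlan community"} & set(c)}
    findings = []
    for header, children in blocks:
        # An IOS ACL on an isolated/community SVI is inactive; it belongs on the primary VLAN SVI.
        if (m := re.match(r"interface Vlan(\d+)$", header)) and int(m.group(1)) in secondary \
                and any(c.startswith("ip access-group ") for c in children):
            findings.append(("ios-acl-on-secondary-svi", int(m.group(1))))
        # VACLs cannot be applied to secondary VLANs at all.
        if m := re.match(r"vlan filter \S+ vlan-list (\S+)$", header):
            findings.extend(("vacl-on-secondary", v) for v in sorted(expand_vlan_list(m.group(1)) & secondary))
    return findings
```

Running `audit_pvlan_acls(SAMPLE_CONFIG)` reports the VACL on VLAN 101 and the IOS ACL on the Vlan102 interface; a config with the ACL only on the primary VLAN interface produces no findings.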
ARP entries learned on Layer 3 private VLAN interfaces are sticky ARP entries (we recommend that you display and verify private VLAN interface ARP entries).

For security reasons, private VLAN port sticky ARP entries do not age out. Connecting a device with a different MAC address but with the same IP address generates a message and the ARP entry is not created.