12-7
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
78-17058-01
Chapter 12 Configuring Private VLANs
Secondary and Primary VLAN Configuration
Follow these guidelines when configuring private VLANs:
• You use VLAN configuration mode to configure private VLANs. For more information about VLAN configuration, see the “Creating and Modifying VLANs” section on page 11-6.
• You must configure private VLANs on each device where you want private-VLAN ports.
• A private VLAN cannot be a UNI VLAN.
  – To change a UNI isolated VLAN (the default) to a private VLAN, enter the private-vlan VLAN configuration command; this overwrites the default isolated VLAN configuration.
  – To change a UNI community VLAN to a private VLAN, you must first enter the no uni-vlan VLAN configuration command to return to the default UNI isolated VLAN configuration.
• You cannot configure VLAN 1 or VLANs 1002 to 1005 as primary or secondary VLANs. Extended VLANs (VLAN IDs 1006 to 4094) can belong to private VLANs.
• A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it.
• An isolated or community VLAN can have only one primary VLAN associated with it.
• Although a private VLAN contains more than one VLAN, only one Spanning Tree Protocol (STP) instance runs for the entire private VLAN. When a secondary VLAN is associated with the primary VLAN, the STP parameters of the primary VLAN are propagated to the secondary VLAN.
• You can enable DHCP snooping on private VLANs. When you enable DHCP snooping on the primary VLAN, it is propagated to the secondary VLANs. If you configure DHCP on a secondary VLAN, the configuration does not take effect if the primary VLAN is already configured.
• If the switch is running the metro access or metro IP access image and you enable IP source guard on private-VLAN ports, you must enable DHCP snooping on the primary VLAN.
• You can apply different quality of service (QoS) configurations to primary, isolated, and community VLANs.
• When the switch is running the metro IP access image and you configure private VLANs, sticky Address Resolution Protocol (ARP) is enabled by default, and ARP entries learned on Layer 3 private VLAN interfaces are sticky ARP entries. For security reasons, private VLAN port sticky ARP entries do not age out.

Note We recommend that you display and verify private-VLAN interface ARP entries.

  – Connecting a device with a different MAC address but with the same IP address displays a message, and the ARP entry is not created. Because the private-VLAN port sticky ARP entries do not age out, you must manually remove private-VLAN port ARP entries if a MAC address changes.
  – You can remove a private-VLAN ARP entry by using the no arp ip-address global configuration command.
  – You can add a private-VLAN ARP entry by using the arp ip-address hardware-address type global configuration command.
• You can configure VLAN maps on primary and secondary VLANs (see the “Configuring VLAN Maps” section on page 28-29). However, we recommend that you configure the same VLAN maps on private-VLAN primary and secondary VLANs.
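The guideline above recommends displaying and verifying private-VLAN interface ARP entries and removing sticky entries by hand when a MAC address changes. The following added example (not from the configuration guide) parses a constructed sample of `show arp` output, compares the learned entries against an authorized IP-to-MAC inventory, and emits the `no arp` / `arp ... arpa` global configuration commands needed to reconcile a stale sticky entry. The column layout of `show arp`, the inventory, and the `arpa` type keyword are assumptions for this example.

```python
import re
from typing import Dict, List, Tuple

# Authorized IP -> MAC inventory for the private-VLAN interface (constructed sample values).
AUTHORIZED = {
    "10.1.1.5": "0000.1111.2222",
    "10.1.1.6": "0000.3333.4444",
}

# Constructed sample of 'show arp' output in the usual IOS column layout (assumed format).
# 10.1.1.1 is the SVI's own address (age '-'); 10.1.1.6 holds a stale sticky MAC;
# 10.1.1.7 is not in the inventory at all.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0012.3456.789a  ARPA   Vlan100
Internet  10.1.1.5                12  0000.1111.2222  ARPA   Vlan100
Internet  10.1.1.6                12  0000.9999.aaaa  ARPA   Vlan100
Internet  10.1.1.7                12  0000.5555.6666  ARPA   Vlan100
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<type>\S+)\s+(?P<intf>\S+)\s*$",
    re.IGNORECASE,
)


def parse_show_arp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {ip: (mac, interface)} for learned entries; the header and the
    switch's own interface address (age '-') are skipped."""
    entries: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m or m.group("age") == "-":
            continue
        entries[m.group("ip")] = (m.group("mac").lower(), m.group("intf"))
    return entries


def reconcile(entries: Dict[str, Tuple[str, str]], authorized: Dict[str, str]) -> List[str]:
    """For each learned entry, flag unknown hosts and, where the sticky MAC differs from
    the authorized one, emit the guide's global configuration commands to replace it."""
    commands: List[str] = []
    for ip, (mac, _intf) in sorted(entries.items()):
        expected = authorized.get(ip)
        if expected is None:
            commands.append(f"! {ip} not in inventory; review before acting")
        elif expected.lower() != mac:
            # The sticky entry never ages out, so remove it and add the authorized mapping.
            commands.append(f"no arp {ip}")
            commands.append(f"arp {ip} {expected} arpa")
    return commands
```

Run `reconcile(parse_show_arp(SHOW_ARP), AUTHORIZED)` to produce the command list; an operator reviews it before applying anything to the switch.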