16-6
Catalyst 3750 SwitchSoftware Configuration Guide
OL-8550-09
Chapter16 Configuring Private VLANs
Configuring Private VLANs

Private VLANs and Switch Stacks

Private VLANs can operate within the switch stack, and private-VLAN ports can reside on different
stack members. However, some changes to the switch stack can impact private-VLAN operation:
If a stack contains only one private-VLAN promiscuous port and the stack member that contains that
port is removed from the stack, host ports in that private VLAN lose connectivity outside the private
VLAN.
If a stack master stack that contains the only private-VLAN promiscuous port in the stack fails or
leaves the stack and a new stack master is elected, host ports in a private VLAN that had its
promiscuous port on the old stack master lose connectivity outside of the private VLAN.
If two stacks merge, private VLANs on the winning stack are not affected, but private-VLAN
configuration on the losing switch is lost when that switch reboots.
For more information about switch stacks, see Chapter5, “Managing Switch Stacks.”
Configuring Private VLANs
These sections contain this configuration information:
Tasks for Configuring Private VLANs, page16-6
Default Private-VLAN Configuration, page16-7
Private-VLAN Configuration Guidelines, page16-7
Configuring and Associating VLANs in a Private VLAN, page16-10
Configuring a Layer 2 Interface as a Private-VLAN Host Port, page16-12
Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port, page16-13
Mapping Secondary VLANs to a Primary VLAN Layer 3 VLAN Interface, page 16-14

Tasks for Configuring Private VLANs

To configure a private VLAN, follow these steps:
Step1 Set VTP mode to transparent.
Step2 Create the primary and secondary VLANs and associate them. See the “Configuring and Associating
VLANs in a Private VLAN” section on page 16-10.
Note If the VLAN is not created already, the private-VLAN configuration process creates it.
Step3 Configure interfaces to be isolated or community host ports, and assign VLAN membership to the host
port. See the “Configuring a Layer 2 Interface as a Private-VLAN Host Port” section on page16-12.
Step4 Configure interfaces as promiscuous ports, and map the promiscuous ports to the primary-secondary
VLAN pair. See the “Configuring a Layer 2 Interface as a Private-VLAN Promiscuous Port” section on
page 16-13.