34-4
Software Configuration Guide—Release 12.2(25)SG
OL-76590-03
Chapter 34 Configuring Private VLANs
How to Configure PVLANs
• Use only PVLAN commands to assign ports to primary, isolated, or community VLANs. Layer 2 interfaces placed on primary, isolated, or community VLANs by other means are inactive in PVLANs. Layer 2 trunk interfaces remain in the STP forwarding state.
• You cannot configure Layer 3 VLAN interfaces for secondary VLANs. Layer 3 VLAN interfaces for isolated and community (secondary) VLANs are inactive while the VLAN is configured as an isolated or community VLAN.
• Do not configure PVLAN ports as EtherChannels. EtherChannel ports in PVLANs are inactive: while a port is part of the private VLAN configuration, its associated EtherChannel configuration is inactive.
• Do not apply dynamic access control entries (ACEs) to primary VLANs. Cisco IOS dynamic ACL configuration applied to a primary VLAN is inactive while the VLAN is part of the PVLAN configuration.
• To prevent spanning tree loops due to misconfigurations, enable PortFast on the PVLAN trunk ports with the spanning-tree portfast trunk command.
• Any VLAN ACL configured on a secondary VLAN is effective in the input direction, and any VLAN ACL configured on the primary VLAN associated with the secondary VLAN is effective in the output direction.
• You can stop Layer 3 switching on an isolated or community VLAN by deleting the mapping of that VLAN with its primary VLAN.
• PVLAN ports can be on different network devices as long as the devices are trunk-connected and the primary and secondary VLANs remain associated with the trunk.
• Isolated ports on two different devices cannot communicate with each other, but community VLAN ports can.
• Private VLANs support the following SPAN features:
  – You can configure a private VLAN port as a SPAN source port.
  – You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs, or use SPAN on only one VLAN to monitor egress or ingress traffic separately.
  For more information about SPAN, see Chapter 37, “Configuring SPAN and RSPAN.”
• A primary VLAN can be associated with multiple community VLANs, but with only one isolated VLAN.
• An isolated or community VLAN can be associated with only one primary VLAN.
• If you delete a VLAN used in a private VLAN configuration, the private VLAN ports associated with the VLAN become inactive.
• VTP does not support private VLANs. You must configure private VLANs on each device in which you plan to use private VLAN ports.
• To maintain the security of your PVLAN configuration and avoid other use of VLANs configured as PVLANs, configure PVLANs on all intermediate devices, even if the devices have no PVLAN ports.
• Prune the PVLANs from trunks on devices that carry no traffic in the PVLANs.
• With port ACL functionality available, you can apply Cisco IOS ACLs to secondary VLAN ports and Cisco IOS ACLs to PVLANs (VACLs). For more information on VACLs, see Chapter 33, “Configuring Network Security with ACLs.”
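The association rules above (a primary VLAN may carry many community VLANs but at most one isolated VLAN; an isolated or community VLAN belongs to exactly one primary VLAN) are easy to violate when PVLANs are entered by hand on every device, since VTP will not propagate them. The following Python script is an added example, not code from the Cisco guide: it parses a constructed IOS-style VLAN configuration using the private-vlan primary, private-vlan isolated, private-vlan community and private-vlan association commands, and reports any association that breaks those rules. The sample configuration, the function names and the output format are assumptions made for this example.

```python
"""Check private VLAN associations against the guide's restrictions.

Added example (not from the Cisco guide). It parses a constructed IOS-style
VLAN configuration and reports:
  - a primary VLAN associated with more than one isolated VLAN
  - an isolated or community VLAN associated with more than one primary VLAN
  - associations that reference VLANs not configured with a PVLAN role
"""
import re
from collections import defaultdict

# Constructed sample configuration. Two violations are planted on purpose:
# community VLAN 102 is mapped to primaries 100 and 200, and primary VLAN 300
# is associated with two isolated VLANs (301 and 302).
SAMPLE_CONFIG = """\
vlan 100
 private-vlan primary
 private-vlan association 101,102,103
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 103
 private-vlan community
vlan 200
 private-vlan primary
 private-vlan association 102
vlan 300
 private-vlan primary
 private-vlan association 301,302
vlan 301
 private-vlan isolated
vlan 302
 private-vlan isolated
"""


def parse_pvlan_config(text):
    """Return (roles, associations).

    roles: VLAN id -> 'primary' | 'isolated' | 'community'
    associations: primary VLAN id -> list of secondary VLAN ids
    """
    roles = {}
    associations = defaultdict(list)
    current = None  # VLAN whose sub-mode we are currently inside
    for line in text.splitlines():
        m = re.match(r"^vlan (\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"^\s+private-vlan (primary|isolated|community)\s*$", line)
        if m and current is not None:
            roles[current] = m.group(1)
            continue
        m = re.match(r"^\s+private-vlan association ([\d,]+)\s*$", line)
        if m and current is not None:
            associations[current].extend(int(v) for v in m.group(1).split(","))
    return roles, dict(associations)


def check_associations(roles, associations):
    """Return a list of human-readable violations; empty means the config is consistent."""
    problems = []
    primaries_of = defaultdict(list)  # secondary VLAN -> primaries that claim it
    for primary, secondaries in associations.items():
        if roles.get(primary) != "primary":
            problems.append(f"VLAN {primary} carries associations but is not a primary VLAN")
        isolated = [s for s in secondaries if roles.get(s) == "isolated"]
        if len(isolated) > 1:
            problems.append(
                f"primary VLAN {primary} is associated with {len(isolated)} isolated VLANs "
                f"{isolated}; only one isolated VLAN is allowed per primary")
        for s in secondaries:
            if roles.get(s) not in ("isolated", "community"):
                problems.append(
                    f"VLAN {s} is associated with primary {primary} but is not configured "
                    f"as an isolated or community VLAN")
            primaries_of[s].append(primary)
    for secondary, primaries in primaries_of.items():
        if len(primaries) > 1:
            problems.append(
                f"secondary VLAN {secondary} is associated with several primary VLANs "
                f"{sorted(primaries)}; a secondary VLAN may belong to only one primary")
    return problems


def validate(text):
    """Parse an IOS-style VLAN configuration and return its PVLAN association violations."""
    roles, associations = parse_pvlan_config(text)
    return check_associations(roles, associations)


if __name__ == "__main__":
    for problem in validate(SAMPLE_CONFIG):
        print("violation:", problem)
```

Run it against a copy of each device's VLAN configuration before trunking the PVLANs between switches; because the guide requires the same PVLANs on every intermediate device, a mismatch found here on one device usually means the same mapping was mistyped on another.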