Cisco 6500 Series Software Configuration Manual page 146

Private VLAN Configuration Restrictions and Guidelines
VTP does not support private VLANs. You must configure private VLANs on each device where
you want private VLAN ports.
To maintain the security of your private VLAN configuration and avoid other use of the VLANs
configured as private VLANs, configure private VLANs on all intermediate devices, including
devices that have no private VLAN ports.
We recommend that you prune the private VLANs from the trunks on devices that carry no traffic
in the private VLANs.
In networks with some devices using MAC address reduction, and others not using MAC address
reduction, STP parameters do not necessarily propagate to ensure that the spanning tree topologies
match. You should manually check the STP configuration to ensure that the primary, isolated, and
community VLANs' spanning tree topologies match.
If you enable MAC address reduction on the switch, we recommend that you enable MAC address
reduction on all the devices in your network to ensure that the STP topologies of the private VLANs
match.
In a network where private VLANs are configured, if you enable MAC address reduction on some
devices and disable it on others (mixed environment), use the default bridge priorities to make sure
that the root bridge is common to the primary VLAN and to all its associated isolated and
community VLANs. Be consistent with the ranges employed by the MAC address reduction feature
regardless of whether it is enabled on the system. MAC address reduction allows only discrete levels
and uses all intermediate values internally as a range. You should disable a root bridge with private
VLANs and MAC address reduction, and configure the root bridge with any priority higher than the
highest priority range used by any nonroot bridge.
You can apply different quality of service (QoS) configuration to primary, isolated, and community VLANs (see Chapter 31, "Configuring PFC QoS").
You cannot apply VACLs to secondary VLANs (see the "Configuring VLAN ACLs" section on page 23-8).
To apply Cisco IOS output ACLs to all outgoing private VLAN traffic, configure them on the Layer 3 VLAN interface of the primary VLAN (see Chapter 23, "Configuring Network Security").
Cisco IOS ACLs applied to the Layer 3 VLAN interface of a primary VLAN automatically apply to
the associated isolated and community VLANs.
Do not apply Cisco IOS ACLs to isolated or community VLANs. Cisco IOS ACL configuration
applied to isolated and community VLANs is inactive while the VLANs are part of the private
VLAN configuration.
Do not apply dynamic access control entries (ACEs) to primary VLANs. Cisco IOS dynamic ACL configuration applied to a primary VLAN is inactive while the VLAN is part of the private VLAN configuration.
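The ACL placement, trunk pruning and STP priority guidelines above can be checked mechanically against a running-config before a change is pushed. The following Python script is an added example written for this page, not Cisco code: it parses a constructed IOS configuration excerpt (VLAN numbers, interface names and ACL names are hypothetical) and reports deviations: an IOS ACL on an isolated or community SVI (which the text says is inactive), a primary VLAN SVI without an output ACL, a trunk that carries only part of a primary/secondary set or carries it at all (so the operator can decide whether to prune it), and `spanning-tree vlan ... priority` values that are not multiples of 4096 or differ between a primary VLAN and its secondaries. It generalizes slightly beyond the text: a switch with MAC address reduction enabled rejects non-multiples of 4096 at the CLI, so the priority check matters on the devices in a mixed environment that do not have it enabled.

```python
"""Audit a Catalyst 6500 IOS running-config excerpt against the private VLAN
guidelines. Added example for this page; the config is constructed, not
taken from any device, and every VLAN, interface and ACL name is hypothetical."""
import re

# Constructed sample: primary VLAN 100 with isolated 101 and community 102.
# It deliberately breaks several guidelines so that audit() has work to do.
SAMPLE_CONFIG = """\
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
spanning-tree vlan 100,101 priority 4096
spanning-tree vlan 102 priority 8000
interface Vlan100
 ip address 10.0.0.1 255.255.255.0
 private-vlan mapping 101,102
 ip access-group PVLAN-OUT out
interface Vlan101
 ip access-group BAD-ACL in
interface GigabitEthernet1/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet2/1
 switchport mode trunk
 switchport trunk allowed vlan 1-99,101-4094
interface GigabitEthernet2/2
 switchport mode trunk
 switchport trunk allowed vlan 1-99,103-4094
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1-99,101-4094' (or 'all') into a set."""
    if spec == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text):
    """Split a config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text):
    """Return a list of guideline deviations found in the config text."""
    blocks = parse_config(text)
    roles, secondaries, priority = {}, {}, {}
    for header, body in blocks:
        m = re.match(r"vlan (\d+)$", header)
        if m:
            vid = int(m.group(1))
            for line in body:
                if line.startswith("private-vlan association "):
                    secondaries[vid] = expand_vlans(line.split()[2])
                elif line.startswith("private-vlan "):
                    roles[vid] = line.split()[1]  # primary / isolated / community
        m = re.match(r"spanning-tree vlan (\S+) priority (\d+)$", header)
        if m:
            for vid in expand_vlans(m.group(1)):
                priority[vid] = int(m.group(2))
    pvlans = set(roles)
    findings = []
    for header, body in blocks:
        m = re.match(r"interface Vlan(\d+)$", header)
        if m:
            vid = int(m.group(1))
            acls = [l for l in body if l.startswith("ip access-group ")]
            if roles.get(vid) in ("isolated", "community") and acls:
                findings.append(f"Vlan{vid}: IOS ACL on a {roles[vid]} VLAN is "
                                "inactive; apply it on the primary VLAN SVI instead")
            if roles.get(vid) == "primary" and not any(l.endswith(" out") for l in acls):
                findings.append(f"Vlan{vid}: primary VLAN SVI has no output ACL")
        elif header.startswith("interface ") and "switchport mode trunk" in body:
            name = header[len("interface "):]
            # running-config shows the resulting allowed list; no list means all VLANs
            spec = next((l.split()[-1] for l in body
                         if l.startswith("switchport trunk allowed vlan ")), "all")
            carried = expand_vlans(spec) & pvlans
            if carried and carried != pvlans:
                findings.append(f"{name}: trunk carries only part of the private "
                                f"VLAN set {sorted(carried)}")
            elif carried:
                findings.append(f"{name}: trunk carries private VLANs {sorted(carried)}; "
                                "prune them if this link carries no private VLAN traffic")
    for prim, secs in secondaries.items():
        for vid in sorted({prim} | secs):
            p = priority.get(vid)
            if p is not None and p % 4096:
                findings.append(f"vlan {vid}: STP priority {p} is not a MAC address "
                                "reduction value (multiple of 4096)")
            if p != priority.get(prim):
                findings.append(f"vlan {vid}: STP priority {p} differs from primary "
                                f"VLAN {prim} ({priority.get(prim)}); root bridge may differ")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports the ACL on Vlan101, the trunk GigabitEthernet2/1 that carries the secondaries without their primary, and two findings for VLAN 102's priority; GigabitEthernet2/2, which has the whole private VLAN set pruned, is silent. The checker reads only one device's configuration, so whether a trunk that carries the set actually needs to is still the operator's call.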
ARP entries learned on Layer 3 private VLAN interfaces are sticky ARP entries (we recommend
that you display and verify private VLAN interface ARP entries).
For security reasons, private VLAN port sticky ARP entries do not age out. Connecting a device with
a different MAC address but with the same IP address generates a message and the ARP entry is not
created.
Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E
Chapter 10, Configuring Private VLANs
78-14099-04
