Cisco Catalyst 4500 Series Software Configuration Manual page 1237

Chapter 47 Configuring Private VLANs
Do not include VLAN 1 or VLANs 1002 through 1005 in PVLANs.
•
Use only PVLAN commands to assign ports to primary, isolated, community VLANs, or
•
twoway-community VLANs.
Layer 2 interfaces on primary, isolated, community VLANs, or twoway-community VLANs are
inactive in PVLANs. Layer 2 trunk interfaces remain in the STP forwarding state.
• You cannot configure Layer 3 VLAN interfaces for secondary VLANs.
Layer 3 VLAN interfaces for isolated and community (secondary) VLANs are inactive while the
VLAN is configured as an isolated or community VLAN.
• Do not apply dynamic access control entries (ACEs) to primary VLANs.
Cisco IOS dynamic ACL configuration applied to a primary VLAN is inactive while the VLAN is
part of the PVLAN configuration.
• To prevent spanning tree loops due to misconfigurations, enable PortFast on the PVLAN trunk ports
with the spanning-tree portfast trunk command.
Any VLAN ACL configured on a secondary VLAN is effective in the input direction, and any VLAN
•
ACL configured on the primary VLAN associated with the secondary VLAN is effective in the
output direction. Exception case is given below.
On twoway-community host ports, secondary VLAN ACL and QoS are applied on egress unicast
•
routed traffic stemming from the integrated router port
You can stop Layer 3 switching on an isolated or community VLAN by deleting the mapping of that
•
VLAN with its primary VLAN.
PVLAN ports can be on different network devices as long as the devices are trunk-connected and
•
the primary and secondary VLANs remain associated with the trunk
Isolated ports on two different devices cannot communicate with each other, but community VLAN
•
ports can.
• PVLANs support the following SPAN features:
–
–
For more information about SPAN, see
• A primary VLAN can be associated with multiple community VLANs, or twoway-community
VLANs, but only one isolated VLAN.
• An isolated or community VLAN can be associated with only one primary VLAN.
• If you delete a VLAN used in a PVLAN configuration, the PVLAN ports associated with the VLAN
become inactive.
• VTP does not support PVLANs. You must configure PVLANs on each device in which you plan to
use PVLAN ports.
To maintain the security of your PVLAN configuration and avoid other use of VLANs configured
•
as PVLANs, configure PVLANs on all intermediate devices, even if the devices have no PVLAN
ports.
Prune the PVLANs from trunks on devices that carry no traffic in the PVLANs.
•
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
You can configure a PVLAN port as a SPAN source port.
To monitor egress or ingress traffic separately, you can use VLAN-based SPAN (VSPAN) on
primary, isolated, community VLANs, twoway-community VLANs, or use SPAN on only one
VLAN.
Chapter 66, "Configuring SPAN and RSPAN."
Configuring PVLANs
47-13