Creating A Private Vlan - Cisco WS-C2950SX-48-SI Configuration Manual

Catalyst 4500 series switches
Chapter 10
Configuring VLANs

Creating a Private VLAN

You can bind isolated or community VLAN(s) to the primary VLAN without associating the isolated or community ports with the private VLAN by using the set pvlan primary_vlan_num {isolated_vlan_num | community_vlan_num} command.

You can change the isolated or community ports that are associated with the private VLAN without changing the isolated or community VLAN bindings by using the set pvlan primary_vlan_num {isolated_vlan_num | community_vlan_num} mod/port command.

Ports do not have to be on the same switch as long as the switches are connected by the trunk and the private VLAN has not been removed from the trunk.

You must enter the set pvlan command everywhere that a private VLAN needs to be created. This requirement includes entering the command on switches with isolated or community ports, switches with promiscuous ports, and all intermediate switches that need to carry private VLANs on their trunks. On the edge switches that do not have any isolated, community, or promiscuous ports (typically, access switches with no private ports), the private VLANs do not need to be created and can be pruned from the trunks for security reasons.
78-15486-01
If you enable MAC address reduction on a Catalyst 4500 series switch, you might want to enable MAC address reduction on all the switches in your network to ensure that the STP topologies of the private VLANs match. Otherwise, in a network where private VLANs are configured, if you enable MAC address reduction on some switches and disable it on others (a mixed environment), you will have to use the default bridge priorities to make sure that the root bridge is common to the primary VLAN and to all its associated isolated and community VLANs. Be consistent with the ranges that are employed by the MAC address reduction feature regardless of whether it is enabled on the system. MAC address reduction allows only discrete levels, and it uses all intermediate values internally as a range. You should disable a root bridge with private VLANs and MAC address reduction, and configure the root bridge with any priority higher than the highest priority range that is used by any nonroot bridge.

BPDU guard mode and UplinkFast affect the whole system and are automatically enabled once the first port is added to a private VLAN.

You cannot configure a destination SPAN port as a private VLAN port, and vice versa. A source SPAN port can belong to a private VLAN.

You can use VLAN-based SPAN (VSPAN) to span primary, isolated, and community VLANs together, or use SPAN on only one VLAN to separately monitor egress or ingress traffic.

IGMP snooping and multicast shortcuts are not supported in private VLANs.

You cannot enable EtherChannel on isolated, community, or promiscuous ports.

You cannot set a VLAN to a private VLAN if the VLAN has dynamic access control entries (ACEs) configured on it.

You can stop Layer 3 switching on an isolated or community VLAN by destroying the binding of that VLAN with its primary VLAN. Deleting the corresponding mapping is not sufficient.
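The two rules above that matter most operationally are that set pvlan has to be entered on every switch that hosts private ports, promiscuous ports, or transit trunks, and that the SPAN-destination, EtherChannel, and dynamic-ACE restrictions must hold on every port and VLAN involved. The following planner, an added example that is not part of the Cisco guide, models a small constructed topology, checks those restrictions, and derives the per-switch command list, pruning the private VLANs from the trunks of edge switches that have no private ports. The two set pvlan forms are taken from the text above; the set pvlan mapping form for promiscuous ports and the clear trunk form for pruning are assumed CatOS syntax and should be verified against the command reference for the release in use. VLAN numbers, switch names, and port numbers are constructed.

```python
"""Plan and sanity-check a CatOS private VLAN (PVLAN) deployment.

Added example; not code from the Cisco guide. The `set pvlan` forms come from
the guide text. The `set pvlan mapping` (promiscuous port) and `clear trunk`
(pruning) forms are assumed CatOS syntax; check them against the command
reference for your release. Topology and VLAN numbers below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class PrivateVlan:
    primary: int
    secondaries: dict          # secondary VLAN id -> "isolated" | "community"


@dataclass
class Switch:
    name: str
    private_ports: dict = field(default_factory=dict)   # mod/port -> secondary VLAN
    promiscuous_ports: list = field(default_factory=list)
    trunks: list = field(default_factory=list)          # mod/port of trunk ports
    carries_pvlans: bool = False    # intermediate switch: PVLANs transit its trunks
    span_destinations: set = field(default_factory=set)
    etherchannel_ports: set = field(default_factory=set)
    dynamic_ace_vlans: set = field(default_factory=set)

    def pvlan_ports(self):
        """Every port that would become a private VLAN port on this switch."""
        return set(self.private_ports) | set(self.promiscuous_ports)


def validate(pvlan, switches):
    """Return guideline violations (empty list when the design is clean)."""
    problems = []
    all_vlans = {pvlan.primary, *pvlan.secondaries}
    for kind in pvlan.secondaries.values():
        if kind not in ("isolated", "community"):
            problems.append(f"unknown secondary VLAN type {kind!r}")
    for sw in switches:
        for port, sec in sw.private_ports.items():
            if sec not in pvlan.secondaries:
                problems.append(f"{sw.name} {port}: VLAN {sec} is not bound to primary {pvlan.primary}")
        # A destination SPAN port cannot be a private VLAN port (source SPAN ports are fine).
        for port in sorted(sw.pvlan_ports() & sw.span_destinations):
            problems.append(f"{sw.name} {port}: SPAN destination cannot be a private VLAN port")
        # EtherChannel is not allowed on isolated, community, or promiscuous ports.
        for port in sorted(sw.pvlan_ports() & sw.etherchannel_ports):
            problems.append(f"{sw.name} {port}: EtherChannel not allowed on a private VLAN port")
        # A VLAN with dynamic ACEs cannot become a private VLAN.
        for vlan in sorted(all_vlans & sw.dynamic_ace_vlans):
            problems.append(f"{sw.name}: VLAN {vlan} has dynamic ACEs and cannot be a private VLAN")
    return problems


def needs_pvlan(sw):
    """set pvlan is required wherever there are private ports, promiscuous ports, or transit trunks."""
    return bool(sw.private_ports or sw.promiscuous_ports or sw.carries_pvlans)


def commands_for(pvlan, sw):
    """Derive the CatOS commands one switch needs for this private VLAN."""
    cmds = []
    if needs_pvlan(sw):
        # Bind each secondary VLAN to the primary without touching any ports.
        for sec in sorted(pvlan.secondaries):
            cmds.append(f"set pvlan {pvlan.primary} {sec}")
        # Associate isolated/community host ports with their secondary VLAN.
        for port, sec in sorted(sw.private_ports.items()):
            cmds.append(f"set pvlan {pvlan.primary} {sec} {port}")
        # Map promiscuous ports to every secondary VLAN (assumed syntax).
        for port in sw.promiscuous_ports:
            for sec in sorted(pvlan.secondaries):
                cmds.append(f"set pvlan mapping {pvlan.primary} {sec} {port}")
    else:
        # Edge switch with no private ports: prune the PVLANs from its trunks (assumed syntax).
        vlan_list = ",".join(str(v) for v in sorted({pvlan.primary, *pvlan.secondaries}))
        for trunk in sw.trunks:
            cmds.append(f"clear trunk {trunk} {vlan_list}")
    return cmds


def plan(pvlan, switches):
    """Return {switch name: [commands]}; raise if the design breaks a guideline."""
    problems = validate(pvlan, switches)
    if problems:
        raise ValueError("; ".join(problems))
    return {sw.name: commands_for(pvlan, sw) for sw in switches}


# Constructed sample topology: one access switch with host ports, a core switch
# that only transits the PVLANs, a distribution switch with a promiscuous port,
# and an edge switch with no private ports at all.
PVLAN = PrivateVlan(primary=100, secondaries={101: "isolated", 102: "community"})
SWITCHES = [
    Switch("access-1", private_ports={"2/1": 101, "2/2": 102}, trunks=["1/1"]),
    Switch("core-1", trunks=["1/1", "1/2", "1/3"], carries_pvlans=True),
    Switch("dist-1", promiscuous_ports=["3/1"], trunks=["1/1"]),
    Switch("edge-9", trunks=["1/1"]),
]

if __name__ == "__main__":
    for name, cmds in plan(PVLAN, SWITCHES).items():
        print(f"! {name}")
        print("\n".join(cmds))
```

The planner treats "edge switch" as any switch with neither private ports, promiscuous ports, nor a declared transit role, which is the case the guide says can be pruned; a switch that forwards the private VLANs between two PVLAN-bearing switches must be marked carries_pvlans so that it receives the bindings instead of the pruning.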
Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide
Configuring Private VLANs
Release 8.1
10-19
