Cisco 7604 Configuration Manual page 214

IOS Software Configuration Guide
Private VLAN Configuration Guidelines and Restrictions

• We recommend that you display and verify private VLAN interface ARP entries (for example, with the show ip arp command).

• Sticky ARP prevents MAC address spoofing by ensuring that ARP entries (IP address, MAC address, and source VLAN) do not age out. With Release 12.2(18)SXF and later releases, you can configure sticky ARP on a per-interface basis. For information about configuring sticky ARP, see the "Configuring Sticky ARP" section on page 36-34. The following guidelines and restrictions apply to private VLAN sticky ARP:
  – ARP entries learned on Layer 3 private VLAN interfaces are sticky ARP entries.
  – Connecting a device with a different MAC address but with the same IP address generates a message, and the ARP entry is not created.
  – Because private VLAN port sticky ARP entries do not age out, you must manually remove a private VLAN port ARP entry if the MAC address of that host changes. You can remove and add private VLAN ARP entries manually as follows:

    Router(config)# no arp 11.1.3.30
    IP ARP:Deleting Sticky ARP entry 11.1.3.30
    Router(config)# arp 11.1.3.30 0000.5403.2356 arpa
    IP ARP:Overwriting Sticky ARP entry 11.1.3.30, hw:00d0.bb09.266e by hw:0000.5403.2356

• You can configure VLAN maps on primary and secondary VLANs. (See the "Applying a VLAN Access Map" section on page 35-8.) However, we recommend that you configure the same VLAN maps on private VLAN primary and secondary VLANs.

• When a frame is Layer 2 forwarded within a private VLAN, the same VLAN map is applied at the ingress side and at the egress side. When a frame is routed from inside a private VLAN to an external port, the private VLAN map is applied at the ingress side.
  – For frames going upstream from a host port to a promiscuous port, the VLAN map configured on the secondary VLAN is applied.
  – For frames going downstream from a promiscuous port to a host port, the VLAN map configured on the primary VLAN is applied.

• To filter out specific IP traffic for a private VLAN, you should apply the VLAN map to both the primary and secondary VLANs.

• To apply Cisco IOS output ACLs to all outgoing private VLAN traffic, configure them on the Layer 3 VLAN interface of the primary VLAN. (See Chapter 33, "Configuring Network Security".)

• Cisco IOS ACLs applied to the Layer 3 VLAN interface of a primary VLAN automatically apply to the associated isolated and community VLANs.

• Do not apply Cisco IOS ACLs to isolated or community VLANs. Cisco IOS ACL configuration applied to isolated and community VLANs is inactive while the VLANs are part of the private VLAN configuration.

• Although private VLANs provide host isolation at Layer 2, hosts can still communicate with each other at Layer 3 through the gateway on the primary VLAN's Layer 3 interface; restrict that path with a Cisco IOS ACL on that interface if it is not wanted.

• Private VLANs support these Switched Port Analyzer (SPAN) features:
  – You can configure a private VLAN port as a SPAN source port.
  – You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs, or use SPAN on only one VLAN to separately monitor egress or ingress traffic.
  For more information about SPAN, see Chapter 52, "Configuring Local SPAN, RSPAN, and ERSPAN."

Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX, OL-4266-08, Chapter 15 Configuring Private VLANs, page 15-8
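The guidelines above, put together as an added configuration example. It is not from the Cisco guide and is not a Cisco-supplied configuration; the VLAN numbers (primary 100, isolated 101, community 102), the interface names (host ports GigabitEthernet1/1 and 1/2, promiscuous port GigabitEthernet1/24), the subnet 10.1.1.0/24 and the gateway address 10.1.1.1 on interface Vlan100 are all assumptions chosen for illustration. It applies one VLAN access map to the primary and both secondary VLANs, places the router ACL on the primary VLAN's Layer 3 interface only, and goes one step beyond the page by using that ACL to close the Layer 3 path between hosts that the last guideline warns about.

```cisco
! Added example (not from the Cisco guide). VLAN numbers, interface
! names and addresses are assumptions chosen for illustration.
!
! Private VLANs are not propagated by VTP versions 1 and 2, so the
! switch runs VTP in transparent mode.
vtp mode transparent
!
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
! Host ports: Gi1/1 is in the isolated VLAN, Gi1/2 in the community VLAN.
interface GigabitEthernet1/1
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet1/2
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
! Promiscuous port toward the upstream router or firewall.
interface GigabitEthernet1/24
 switchport
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! VLAN access map: drop Telnet, forward everything else. Upstream
! frames are checked against the secondary VLAN's map and downstream
! frames against the primary VLAN's map, so the same map is applied
! to all three VLANs.
ip access-list extended PVLAN-TELNET
 permit tcp any any eq telnet
 permit tcp any eq telnet any
vlan access-map PVLAN-FILTER 10
 match ip address PVLAN-TELNET
 action drop
vlan access-map PVLAN-FILTER 20
 action forward
vlan filter PVLAN-FILTER vlan-list 100-102
!
! Router ACL on the primary VLAN's SVI only; it is inherited by VLANs
! 101 and 102, and an ACL configured on those SVIs would be inactive.
! Hosts may still reach the gateway itself, but the gateway no longer
! routes traffic between hosts of the same subnet, which removes the
! Layer 3 path around the Layer 2 isolation.
ip access-list extended PVLAN-NO-INTRASUBNET
 permit ip 10.1.1.0 0.0.0.255 host 10.1.1.1
 deny   ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip any any
interface Vlan100
 ip address 10.1.1.1 255.255.255.0
 private-vlan mapping 101,102
 ip access-group PVLAN-NO-INTRASUBNET in
 no shutdown
!
end
```

Check the result with show vlan private-vlan, show vlan filter, and show ip arp: ARP entries learned on interface Vlan100 are sticky and will not age out, so a host whose MAC address changes must have its old entry cleared with the no arp command shown in the guideline above before the new address is learned.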
