Cisco 7609 Configuration Manual page 147

Cisco IOS Software Configuration Guide—12.1E

Chapter 10
Configuring Private VLANs
Private VLAN Configuration Guidelines

- Do not configure private VLAN ports as EtherChannels. While a port is part of the private VLAN configuration, any EtherChannel configuration for it is inactive.
- Destination SPAN configuration supersedes private VLAN configuration. While a port is a destination SPAN port, any private VLAN configuration for it is inactive.
- Private VLANs support the following SPAN features:
  - You can configure a private VLAN port as a SPAN source port.
  - You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs, or use SPAN on only one VLAN to separately monitor egress or ingress traffic.
  - For more information about SPAN, see Chapter 34, "Configuring Local SPAN and RSPAN."
- A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it.
- An isolated or community VLAN can have only one primary VLAN associated with it.
- Enable PortFast and BPDU guard on isolated and community ports to prevent STP loops due to misconfigurations and to speed up STP convergence (see Chapter 16, "Configuring Optional STP Features"). When enabled, STP applies the BPDU guard feature to all PortFast-configured Layer 2 LAN ports.
- If you delete a VLAN used in the private VLAN configuration, the private VLAN ports associated with the VLAN become inactive.
- For Ethernet 10 Mb, 10/100 Mb, and 100 Mb modules, within groups of 12 ports (1–12, 13–24, 25–36, and 37–48), do not configure ports as isolated or community VLAN ports when one port within the 12 ports is a trunk or a SPAN destination or a promiscuous private VLAN port. While one port within the 12 ports is a trunk or a SPAN destination or a promiscuous private VLAN port, any isolated or community VLAN configuration for other ports within the 12 ports is inactive. To reactivate the ports, remove the isolated or community VLAN port configuration and enter shutdown and no shutdown commands.
- Private VLAN ports can be on different network devices as long as the devices are trunk connected and the primary and secondary VLANs have not been removed from the trunk.
- VTP does not support private VLANs. You must configure private VLANs on each device where you want private VLAN ports.
- To maintain the security of your private VLAN configuration and avoid other use of the VLANs configured as private VLANs, configure private VLANs on all intermediate devices, including devices that have no private VLAN ports.
- We recommend that you prune the private VLANs from the trunks on devices that carry no traffic in the private VLANs.
- In networks with some devices using MAC address reduction, and others not using MAC address reduction, STP parameters do not necessarily propagate to ensure that the spanning tree topologies match. You should manually check the STP configuration to ensure that the primary, isolated, and community VLANs' spanning tree topologies match.
- If you enable MAC address reduction on the router, we recommend that you enable MAC address reduction on all the devices in your network to ensure that the STP topologies of the private VLANs match.
- In a network where private VLANs are configured, if you enable MAC address reduction on some devices and disable it on others (mixed environment), use the default bridge priorities to make sure that the root bridge is common to the primary VLAN and to all its associated isolated and community VLANs. Be consistent with the ranges employed by the MAC address reduction feature regardless of whether it is enabled on the system. MAC address reduction allows only discrete levels

Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E, 78-14064-04, page 10-3
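An added example, not part of the Cisco manual: a Python audit that checks a port and VLAN inventory against three of the guidelines above (the 12-port group restriction, one isolated VLAN per primary, one primary per secondary). The inventory format, function names and sample data are assumptions constructed for illustration, and every audited module is assumed to be a 10 Mb, 10/100 Mb or 100 Mb Ethernet module.

```python
from collections import defaultdict

BLOCKING = {"trunk", "span-destination", "promiscuous"}  # roles that deactivate neighbours
SECONDARY = {"isolated", "community"}

def audit_port_groups(ports):
    """ports maps (module, port) -> role (hypothetical inventory format).
    Returns secondary ports that share a 12-port group with a blocking port."""
    blocked = defaultdict(list)
    for (module, port), role in ports.items():
        if role in BLOCKING:
            blocked[(module, (port - 1) // 12)].append(port)  # 1-12 -> 0, 13-24 -> 1, ...
    return [
        (module, port, role, sorted(blocked[(module, (port - 1) // 12)]))
        for (module, port), role in sorted(ports.items())
        if role in SECONDARY and (module, (port - 1) // 12) in blocked
    ]

def audit_associations(assocs):
    """assocs is a list of (primary, secondary, kind) tuples.
    Flags primaries with several isolated VLANs and secondaries with several primaries."""
    isolated = defaultdict(set)
    primaries = defaultdict(set)
    for primary, secondary, kind in assocs:
        primaries[secondary].add(primary)
        if kind == "isolated":
            isolated[primary].add(secondary)
    findings = []
    for primary, vlans in sorted(isolated.items()):
        if len(vlans) > 1:
            findings.append(f"primary {primary}: multiple isolated VLANs {sorted(vlans)}")
    for secondary, prims in sorted(primaries.items()):
        if len(prims) > 1:
            findings.append(f"secondary {secondary}: multiple primaries {sorted(prims)}")
    return findings

# Constructed sample inventory (not from the manual).
SAMPLE_PORTS = {
    (3, 1): "promiscuous", (3, 2): "isolated", (3, 12): "community",
    (3, 13): "isolated", (3, 25): "trunk", (3, 36): "community",
    (4, 1): "isolated", (4, 2): "access",
}
SAMPLE_ASSOCS = [
    (100, 101, "isolated"), (100, 102, "community"),
    (100, 103, "isolated"), (200, 102, "community"),
]

if __name__ == "__main__":
    print(audit_port_groups(SAMPLE_PORTS))
    print(audit_associations(SAMPLE_ASSOCS))
```

Ports 3/2 and 3/12 are flagged because promiscuous port 3/1 sits in group 1–12, and 3/36 because trunk 3/25 sits in group 25–36; port 3/13 and module 4 are clean.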
