Limitations With Other Features - Cisco 3750G - Catalyst Integrated Wireless LAN Controller Configuration Manual

Chapter 16 Configuring Private VLANs
•
•
•
•

Limitations with Other Features

When configuring private VLANs, remember these limitations with other features:
In some cases, the configuration is accepted with no error messages, but the commands have no effect.
Note
•
•
•
•
•
•
•
•
OL-8550-02
Do not configure ports that belong to a PAgP or LACP EtherChannel as private-VLAN ports. While
a port is part of the private-VLAN configuration, any EtherChannel configuration for it is inactive.
Enable Port Fast and BPDU guard on isolated and community host ports to prevent STP loops due
to misconfigurations and to speed up STP convergence (see
Spanning-Tree Features"). When enabled, STP applies the BPDU guard feature to all Port
Fast-configured Layer 2 LAN ports. Do not enable Port Fast and BPDU guard on promiscuous ports.
If you delete a VLAN used in the private-VLAN configuration, the private-VLAN ports associated
with the VLAN become inactive.
Private-VLAN ports can be on different network devices if the devices are trunk-connected and the
primary and secondary VLANs have not been removed from the trunk.
Do not configure fallback bridging on switches with private VLANs.
When IGMP snooping is enabled on the switch (the default), the switch stack supports no more than
20 private-VLAN domains.
Do not configure a remote SPAN (RSPAN) VLAN as a private-VLAN primary or secondary VLAN.
For more information about SPAN, see
Do not configure private-VLAN ports on interfaces configured for these other features:
dynamic-access port VLAN membership
–
Dynamic Trunking Protocol (DTP)
–
– Port Aggregation Protocol (PAgP)
– Link Aggregation Control Protocol (LACP)
Multicast VLAN Registration (MVR)
–
voice VLAN
–
A private-VLAN port cannot be a secure port and should not be configured as a protected port.
You can configure IEEE 802.1x port-based authentication on a private-VLAN port, but do not
configure 802.1x with port security, voice VLAN, or per-user ACL on private-VLAN ports.
A private-VLAN host or promiscuous port cannot be a SPAN destination port. If you configure a
SPAN destination port as a private-VLAN port, the port becomes inactive.
If you configure a static MAC address on a promiscuous port in the primary VLAN, you must add
the same static address to all associated secondary VLANs. If you configure a static MAC address
on a host port in a secondary VLAN, you must add the same static MAC address to the associated
primary VLAN. When you delete a static MAC address from a private-VLAN port, you must remove
all instances of the configured MAC address from the private VLAN.
Chapter 20, "Configuring Optional
Chapter 28, "Configuring SPAN and RSPAN."
Catalyst 3750 Switch Software Configuration Guide
Configuring Private VLANs
16-9