Cisco WS-C6506 Software Manual page 294

Catalyst 6500 series switch

Configuring Private VLANs on the Switch
- In networks where some switches use MAC address reduction and others do not, the STP parameters do not necessarily propagate in a way that ensures the spanning-tree topologies match. You should manually check the STP configuration to ensure that the spanning-tree topologies of the primary, isolated, and community VLANs match.
- If you enable MAC address reduction on a Catalyst 6500 series switch, you might want to enable MAC address reduction on all the switches in your network to ensure that the STP topologies of the private VLANs match. Otherwise, in a network where private VLANs are configured, if you enable MAC address reduction on some switches and disable it on others (mixed environment), you will have to use the default bridge priorities to make sure that the root bridge is common to the primary VLAN and to all its associated isolated and community VLANs. Be consistent with the ranges that are employed by the MAC address reduction feature regardless of whether it is enabled on the system. MAC address reduction allows only discrete levels and uses all intermediate values internally as a range. You should disable a root bridge with private VLANs and MAC address reduction, and configure the root bridge with any priority higher than the highest priority range that is used by any nonroot bridge.
- BPDU guard mode is system wide and is enabled after you add the first port to a private VLAN.
- You cannot configure a destination SPAN port as a private VLAN port and vice versa.
- A source SPAN port can belong to a private VLAN.
- You can use VLAN-based SPAN (VSPAN) to span the primary, isolated, and community VLANs together, or use SPAN on only one VLAN to separately monitor the egress or ingress traffic.
- You cannot use a remote SPAN VLAN (RSPAN) for a private VLAN.
- You cannot enable EtherChannel on the isolated, community, or promiscuous ports.
- You can apply the different VACLs and the quality of service (QoS) ACLs to the primary, isolated, and community VLANs.

  Note: For information on configuring the ACLs, see the "Configuring ACLs on Private VLANs" section on page 15-43.

- You need to configure the output ACLs on both the two-way community VLANs and the primary VLAN in order to be applied to all outgoing traffic from the MSFC.
- If you map a Cisco IOS ACL to a primary VLAN, the Cisco IOS ACL automatically maps to the associated isolated and community VLANs.
- You cannot map the Cisco IOS ACLs to an isolated or community VLAN.
- You cannot use policy-based routing (PBR) on a private VLAN interface. You get an error message if you try to apply a policy to a private VLAN interface using the ip policy route-map route_map_name command.
- You cannot set a VLAN to a private VLAN if the VLAN has the dynamic access control entries (ACEs) configured.
- You can stop the Layer 3 switching on an isolated or community VLAN by destroying the binding of that VLAN with its primary VLAN. Deleting the corresponding mapping is not sufficient.

Source: Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 (OL-8978-04), Chapter 11, Configuring VLANs, page 11-24
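
Several of the guidelines above can be checked mechanically before a change is made. The following is an added example, not part of the Cisco guide: it audits a constructed inventory for a mismatched STP root between a primary VLAN and its isolated or community VLANs, and for the SPAN, RSPAN, EtherChannel and Cisco IOS ACL restrictions. The data model, rule names, port names and bridge IDs are assumptions made for illustration.

```python
# Added example; data model, rule names and sample values are assumptions.
from dataclasses import dataclass
from typing import Optional

SECONDARY = {"isolated", "community"}
PVLAN_PORT_ROLES = {"isolated", "community", "promiscuous"}

@dataclass
class Vlan:
    vid: int
    kind: str                      # "primary", "isolated", "community" or "normal"
    primary: Optional[int] = None  # primary VLAN a secondary VLAN is bound to
    stp_root: str = ""             # root bridge ID of this VLAN's spanning tree
    ios_acl: Optional[str] = None  # Cisco IOS ACL mapped directly to this VLAN
    rspan: bool = False            # VLAN is also configured as an RSPAN VLAN

@dataclass
class Port:
    name: str
    pvlan_role: Optional[str] = None  # one of PVLAN_PORT_ROLES, or None
    span_destination: bool = False
    etherchannel: bool = False

def audit(vlans, ports):
    """Return (subject, rule) pairs for each guideline the inventory breaks."""
    findings, by_id = [], {v.vid: v for v in vlans}
    for v in vlans:
        if v.kind != "normal" and v.rspan:
            findings.append((f"vlan {v.vid}", "rspan-vlan-used-as-private-vlan"))
        if v.kind not in SECONDARY:
            continue
        parent = by_id.get(v.primary)
        if parent is not None and parent.stp_root != v.stp_root:
            findings.append((f"vlan {v.vid}", "stp-root-differs-from-primary"))
        if v.ios_acl:
            findings.append((f"vlan {v.vid}", "ios-acl-mapped-to-secondary-vlan"))
    for p in (p for p in ports if p.pvlan_role in PVLAN_PORT_ROLES):
        if p.span_destination:
            findings.append((f"port {p.name}", "span-destination-is-private-vlan-port"))
        if p.etherchannel:
            findings.append((f"port {p.name}", "etherchannel-on-private-vlan-port"))
    return findings

# Constructed sample inventory (bridge IDs, ACL name and port names are made up).
A, B = "32768.0000.5e00.5301", "32768.0000.5e00.5302"
VLANS = [Vlan(100, "primary", stp_root=A), Vlan(101, "isolated", 100, A),
         Vlan(102, "community", 100, B, ios_acl="EXAMPLE_ACL"), Vlan(103, "community", 100, A, rspan=True)]
PORTS = [Port("3/1", "promiscuous"), Port("3/2", "isolated", span_destination=True),
         Port("3/3", "community", etherchannel=True), Port("3/4", None, span_destination=True)]
```

Calling `audit(VLANS, PORTS)` on the sample returns five findings; an empty list means none of the encoded guidelines is violated.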


This manual is also suitable for: Catalyst 6506, Catalyst 6509, Catalyst 6513