Configuring Private VLANs
• In networks with some switches using MAC address reduction and others not using it, STP parameters do not necessarily propagate in a way that ensures the spanning tree topologies match. You should manually double-check the STP configuration to ensure that the spanning tree topologies of the primary, isolated, and community VLANs match.
• If you enable MAC address reduction on a Catalyst 4000 series switch, you might want to enable MAC address reduction on all the switches in your network to ensure that the STP topologies of the private VLANs match. Otherwise, in a network where private VLANs are configured, if you enable MAC address reduction on some switches and disable it on others (mixed environment), you will have to use the default bridge priorities to make sure that the root bridge is common to the primary VLAN and to all its associated isolated and community VLANs. Be consistent with the ranges employed by the MAC address reduction feature regardless of whether it is enabled on the system. MAC address reduction allows only discrete levels and uses all intermediate values internally as a range. You should disable a root bridge with private VLANs and MAC address reduction, and configure the root bridge with any priority higher than the highest priority range used by any non-root bridge.
• BPDU guard mode is system-wide and is enabled once the first port is added to a private VLAN.
• You cannot configure a destination SPAN port as a private VLAN port, and vice versa.
• A source SPAN port can belong to a private VLAN.
• You can use VLAN-based SPAN (VSPAN) to span primary, isolated, and community VLANs together, or use SPAN on only one VLAN to monitor egress or ingress traffic separately.
• IGMP snooping and multicast shortcuts are not supported in private VLANs.
• You cannot enable EtherChannel on isolated, community, or promiscuous ports.
• You cannot set a VLAN to a private VLAN if the VLAN has dynamic access control entries (ACEs) configured on it.
• You can stop Layer 3 switching on an isolated or community VLAN by destroying the binding of that VLAN with its primary VLAN. Deleting the corresponding mapping is not sufficient.

Creating a Private VLAN
To create a private VLAN, perform these tasks in privileged mode:

Step 1  Task: Create the primary VLAN.
        Command: set vlan vlan_num pvlan-type primary
Step 2  Task: Set the isolated or community VLAN(s).
        Command: set vlan vlan_num pvlan-type {isolated | community}
Step 3  Task: Bind the isolated or community VLAN(s) to the primary VLAN and associate the isolated or community port(s) to the private VLAN.
        Command: set pvlan primary_vlan_num {isolated_vlan_num | community_vlan_num} mod/ports
Step 4  Task: Map the isolated/community VLAN to the primary VLAN on the promiscuous port.
        Command: set pvlan mapping primary_vlan_num {isolated_vlan_num | community_vlan_num} mod/ports
Step 5  Task: Verify the private VLAN configuration.
        Commands: show pvlan [vlan_num]
                  show pvlan mapping

Chapter 10  Configuring VLANs
Software Configuration Guide—Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4    78-12647-02    10-10
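A worked instance of Steps 1 through 5, added here as an example and not taken from the guide: it assumes primary VLAN 100, isolated VLAN 101, community VLAN 102, isolated hosts on ports 2/1-4, community hosts on ports 2/5-8, and the upstream router or firewall on promiscuous port 2/12. Lines beginning with ! are annotations, not commands.

```text
! Step 1: create the primary VLAN (assumed VLAN 100)
set vlan 100 pvlan-type primary

! Step 2: create the secondary VLANs (assumed 101 isolated, 102 community)
!   isolated:  hosts in 101 can reach only the promiscuous port, not each other
!   community: hosts in 102 can reach each other and the promiscuous port
set vlan 101 pvlan-type isolated
set vlan 102 pvlan-type community

! Step 3: bind each secondary VLAN to the primary and assign its host ports
!   (assumed module 2; these ports become isolated/community ports)
set pvlan 100 101 2/1-4
set pvlan 100 102 2/5-8

! Step 4: map both secondary VLANs to the primary on the promiscuous port
!   (assumed 2/12, the port facing the default gateway or firewall);
!   without this mapping the hosts have no path out of their secondary VLAN
set pvlan mapping 100 101 2/12
set pvlan mapping 100 102 2/12

! Step 5: verify bindings (Step 3) and promiscuous mappings (Step 4)
show pvlan 100
show pvlan mapping
```

When checking the result, confirm that show pvlan lists 2/1-4 under VLAN 101 and 2/5-8 under VLAN 102 only, and that show pvlan mapping shows 2/12 as the sole promiscuous port for both. As the guideline above states, removing only the mapping on 2/12 later would not stop Layer 3 switching for 101 or 102; the binding made in Step 3 must be destroyed.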