Filter
Top Products
16-8
Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-02
Chapter 16 Configuring Private VLANs
Configuring Private VLANs
• We recommend that you prune the private VLANs from the trunks on devices that carry no traffic
in the private VLANs.
• You can apply different quality of service (QoS) configurations to primary, isolated, and community
VLANs.
• When you configure private VLANs, sticky Address Resolution Protocol (ARP) is enabled by
default, and ARP entries learned on Layer 3 private VLAN interfaces are sticky ARP entries. For
security reasons, private VLAN port sticky ARP entries do not age out.
Note We recommend that you display and verify private-VLAN interface ARP entries.
Connecting a device with a different MAC address but with the same IP address generates a message
and the ARP entry is not created. Because the private-VLAN port sticky ARP entries do not age out,
you must manually remove private-VLAN port ARP entries if a MAC address changes.
–
You can remove a private-VLAN ARP entry by using the no arp ip-address global
configuration command.
–
You can add a private-VLAN ARP entry by using the arp ip-address hardware-address type
global configuration command.
• You can configure VLAN maps on primary and secondary VLANs (see the “Configuring VLAN
Maps” section on page 34-29). However, we recommend that you configure the same VLAN maps
on private-VLAN primary and secondary VLANs.
• When a frame is Layer-2 forwarded within a private VLAN, the same VLAN map is applied at the
ingress side and at the egress side. When a frame is routed from inside a private VLAN to an external
port, the private-VLAN map is applied at the ingress side.
–
For frames going upstream from a host port to a promiscuous port, the VLAN map configured
on the secondary VLAN is applied.
–
For frames going downstream from a promiscuous port to a host port, the VLAN map
configured on the primary VLAN is applied.
To filter out specific IP traffic for a private VLAN, you should apply the VLAN map to both the
primary and secondary VLANs.
• You can apply router ACLs only on the primary-VLAN SVIs. The ACL is applied to both primary
and secondary VLAN Layer 3 traffic.
• Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other
at Layer 3.
• Private VLANs support these Switched Port Analyzer (SPAN) features:
–
You can configure a private-VLAN port as a SPAN source port.
–
You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs or use
SPAN on only one VLAN to separately monitor egress or ingress traffic.
Private-VLAN Port Configuration
Follow these guidelines when configuring private-VLAN ports:
• Use only the private-VLAN configuration commands to assign ports to primary, isolated, or
community VLANs. Layer 2 access ports assigned to the VLANs that you configure as primary,
isolated, or community VLANs are inactive while the VLAN is part of the private-VLAN
configuration. Layer 2 trunk interfaces remain in the STP forwarding state.