Restrictions for Private VLANs
The following are restrictions for configuring private VLANs:
• Private VLANs are only supported on switches running the IP Lite image.
Limitations with Other Features
When configuring private VLANs, remember these limitations with other features:
Note: In some cases, the configuration is accepted with no error messages, but the commands have no effect.
• Do not configure fallback bridging on switches with private VLANs.
• When IGMP snooping is enabled on the switch (the default), the switch or switch stack supports no more than 20 private VLAN domains.
• Do not configure a remote SPAN (RSPAN) VLAN as a private VLAN primary or secondary VLAN.
• Do not configure private VLAN ports on interfaces configured for these other features:
  ◦ Dynamic-access port VLAN membership
  ◦ Dynamic Trunking Protocol (DTP)
  ◦ Port Aggregation Protocol (PAgP)
  ◦ Link Aggregation Control Protocol (LACP)
  ◦ Multicast VLAN Registration (MVR)
  ◦ Voice VLAN
  ◦ Web Cache Communication Protocol (WCCP)
• You can configure IEEE 802.1x port-based authentication on a private VLAN port, but do not configure 802.1x with port security, voice VLAN, or per-user ACL on private VLAN ports.
• A private VLAN host or promiscuous port cannot be a SPAN destination port. If you configure a SPAN destination port as a private VLAN port, the port becomes inactive.
• If you configure a static MAC address on a promiscuous port in the primary VLAN, you must add the same static address to all associated secondary VLANs. If you configure a static MAC address on a host port in a secondary VLAN, you must add the same static MAC address to the associated primary VLAN. When you delete a static MAC address from a private VLAN port, you must remove all instances of the configured MAC address from the private VLAN.
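Because some conflicting commands are accepted without an error message, the port-feature and RSPAN restrictions listed above can be checked offline against a saved configuration. The following Python check is an added example, not part of the Cisco guide; the function names, the constructed sample configuration, and the choice of command patterns used to recognize each feature are assumptions made for illustration.

```python
import re

# Interface sub-commands for the features the list above says must not share a private VLAN port.
CONFLICTS = [
    (r"switchport access vlan dynamic", "dynamic-access port VLAN membership"),
    (r"switchport mode dynamic ", "DTP"),
    (r"channel-group \d+ mode (auto|desirable)", "PAgP"),
    (r"channel-group \d+ mode (active|passive)", "LACP"),
    (r"mvr type ", "MVR"),
    (r"switchport voice vlan ", "voice VLAN"),
    (r"ip wccp .* redirect ", "WCCP"),
]
PVLAN_PORT = r"switchport mode private-vlan (host|promiscuous)"

def parse_blocks(config):
    """Map each 'interface ...' / 'vlan ...' header to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if re.match(r"(interface|vlan) \S", line):
            current = blocks.setdefault(line.strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level line ends the block
    return blocks

def lint_private_vlan(config):
    """Return (block header, conflicting feature) pairs found in the config text."""
    findings = []
    for header, cmds in parse_blocks(config).items():
        if header.startswith("vlan "):
            if "remote-span" in cmds and any(c.startswith("private-vlan ") for c in cmds):
                findings.append((header, "RSPAN VLAN used as private VLAN"))
        elif any(re.match(PVLAN_PORT, c) for c in cmds):
            findings += [(header, f) for p, f in CONFLICTS if any(re.match(p, c) for c in cmds)]
    return findings

# Constructed sample configuration (not from the guide).
SAMPLE = """\
vlan 501
 private-vlan isolated
 remote-span
interface GigabitEthernet1/0/1
 switchport mode private-vlan host
 switchport voice vlan 150
interface GigabitEthernet1/0/2
 switchport mode private-vlan promiscuous
 channel-group 1 mode active
"""
```

Calling `lint_private_vlan(SAMPLE)` reports the RSPAN VLAN, the voice VLAN on the host port, and LACP on the promiscuous port; an ordinary access port with a voice VLAN is not flagged.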
Catalyst 2960-XR Switch VLAN Configuration Guide, Cisco IOS Release 15.0(2)EX1
OL-29440-01