user manual

ManualsBrandsCisco Systems ManualsNetwork RouterNetwork Router OL-8550-09

471

472

473

474

475

476

477

478

479

480

16-10

Catalyst 3750 Switch Software Configuration Guide

OL-8550-09

Chapter 16 Configuring Private VLANs

Configuring Private VLANs

• A private-VLAN host or promiscuous port cannot be a SPAN destination port. If you configure a

SPAN destination port as a private-VLAN port, the port becomes inactive.

• If you configure a static MAC address on a promiscuous port in the primary VLAN, you must add

the same static address to all associated secondary VLANs. If you configure a static MAC address

on a host port in a secondary VLAN, you must add the same static MAC address to the associated

primary VLAN. When you delete a static MAC address from a private-VLAN port, you must remove

all instances of the configured MAC address from the private VLAN.

Note Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the

associated VLANs. For example, a MAC address learned in a secondary VLAN is replicated

in the primary VLAN. When the original dynamic MAC address is deleted or aged out, the

replicated addresses are removed from the MAC address table.

• Configure Layer 3 VLAN interfaces only for primary VLANs.

Configuring and Associating VLANs in a Private VLAN

Beginning in privileged EXEC mode, follow these steps to configure a private VLAN:

Note The private-vlan commands do not take effect until you exit VLAN configuration mode.

Command Purpose

Step 1

configure terminal Enter global configuration mode.

Step 2

vtp mode transparent Set VTP mode to transparent (disable VTP).

Step 3

vlan vlan-id Enter VLAN configuration mode and designate or create a VLAN that

will be the primary VLAN. The VLAN ID range is 2 to 1001 and 1006

to 4094.

Step 4

private-vlan primary Designate the VLAN as the primary VLAN.

Step 5

exit Return to global configuration mode.

Step 6

vlan vlan-id (Optional) Enter VLAN configuration mode and designate or create a

VLAN that will be an isolated VLAN. The VLAN ID range is 2 to 1001

and 1006 to 4094.

Step 7

private-vlan isolated Designate the VLAN as an isolated VLAN.

Step 8

exit Return to global configuration mode.

Step 9

vlan vlan-id (Optional) Enter VLAN configuration mode and designate or create a

VLAN that will be a community VLAN. The VLAN ID range is 2 to

1001 and 1006 to 4094.

Step 10

private-vlan community Designate the VLAN as a community VLAN.

Step 11

exit Return to global configuration mode.

Step 12

vlan vlan-id Enter VLAN configuration mode for the primary VLAN designated in

Step 2.

Step 13

private-vlan association [add | remove]

secondary_vlan_list

Associate the secondary VLANs with the primary VLAN.