Cisco WS-C4003 Software Guide - Page 172
Creating a Private VLAN
Chapter 10 Configuring VLANs
Configuring Private VLANs

• In networks with some switches using MAC address reduction, and others not using MAC address reduction, STP parameters do not necessarily propagate to ensure that the spanning tree topologies match. You should manually double check the STP configuration to ensure that the primary, isolated, and community VLANs spanning tree topologies match.
• If you enable MAC address reduction on a Catalyst 4000 series switch, you might want to enable MAC address reduction on all the switches in your network to ensure that the STP topologies of the private VLANs match. Otherwise, in a network where private VLANs are configured, if you enable MAC address reduction on some switches and disable it on others (mixed environment), you will have to use the default bridge priorities to make sure that the root bridge is common to the primary VLAN and to all its associated isolated and community VLANs. Be consistent with the ranges employed by the MAC address reduction feature regardless of whether it is enabled on the system. MAC address reduction allows only discrete levels, and uses all intermediate values internally as a range. You should disable a root bridge with private VLANs and MAC address reduction, and configure the root bridge with any priority higher than the highest priority range used by any non-root bridge.
• BPDU guard mode is system wide and is enabled once the first port is added to a private VLAN.
• You cannot configure a destination SPAN port as a private VLAN port and vice versa.
• A source SPAN port can belong to a private VLAN.
• You can use VLAN-based SPAN (VSPAN) to span primary, isolated, and community VLANs together, or use SPAN on only one VLAN to separately monitor egress or ingress traffic.
• IGMP snooping and multicast shortcuts are not supported in private VLANs.
• You cannot enable EtherChannel on isolated, community, or promiscuous ports.
• You cannot set a VLAN to a private VLAN if the VLAN has dynamic access control entries (ACEs) configured on it.
• You can stop Layer 3 switching on an isolated or community VLAN by destroying the binding of that VLAN with its primary VLAN. Deleting the corresponding mapping is not sufficient.

Creating a Private VLAN

To create a private VLAN, perform these tasks in privileged mode:

Step 1  Task: Create the primary VLAN.
        Command: set vlan vlan_num pvlan-type primary

Step 2  Task: Set the isolated or community VLAN(s).
        Command: set vlan vlan_num pvlan-type {isolated | community}

Step 3  Task: Bind the isolated or community VLAN(s) to the primary VLAN and associate the isolated or community port(s) to the private VLAN.
        Command: set pvlan primary_vlan_num {isolated_vlan_num | community_vlan_num} mod/ports

Step 4  Task: Map the isolated/community VLAN to the primary VLAN on the promiscuous port.
        Command: set pvlan mapping primary_vlan_num {isolated_vlan_num | community_vlan_num} mod/ports

Step 5  Task: Verify the private VLAN configuration.
        Command: show pvlan [vlan_num]
                 show pvlan mapping

10-10 Software Configuration Guide-Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 78-12647-02
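The following is an added example, not part of the Cisco guide: a small Python check that reads a list of the set commands from the tasks above and reports where the sequence departs from Steps 1 through 4 (undeclared VLAN types, a mapping entered before its binding, a binding that is never mapped). The function name audit_pvlan, the VLAN numbers and the mod/ports values are constructed for illustration, and the parser assumes one secondary VLAN per command.

```python
import re

# Patterns follow the command syntax shown in Steps 1-4 above.
TYPE_RE = re.compile(r"^set vlan (\d+) pvlan-type (primary|isolated|community)$")
MAP_RE = re.compile(r"^set pvlan mapping (\d+) (\d+) (\S+)$")
BIND_RE = re.compile(r"^set pvlan (\d+) (\d+) (\S+)$")

def audit_pvlan(commands):
    """Return findings for a sequence of private VLAN set commands (hypothetical helper)."""
    types, bound, mapped, findings = {}, set(), set(), []

    def check_pair(kind, prim, sec):
        # Steps 1 and 2 must have declared both VLANs before they are used.
        if types.get(prim) != "primary":
            findings.append(f"{kind}: VLAN {prim} is not a declared primary VLAN")
        if types.get(sec) not in ("isolated", "community"):
            findings.append(f"{kind}: VLAN {sec} is not a declared isolated/community VLAN")

    for raw in commands:
        line = " ".join(raw.split())          # normalise whitespace
        if m := TYPE_RE.match(line):
            types[int(m[1])] = m[2]
        elif m := MAP_RE.match(line):         # Step 4
            pair = (int(m[1]), int(m[2]))
            check_pair("mapping", *pair)
            if pair not in bound:
                findings.append(f"mapping: VLAN {pair[1]} mapped to {pair[0]} before being bound")
            mapped.add(pair)
        elif m := BIND_RE.match(line):        # Step 3
            pair = (int(m[1]), int(m[2]))
            check_pair("binding", *pair)
            bound.add(pair)
        elif line and not line.startswith("show "):
            findings.append(f"unrecognized command: {line}")
    for prim, sec in sorted(bound - mapped):  # Step 4 missing for this pair
        findings.append(f"binding: VLAN {sec} bound to {prim} but never mapped on a promiscuous port")
    return findings

# Constructed sample input: GOOD follows the task order, BAD binds an undeclared VLAN.
GOOD = ["set vlan 7 pvlan-type primary", "set vlan 901 pvlan-type isolated",
        "set pvlan 7 901 4/4-6", "set pvlan mapping 7 901 3/1", "show pvlan 7"]
BAD = ["set vlan 7 pvlan-type primary", "set vlan 902 pvlan-type community",
       "set pvlan 7 901 4/4-6", "set pvlan mapping 7 902 3/1"]

if __name__ == "__main__":
    for name, cmds in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_pvlan(cmds) or "no findings")
```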