Cisco Systems WSC2960XR48FPSI Manual De Usuario
For more information about using the ip sticky-arp global configuration and the ip sticky-arp
interface configuration commands, see the command reference for this release.
interface configuration commands, see the command reference for this release.
• You can configure VLAN maps on primary and secondary VLANs. However, we recommend that you
configure the same VLAN maps on private-VLAN primary and secondary VLANs.
• When a frame is Layer-2 forwarded within a private VLAN, the same VLAN map is applied at the
ingress side and at the egress side. When a frame is routed from inside a private VLAN to an external
port, the private-VLAN map is applied at the ingress side.
port, the private-VLAN map is applied at the ingress side.
◦For frames going upstream from a host port to a promiscuous port, the VLAN map configured on
the secondary VLAN is applied.
◦For frames going downstream from a promiscuous port to a host port, the VLAN map configured
on the primary VLAN is applied.
To filter out specific IP traffic for a private VLAN, you should apply the VLAN map to both the
primary and secondary VLANs.
primary and secondary VLANs.
• You can apply router ACLs only on the primary-VLAN SVIs. The ACL is applied to both primary and
secondary VLAN Layer 3 traffic.
• Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other at
Layer 3.
• Private VLANs support these Switched Port Analyzer (SPAN) features:
◦You can configure a private-VLAN port as a SPAN source port.
◦You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs or use
SPAN on only one VLAN to separately monitor egress or ingress traffic.
Private VLAN Port Configuration
Follow these guidelines when configuring private VLAN ports:
• Use only the private VLAN configuration commands to assign ports to primary, isolated, or community
VLANs. Layer 2 access ports assigned to the VLANs that you configure as primary, isolated, or
community VLANs are inactive while the VLAN is part of the private VLAN configuration. Layer 2
trunk interfaces remain in the STP forwarding state.
community VLANs are inactive while the VLAN is part of the private VLAN configuration. Layer 2
trunk interfaces remain in the STP forwarding state.
• Do not configure ports that belong to a PAgP or LACP EtherChannel as private VLAN ports. While a
port is part of the private VLAN configuration, any EtherChannel configuration for it is inactive.
• Enable Port Fast and BPDU guard on isolated and community host ports to prevent STP loops due to
misconfigurations and to speed up STP convergence. When enabled, STP applies the BPDU guard
feature to all Port Fast-configured Layer 2 LAN ports. Do not enable Port Fast and BPDU guard on
promiscuous ports.
feature to all Port Fast-configured Layer 2 LAN ports. Do not enable Port Fast and BPDU guard on
promiscuous ports.
• If you delete a VLAN used in the private VLAN configuration, the private VLAN ports associated with
the VLAN become inactive.
• Private VLAN ports can be on different network devices if the devices are trunk-connected and the
primary and secondary VLANs have not been removed from the trunk.
Catalyst 2960-XR Switch VLAN Configuration Guide, Cisco IOS Release 15.0(2)EX1
OL-29440-01
85
Configuring Private VLANs
Private VLAN Port Configuration