Cisco Systems 3560X Manual De Usuario
18-4
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 18 Configuring Private VLANs
Understanding Private VLANs
Private VLANs across Multiple Switches
As with regular VLANs, private VLANs can span multiple switches. A trunk port carries the primary
VLAN and secondary VLANs to a neighboring switch. The trunk port treats the private VLAN as any
other VLAN. A feature of private VLANs across multiple switches is that traffic from an isolated port
in switch A does not reach an isolated port on Switch B. See
VLAN and secondary VLANs to a neighboring switch. The trunk port treats the private VLAN as any
other VLAN. A feature of private VLANs across multiple switches is that traffic from an isolated port
in switch A does not reach an isolated port on Switch B. See
.
Figure 18-2
Private VLANs across Switches
Because VTP does not support private VLANs, you must manually configure private VLANs on all
switches in the Layer 2 network. If you do not configure the primary and secondary VLAN association
in some switches in the network, the Layer 2 databases in these switches are not merged. This can result
in unnecessary flooding of private-VLAN traffic on those switches.
switches in the Layer 2 network. If you do not configure the primary and secondary VLAN association
in some switches in the network, the Layer 2 databases in these switches are not merged. This can result
in unnecessary flooding of private-VLAN traffic on those switches.
Note
When configuring private VLANs on the switch, always use the default Switch Database Management
(SDM) template to balance system resources between unicast routes and Layer 2 entries. If another SDM
template is configured, use the sdm prefer default global configuration command to set the default
template. See
(SDM) template to balance system resources between unicast routes and Layer 2 entries. If another SDM
template is configured, use the sdm prefer default global configuration command to set the default
template. See
Private-VLAN Interaction with Other Features
Private VLANs have specific interaction with some other features, described in these sections:
•
•
•
You should also see the
under the
Private VLANs and Unicast, Broadcast, and Multicast Traffic
In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but
devices connected to interfaces in different VLANs must communicate at the Layer 3 level. In private
VLANs, the promiscuous ports are members of the primary VLAN, while the host ports belong to
secondary VLANs. Because the secondary VLAN is associated to the primary VLAN, members of the
these VLANs can communicate with each other at the Layer 2 level.
devices connected to interfaces in different VLANs must communicate at the Layer 3 level. In private
VLANs, the promiscuous ports are members of the primary VLAN, while the host ports belong to
secondary VLANs. Because the secondary VLAN is associated to the primary VLAN, members of the
these VLANs can communicate with each other at the Layer 2 level.
In a regular VLAN, broadcasts are forwarded to all ports in that VLAN. Private VLAN broadcast
forwarding depends on the port sending the broadcast:
forwarding depends on the port sending the broadcast:
•
An isolated port sends a broadcast only to the promiscuous ports or trunk ports.
•
A community port sends a broadcast to all promiscuous ports, trunk ports, and ports in the same
community VLAN.
community VLAN.
•
A promiscuous port sends a broadcast to all ports in the private VLAN (other promiscuous ports,
trunk ports, isolated ports, and community ports).
trunk ports, isolated ports, and community ports).
Multicast traffic is routed or bridged across private-VLAN boundaries and within a single community
VLAN. Multicast traffic is not forwarded between ports in the same isolated VLAN or between ports in
different secondary VLANs.
VLAN. Multicast traffic is not forwarded between ports in the same isolated VLAN or between ports in
different secondary VLANs.