Cisco Systems 3560 User Manual

Catalyst 3560 Switch Software Configuration Guide
OL-8553-06
Chapter 14: Configuring Private VLANs
To filter out specific IP traffic for a private VLAN, you should apply the VLAN map to both the primary and secondary VLANs.
  • You can apply router ACLs only on the primary-VLAN SVIs. The ACL is applied to both primary and secondary VLAN Layer 3 traffic.
  • Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other at Layer 3.
  • Private VLANs support these Switched Port Analyzer (SPAN) features:
      – You can configure a private-VLAN port as a SPAN source port.
      – You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs or use SPAN on only one VLAN to separately monitor egress or ingress traffic.
Private-VLAN Port Configuration
Follow these guidelines when configuring private-VLAN ports:
  • Use only the private-VLAN configuration commands to assign ports to primary, isolated, or community VLANs. Layer 2 access ports assigned to the VLANs that you configure as primary, isolated, or community VLANs are inactive while the VLAN is part of the private-VLAN configuration. Layer 2 trunk interfaces remain in the STP forwarding state.
  • Do not configure ports that belong to a PAgP or LACP EtherChannel as private-VLAN ports. While a port is part of the private-VLAN configuration, any EtherChannel configuration for it is inactive.
  • Enable Port Fast and BPDU guard on isolated and community host ports to prevent STP loops due to misconfigurations and to speed up STP convergence (see ). When enabled, STP applies the BPDU guard feature to all Port Fast-configured Layer 2 LAN ports. Do not enable Port Fast and BPDU guard on promiscuous ports.
  • If you delete a VLAN used in the private-VLAN configuration, the private-VLAN ports associated with the VLAN become inactive.
  • Private-VLAN ports can be on different network devices if the devices are trunk-connected and the primary and secondary VLANs have not been removed from the trunk.
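The following Python check is an added example, not part of the Cisco guide: it audits a running-config excerpt against the Port Fast, BPDU guard, and EtherChannel guidelines above. The sample configuration and interface names are constructed, and the check assumes Port Fast and BPDU guard are set per interface rather than through global defaults.

```python
import re

# Constructed running-config excerpt (not from the guide); interface names are made up.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode private-vlan host
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode private-vlan host
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode private-vlan promiscuous
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport mode private-vlan host
 channel-group 1 mode active
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/5
 switchport mode access
"""

# One match per interface stanza: the name, then its indented command lines.
STANZA = re.compile(r"^interface (\S+)\n((?:[ \t]+.*(?:\n|\Z))*)", re.M)

def audit_pvlan_ports(config):
    """Return (interface, finding) pairs; assumes per-interface STP commands only."""
    findings = []
    for name, body in STANZA.findall(config):
        lines = {line.strip() for line in body.splitlines()}
        mode = next((l.split()[-1] for l in lines
                     if l.startswith("switchport mode private-vlan ")), None)
        if mode is None:
            continue  # not a private-VLAN port, nothing to check
        portfast = "spanning-tree portfast" in lines
        bpduguard = "spanning-tree bpduguard enable" in lines
        if mode == "host" and not (portfast and bpduguard):
            findings.append((name, "host port lacks Port Fast or BPDU guard"))
        if mode == "promiscuous" and (portfast or bpduguard):
            findings.append((name, "Port Fast or BPDU guard on promiscuous port"))
        if any(l.startswith("channel-group ") for l in lines):
            findings.append((name, "EtherChannel member used as private-VLAN port"))
    return findings

if __name__ == "__main__":
    print(*audit_pvlan_ports(SAMPLE_CONFIG), sep="\n")
```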
Limitations with Other Features
When configuring private VLANs, remember these limitations with other features:
Note: In some cases, the configuration is accepted with no error messages, but the commands have no effect.
  • Do not configure fallback bridging on switches with private VLANs.
  • When IGMP snooping is enabled on the switch (the default), the switch supports no more than 20 private-VLAN domains.
  • Do not configure a remote SPAN (RSPAN) VLAN as a private-VLAN primary or secondary VLAN.
For more information about SPAN, see