Cisco Systems 3560 사용자 설명서
14-9
Catalyst 3560 Switch Software Configuration Guide
OL-8553-06
Chapter 14 Configuring Private VLANs
Configuring Private VLANs
•
Do not configure private-VLAN ports on interfaces configured for these other features:
–
dynamic-access port VLAN membership
–
Dynamic Trunking Protocol (DTP)
–
Port Aggregation Protocol (PAgP)
–
Link Aggregation Control Protocol (LACP)
–
Multicast VLAN Registration (MVR)
–
voice VLAN
–
Web Cache Communication Protocol (WCCP)
•
A private-VLAN port cannot be a secure port and should not be configured as a protected port.
•
You can configure IEEE 802.1x port-based authentication on a private-VLAN port, but do not
configure IEEE 802.1x with port security, voice VLAN, or per-user ACL on private-VLAN ports.
configure IEEE 802.1x with port security, voice VLAN, or per-user ACL on private-VLAN ports.
•
A private-VLAN host or promiscuous port cannot be a SPAN destination port. If you configure a
SPAN destination port as a private-VLAN port, the port becomes inactive.
SPAN destination port as a private-VLAN port, the port becomes inactive.
•
If you configure a static MAC address on a promiscuous port in the primary VLAN, you must add
the same static address to all associated secondary VLANs. If you configure a static MAC address
on a host port in a secondary VLAN, you must add the same static MAC address to the associated
primary VLAN. When you delete a static MAC address from a private-VLAN port, you must remove
all instances of the configured MAC address from the private VLAN.
the same static address to all associated secondary VLANs. If you configure a static MAC address
on a host port in a secondary VLAN, you must add the same static MAC address to the associated
primary VLAN. When you delete a static MAC address from a private-VLAN port, you must remove
all instances of the configured MAC address from the private VLAN.
Note
Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the
associated VLANs. For example, a MAC address learned in a secondary VLAN is replicated
in the primary VLAN. When the original dynamic MAC address is deleted or aged out, the
replicated addresses are removed from the MAC address table.
associated VLANs. For example, a MAC address learned in a secondary VLAN is replicated
in the primary VLAN. When the original dynamic MAC address is deleted or aged out, the
replicated addresses are removed from the MAC address table.
•
Configure Layer 3 VLAN interfaces only for primary VLANs.
Configuring and Associating VLANs in a Private VLAN
Beginning in privileged EXEC mode, follow these steps to configure a private VLAN:
Note
The private-vlan commands do not take effect until you exit VLAN configuration mode.
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
vtp mode transparent
Set VTP mode to transparent (disable VTP).
Step 3
vlan vlan-id
Enter VLAN configuration mode and designate or create a VLAN that
will be the primary VLAN. The VLAN ID range is 2 to 1001 and 1006
to 4094.
will be the primary VLAN. The VLAN ID range is 2 to 1001 and 1006
to 4094.
Step 4
private-vlan primary
Designate the VLAN as the primary VLAN.
Step 5
exit
Return to global configuration mode.