Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Chapter 15 Configuring Private VLANs
Private VLAN Configuration Guidelines and Restrictions
• Do not configure a remote SPAN (RSPAN) VLAN as a private VLAN primary or secondary VLAN. For more information about SPAN, see Chapter 52, “Configuring Local SPAN, RSPAN, and ERSPAN.”
• A private VLAN host or promiscuous port cannot be a SPAN destination port. If you configure a SPAN destination port as a private VLAN port, the port becomes inactive.
• A destination SPAN port should not be an isolated port. (However, a source SPAN port can be an isolated port.) VSPAN could be configured to span both primary and secondary VLANs or, alternatively, to span either one if the user is interested only in ingress or egress traffic.
• When protocol filtering is enabled on a Supervisor Engine 1, all the required Local Target Logic (LTL) buckets of a private VLAN port should be programmed with the appropriate secondary VLAN indexes.
• If you use shortcuts between different VLANs and any of these VLANs is private, consider the primary, isolated, and community VLANs. The primary VLAN should be used both as the destination and as the virtual source, because the secondary VLAN (the real source) is always remapped to the primary VLAN in the Layer 2 FID table.
• If you configure a static MAC address on a promiscuous port in the primary VLAN, you must add the same static address to all associated secondary VLANs. If you configure a static MAC address on a host port in a secondary VLAN, you must add the same static MAC address to the associated primary VLAN. When you delete a static MAC address from a private VLAN port, you must remove all instances of the configured MAC address from the private VLAN.
Note: Dynamic MAC addresses learned in one VLAN of a private VLAN are replicated in the associated VLANs. For example, a MAC address learned in a secondary VLAN is replicated in the primary VLAN. When the original dynamic MAC address is deleted or aged out, the replicated addresses are removed from the MAC address table.
• Do not configure private VLAN ports as EtherChannels. A port can be part of the private VLAN configuration, but any EtherChannel configuration for the port is inactive.
• These restrictions apply when you configure groups of 12 ports as secondary ports:
In all releases, the 12-port restriction applies to these 10 Mb, 10/100 Mb, and 100 Mb Ethernet switching modules: WS-X6324-100FX, WS-X6348-RJ-45, WS-X6348-RJ-45V, WS-X6348-RJ-21V, WS-X6248-RJ-45, WS-X6248A-TEL, WS-X6248-TEL, WS-X6148-RJ-45, WS-X6148-RJ-45V, WS-X6148-45AF, WS-X6148-RJ-21, WS-X6148-RJ-21V, WS-X6148-21AF, WS-X6024-10FL-MT.
In releases earlier than Release 12.2(17a)SX, the 12-port restriction applies to these Ethernet switching modules: WS-X6548-RJ-45, WS-X6548-RJ-21, WS-X6524-100FX-MM.
In Release 12.2(17a)SX and later releases, the 12-port restriction does not apply to these Ethernet switching modules: WS-X6548-RJ-45, WS-X6548-RJ-21, WS-X6524-100FX-MM (CSCea67876).
Within groups of 12 ports (1–12, 13–24, 25–36, and 37–48), do not configure ports as isolated ports or community VLAN ports when one port within the group of 12 ports is any of these:
– A trunk port
– A SPAN destination port
– A promiscuous private VLAN port
– In releases where CSCsb44185 is resolved, a port that has been configured with the switchport mode dynamic auto or switchport mode dynamic desirable command.
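The 12-port group restriction above can be checked before a change is pushed. The following is an added example, not Cisco code: the role names, the input dictionary, and the two boolean release flags are assumptions made for this sketch, while the module lists and port groups are taken from the text above.

```python
from collections import defaultdict

# Modules the text lists as restricted in all releases.
ALWAYS_RESTRICTED = {
    "WS-X6324-100FX", "WS-X6348-RJ-45", "WS-X6348-RJ-45V", "WS-X6348-RJ-21V",
    "WS-X6248-RJ-45", "WS-X6248A-TEL", "WS-X6248-TEL", "WS-X6148-RJ-45",
    "WS-X6148-RJ-45V", "WS-X6148-45AF", "WS-X6148-RJ-21", "WS-X6148-RJ-21V",
    "WS-X6148-21AF", "WS-X6024-10FL-MT",
}
# Modules restricted only in releases earlier than 12.2(17a)SX.
PRE_17A_SX_ONLY = {"WS-X6548-RJ-45", "WS-X6548-RJ-21", "WS-X6524-100FX-MM"}

# Role labels are assumed names for this example, not IOS keywords.
SECONDARY = {"isolated", "community"}
BLOCKERS = {"trunk", "span-destination", "promiscuous"}
DYNAMIC = {"dynamic-auto", "dynamic-desirable"}


def restriction_applies(module, pre_17a_sx):
    """True if the 12-port rule applies to this module on this release."""
    return module in ALWAYS_RESTRICTED or (pre_17a_sx and module in PRE_17A_SX_ONLY)


def find_violations(module, roles, pre_17a_sx=False, cscsb44185_resolved=True):
    """Return {(first, last): (secondary_ports, blocking_ports)} per bad group."""
    if not restriction_applies(module, pre_17a_sx):
        return {}
    # Dynamic auto/desirable ports count only where CSCsb44185 is resolved.
    blockers = BLOCKERS | (DYNAMIC if cscsb44185_resolved else set())
    groups = defaultdict(lambda: ([], []))
    for port, role in sorted(roles.items()):
        first = (port - 1) // 12 * 12 + 1          # 1, 13, 25 or 37
        secondary, blocking = groups[(first, first + 11)]
        if role in SECONDARY:
            secondary.append(port)
        elif role in blockers:
            blocking.append(port)
    # A group is in violation only if it mixes both kinds of port.
    return {g: v for g, v in groups.items() if v[0] and v[1]}


# Constructed sample: port number -> role on one 48-port module.
SAMPLE = {1: "isolated", 5: "trunk", 13: "community", 14: "community",
          25: "promiscuous", 37: "isolated", 40: "dynamic-auto"}

if __name__ == "__main__":
    for (first, last), (sec, blk) in find_violations("WS-X6148-RJ-45", SAMPLE).items():
        print(f"ports {first}-{last}: secondary ports {sec} share a group with {blk}")
```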