15-8
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Chapter 15 Configuring Private VLANs
Private VLAN Configuration Guidelines and Restrictions
• We recommend that you display and verify private VLAN interface ARP entries.
• Sticky ARP prevents MAC address spoofing by ensuring that ARP entries (IP address, MAC address, and source VLAN) do not age out. With Release 12.2(18)SXF and later releases, you can configure sticky ARP on a per-interface basis. For information about configuring sticky ARP, see the “Configuring Sticky ARP” section on page 36-34. The following guidelines and restrictions apply to private VLAN sticky ARP:
  – ARP entries learned on Layer 3 private VLAN interfaces are sticky ARP entries.
  – Connecting a device with a different MAC address but with the same IP address as an existing sticky entry generates a system message, and the new ARP entry is not created.
  – Because private VLAN port sticky ARP entries do not age out, you must manually remove a private VLAN port ARP entry if the MAC address of the host changes. You can add or remove private VLAN ARP entries manually as follows:
      Router(config)# no arp 11.1.3.30
      IP ARP:Deleting Sticky ARP entry 11.1.3.30
      Router(config)# arp 11.1.3.30 0000.5403.2356 arpa
      IP ARP:Overwriting Sticky ARP entry 11.1.3.30, hw:00d0.bb09.266e by hw:0000.5403.2356
• You can configure VLAN maps on primary and secondary VLANs. (See the “Applying a VLAN Access Map” section on page 35-8.) However, we recommend that you configure the same VLAN maps on private VLAN primary and secondary VLANs.
• When a frame is Layer 2 forwarded within a private VLAN, the same VLAN map is applied at the ingress side and at the egress side. When a frame is routed from inside a private VLAN to an external port, the private VLAN map is applied at the ingress side.
  – For frames going upstream from a host port to a promiscuous port, the VLAN map configured on the secondary VLAN is applied.
  – For frames going downstream from a promiscuous port to a host port, the VLAN map configured on the primary VLAN is applied.
  To filter out specific IP traffic for a private VLAN, you must apply the VLAN map to both the primary and secondary VLANs; a map applied to only one of them filters traffic in only one direction.
• To apply Cisco IOS output ACLs to all outgoing private VLAN traffic, configure them on the Layer 3 VLAN interface of the primary VLAN. (See Chapter 33, “Configuring Network Security.”)
• Cisco IOS ACLs applied to the Layer 3 VLAN interface of a primary VLAN automatically apply to the associated isolated and community VLANs.
• Do not apply Cisco IOS ACLs to isolated or community VLANs. Cisco IOS ACL configuration applied to isolated and community VLANs is inactive while the VLANs are part of the private VLAN configuration.
• Although private VLANs isolate hosts from each other at Layer 2, hosts in the same private VLAN can still communicate with each other at Layer 3 when their traffic is routed through the Layer 3 interface of the primary VLAN, unless you filter it there.
• Private VLANs support these Switched Port Analyzer (SPAN) features:
  – You can configure a private VLAN port as a SPAN source port.
  – You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community VLANs or use SPAN on only one VLAN to separately monitor egress or ingress traffic.
  – For more information about SPAN, see Chapter 52, “Configuring Local SPAN, RSPAN, and ERSPAN.”
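The VLAN map and Cisco IOS ACL guidelines above, worked through as one configuration. This is an added example and not configuration taken from the original guide: the VLAN IDs (100 primary, 101 isolated, 102 community), the 11.1.3.0/24 addressing, the interface names, the ACL and access-map names, and the use of VTP transparent mode are assumptions chosen for illustration.

```ios
! Added example (not from the original guide). VLAN IDs, addresses,
! interface names, and ACL/access-map names are illustrative assumptions.
!
! Private VLAN definition: one primary VLAN with an isolated and a
! community secondary VLAN. VTP transparent mode is assumed here.
vtp mode transparent
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! A host port in the isolated VLAN and the promiscuous uplink port.
interface GigabitEthernet1/1
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet1/2
 switchport
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! VLAN map: drop TFTP sourced from the private VLAN, forward everything
! else. The same map is applied to the primary AND both secondary VLANs:
! upstream frames (host port -> promiscuous port) are checked against the
! secondary VLAN's map, downstream frames against the primary VLAN's map,
! so a map on only one of them filters only one direction.
ip access-list extended PVLAN_BLOCK_TFTP
 permit udp 11.1.3.0 0.0.0.255 any eq tftp
vlan access-map PVLAN_MAP 10
 match ip address PVLAN_BLOCK_TFTP
 action drop
vlan access-map PVLAN_MAP 20
 action forward
vlan filter PVLAN_MAP vlan-list 100,101,102
!
! Cisco IOS ACL on the Layer 3 interface of the PRIMARY VLAN only. The
! "out" ACL filters packets routed out of Vlan100 toward the private VLAN
! hosts and automatically covers the associated isolated and community
! VLANs. Do not put ACLs on interface Vlan101 or Vlan102: they would be
! inactive while those VLANs are part of the private VLAN.
ip access-list extended PVLAN_OUT
 permit tcp any 11.1.3.0 0.0.0.255 eq 443
 permit tcp 10.0.0.0 0.0.0.255 11.1.3.0 0.0.0.255 eq 22
 deny ip any any log
interface Vlan100
 ip address 11.1.3.1 255.255.255.0
 private-vlan mapping 101,102
 ip access-group PVLAN_OUT out
!
! Verification: confirm the private VLAN associations, the VLAN map that
! is applied to all three VLANs, and (per the sticky ARP guideline above)
! that the ARP entries learned on Vlan100 do not age out.
!   show vlan private-vlan
!   show vlan filter
!   show vlan access-map PVLAN_MAP
!   show arp
```

If a host in 11.1.3.0/24 is replaced and keeps its IP address, its sticky ARP entry on Vlan100 will not update on its own; clear it with `no arp <address>` in global configuration mode as shown in the sticky ARP guideline above, then confirm the new entry with `show arp`.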