[c-nsp] private vlan ports

Hitesh Vinzoda vinzoda.hitesh at gmail.com
Sat Dec 15 02:19:15 EST 2012


This could be helpful. It's an excerpt from Cisco's website.

Follow these guidelines when configuring PVLANs:

• To configure a PVLAN correctly, enable VTP in transparent mode.

• Do not include VLAN 1 or VLANs 1002 through 1005 in PVLANs.

• Use only PVLAN commands to assign ports to primary, isolated, or community
VLANs.

Layer 2 interfaces on primary, isolated, or community VLANs are inactive in
PVLANs. Layer 2 trunk interfaces remain in the STP forwarding state.

• You cannot configure Layer 3 VLAN interfaces for secondary VLANs.

Layer 3 VLAN interfaces for isolated and community (secondary) VLANs are
inactive while the VLAN is configured as an isolated or community VLAN.

• Do not configure PVLAN ports as EtherChannel.

EtherChannel ports in PVLANs are inactive.

• Do not configure private VLAN ports as EtherChannels. While a port is part
of the private VLAN configuration, its associated EtherChannel
configuration is inactive.

• Do not apply dynamic access control entries (ACEs) to primary VLANs.

Cisco IOS dynamic ACL configuration applied to a primary VLAN is inactive
while the VLAN is part of the PVLAN configuration.

• To prevent spanning tree loops due to misconfigurations, enable PortFast
on the PVLAN trunk ports with the *spanning-tree portfast trunk* command.

• Any VLAN ACL configured on a secondary VLAN is effective in the input
direction, and any VLAN ACL configured on the primary VLAN associated with
the secondary VLAN is effective in the output direction.

• You can stop Layer 3 switching on an isolated or community VLAN by
deleting the mapping of that VLAN with its primary VLAN.

• PVLAN ports can be on different network devices as long as the devices are
trunk-connected and the primary and secondary VLANs remain associated with
the trunk.

• Isolated ports on two different devices cannot communicate with each
other, but community VLAN ports can.

• Private VLANs support the following SPAN features:

– You can configure a private VLAN port as a SPAN source port.

– You can use VLAN-based SPAN (VSPAN) on primary, isolated, and community
VLANs or use SPAN on only one VLAN to monitor egress or ingress traffic
separately.

For more information about SPAN, see Chapter 37, "Configuring SPAN and
RSPAN." <http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ew/configuration/guide/span.html#wpxref25516>

• A primary VLAN can be associated with multiple community VLANs, but only
one isolated VLAN.

• An isolated or community VLAN can be associated with only one primary VLAN.

• If you delete a VLAN used in a private VLAN configuration, the private
VLAN ports associated with the VLAN become inactive.

• VTP does not support private VLANs. You must configure private VLANs on
each device in which you plan to use private VLAN ports.

• To maintain the security of your PVLAN configuration and avoid other use
of VLANs configured as PVLANs, configure PVLANs on all intermediate
devices, even if the devices have no PVLAN ports.

• Prune the PVLANs from trunks on devices that carry no traffic in the
PVLANs.

• With port ACL functionality available, you can apply Cisco IOS ACLs to
secondary VLAN ports and Cisco IOS ACLs to PVLANs (VACLs). For more
information on VACLs, see Chapter 32, "Configuring Network Security with
ACLs." <http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ew/configuration/guide/secure.html#wpxref26976>

• You can apply different quality of service (QoS) configurations to
primary, isolated, and community VLANs. (See Chapter 26, "Configuring
QoS." <http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ew/configuration/guide/qos.html#wpxref73710>)
Cisco IOS ACLs applied to the Layer 3 VLAN interface of a primary VLAN
automatically apply to the associated isolated and community VLANs.

• On a PVLAN trunk port a secondary VLAN ACL is applied on ingress traffic
and a primary VLAN ACL is applied on egress traffic.

• On a promiscuous port the primary VLAN ACL is applied on ingress traffic.

• PVLAN trunk ports support only IEEE 802.1q encapsulation.

• You cannot change the VTP mode to client or server for PVLANs.

• An isolated or community VLAN can have only one primary VLAN associated
with it.

• VTP does not support PVLANs. You must configure PVLANs on each device
where you want PVLAN ports.

• Community VLANs cannot be propagated or carried over private VLAN trunks.


Thanks

Hitesh
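
Most of the guidelines above are constraints that can be checked mechanically against a running-config before a change window. The script below is an added example, not code from the thread or from Cisco's documentation: it parses a constructed IOS config fragment (assumed Catalyst-style one-space-indented `vlan N` / `interface X` stanzas and the plain `private-vlan association <list>` form; the `add`/`remove` variants are not handled) and flags the violations the guidelines name: VTP not in transparent mode, VLAN 1 or 1002-1005 used in a PVLAN, a primary with more than one isolated VLAN, a secondary associated with more than one primary, a PVLAN host or promiscuous port that is also in a channel-group, and an SVI on a secondary VLAN. The sample config is constructed and deliberately contains several of these mistakes so the audit has something to report.

```python
"""Audit a Cisco IOS config fragment against the PVLAN guidelines.

Added example (not from the thread or Cisco's docs). Assumes Catalyst-style
'vlan N' / 'interface X' stanzas with one-space indentation and the plain
'private-vlan association <list>' form; 'add'/'remove' variants are not parsed.
"""
import re
from collections import defaultdict

# Constructed sample config with deliberate guideline violations.
SAMPLE_CONFIG = """\
vtp mode server
vlan 100
 private-vlan primary
 private-vlan association 101,102,103
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 103
 private-vlan isolated
vlan 200
 private-vlan primary
 private-vlan association 102,1002
interface GigabitEthernet1/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet1/2
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
 channel-group 1 mode on
interface Vlan100
 private-vlan mapping 101,102
interface Vlan101
 ip address 10.0.1.1 255.255.255.0
"""

RESERVED_VLANS = {1, *range(1002, 1006)}  # never use these in a PVLAN


def parse_stanzas(config):
    """Return [(top-level line, [indented body lines])] in config order."""
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and stanzas:
            stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def vlan_ids(spec):
    """Expand an IOS VLAN list such as '101,102,110-112' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def audit_pvlan(config):
    """Return a list of guideline violations found in the config text."""
    findings = []
    role = {}                 # vlan id -> 'primary' | 'isolated' | 'community'
    assoc = defaultdict(set)  # primary id -> associated secondary ids
    svi_ids = []              # VLAN ids that have an 'interface VlanN' stanza
    vtp_transparent = False

    for header, body in parse_stanzas(config):
        if header.startswith("vtp mode "):
            vtp_transparent = header.split()[-1] == "transparent"
        elif (m := re.fullmatch(r"vlan (\d+)", header)):
            vid = int(m.group(1))
            for line in body:
                if line.startswith("private-vlan association "):
                    assoc[vid] |= vlan_ids(line.split()[-1])
                elif line.startswith("private-vlan "):
                    role[vid] = line.split()[1]  # primary / isolated / community
        elif (m := re.fullmatch(r"interface (\S+)", header)):
            name = m.group(1)
            is_pvlan_port = any(l.startswith("switchport mode private-vlan") for l in body)
            if is_pvlan_port and any(l.startswith("channel-group ") for l in body):
                findings.append(f"{name}: PVLAN port is in a channel-group; EtherChannel config is inactive")
            if (svi := re.fullmatch(r"Vlan(\d+)", name)):
                svi_ids.append(int(svi.group(1)))

    if not vtp_transparent:
        findings.append("VTP mode is not transparent; PVLANs require it")

    used = set(role) | {s for secs in assoc.values() for s in secs}
    if bad := sorted(used & RESERVED_VLANS):
        findings.append(f"reserved VLAN(s) {bad} used in a PVLAN")

    # A primary may have many community VLANs but only one isolated VLAN.
    for primary, secs in sorted(assoc.items()):
        isolated = sorted(s for s in secs if role.get(s) == "isolated")
        if len(isolated) > 1:
            findings.append(f"primary VLAN {primary} has more than one isolated VLAN: {isolated}")

    # A secondary VLAN may be associated with only one primary.
    primaries_of = defaultdict(set)
    for primary, secs in assoc.items():
        for s in secs:
            primaries_of[s].add(primary)
    for secondary, prims in sorted(primaries_of.items()):
        if len(prims) > 1:
            findings.append(f"secondary VLAN {secondary} is associated with several primaries: {sorted(prims)}")

    # Layer 3 VLAN interfaces on secondary VLANs are inactive.
    for vid in svi_ids:
        if role.get(vid) in ("isolated", "community"):
            findings.append(f"interface Vlan{vid}: SVI on a {role[vid]} (secondary) VLAN is inactive")
    return findings


if __name__ == "__main__":
    for finding in audit_pvlan(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against `show running-config` output saved to a file and it reports the six problems planted in the sample; a clean config yields an empty list. The checks are deliberately conservative (they only flag what the guidelines state outright), so a zero-finding run means the config does not contradict the listed rules, not that every port mapping is correct.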


On Thu, Dec 13, 2012 at 7:29 PM, Christian Bösch <boesch at fhv.at> wrote:

> Hi,
>
> Two questions regarding Cisco private vlan ports:
>
> _I have a switch with a couple of vlans which are carried over 2 trunk
> ports bundled
> to an etherchannel to the upper router where they are routed with L3 vlan
> interfaces.
> On the switch I want some isolated private vlan ports, but I cannot set a
> promiscuous port because it is an etherchannel. Is there a workaround to
> solve this, or is this setup impossible?
>
> _I think private ports are working with an ingress ACL in the background?
> So what about
> IPv6 if the switch does not support IPv6 ACLs. Does that mean that private
> vlan isolation ports
> do only work for IPv4?
>
> Thanks in advance,
> Christian
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

