12-7
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-06
Chapter 12 Configuring Private VLANs
Configuring Private VLANs
Secondary and Primary VLAN Configuration
Follow these guidelines when configuring private VLANs:
• You use VLAN configuration mode to configure private VLANs. For more information about VLAN configuration, see the “Creating and Modifying VLANs” section on page 11-7.
• You must configure private VLANs on each device where you want private-VLAN ports.
• A private VLAN cannot be a UNI-ENI VLAN.
– To change a UNI-ENI isolated VLAN (the default) to a private VLAN, enter the private-vlan VLAN configuration command; this overwrites the default isolated VLAN configuration.
– To change a UNI-ENI community VLAN to a private VLAN, you must first enter the no uni-vlan VLAN configuration command to return to the default UNI isolated VLAN configuration.
• You cannot configure VLAN 1 or VLANs 1002 to 1005 as primary or secondary VLANs. Extended VLANs (VLAN IDs 1006 to 4094) can belong to private VLANs.
• A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it. An isolated or community VLAN can have only one primary VLAN associated with it.
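The following configuration session is an added example and is not taken from this guide. The VLAN IDs 200 (primary), 201 (isolated) and 202 (community), the hostname Switch, and the assumption that VLAN 201 was previously configured as a UNI-ENI community VLAN are all constructed for illustration. It walks through the guidelines above in order: overwriting the default UNI-ENI isolated state with private-vlan, returning a UNI-ENI community VLAN to the default with no uni-vlan before converting it, and associating one isolated VLAN and one community VLAN with the primary.

```cisco
! Added example (not from the Cisco guide). VLAN IDs 200-202 are assumed values.
Switch# configure terminal
! VLAN 200 is a UNI-ENI isolated VLAN by default, so "private-vlan primary"
! simply overwrites that default configuration.
Switch(config)# vlan 200
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# exit
! VLAN 201 is assumed to have been a UNI-ENI community VLAN. It must first be
! returned to the default UNI isolated state, otherwise it cannot become a
! private VLAN.
Switch(config)# vlan 201
Switch(config-vlan)# no uni-vlan
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
! A community VLAN. A primary may have several community VLANs but only one
! isolated VLAN.
Switch(config)# vlan 202
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
! Associate both secondaries with the primary. After this, the STP parameters of
! VLAN 200 are propagated to 201 and 202 (a single STP instance for the whole
! private VLAN). VLAN 1 or 1002-1005 would be rejected here as primary or
! secondary.
Switch(config)# vlan 200
Switch(config-vlan)# private-vlan association 201,202
Switch(config-vlan)# end
! Verify the primary/secondary relationships before moving on to port configuration.
Switch# show vlan private-vlan
```

The order matters only for the UNI-ENI community case: entering private-vlan isolated on VLAN 201 while it is still a UNI-ENI community VLAN is rejected, which is why no uni-vlan comes first.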
• Although a private VLAN contains more than one VLAN, only one Spanning Tree Protocol (STP) instance runs for the entire private VLAN. When a secondary VLAN is associated with the primary VLAN, the STP parameters of the primary VLAN are propagated to the secondary VLAN.
• You can enable DHCP snooping on private VLANs. When you enable DHCP snooping on the primary VLAN, it is propagated to the secondary VLANs. If you configure DHCP snooping on a secondary VLAN, the configuration does not take effect if the primary VLAN is already configured.
• If the switch is running the metro access or metro IP access image and you enable IP source guard on private-VLAN ports, you must enable DHCP snooping on the primary VLAN.
• You can apply different quality of service (QoS) configurations to primary, isolated, and community VLANs.
• When the switch is running the metro IP access image and you configure private VLANs, sticky Address Resolution Protocol (ARP) is enabled by default, and ARP entries learned on Layer 3 private VLAN interfaces are sticky ARP entries. For security reasons, private VLAN port sticky ARP entries do not age out.
Note We recommend that you display and verify private-VLAN interface ARP entries. Connecting a device with a different MAC address but with the same IP address displays a message and the ARP entry is not created. Because the private-VLAN port sticky ARP entries do not age out, you must manually remove private-VLAN port ARP entries if a MAC address changes.
– You can remove a private-VLAN ARP entry by using the no arp ip-address global configuration command.
– You can add a private-VLAN ARP entry by using the arp ip-address hardware-address type global configuration command.
• You can configure VLAN maps on primary and secondary VLANs (see the “Configuring VLAN Maps” section on page 31-28). However, we recommend that you configure the same VLAN maps on private-VLAN primary and secondary VLANs.
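The session below is an added example, not configuration from this guide, and it assumes the private VLANs 200 (primary), 201 (isolated) and 202 (community) already exist and are associated. The host address 10.0.0.5, the old and new MAC addresses 0000.1111.2222 and 0000.3333.4444, the interface FastEthernet0/1, the ACL name TFTP-TRAFFIC and the VLAN map name PVLAN-MAP are constructed for illustration. It applies the remaining guidelines: DHCP snooping enabled on the primary VLAN (where it propagates to the secondaries) before IP source guard is enabled on a private-VLAN host port, manual replacement of a sticky ARP entry after a host's MAC address changes, and one VLAN map applied identically to the primary and both secondary VLANs.

```cisco
! Added example (not from the Cisco guide). All addresses, names and interface
! numbers are assumed values.
Switch# configure terminal
! DHCP snooping goes on the primary VLAN only; it is propagated to 201 and 202.
! Enabling it on a secondary instead would have no effect while 200 is configured.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 200
! IP source guard on a private-VLAN host port (metro access or metro IP access
! image) requires the DHCP snooping configured above on the primary VLAN.
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 200 201
Switch(config-if)# ip verify source
Switch(config-if)# exit
! Layer 3 private-VLAN interface (metro IP access image). ARP entries learned
! here are sticky and never age out.
Switch(config)# interface vlan 200
Switch(config-if)# ip address 10.0.0.1 255.255.255.0
Switch(config-if)# private-vlan mapping 201,202
Switch(config-if)# exit
! The host at 10.0.0.5 had its NIC replaced: the switch logs a message and refuses
! to learn the new MAC, so the stale sticky entry is removed and the new one added
! by hand.
Switch(config)# no arp 10.0.0.5
Switch(config)# arp 10.0.0.5 0000.3333.4444 arpa
! Same VLAN map on primary and secondaries, per the recommendation above: drop
! TFTP, forward everything else.
Switch(config)# ip access-list extended TFTP-TRAFFIC
Switch(config-ext-nacl)# permit udp any any eq tftp
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map PVLAN-MAP 10
Switch(config-access-map)# match ip address TFTP-TRAFFIC
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map PVLAN-MAP 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter PVLAN-MAP vlan-list 200-202
Switch(config)# end
! Verify the sticky ARP entries and the snooping state after the change.
Switch# show arp
Switch# show ip dhcp snooping
```

Applying the filter to the list 200-202 rather than to VLAN 200 alone is what keeps the map identical across the primary and its secondaries, so traffic is treated the same way regardless of which VLAN of the pair it is classified into.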