14-7
Catalyst 3560 Switch Software Configuration Guide
OL-8553-06
Chapter 14 Configuring Private VLANs
Configuring Private VLANs
• After you have configured private VLANs, use the copy running-config startup config privileged
EXEC command to save the VTP transparent mode configuration and private-VLAN configuration
in the switch startup configuration file. Otherwise, if the switch resets, it defaults to VTP server
mode, which does not support private VLANs.
• VTP does not propagate private-VLAN configuration. You must configure private VLANs on each
device where you want private-VLAN ports.
• You cannot configure VLAN 1 or VLANs 1002 to 1005 as primary or secondary VLANs. Extended
VLANs (VLAN IDs 1006 to 4094) can belong to private VLANs
• A primary VLAN can have one isolated VLAN and multiple community VLANs associated with it.
An isolated or community VLAN can have only one primary VLAN associated with it.
• Although a private VLAN contains more than one VLAN, only one Spanning Tree Protocol (STP)
instance runs for the entire private VLAN. When a secondary VLAN is associated with the primary
VLAN, the STP parameters of the primary VLAN are propagated to the secondary VLAN.
• You can enable DHCP snooping on private VLANs. When you enable DHCP snooping on the
primary VLAN, it is propagated to the secondary VLANs. If you configure DHCP on a secondary
VLAN, the configuration does not take effect if the primary VLAN is already configured.
• When you enable IP source guard on private-VLAN ports, you must enable DHCP snooping on the
primary VLAN.
• We recommend that you prune the private VLANs from the trunks on devices that carry no traffic
in the private VLANs.
• You can apply different quality of service (QoS) configurations to primary, isolated, and community
VLANs.
• Sticky ARP
–
Sticky ARP entries are those learned on SVIs and Layer 3 interfaces. They entries do not age
out.
–
The ip sticky-arp global configuration command is supported only on SVIs belonging to
private VLANs.
–
The ip sticky-arp interface configuration command is only supported on
Layer 3 interfaces
SVIs belonging to normal VLANs
SVIs belonging to private VLANs
For more information about using the ip sticky-arp global configuration and the ip sticky-arp
interface configuration commands, see the command reference for this release.
• You can configure VLAN maps on primary and secondary VLANs (see the “Configuring VLAN
Maps” section on page 33-29). However, we recommend that you configure the same VLAN maps
on private-VLAN primary and secondary VLANs.
• When a frame is Layer-2 forwarded within a private VLAN, the same VLAN map is applied at the
ingress side and at the egress side. When a frame is routed from inside a private VLAN to an external
port, the private-VLAN map is applied at the ingress side.
–
For frames going upstream from a host port to a promiscuous port, the VLAN map configured
on the secondary VLAN is applied.
–
For frames going downstream from a promiscuous port to a host port, the VLAN map
configured on the primary VLAN is applied.