Cisco Catalyst 4500 Series Configuration Manual page 938

Release IOS XE 3.3.0SG and IOS 15.1(1)SG
Chapter 42 Configuring Private VLANs

Configuring PVLANs

With port ACL functionality available, you can apply Cisco IOS ACLs to secondary VLAN ports and Cisco IOS ACLs to PVLANs (VACLs). For more information on VACLs, see Chapter 51, "Configuring Network Security with ACLs."

You can apply different quality of service (QoS) configurations to primary, isolated, community VLANs, and twoway-community VLANs. See Chapter 38, "Configuring Quality of Service on Supervisor Engine 6-E and 6L-E."

Cisco IOS ACLs applied to the Layer 3 VLAN interface of a primary VLAN automatically apply to the associated isolated, community VLANs, and twoway-community VLANs.

On a PVLAN trunk port, a secondary VLAN ACL is applied on ingress traffic and a primary VLAN ACL is applied on egress traffic.

On a promiscuous port, the primary VLAN ACL is applied on ingress traffic.

Both PVLAN secondary and promiscuous trunk ports support only IEEE 802.1Q encapsulation.

Community VLANs cannot be propagated or carried over PVLAN trunks.

ARP entries learned on Layer 3 PVLAN interfaces are termed "sticky" ARP entries (we recommend that you display and verify PVLAN interface ARP entries).

For security reasons, PVLAN port sticky ARP entries do not age out. Connecting a device with a different MAC address but the same IP address generates an error message, and the ARP entry is not created.

Because PVLAN port sticky ARP entries do not age out, you must manually remove the entries if you change the MAC address. To overwrite a sticky ARP entry, first delete the entry with the no arp command, then overwrite the entry with the arp command.

In a DHCP environment, if you shut down your PC, it is not possible to give your IP address to someone else. To solve this problem, the Catalyst 4500 series switch supports the no ip sticky-arp command. This command allows IP address overwriting and reuse in a DHCP environment.

Normal VLANs can be carried on a promiscuous or isolated trunk port.

The default native VLAN for a promiscuous trunk port is VLAN 1, the management VLAN. All untagged packets are forwarded in the native VLAN. Either the primary VLAN or a regular VLAN can be configured as the native VLAN.

Promiscuous trunks cannot be configured to carry secondary VLANs. If a secondary VLAN is specified in the allowed VLAN list, the configuration is accepted but the port is not operational (forwarding) in that secondary VLAN. This includes secondary VLANs that are not associated with any primary VLAN on the given port.

On a promiscuous trunk port, the primary VLAN ACL and QoS are applied on ingress traffic coming in on primary VLANs.

On a promiscuous trunk port, no VLAN ACL or QoS is applied to the egress traffic. This is because in the upstream direction, traffic in a PVLAN logically flows in the secondary VLAN; due to VLAN translation in hardware, information about the received secondary VLAN has been lost, so no policies are applied. This restriction also applies to traffic bridged from other ports in the same primary VLANs.

Do not configure port security on a PVLAN promiscuous trunk port, and vice versa. If port security is enabled on a promiscuous trunk port, that port may behave in an unpredictable manner because this functionality is not supported.

Do not configure IEEE 802.1X on a PVLAN promiscuous trunk port.

Community or twoway-community PVLAN trunk ports are not supported.

Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG, OL-25340-01, page 42-14
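The sticky ARP handling described above, shown as an added CLI walk-through that is not part of the Cisco guide: the host behind a Layer 3 PVLAN interface has changed its NIC, so its sticky entry must be deleted with no arp and re-created with arp, then verified with show arp; the second part shows disabling sticky ARP on a DHCP-served primary VLAN's SVI with no ip sticky-arp. The VLAN number, IP address and MAC addresses are constructed placeholders, and the interface-level placement of no ip sticky-arp is an assumption about this platform.

```cisco
! Added example, not from the Cisco guide. All addresses, MACs and the
! VLAN number are constructed placeholders.

! 1. Inspect the current (sticky) entry for the host before changing it.
Switch# show arp | include 10.10.10.25

! 2. Sticky entries never age out, so the stale binding is removed
!    explicitly with "no arp" and the new MAC is installed with "arp".
!    Trying to learn the new MAC without this step is rejected with an error.
Switch# configure terminal
Switch(config)# no arp 10.10.10.25 0011.2233.4455 arpa
Switch(config)# arp 10.10.10.25 0011.2233.4456 arpa
Switch(config)# end

! 3. Confirm the switch now holds the new binding and nothing else for that IP.
Switch# show arp | include 10.10.10.25

! DHCP-served segment: disable sticky ARP on the primary VLAN's SVI
! (assumed interface-level placement) so a released address can be
! reused by a different host without manual ARP maintenance.
Switch# configure terminal
Switch(config)# interface vlan 100
Switch(config-if)# no ip sticky-arp
Switch(config-if)# end
```

Keep the sticky default wherever hosts have fixed addresses: the rejected-overwrite behaviour is what stops a second device from claiming an address already bound to another MAC on the PVLAN, so only disable it on interfaces where address reuse is genuinely expected.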