Document ID: 10584
Introduction
Private VLANs (PVLANs) provide Layer 2 (L2) isolation between ports within the same VLAN. The table in this document summarizes the support of the PVLAN feature in Cisco Catalyst switches.
Refer to Securing Networks with Private VLANs and VLAN Access Control Lists for more information on how to understand and implement networks that use PVLANs. Click a Catalyst switch in the table in this document for the step-by-step guide on how to configure PVLANs on that specific switch.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
This document is not restricted to specific software and hardware versions.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Support for the PVLAN Feature in Cisco Catalyst Switches
This table provides information about the PVLAN feature support in Cisco Catalyst switches:
| Catalyst Platform | PVLAN Supported Minimum Software Version | Isolated VLAN | PVLAN Edge (Protected Port) | Community VLAN |
|---|---|---|---|---|
| Catalyst 6500/6000 - Hybrid mode (CatOS on Supervisor and Cisco IOS® on MSFC) | 5.4(1) on Supervisor and 12.0(7)XE1 on MSFC | Yes | Not Supported | Yes |
| Catalyst 6500/6000 - Native mode (Cisco IOS® System software on both Supervisor and MSFC) | 12.1(8a)EX, 12.1(11b)E1 and later. | Yes | Not Supported | Yes |
| Catalyst 5500/5000 | Not Supported | Not Supported | Not Supported | Not Supported |
| | 6.2(1) | Yes | Not Supported | Yes |
| | 12.1(8a)EW | Yes | Not Supported | Yes. 12.2(20)EW onwards. |
| | Not Supported | Not Supported | Yes. 12.1(4)EA1 onwards. | Not Supported |
| | Not Supported | Not Supported | Yes. 12.0(5.2)WC1, 12.1(4)EA1 and later. | Not Supported |
| | Not Supported | Not Supported | Yes. 12.0(5)XU (on 8MB switches only) onwards. | Not Supported |
| Catalyst 2948G-L3 / 4908G-L3 | Not Supported | Not Supported | Not Supported | Not Supported |
| Catalyst 1900 | Not Supported | Not Supported | Not Supported | Not Supported |
| Catalyst 8500 | Not Supported | Not Supported | Not Supported | Not Supported |
| | 12.2(20)SE - EMI | Yes | Yes. 12.1(19)EA1 onwards. | Yes |
| | 12.2(20)SE - EMI | Yes | Yes. 12.1(11)AX onwards. | Yes |
| | 12.2(25)EY - EMI | Yes | Yes. 12.1(14)AX onwards. | Yes |
| | Not Supported | Not Supported | Yes. 12.1(13)AY onwards. | Not Supported |
| | 6.2 | Yes | Not Supported | Yes |
| | Not Supported | Not Supported | Yes. 12.1(6)EA2 onwards. | Not Supported |
| | Not Supported | Not Supported | Yes. 12.1(11)AX onwards. | Not Supported |
| | Not Supported | Not Supported | Yes. 12.2(25)FX and later. | Not Supported |
| Catalyst Express 500 | Not Supported | Not Supported | Not Supported | Not Supported |
Additional Notes:
- The PVLAN edge (protected port) is a feature that has only local significance to the switch, and there is no isolation provided between two protected ports located on different switches. A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port in the same switch. Therefore, it provides isolation. Traffic cannot be forwarded between protected ports at Layer 2. All traffic passing between protected ports must be forwarded through a Layer 3 device.
- PVLAN ports cannot be trunk ports, cannot channel, cannot have dynamic VLAN membership, and cannot be a Switched Port Analyzer (SPAN) destination.
- PVLAN is supported on sc0 in the Catalyst 4500/4000 and Catalyst 6500/6000 that run CatOS, in software release 6.3(1) and later.
- Four MB Catalyst 2900XL Series Switches do not support the protected port feature, as these cannot be upgraded to Cisco IOS 12.0(5)XU or later code. The latest version of code that runs on the Catalyst 2900XL is Cisco IOS 11.2(8)SA6.
- Two-way community VLANs in PVLANs are currently not supported on the Catalyst 4500/4000 Series Switches that run Cisco IOS. Refer to Configuring Private VLANs for additional restrictions.
- PVLAN support on Firewall Services Module (FWSM) begins in software version 3.1. If you run a software version earlier than 3.1, the only possible workaround is to connect the promiscuous port of the PVLAN to a regular access port with a crossover cable. Then, make a firewall for the VLAN of that access port.
Related Information
- Securing Networks with Private VLANs and VLAN Access Control Lists
- Configuring Isolated Private VLANs on Catalyst Switches
- LAN Switching Product Support
- LAN Switching Technology Support
- Technical Support & Documentation - Cisco Systems
Updated: Dec 08, 2006
