Quick Reference Guide

PowerConnect B-Series TI24X Configuration Guide
53-1002269-02

Chapter 10: Configuring private VLANs
A private VLAN is a VLAN that has the properties of standard Layer 2 port-based VLANs but also
provides additional control over flooding packets on a VLAN. Figure 71 shows an example of an
application using a private VLAN.
FIGURE 71 Private VLAN used to secure communication between a workstation and servers
This example uses a private VLAN to secure traffic between hosts and the rest of the network
through a firewall. Five ports in this example are members of a private VLAN. The first port (port 2)
is attached to a firewall. The next four ports (ports 5, 6, 9, and 10) are attached to hosts that rely
on the firewall to secure traffic between the hosts and the rest of the network. In this example, two
of the hosts (on ports 5 and 6) are in a community private VLAN, and thus can communicate with
one another as well as through the firewall. The other two hosts (on ports 9 and 10) are in an
isolated VLAN and thus can communicate only through the firewall. These two hosts are prevented from
communicating with one another even though they are in the same VLAN.
By default, the private VLAN does not forward broadcast or unknown-unicast packets from outside
sources into the private VLAN. If needed, you can override this behavior for broadcast packets,
for unknown-unicast packets, or for both.
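The forwarding rules described above for the Figure 71 topology, modeled as an added example (this is not code from the configuration guide and does not use the switch CLI). It assumes the port numbers and VLAN IDs of the figure (primary VLAN 7 with the firewall on port 2, community VLAN 901 on ports 5 and 6, isolated VLAN 902 on ports 9 and 10); the class and function names are illustrative. It lets you check which host pairs can reach each other and shows the default handling of broadcast and unknown-unicast frames arriving from an outside source through the promiscuous port, with and without the override.

```python
from __future__ import annotations
from dataclasses import dataclass

PROMISCUOUS, COMMUNITY, ISOLATED = "promiscuous", "community", "isolated"


@dataclass(frozen=True)
class Port:
    number: int
    role: str   # PROMISCUOUS, COMMUNITY or ISOLATED
    vlan: int   # secondary VLAN for host ports; the primary VLAN for a promiscuous port


@dataclass
class PrivateVlan:
    primary_vlan: int
    ports: dict[int, Port]
    # promiscuous port number -> secondary VLAN IDs mapped to that port
    mappings: dict[int, set[int]]
    # overrides for frames entering from an outside source; both off by default, as in the text
    flood_broadcast: bool = False
    flood_unknown_unicast: bool = False

    def unicast_allowed(self, src: int, dst: int) -> bool:
        """Known-unicast forwarding between two private VLAN ports."""
        s, d = self.ports[src], self.ports[dst]
        if src == dst:
            return False
        # a promiscuous port talks to every host port in a secondary VLAN mapped to it
        if s.role == PROMISCUOUS and d.role != PROMISCUOUS:
            return d.vlan in self.mappings[src]
        if d.role == PROMISCUOUS and s.role != PROMISCUOUS:
            return s.vlan in self.mappings[dst]
        # community ports talk to each other only inside the same community VLAN
        if s.role == COMMUNITY and d.role == COMMUNITY:
            return s.vlan == d.vlan
        # isolated ports never reach another host port, and nothing crosses secondary VLANs;
        # promiscuous-to-promiscuous is not covered by the text and is treated as denied here
        return False

    def flood_targets(self, src: int, kind: str) -> set[int]:
        """Ports that receive a broadcast or unknown-unicast frame arriving on src."""
        if kind not in ("broadcast", "unknown-unicast"):
            raise ValueError(kind)
        if self.ports[src].role == PROMISCUOUS:
            # frame from an outside source entering the private VLAN: dropped unless overridden
            override = self.flood_broadcast if kind == "broadcast" else self.flood_unknown_unicast
            if not override:
                return set()
        return {p for p in self.ports if self.unicast_allowed(src, p)}

    def host_pairs_that_can_talk(self) -> list[tuple[int, int]]:
        """Audit helper: every pair of host ports that can exchange unicast directly."""
        hosts = sorted(n for n, p in self.ports.items() if p.role != PROMISCUOUS)
        return [(a, b) for i, a in enumerate(hosts) for b in hosts[i + 1:]
                if self.unicast_allowed(a, b)]


def figure71() -> PrivateVlan:
    """Constructed topology matching Figure 71 (firewall on port 2, four host ports)."""
    ports = {
        2: Port(2, PROMISCUOUS, 7),
        5: Port(5, COMMUNITY, 901), 6: Port(6, COMMUNITY, 901),
        9: Port(9, ISOLATED, 902), 10: Port(10, ISOLATED, 902),
    }
    return PrivateVlan(primary_vlan=7, ports=ports, mappings={2: {901, 902}})


if __name__ == "__main__":
    pv = figure71()
    print("host pairs able to talk directly:", pv.host_pairs_that_can_talk())
    print("broadcast from firewall, default:", pv.flood_targets(2, "broadcast"))
    pv.flood_broadcast = True
    print("broadcast from firewall, override:", pv.flood_targets(2, "broadcast"))
```

The audit function is the check worth keeping: after any change to the port roles or mappings, the only host pair that should appear is the community pair, and an isolated port must never show up.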
You can configure a combination of the following types of private VLANs:
Primary – The primary private VLAN ports are “promiscuous”. They can communicate with all
the isolated private VLAN ports and community private VLAN ports in the isolated and
community VLANs that are mapped to the promiscuous port.
[Figure 71 callouts: Private VLAN; Port-based VLAN; Forwarding among private VLAN ports; Firewall; VLAN 7 (primary); VLAN 901, 903 (community); VLAN 902 (isolated). A private VLAN secures traffic between a primary port and host ports. Traffic between the hosts and the rest of the network must travel through the primary port.]