
FastIron Configuration Guide 809
53-1002494-02
Private VLAN configuration
A private VLAN (PVLAN) is a VLAN that has the properties of standard Layer 2 port-based VLANs but
also provides additional control over flooding packets on a VLAN. Figure 90 shows an example of
an application using a PVLAN.
FIGURE 90 PVLAN used to secure communication between a workstation and servers
This example uses a PVLAN to secure traffic between hosts and the rest of the network through a
firewall. Five ports in this example are members of a PVLAN. The first port (port 3/2) is attached to
a firewall. The next four ports (ports 3/5, 3/6, 3/9, and 3/10) are attached to hosts that rely on the
firewall to secure traffic between the hosts and the rest of the network. In this example, two of the
hosts (on ports 3/5 and 3/6) are in a community PVLAN, and thus can communicate with one
another as well as through the firewall. The other two hosts (on ports 3/9 and 3/10) are in an
isolated VLAN and thus can communicate only through the firewall. These two hosts are prevented
from communicating with one another even though they are in the same VLAN.
By default, in the FCX platform, the device will forward broadcast, unregistered multicast, and
unknown unicast packets from outside sources into the PVLAN.
By default, in FastIron platforms other than the FCX, the device will not forward broadcast,
unregistered multicast, and unknown unicast packets from outside sources into the PVLAN. If
needed, you can override this behavior for broadcast packets, unknown-unicast packets, or both.
(Refer to “Displaying PVLAN information” on page 825.)
[Figure 90 callouts: "Private VLAN", "Port-based VLAN", "Forwarding among private VLAN ports". A private VLAN secures traffic between a primary port and host ports; traffic between the hosts and the rest of the network must travel through the primary port. VLAN 7 primary (port 3/2, firewall); VLAN 901, 903 community; VLAN 902 isolated; host ports 3/5, 3/6, 3/9, 3/10.]
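The Figure 90 topology written out as FastIron CLI configuration. This is an added example, not configuration text from this guide: the VLAN IDs (7, 901, 902) and port numbers come from the figure labels, while the command syntax (`vlan ... name ... by port`, `pvlan type`, `pvlan mapping`, `pvlan-preference`) is assumed from the FastIron CLI and should be checked against the command reference for your software release. VLAN 903 from the figure is omitted because the page assigns it no ports.

```text
! Primary VLAN: holds the firewall port. Each host VLAN is mapped to
! it so that every host can reach the firewall, and only the firewall.
vlan 7 name pvlan-primary by port
 untagged ethernet 3/2
 pvlan type primary
 pvlan mapping 901 ethernet 3/2
 pvlan mapping 902 ethernet 3/2
!
! Community VLAN: ports 3/5 and 3/6 can talk to each other and to the
! firewall on 3/2.
vlan 901 name pvlan-community by port
 untagged ethernet 3/5 to 3/6
 pvlan type community
!
! Isolated VLAN: ports 3/9 and 3/10 can reach only the firewall on 3/2;
! they cannot exchange frames with each other.
vlan 902 name pvlan-isolated by port
 untagged ethernet 3/9 to 3/10
 pvlan type isolated
!
! Optional override (non-FCX platforms, assumed syntax): allow broadcast
! and unknown-unicast frames from outside the PVLAN to flood into it.
! The platform default of dropping them is the safer setting for the
! isolated hosts; enable these only if the hosts need such traffic.
vlan 7
 pvlan-preference broadcast-flood
 pvlan-preference unknown-unicast-flood
```

After applying the configuration, confirm the VLAN types and mappings from the switch rather than from the intended design (the guide's "Displaying PVLAN information" section covers the display command; `show pvlan` is the assumed form here), and check in particular that each isolated port shows only the primary port as its mapping, since a host port that ends up as untagged in a plain port-based VLAN instead of the isolated VLAN silently loses the protection.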