FastIron Configuration Guide 813
53-1002494-02
Private VLAN configuration
Configuration notes for PVLANs and standard VLANs
PVLANs are supported on untagged ports on all FastIron platforms. PVLANs are also supported
on tagged ports on the FCX platform only.
Normally, in any port-based VLAN, the Brocade device floods unknown unicast, unregistered
multicast, and broadcast packets in hardware, although selective packets, such as IGMP, may
be sent only to the CPU for analysis, based on the IGMP snooping configuration. When protocol
or subnet VLANs are enabled, or if PVLAN mappings are enabled, the Brocade device will flood
unknown unicast, unregistered multicast, and broadcast packets in software. The flooding of
broadcast or unknown unicast from the community or isolated VLANs to other secondary
VLANs will be governed by the PVLAN forwarding rules. The switching is done in hardware and
thus the CPU does not enforce packet restrictions. The hardware forwarding behavior is
supported on the FCX and TurboIron platforms only.
There is currently no support for IGMP snooping within PVLANs. In order for clients in PVLANs
to receive multicast traffic, IGMP snooping must be disabled so that all multicast packets are
treated as unregistered packets and are flooded in software to all the ports.
The FastIron forwards all known unicast traffic in hardware. This differs from the way the
BigIron implements PVLANs, in that the BigIron uses the CPU to forward packets on the primary
VLAN "promiscuous" port. In addition, on the BigIron, support for the hardware forwarding
sometimes results in multiple MAC address entries for the same MAC address in the device
MAC address table. On the FastIron, multiple MAC entries do not appear in the MAC address
table because the FastIron transparently manages multiple MAC entries in hardware.
To configure a PVLAN, configure each of the component VLANs (isolated, community, and
public) as a separate port-based VLAN:
- Use standard VLAN configuration commands to create the VLAN and add ports.
- Identify the PVLAN type (isolated, community, or public).
- For the primary VLAN, map the other PVLANs to the ports in the primary VLAN.
A primary VLAN can have multiple ports. All of these ports are active, but which ports are
actually used depends on the PVLAN mappings. Also, secondary VLANs (isolated and community
VLANs) can be mapped to multiple primary VLAN ports.
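The three-step procedure above, written out as a FastIron CLI configuration. This is an added example, not taken from this page; the VLAN IDs, names and port numbers (1/1/x, FCX-style stack/slot/port numbering) are assumed values, and the pvlan commands are assumed to match the FastIron syntax documented elsewhere in this guide.

```text
! Step 1 and 2: primary VLAN, holding only the promiscuous (uplink) port
vlan 7 name pvlan-primary
 untagged ethernet 1/1/1
 pvlan type primary
! Step 3: map each secondary VLAN to the primary VLAN port it may reach
 pvlan mapping 901 ethernet 1/1/1
 pvlan mapping 902 ethernet 1/1/1
 exit
! Isolated VLAN: hosts here may reach the promiscuous port but not each other
vlan 901 name pvlan-isolated
 untagged ethernet 1/1/2 to 1/1/4
 pvlan type isolated
 exit
! Community VLAN: hosts here may reach each other and the promiscuous port
vlan 902 name pvlan-community
 untagged ethernet 1/1/5 to 1/1/6
 pvlan type community
 exit
```

Ports 1/1/2 to 1/1/6 belong to their secondary VLAN only, as the notes below require; keep VLAN IDs 7, 901 and 902 consistent on every switch in the PVLAN domain and do not reuse them as normal VLANs.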
You can configure PVLANs and dual-mode VLAN ports on the same device. However, the
dual-mode VLAN ports cannot be members of PVLANs.
VLAN identifiers configured as part of a PVLAN (primary, isolated, or community) should be
consistent across the switched network. The same VLAN identifiers cannot be configured as a
normal VLAN or a part of any other PVLAN.
Promiscuous and switch-switch link ports are member ports of the primary VLAN only. All
switch-switch link ports are tagged ports.
Member ports of isolated and community VLANs cannot be member ports of any other VLAN.
All member ports that are part of the PVLAN (isolated or secondary) perform VLAN
classification based on the PVLAN ID (PVID) only; no VLAN classification by port, protocol, ACL,
and so on is applied, even if such rules exist.
PVST, when needed in PVLANs, should be enabled on all (primary and secondary) private
VLANs.