
816 FastIron Configuration Guide
53-1002494-02
Private VLAN configuration
The pvlan type command specifies that this port-based VLAN is a PVLAN and can be of the
following types:
community – Broadcasts and unknown unicasts received on community ports are sent to the primary port and also are flooded to the other ports in the community VLAN.
isolated – Broadcasts and unknown unicasts received on isolated ports are sent only to the primary port. They are not flooded to other ports in the isolated VLAN.
primary – The primary PVLAN ports are “promiscuous”. They can communicate with all the isolated PVLAN ports and community PVLAN ports in the isolated and community VLANs that are mapped to the promiscuous port.
Changing from one PVLAN type to another (for example, from primary to community or vice versa) is
allowed but the mapping will be removed.
Enabling broadcast or unknown unicast traffic to the PVLAN
To enhance PVLAN security, the primary PVLAN does not forward broadcast or unknown unicast
packets to its community and isolated VLANs, and other ports in the primary VLAN. For example, if
port 3/2 in Figure 90 on page 809 receives a broadcast packet from the firewall, the port does not
forward the packet to the other PVLAN ports (3/5, 3/6, 3/9, and 3/10).
This forwarding restriction does not apply to traffic from the PVLAN. The primary port does forward
broadcast and unknown unicast packets that are received from the isolated and community VLANs.
For example, if the host on port 3/9 sends an unknown unicast packet, port 3/2 forwards the
packet to the firewall.
To remove the forwarding restriction, you can enable the primary port to forward broadcast or unknown
unicast traffic using the following CLI method. Forwarding of broadcast packets and forwarding of
unknown unicast packets can be enabled or disabled separately.
NOTE
On Layer 2 switches and Layer 3 switches, you also can use MAC address filters to control the traffic
forwarded into and out of the PVLAN. In addition, if you are using a Layer 2 switch, you also can use
ACLs.
NOTE
FCX devices do not support ACLs on interface groups.
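The flooding rules for the three PVLAN types and the primary-port restriction described above can be modelled to audit which ports a broadcast or unknown unicast frame can reach. This is an added example, not Brocade code: ports 3/2, 3/5, 3/6, 3/9 and 3/10 and VLANs 901/902 come from Figure 90 as quoted in this section, while the primary VLAN id 900 is an assumed placeholder.

```python
PRIMARY, COMMUNITY, ISOLATED = "primary", "community", "isolated"


class PvlanDomain:
    """Broadcast / unknown-unicast flooding model for one PVLAN domain."""

    def __init__(self, forward_from_primary=False):
        self.vlans = {}      # vlan id -> (pvlan type, set of ports)
        self.mapping = {}    # secondary vlan id -> primary vlan id
        # the per-primary-port knob described in the guide; off by default
        self.forward_from_primary = forward_from_primary

    def add_vlan(self, vid, ptype, ports):
        self.vlans[vid] = (ptype, set(ports))

    def map_secondary(self, primary_vid, secondary_vid):
        # "pvlan mapping": attach a community/isolated VLAN to a primary VLAN
        if self.vlans[primary_vid][0] != PRIMARY:
            raise ValueError("mapping target must be a primary PVLAN")
        self.mapping[secondary_vid] = primary_vid

    def vlan_of(self, port):
        return next(v for v, (_, ports) in self.vlans.items() if port in ports)

    def flood_targets(self, ingress):
        """Ports that receive a broadcast/unknown-unicast frame from 'ingress'."""
        vid = self.vlan_of(ingress)
        ptype, ports = self.vlans[vid]
        if ptype in (COMMUNITY, ISOLATED):
            # both types always reach the promiscuous ports they are mapped to
            targets = set(self.vlans[self.mapping[vid]][1])
            if ptype == COMMUNITY:
                targets |= ports - {ingress}   # community: flooded to peers too
            return targets                     # isolated: primary ports only
        # primary: no flooding to secondaries or other primary ports unless enabled
        if not self.forward_from_primary:
            return set()
        targets = ports - {ingress}
        for sec, prim in self.mapping.items():
            if prim == vid:
                targets |= self.vlans[sec][1]
        return targets


def figure_90_domain(forward_from_primary=False):
    """Domain built from the ports quoted in this section (900 is assumed)."""
    d = PvlanDomain(forward_from_primary)
    d.add_vlan(900, PRIMARY, ["3/2"])              # primary port facing the firewall
    d.add_vlan(901, COMMUNITY, ["3/5", "3/6"])
    d.add_vlan(902, ISOLATED, ["3/9", "3/10"])
    d.map_secondary(900, 901)
    d.map_secondary(900, 902)
    return d
```

Calling `figure_90_domain().flood_targets("3/2")` returns an empty set, matching the restriction in the text, while passing `forward_from_primary=True` makes the same frame reach 3/5, 3/6, 3/9 and 3/10.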
CLI example for a general PVLAN network
To configure the PVLANs shown in Figure 90 on page 809, enter the following commands.
Brocade(config)# vlan 901
Brocade(config-vlan-901)# untagged ethernet 3/5 to 3/6
Brocade(config-vlan-901)# pvlan type community
Brocade(config-vlan-901)# exit
Brocade(config)# vlan 902
Brocade(config-vlan-902)# untagged ethernet 3/9 to 3/10
Brocade(config-vlan-902)# pvlan type isolated
Brocade(config-vlan-902)# exit
Brocade(config)# vlan 903
Brocade(config-vlan-903)# untagged ethernet 3/7 to 3/8