BLADE OS™ Application Guide HP GbE2c Ethernet Blade Switch for c-Class BladeSystem Version 5.1 Advanced Functionality Software
Table Of Contents
- Contents
- Figures
- Tables
- Preface
- Part 1: Basic Switching
- Accessing the Switch
- The Management Network
- Local Management Using the Console Port
- The Command Line Interface
- Remote Management Access
- Client IP Address Agents
- Securing Access to the Switch
- Setting Allowable Source IP Address Ranges
- RADIUS Authentication and Authorization
- TACACS+ Authentication
- LDAP Authentication and Authorization
- Secure Shell and Secure Copy
- Configuring SSH/SCP Features on the Switch
- Configuring the SCP Administrator Password
- Using SSH and SCP Client Commands
- SSH and SCP Encryption of Management Messages
- Generating RSA Host and Server Keys for SSH Access
- SSH/SCP Integration with Radius Authentication
- SSH/SCP Integration with TACACS+ Authentication
- End User Access Control
- Ports and Trunking
- Port-Based Network Access Control
- VLANs
- Spanning Tree Protocol
- RSTP and MSTP
- Link Layer Discovery Protocol
- Quality of Service
- Accessing the Switch
- Part 2: IP Routing
- Basic IP Routing
- Routing Information Protocol
- IGMP
- OSPF
- OSPF Overview
- OSPF Implementation in BLADE OS
- OSPF Configuration Examples
- Remote Monitoring
- Part 3: High Availability Fundamentals
- High Availability
- Layer 2 Failover
- Server Link Failure Detection
- VRRP Overview
- Failover Methods
- BLADE OS Extensions to VRRP
- Virtual Router Deployment Considerations
- High Availability Configurations
- High Availability
- Part 4: Appendices
- Index

BLADE OS 5.1 Application Guide
106 Chapter 4: VLANs BMD00113, September 2009
Private VLANs
Private VLANs provide Layer 2 isolation between the ports within the same broadcast domain. Private VLANs can control traffic within a VLAN domain, and provide port-based security for host servers.

Use Private VLANs to partition a VLAN domain into sub-domains. Each sub-domain is comprised of one primary VLAN and one secondary VLAN, as follows:
- Primary VLAN—carries unidirectional traffic downstream from promiscuous ports. Each Private VLAN has only one primary VLAN. All ports in the Private VLAN are members of the primary VLAN.
- Secondary VLAN—Secondary VLANs are internal to a private VLAN domain, and are defined as follows:
  - Isolated VLAN—carries unidirectional traffic upstream from host servers toward ports in the primary VLAN and the gateway. Each Private VLAN can contain only one Isolated VLAN.
  - Community VLAN—carries upstream traffic from ports in the community VLAN to other ports in the same community, and to ports in the primary VLAN and the gateway. Each Private VLAN can contain multiple community VLANs.

After you define the primary VLAN and one or more secondary VLANs, you map the secondary VLAN(s) to the primary VLAN.
Private VLAN Ports
Private VLAN ports are defined as follows:
- Promiscuous—A promiscuous port is an uplink port that belongs to the primary VLAN. The promiscuous port can communicate with all the interfaces, including ports in the secondary VLANs (Isolated VLAN and Community VLANs). Each promiscuous port can belong to only one Private VLAN.
- Isolated—An isolated port is a host port that belongs to an isolated VLAN. Each isolated port has complete layer 2 separation from other ports within the same private VLAN (including other isolated ports), except for the promiscuous ports.
  - Traffic sent to an isolated port is blocked by the Private VLAN, except the traffic from promiscuous ports.
  - Traffic received from an isolated port is forwarded only to promiscuous ports.
- Community—A community port is a host port that belongs to a community VLAN. Community ports can communicate with other ports in the same community VLAN, and with promiscuous ports. These interfaces are isolated at layer 2 from all other interfaces in other communities and from isolated ports within the Private VLAN.

Only uplink ports are promiscuous ports. Only downlink ports may be isolated or community ports.
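The forwarding and placement rules above, modelled as an added example for auditing which host ports can reach each other; this is not code from the guide or from BLADE OS, and the port names and VLAN numbers are constructed.

```python
from dataclasses import dataclass
from typing import Optional
PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"

@dataclass(frozen=True)
class PrivateVlan:
    """A Private VLAN domain: one primary VLAN plus its mapped secondary VLANs."""
    primary: int
    isolated: Optional[int] = None  # at most one isolated VLAN per domain
    communities: frozenset = frozenset()  # any number of community VLANs

@dataclass(frozen=True)
class Port:
    name: str
    uplink: bool  # True for uplink ports, False for downlink (host) ports
    role: str  # PROMISCUOUS, ISOLATED or COMMUNITY
    secondary: Optional[int] = None  # secondary VLAN of isolated/community ports

def check_membership(port: Port, pvlan: PrivateVlan) -> None:
    """Reject port assignments the guide does not allow."""
    if port.role == PROMISCUOUS:
        if not port.uplink or port.secondary is not None:
            raise ValueError(f"{port.name}: promiscuous ports are primary-VLAN uplinks only")
    elif port.uplink:
        raise ValueError(f"{port.name}: isolated/community ports must be downlinks")
    elif port.role == ISOLATED and port.secondary != pvlan.isolated:
        raise ValueError(f"{port.name}: not in the domain's isolated VLAN")
    elif port.role == COMMUNITY and port.secondary not in pvlan.communities:
        raise ValueError(f"{port.name}: community VLAN not mapped to VLAN {pvlan.primary}")

def can_forward(src: Port, dst: Port, pvlan: PrivateVlan) -> bool:
    """True if a frame arriving on src may leave on dst within this Private VLAN."""
    check_membership(src, pvlan)
    check_membership(dst, pvlan)
    if src.name == dst.name:
        return False
    if PROMISCUOUS in (src.role, dst.role):
        return True  # promiscuous ports exchange traffic with every port
    if ISOLATED in (src.role, dst.role):
        return False  # isolated hosts reach promiscuous ports only
    return src.secondary == dst.secondary  # community: same community VLAN only

def reachable(src: Port, ports: list, pvlan: PrivateVlan) -> set:
    return {p.name for p in ports if can_forward(src, p, pvlan)}  # ports src can send to

# Constructed sample: primary VLAN 100, isolated VLAN 101, community VLANs 102 and 103.
PVLAN = PrivateVlan(primary=100, isolated=101, communities=frozenset({102, 103}))
PORTS = [Port("uplink1", True, PROMISCUOUS), Port("host1", False, ISOLATED, 101),
         Port("host2", False, ISOLATED, 101), Port("host3", False, COMMUNITY, 102),
         Port("host4", False, COMMUNITY, 102), Port("host5", False, COMMUNITY, 103)]
```

Calling `reachable(p, PORTS, PVLAN)` for each port in PORTS lists exactly the peers the guide allows: isolated hosts see only the uplink, and community hosts see the uplink plus their own community.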