Configuring Virtual LANs (VLANs)
December 2005
© Foundry Networks, Inc.
11 - 53
Figure 11.21 Private VLAN used to secure communication between a workstation and servers
This example uses a private VLAN to secure traffic between hosts and the rest of the network through a firewall.
Five ports in this example are members of a private VLAN. The first port (port 3/2) is attached to a firewall. The
next four ports (ports 3/5, 3/6, 3/9, and 3/10) are attached to hosts that rely on the firewall to secure traffic between
the hosts and the rest of the network. In this example, two of the hosts (on ports 3/5 and 3/6) are in a community
private VLAN, and thus can communicate with one another as well as through the firewall. The other two hosts
(on ports 3/9 and 3/10) are in an isolated VLAN and thus can communicate only through the firewall. These two
hosts are prevented from communicating with one another even though they are in the same VLAN.
By default, the private VLAN does not forward broadcast or unknown-unicast packets from outside sources into
the private VLAN. If needed, you can override this behavior for broadcast packets, unknown-unicast packets, or
both. (See “Enabling Broadcast or Unknown Unicast Traffic to the Private VLAN” on page 11-55.)
You can configure a combination of the following types of private VLANs:
• Primary – The primary private VLAN ports are “promiscuous”. They can communicate with all the isolated
  private VLAN ports and community private VLAN ports in the isolated and community VLANs that are
  mapped to the promiscuous port.
• Isolated – Broadcasts and unknown unicasts received on isolated ports are sent only to the primary port.
  They are not flooded to other ports in the isolated VLAN.
• Community – Broadcasts and unknown unicasts received on community ports are sent to the primary port
  and also are flooded to the other ports in the community VLAN.
Each private VLAN must have a primary VLAN. The primary VLAN is the interface between the secured ports and
the rest of the network. The private VLAN can have any combination of community and isolated VLANs.
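The port rules above can be checked against a planned layout before it is configured. The following Python model is an added example, not Foundry code or CLI; it assumes that both community hosts are in VLAN 901 and that VLANs 901 and 902 are mapped to promiscuous port 3/2, and the names `allowed_peers` and `stranded_hosts` are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    name: str
    vlan: int
    role: str  # "primary", "isolated" or "community"

# Constructed from the example in the text. Assumption: both community hosts
# sit in VLAN 901 (the figure names 901 and 903 without assigning ports).
PORTS = [
    Port("3/2", 7, "primary"),       # attached to the firewall
    Port("3/5", 901, "community"),
    Port("3/6", 901, "community"),
    Port("3/9", 902, "isolated"),
    Port("3/10", 902, "isolated"),
]
# Assumption: VLANs 901 and 902 are mapped to promiscuous port 3/2.
MAPPING = {"3/2": {901, 902}}

def allowed_peers(src_name, ports=PORTS, mapping=MAPPING):
    """Ports that src_name may exchange traffic with under the rules above.
    The default drop of outside broadcasts/unknown unicasts is not modelled."""
    src = next(p for p in ports if p.name == src_name)
    peers = set()
    for p in ports:
        if p.name == src.name:
            continue
        if src.role == "primary":
            ok = p.vlan in mapping.get(src.name, set())
        elif p.role == "primary":
            ok = src.vlan in mapping.get(p.name, set())
        else:  # host to host: only inside the same community VLAN
            ok = src.role == p.role == "community" and src.vlan == p.vlan
        if ok:
            peers.add(p.name)
    return peers

def stranded_hosts(ports=PORTS, mapping=MAPPING):
    """Host ports whose VLAN is mapped to no primary port (no path out)."""
    mapped = set().union(*mapping.values())
    return sorted(p.name for p in ports
                  if p.role != "primary" and p.vlan not in mapped)

if __name__ == "__main__":
    for p in PORTS:
        print(p.name, p.role, sorted(allowed_peers(p.name)))
    print("stranded:", stranded_hosts())
```

In this model, a host port in a community or isolated VLAN that is not mapped to any promiscuous port has no peers at all, which is the layout error `stranded_hosts` reports.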
[Figure 11.21 diagram. Labels: Private VLAN; Port-based VLAN; Forwarding among private VLAN ports; VLAN 7 (primary); VLAN 902 (isolated); VLAN 901, 903 (community); ports 3/2, 3/5, 3/6, 3/9, 3/10; Firewall. Callouts: "A private VLAN secures traffic between a primary port and host ports." "Traffic between the hosts and the rest of the network must travel through the primary port."]