Configuring Virtual LANs (VLANs)
December 2005
© Foundry Networks, Inc.
11 - 55
and also are flooded to the other ports in the community VLAN.
• isolated – Broadcasts and unknown unicasts received on isolated ports are sent only to the primary port. They are not flooded to other ports in the isolated VLAN.
• primary – The primary private VLAN ports are “promiscuous”. They can communicate with all the isolated private VLAN ports and community private VLAN ports in the isolated and community VLANs that are mapped to the promiscuous port.
Configuring the Primary VLAN
NOTE: The primary private VLAN has only one active port. If you configure the VLAN to have more than one port, the lowest-numbered port is the active one. The additional ports provide redundancy. If the active port becomes unavailable, the lowest-numbered available port becomes the active port for the VLAN.
To configure a primary private VLAN, enter commands such as the following:
FastIron SuperX Router(config)# vlan 7
FastIron SuperX Router(config-vlan-7)# untagged ethernet 3/2
FastIron SuperX Router(config-vlan-7)# pvlan type primary
FastIron SuperX Router(config-vlan-7)# pvlan mapping 901 ethernet 3/2
These commands create port-based VLAN 7, add port 3/2 as an untagged port, identify the VLAN as the primary
VLAN in a private VLAN, and map the other private VLANs to the port(s) in this VLAN.
Syntax: untagged ethernet [<slotnum>/]<portnum> [to [<slotnum>/]<portnum> | ethernet [<slotnum>/]<portnum>]
Syntax: [no] pvlan type community | isolated | primary
Syntax: [no] pvlan mapping <vlan-id> ethernet [<slotnum>/]<portnum>
The untagged command adds the port(s) to the VLAN.
The pvlan type command specifies that this port-based VLAN is a private VLAN. Specify primary as the type.
The pvlan mapping command identifies the other private VLANs for which this VLAN is the primary. The command also specifies the primary VLAN ports to which you are mapping the other private VLANs.
• The <vlan-id> parameter specifies another private VLAN. The other private VLAN you want to specify must already be configured.
• The ethernet <portnum> parameter specifies the primary VLAN port to which you are mapping all the ports in the other private VLAN (the one specified by <vlan-id>).
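The two pvlan mapping requirements above (the mapped VLAN must already be configured as a private VLAN, and the named port must be a port of the primary VLAN) can be checked offline against a saved configuration. The following Python sketch is an added example, not part of the Foundry manual or software; the function names and the sample configuration text are assumptions, and it understands only the vlan, untagged, pvlan type and pvlan mapping lines shown on this page.

```python
import re

# Constructed sample (not from the manual): line 8 maps undefined VLAN 902 to non-member port 3/4.
SAMPLE = """\
vlan 901
 untagged ethernet 3/5 to 3/6
 pvlan type isolated
vlan 7
 untagged ethernet 3/2 to 3/3
 pvlan type primary
 pvlan mapping 901 ethernet 3/2
 pvlan mapping 902 ethernet 3/4
"""

def port(tok):  # "[<slotnum>/]<portnum>" -> (slot, port); slot 0 if omitted
    slot, _, num = tok.rpartition("/")
    return (int(slot or 0), int(num))

def ports(args):  # expand "ethernet a [to b]" items; a range is assumed to stay in one slot
    out = set()
    for m in re.finditer(r"ethernet (\S+)(?: to (\S+))?", args):
        first, last = port(m.group(1)), port(m.group(2) or m.group(1))
        out |= {(first[0], p) for p in range(first[1], last[1] + 1)}
    return out

def parse(text):
    vlans, cur = {}, None
    for n, line in enumerate(text.splitlines(), 1):
        t = line.split()
        if t[:1] == ["vlan"]:
            cur = vlans.setdefault(int(t[1]), {"ports": set(), "type": None, "typed": 0, "maps": []})
        elif cur is not None and t[:1] == ["untagged"]:
            cur["ports"] |= ports(" ".join(t[1:]))
        elif cur is not None and t[:2] == ["pvlan", "type"]:
            cur["type"], cur["typed"] = t[2], n       # remember where the type was set
        elif cur is not None and t[:2] == ["pvlan", "mapping"]:
            cur["maps"].append((n, int(t[2]), port(t[4])))
    return vlans

def audit(text):
    vlans, findings = parse(text), []
    for vid, v in vlans.items():
        for n, target, p in v["maps"]:
            other = vlans.get(target)
            if not other or other["type"] not in ("isolated", "community") or other["typed"] > n:
                findings.append(f"line {n}: VLAN {target} is not an already-configured private VLAN")
            if p not in v["ports"]:
                findings.append(f"line {n}: port {p[0]}/{p[1]} is not in primary VLAN {vid}")
    return findings
```

Calling audit(SAMPLE) reports both problems on line 8 and nothing for the valid mapping on line 7.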
Enabling Broadcast or Unknown Unicast Traffic to the Private VLAN
To enhance private VLAN security, the primary private VLAN does not forward broadcast or unknown unicast
packets to its community and isolated VLANs. For example, if port 3/2 in Figure 11.21 on page 11-53 receives a
broadcast packet from the firewall, the port does not forward the packet to the other private VLAN ports (3/5, 3/6,
3/9, and 3/10).
This forwarding restriction does not apply to traffic from the private VLAN. The primary port does forward
broadcast and unknown unicast packets that are received from the isolated and community VLANs. For example,
if the host on port 3/9 sends an unknown unicast packet, port 3/2 forwards the packet to the firewall.
To remove the forwarding restriction, you can enable the primary port to forward broadcast or unknown unicast traffic using the following CLI method. You can enable or disable forwarding of broadcast or unknown unicast packets separately.
NOTE: On Layer 2 Switches and Layer 3 Switches, you also can use MAC address filters to control the traffic forwarded into and out of the private VLAN. In addition, if you are using a Layer 2 Switch, you also can use ACLs.
Command Syntax
To configure the ports in the primary VLAN to forward broadcast or unknown unicast traffic received from sources
outside the private VLAN, enter the following commands at the global CONFIG level of the CLI: