Configuration notes – Brocade TurboIron 24X Series Configuration Guide User Manual


412

Brocade TurboIron 24X Series Configuration Guide

53-1003053-01

Configuring private VLANs

Secondary – Secondary private VLANs are secure VLANs that are separated from the rest of
the network by the primary private VLAN. Every secondary private VLAN is associated with a
primary private VLAN. The two types of secondary private VLAN are the isolated private VLAN and
the community private VLAN.

Isolated – Broadcast, unknown-unicast, and unregistered-multicast packets received on
isolated ports are sent only to the primary port. They are not flooded to other ports in the
isolated VLAN.

Community – Broadcast, unknown-unicast, and unregistered-multicast packets received on
community ports are sent to the primary port and are also flooded to the other ports in the
community VLAN.

Each private VLAN must have a primary VLAN. The primary VLAN is the interface between the
secured ports and the rest of the network. A private VLAN can have any combination of
community and isolated VLANs. The community VLAN and the isolated VLAN cannot forward traffic to
each other, and traffic cannot be forwarded between different private VLANs.

Table 67 lists the differences between private VLANs and standard VLANs.

Configuration notes

NOTE

Devices support 802.1Q tagged ports in private VLANs. Private VLAN is a hardware-based feature.
Private VLANs on the device forward unknown-unicast, unregistered-multicast, and broadcast packets in
hardware.

Normally, in any port-based VLAN, the device floods unknown-unicast, unregistered-multicast,
and broadcast packets in hardware, although selected packets, such as IGMP, may be sent only
to the CPU for analysis, depending on the IGMP snooping configuration. When Protocol or
Subnet VLANs are enabled, or if private VLAN mappings are enabled, the device floods
unknown-unicast, unregistered-multicast, and broadcast packets in software.

There is currently no support for IGMP snooping within private VLANs. In order for clients in
private VLANs to receive multicast traffic, IGMP snooping must be disabled so that all multicast
packets are treated as unregistered packets and are flooded in software to all the ports.

TABLE 67  Comparison of private VLANs and standard port-based VLANs

Forwarding behavior                          Private VLANs                           Standard VLANs
-------------------------------------------  --------------------------------------  --------------
All ports within a VLAN constitute a         No                                      Yes
common Layer 2 broadcast domain

Broadcasts and unknown unicasts are          No (isolated VLAN)                      Yes
forwarded to all the VLAN ports by default   Yes (community VLAN)

Known unicasts                               Yes (forwarding is done only between    Yes
                                             ports of the same community VLAN and
                                             the primary VLAN port)
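The isolation rules described above and summarized in Table 67 can be expressed as a small forwarding model. The following is an added example, not Brocade code: it models which ports receive a flooded frame and which known-unicast pairs are permitted, and includes an audit helper that flags observed flows (for example from a flow log) that a correctly configured private VLAN should have blocked. The port names, the "guest" and "printers" community VLANs, and the assumption that frames entering on the primary port reach every secondary port are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    """A switch port in a private VLAN (constructed model, not vendor code)."""
    name: str
    role: str            # "primary", "isolated" or "community"
    community: str = ""  # community VLAN name; only meaningful when role == "community"


class PrivateVlan:
    def __init__(self, primary: Port, secondaries: list):
        self.primary = primary
        self.secondaries = list(secondaries)

    def flood_egress(self, ingress: Port) -> set:
        """Ports that receive a broadcast, unknown-unicast or unregistered-multicast
        frame arriving on `ingress`, per the isolated/community rules in the text."""
        if ingress == self.primary:
            # Assumption: a frame entering from the primary port reaches every secondary port.
            return set(self.secondaries)
        out = {self.primary}  # isolated and community ports always reach the primary port
        if ingress.role == "community":
            # community ports additionally flood to the other ports of the same community VLAN
            out |= {p for p in self.secondaries
                    if p.role == "community" and p.community == ingress.community and p != ingress}
        return out

    def known_unicast_allowed(self, src: Port, dst: Port) -> bool:
        """Known unicast is forwarded only between ports of the same community VLAN
        and the primary port; an isolated port can reach the primary port only."""
        if src == dst:
            return False
        if self.primary in (src, dst):
            return True
        return src.role == dst.role == "community" and src.community == dst.community

    def audit(self, observed_flows: list) -> list:
        """Return observed (src, dst) flows that the private VLAN should have blocked;
        a non-empty result points at a misconfiguration or an isolation bypass."""
        return [(s, d) for s, d in observed_flows if not self.known_unicast_allowed(s, d)]


def example_pvlan():
    """Constructed topology: one primary port, two isolated ports, two community VLANs."""
    p = {"primary": Port("eth1", "primary"),
         "iso_a": Port("eth2", "isolated"), "iso_b": Port("eth3", "isolated"),
         "com_a": Port("eth4", "community", "guest"), "com_b": Port("eth5", "community", "guest"),
         "com_c": Port("eth6", "community", "printers")}
    return PrivateVlan(p["primary"], [v for k, v in p.items() if k != "primary"]), p
```

Running `audit` over flows such as `(iso_a, iso_b)` or `(com_a, com_c)` returns them as violations, while `(com_a, com_b)` and any flow involving the primary port pass.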