Private vlans – Brocade BigIron RX Series Configuration Guide User Manual


314   BigIron RX Series Configuration Guide   53-1002484-04

11   Private VLANs

Private VLANs

A private VLAN is a VLAN that has the properties of standard Layer 2 port-based VLANs but also
provides additional control over flooding packets on a VLAN. Figure 30 shows an example of an
application using a private VLAN.

FIGURE 30   Private VLAN used to secure communication between a workstation and servers

This example uses a private VLAN to secure traffic between hosts and the rest of the network
through a firewall. Five ports in this example are members of a private VLAN. The first port (port
3/2) is attached to a firewall. The next four ports (ports 3/5, 3/6, 3/9, and 3/10) are attached to
hosts that rely on the firewall to secure traffic between the hosts and the rest of the network. In this
example, two of the hosts (on ports 3/5 and 3/6) are in a community private VLAN, and thus can
communicate with one another as well as through the firewall. The other two hosts (on ports 3/9
and 3/10) are in an isolated VLAN and thus can communicate only through the firewall. These two
hosts are prevented from communicating with one another even though they are in the same VLAN.

By default, the private VLAN does not forward broadcast or unknown-unicast packets from outside
sources into the private VLAN. If needed, you can override this behavior for broadcast packets,
unknown-unicast packets, or both. (Refer to “Enabling broadcast, multicast or unknown unicast
traffic to the private VLAN” on page 318.)

You can configure a combination of the following types of private VLANs:

Primary – The primary private VLAN ports are “promiscuous”. They can communicate with all
the isolated private VLAN ports and community private VLAN ports in the isolated and
community VLANs that are mapped to the promiscuous port.

Secondary – Secondary private VLANs are secure VLANs that are separated from the rest
of the network by the primary private VLAN. Every secondary private VLAN needs to be
associated with a primary private VLAN. There are two different types of secondary private VLANs,
'community' and 'isolated' private VLANs:

[Figure 30 diagram. Left panel, "Private VLAN": VLAN 7 primary (port 3/2, attached to the firewall); VLAN 901, 903 community (ports 3/5, 3/6); VLAN 902 isolated (ports 3/9, 3/10). Caption text: "A private VLAN secures traffic between a primary port and host ports. Traffic between the hosts and the rest of the network must travel through the primary port." Right panel, "Port-based VLAN": forwarding among private VLAN ports.]
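The forwarding rules described above (promiscuous primary ports, community ports that reach each other and the primary, isolated ports that reach only the primary, and the default of not flooding outside broadcast or unknown-unicast traffic into the private VLAN) can be checked against the Figure 30 topology with a small model. The code below is an added illustration and is not Brocade's software or configuration syntax; the port and VLAN numbers are taken from the figure (only community VLAN 901 is modelled), and the treatment of primary-to-primary forwarding and of known-unicast frames from outside is an assumption the page does not state.

```python
"""Toy model of the private-VLAN forwarding policy described on this page.

Added example (not vendor code). It encodes the Figure 30 topology and lets
you ask whether a frame from one member port may reach another, and whether
a flooded frame from outside the private VLAN is admitted.
"""
from dataclasses import dataclass
from typing import Dict

PRIMARY, COMMUNITY, ISOLATED = "primary", "community", "isolated"


@dataclass
class PrivateVlanModel:
    vlan_type: Dict[int, str]       # VLAN id -> PRIMARY / COMMUNITY / ISOLATED
    primary_of: Dict[int, int]      # secondary VLAN id -> primary VLAN it is mapped to
    port_vlan: Dict[str, int]       # port name (e.g. "3/5") -> VLAN id
    flood_broadcast: bool = False   # page default: outside broadcast is not forwarded in
    flood_unknown_unicast: bool = False  # page default: outside unknown-unicast is not forwarded in

    def _vlan_and_type(self, port):
        vid = self.port_vlan[port]
        return vid, self.vlan_type[vid]

    def _mapped(self, secondary_vid, primary_vid):
        return self.primary_of.get(secondary_vid) == primary_vid

    def can_forward(self, src, dst):
        """True if a frame entering on src may be forwarded out dst."""
        if src == dst:
            return False
        sv, st = self._vlan_and_type(src)
        dv, dt = self._vlan_and_type(dst)
        if st == PRIMARY and dt == PRIMARY:
            # Assumption: ordinary Layer 2 forwarding inside the primary VLAN.
            return sv == dv
        if st == PRIMARY:
            # Promiscuous port reaches any secondary VLAN mapped to it.
            return self._mapped(dv, sv)
        if dt == PRIMARY:
            # Secondary ports reach only their own primary VLAN.
            return self._mapped(sv, dv)
        # Both secondary: community members talk to each other, isolated never do,
        # and different secondary VLANs never talk directly.
        return sv == dv and st == COMMUNITY

    def accepts_from_outside(self, frame_kind):
        """Admission of a frame arriving from outside the private VLAN."""
        if frame_kind == "broadcast":
            return self.flood_broadcast
        if frame_kind == "unknown-unicast":
            return self.flood_unknown_unicast
        # Assumption: unicast to a learned (known) MAC is forwarded normally.
        return True


def figure30():
    """Constructed topology matching Figure 30 (community VLAN 903 omitted)."""
    return PrivateVlanModel(
        vlan_type={7: PRIMARY, 901: COMMUNITY, 902: ISOLATED},
        primary_of={901: 7, 902: 7},
        port_vlan={"3/2": 7, "3/5": 901, "3/6": 901, "3/9": 902, "3/10": 902},
    )


def forwarding_matrix(model):
    """Port-by-port reachability table, useful for eyeballing a policy."""
    ports = sorted(model.port_vlan, key=lambda p: tuple(int(x) for x in p.split("/")))
    return {s: {d: model.can_forward(s, d) for d in ports} for s in ports}


if __name__ == "__main__":
    m = figure30()
    for src, row in forwarding_matrix(m).items():
        print(f"{src:>5}", " ".join("Y" if ok else "." for ok in row.values()))
```

Running the block prints a reachability table: the firewall port 3/2 reaches every host, the community hosts 3/5 and 3/6 reach each other and 3/2, and the isolated hosts 3/9 and 3/10 reach 3/2 only. Flipping `flood_broadcast` or `flood_unknown_unicast` to True models the override the page refers to on page 318.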
