Pvlan configuration guidelines and restrictions – Brocade Network OS Administrator’s Guide v4.1.1 User Manual


VLAN identifier of the whole private VLAN domain and of all its VLAN ID pairs. Secondary VLANs can
be configured as one of two types: either isolated VLANs or community VLANs. Only one isolated VLAN
can be part of one PVLAN domain.

An isolated VLAN is a secondary VLAN whose distinctive characteristic is that all hosts connected to its
ports are isolated at Layer 2. A community VLAN is a secondary VLAN that is associated to a group of
ports that connect to a designated community of end devices with mutual trust relationships.

A PVLAN is often used to isolate networks from security attacks, or to simplify IP address assignments.

Within the private VLAN, ports can be assigned port types. A port can be assigned to only one kind of
port type at a time. The types of ports available for private VLANs are described in the table below.

TABLE 60 Private VLAN terms and definitions

| Term | Description |
|---|---|
| Isolated port | An isolated port cannot talk to any other port in the private VLAN domain except for promiscuous ports and traffic ports. If a customer device needs to have access only to a gateway router, then it should be attached to an isolated port. |
| Community port | A community port is part of a group of ports that have Layer 2 communications with one another, and can also talk to any promiscuous port. For example, if you have two devices that you want to be isolated from other devices, but still be able to communicate between themselves, then community ports should be used. You cannot configure multiple community VLANs on a single port. |
| Promiscuous port | A promiscuous port can talk to all other types of ports. A promiscuous port can talk to isolated ports as well as community ports. Layer 3 gateways, DHCP servers, and other trusted devices that need to communicate with the customer endpoints are typically connected using promiscuous ports. |
| Trunk port | A trunk port connects two switches and carries two or more VLANs. |
| Promiscuous trunk port | A promiscuous trunk port carries multiple primary and normal VLANs. Packets are received and transmitted with primary or regular VLAN tags. Otherwise, the port operates as a promiscuous port. |
| Secondary VLAN | A VLAN used to implement PVLANs. Secondary VLANs are associated with a primary VLAN, and carry traffic from hosts to other allowed hosts or routers. |
| Community VLAN | A secondary VLAN that carries upstream traffic from the community ports to the promiscuous port gateways, and to other host ports in the same community. Multiple community VLANs are permitted in a PVLAN. |
| Primary VLAN | A PVLAN has only one primary VLAN. Every port in a PVLAN is a member of the primary VLAN. The primary VLAN carries unidirectional traffic downstream from the promiscuous ports to the isolated and community ports and to other promiscuous ports. |
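
The Layer 2 reachability rules in the table above can be checked against a planned port layout before it is deployed. The following is an added example, not taken from the Brocade guide: the Port class, the function names, the VLAN IDs and the port names are all hypothetical. It models only promiscuous, isolated and community ports within one PVLAN domain; trunk and promiscuous trunk ports are not modeled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    name: str
    kind: str            # "promiscuous", "isolated" or "community"
    vlans: tuple = ()    # secondary VLAN IDs assigned to a host port

def can_talk(a, b):
    """Layer 2 reachability between two ports of one PVLAN domain."""
    if "promiscuous" in (a.kind, b.kind):
        return True                               # promiscuous ports reach every port type
    if a.kind == b.kind == "community":
        return bool(set(a.vlans) & set(b.vlans))  # members of the same community VLAN
    return False                                  # isolated ports reach no other host port

def audit(secondary_types, ports):
    """Return violations of the restrictions stated in the text above."""
    problems = []
    isolated = sorted(v for v, t in secondary_types.items() if t == "isolated")
    if len(isolated) > 1:
        problems.append(f"{len(isolated)} isolated VLANs {isolated}; only one is allowed")
    for p in ports:
        if p.kind == "promiscuous":
            continue
        if p.kind == "community" and len(p.vlans) > 1:
            problems.append(f"{p.name}: multiple community VLANs {list(p.vlans)}")
        for v in p.vlans:
            if secondary_types.get(v) != p.kind:
                problems.append(f"{p.name}: {p.kind} port placed in VLAN {v}")
    return problems

def host_paths(ports):
    """Host-to-host pairs that can exchange frames directly at Layer 2."""
    hosts = [p for p in ports if p.kind != "promiscuous"]
    return [(a.name, b.name) for i, a in enumerate(hosts)
            for b in hosts[i + 1:] if can_talk(a, b)]

# Constructed sample domain (VLAN IDs and port names are made up for this example).
SECONDARY = {101: "isolated", 201: "community", 202: "community"}
PORTS = [
    Port("gw", "promiscuous"),
    Port("tenant-a", "isolated", (101,)),
    Port("tenant-b", "isolated", (101,)),
    Port("web-1", "community", (201,)),
    Port("web-2", "community", (201,)),
    Port("db-1", "community", (202,)),
]

if __name__ == "__main__":
    print("violations:", audit(SECONDARY, PORTS))
    print("direct host-to-host paths:", host_paths(PORTS))
```

Any pair returned by host_paths is a place where one compromised host can reach another without passing through the gateway, so the list is worth comparing against the intended trust groups.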

PVLAN configuration guidelines and restrictions

Follow these guidelines and restrictions when configuring VLANs:

• VE configuration is not supported on a primary VLAN.
• IGMP is not supported on private VLANs; however, you can create an IGMP configuration. The configuration succeeds but the hardware is not programmed.


Network OS Administrator’s Guide


53-1003225-04
