Blade ICE G8124-E User Manual

BLADEOS 6.5.2 Application Guide

  Chapter 6: VLANs
BMD00220, October 2010
Private VLANs
Private VLANs provide Layer 2 isolation between the ports within the same broadcast domain. 
Private VLANs can control traffic within a VLAN domain, and provide port-based security for host 
servers. 
Use Private VLANs to partition a VLAN domain into sub-domains. Each sub-domain consists 
of one primary VLAN and one or more secondary VLANs, as follows: 

Primary VLAN—carries unidirectional traffic downstream from promiscuous ports. Each 
Private VLAN configuration has only one primary VLAN. All ports in the Private VLAN are 
members of the primary VLAN. 

Secondary VLAN—Secondary VLANs are internal to a private VLAN domain, and are defined 
as follows: 

Isolated VLAN—carries unidirectional traffic upstream from the host servers toward ports 
in the primary VLAN and the gateway. Each Private VLAN configuration can contain only 
one isolated VLAN. 

Community VLAN—carries upstream traffic from ports in the community VLAN to other 
ports in the same community, and to ports in the primary VLAN and the gateway. Each 
Private VLAN configuration can contain multiple community VLANs. 

After you define the primary VLAN and one or more secondary VLANs, you map the secondary 
VLAN(s) to the primary VLAN. 

Private VLAN Ports
Private VLAN ports are defined as follows: 

Promiscuous—A promiscuous port is a port that belongs to the primary VLAN. The 
promiscuous port can communicate with all the interfaces, including ports in the secondary VLANs 
(Isolated VLAN and Community VLANs). Each promiscuous port can belong to only one 
Private VLAN. 

Isolated—An isolated port is a host port that belongs to an isolated VLAN. Each isolated port 
has complete Layer 2 separation from other ports within the same private VLAN (including other 
isolated ports), except for the promiscuous ports. 

Traffic sent to an isolated port is blocked by the Private VLAN, except the traffic from 
promiscuous ports. 

Traffic received from an isolated port is forwarded only to promiscuous ports. 

Community—A community port is a host port that belongs to a community VLAN. Community 
ports can communicate with other ports in the same community VLAN, and with promiscuous 
ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities and 
from isolated ports within the Private VLAN.
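
The port rules above can be checked against a planned port layout before it is applied. The following Python model is an added example, not code from the BLADEOS guide or the switch software; the port names, VLAN IDs and function names are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Port:
    name: str
    role: str            # "promiscuous", "isolated" or "community"
    primary: int         # primary VLAN of the Private VLAN domain
    secondary: int = 0   # isolated or community VLAN; unused for promiscuous

def can_forward(src: Port, dst: Port) -> bool:
    """True if a Layer 2 frame sent by src may be delivered to dst."""
    if src.name == dst.name or src.primary != dst.primary:
        return False                            # not the same Private VLAN
    if "promiscuous" in (src.role, dst.role):
        return True                             # promiscuous reaches all ports
    if src.role == dst.role == "community":
        return src.secondary == dst.secondary   # same community only
    return False                                # any pairing with an isolated host

def host_to_host_paths(ports):
    """Host-port pairs that can exchange frames without a promiscuous port."""
    hosts = [p for p in ports if p.role != "promiscuous"]
    return sorted((a.name, b.name) for a, b in combinations(hosts, 2)
                  if can_forward(a, b) and can_forward(b, a))

def validate(ports):
    """Report violations of the structural limits stated in the text."""
    errors, isolated, promisc = [], {}, {}
    for p in ports:
        if p.role == "isolated":
            isolated.setdefault(p.primary, set()).add(p.secondary)
        elif p.role == "promiscuous":
            promisc.setdefault(p.name, set()).add(p.primary)
    for primary, vlans in sorted(isolated.items()):
        if len(vlans) > 1:
            errors.append(f"primary {primary}: more than one isolated VLAN {sorted(vlans)}")
    for name, primaries in sorted(promisc.items()):
        if len(primaries) > 1:
            errors.append(f"port {name}: promiscuous in several Private VLANs {sorted(primaries)}")
    return errors

# Constructed sample: primary VLAN 100, communities 101 and 102, isolated VLAN 110.
PORTS = [
    Port("uplink", "promiscuous", 100),
    Port("web1", "community", 100, 101), Port("web2", "community", 100, 101),
    Port("db1", "community", 100, 102),
    Port("bk1", "isolated", 100, 110), Port("bk2", "isolated", 100, 110),
]
```

The model covers Layer 2 delivery only; traffic that the gateway behind a promiscuous port routes back into the domain is outside it.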