Private Vlan Port Isolation; Mac-Based Vlan (Vcl) - i3 International S81 User Manual

Poe managed switch for video surveillance networks

Adding a new Private VLAN

Private VLAN Port Isolation

Port Isolation provides an apparatus and method for isolating ports on the same VLAN of a layer 2 switch in order to restrict traffic flow. The apparatus comprises a switch having a plurality of ports, each port configured as a protected port or a non-protected port. An address table stores destination address and port number pairs. A forwarding map generator generates a forwarding map in response to the destination address of a data packet. The method configures each of the ports on the layer 2 switch as a protected port or a non-protected port. The destination address of a data packet is matched with a physical address on the layer 2 switch, and a forwarding map is generated for the data packet based upon that destination address. The data packet is then sent to the ports named in the forwarding map, which is generated according to whether the ingress port was configured as a protected or non-protected port.
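
The forwarding decision described above, as an added Python example (not code from the manual or from the switch vendor). It assumes the usual port-isolation rule that a frame arriving on a protected port is never forwarded to another protected port; the class name, port numbers and MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class IsolatingSwitch:
    ports: frozenset                 # member ports of one VLAN
    protected: frozenset             # ports with Port Isolation checked
    mac_table: dict = field(default_factory=dict)   # destination MAC -> port

    def forwarding_map(self, ingress, dst_mac):
        """Egress ports for a frame received on `ingress`."""
        learned = self.mac_table.get(dst_mac)
        if dst_mac != BROADCAST and learned is not None:
            egress = {learned}                 # known unicast
        else:
            egress = set(self.ports)           # broadcast / unknown unicast: flood
        egress.discard(ingress)                # never send back out the ingress port
        if ingress in self.protected:
            egress -= self.protected           # assumed rule: protected -> protected is filtered
        return egress

    def receive(self, ingress, src_mac, dst_mac):
        """Learn the source address, then build the forwarding map."""
        self.mac_table[src_mac] = ingress
        return self.forwarding_map(ingress, dst_mac)

    def unicast_pairs(self):
        """Audit helper: ordered (ingress, egress) port pairs that may exchange frames."""
        return {(i, e) for i in self.ports for e in self.ports
                if i != e and not (i in self.protected and e in self.protected)}


def demo_switch():
    # Constructed sample: ports 1-2 are cameras (protected), 3 is a recorder, 4 an uplink.
    sw = IsolatingSwitch(ports=frozenset({1, 2, 3, 4}), protected=frozenset({1, 2}))
    sw.receive(1, "00:00:5e:00:53:01", BROADCAST)
    sw.receive(2, "00:00:5e:00:53:02", BROADCAST)
    sw.receive(3, "00:00:5e:00:53:03", BROADCAST)
    return sw


if __name__ == "__main__":
    sw = demo_switch()
    print("camera1 -> camera2 :", sw.forwarding_map(1, "00:00:5e:00:53:02"))
    print("camera1 -> recorder:", sw.forwarding_map(1, "00:00:5e:00:53:03"))
    print("camera1 broadcast  :", sw.forwarding_map(1, BROADCAST))
    print("recorder broadcast :", sw.forwarding_map(3, BROADCAST))
```

Running `unicast_pairs()` against a planned port layout lists every port pair that can still exchange frames, which is a quick way to confirm that only the intended ports were left non-protected.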
To configure Port Isolation in the web interface:
1. Click Configure / Private VLANs / Port Isolation.
2. Select which ports will be enabled for Port Isolation.
3. Click Apply and click the Save icon in the upper right corner to save the settings, or click Reset to cancel. The form will return to the previously saved settings.
Private VLAN Port Isolation Configuration Parameters:
Items
Port Members

MAC-Based VLAN (VCL)

A MAC address-based VLAN decides the VLAN for forwarding an untagged frame based on the source MAC address of the frame.
The most common way of grouping VLAN members is by port, hence the name port-based VLAN. Typically, the device adds the same VLAN tag to all untagged packets received through the same port, so that these packets are later forwarded in the same VLAN. Port-based VLAN is easy to configure and suits networks where the locations of terminal devices are relatively fixed. As mobile office and wireless network access gain popularity, the ports that terminal devices use to access the network are very often not fixed. A device may access a network through Port A this time, but through Port B the next time. If Port A and Port B belong to different VLANs, the device will be assigned to a different VLAN the next time it accesses the network. As a result, it will not be able to use the resources in the old VLAN. On the other hand, if Port A and Port B belong to the same VLAN, terminal devices that access the network through Port B will have access to the same resources as those accessing the network through Port A, which brings security issues. MAC-based VLAN technology was developed to provide user access while still ensuring data security.
Adding a new Private VLAN: Click to add a new VLAN ID. An empty row is added to the table, and the VLAN can be configured as needed. Legal values for a VLAN ID are 1 through 4095. The VLAN is enabled on the selected stack switch unit when you click on "Save". The VLAN is thereafter present on the other stack switch units, but with no port members. The check box is greyed out when the VLAN is displayed on other stacked switches, but the user can add member ports to it. A VLAN without any port members on any stack unit will be deleted when you click "Save". The button can be used to undo the addition of new VLANs.

Port Members: A check box is provided for each port of a private VLAN. When checked, port isolation is enabled on that port. When unchecked, port isolation is disabled on that port. By default, port isolation is disabled on all ports.