Private Vlans - Dell PowerConnect B-RX Configuration Manual

11

Private VLANs

Private VLANs
A private VLAN is a VLAN that has the properties of standard Layer 2 port-based VLANs but also
provides additional control over flooding packets on a VLAN.
application using a private VLAN.
FIGURE 30
This example uses a private VLAN to secure traffic between hosts and the rest of the network
through a firewall. Five ports in this example are members of a private VLAN. The first port (port
3/2) is attached to a firewall. The next four ports (ports 3/5, 3/6, 3/9, and 3/10) are attached to
hosts that rely on the firewall to secure traffic between the hosts and the rest of the network. In this
example, two of the hosts (on ports 3/5 and 3/6) are in a community private VLAN, and thus can
communicate with one another as well as through the firewall. The other two hosts (on ports 3/9
and 3/10), are in an isolated VLAN and thus can communicate only through the firewall. The two
hosts are secured from communicating with one another even though they are in the same VLAN.
By default, the private VLAN does not forward broadcast or unknown-unicast packets from outside
sources into the private VLAN. If needed, you can override this behavior for broadcast packets,
unknown-unicast packets, or both. (Refer to
traffic to the private VLAN"
You can configure a combination of the following types of private VLANs:
•
•
314
Private VLAN used to secure communication between a workstation and servers
A private VLAN secures traffic
between a primary port and host
ports.
Traffic between the hosts and
the rest of the network must
travel through the primary port.
Firewall
on page 318.)
Primary – The primary private VLAN ports are "promiscuous". They can communicate with all
the isolated private VLAN ports and community private VLAN ports in the isolated and
community VLANs that are mapped to the promiscuous port.
Secondary – The secondary private VLAN are secure VLANs that are separated from the rest
of the network by the primary private VLAN. Every secondary private VLAN needs to be
associated with a primary private VLAN. There are 2 different types of secondary private VLANs
- 'community' and 'isolated' private VLANs:
Private VLAN
Port-based VLAN
Forwarding among
private VLAN ports
VLAN 7 VLAN 901, 903
primary community
3/2 3/5 3/6
"Enabling broadcast, multicast or unknown unicast
Figure 30 shows an example of an
VLAN 902
isolated
3/9 3/10
BigIron RX Series Configuration Guide
53-1002253-01