Dell FCX624-I Laptop User Manual


 
492 PowerConnect B-Series FCX Configuration Guide
53-1002266-01
Configuring private VLANs
13
PowerConnect device will flood unknown unicast, unregistered multicast, and broadcast
packets in software. The flooding of broadcast or unknown unicast from the community or
isolated VLANs to other secondary VLANs will be governed by the PVLAN forwarding rules. The
switching is done in hardware and thus the CPU does not enforce packet restrictions. The
hardware forwarding behavior is supported on the PowerConnect B-Series FCX platforms only.
There is currently no support for IGMP snooping within PVLANs. In order for clients in PVLANs
to receive multicast traffic, IGMP snooping must be disabled so that all multicast packets are
treated as unregistered packets and are flooded in software to all the ports.
The PowerConnect forwards all known unicast traffic in hardware. This differs from the way the
BigIron implements PVLANs, in that the BigIron uses the CPU to forward packets on the primary
VLAN "promiscuous" port. In addition, on the BigIron, support for the hardware forwarding
sometimes results in multiple MAC address entries for the same MAC address in the device
MAC address table. On the PowerConnect, multiple MAC entries do not appear in the MAC
address table because the PowerConnect transparently manages multiple MAC entries in
hardware.
To configure a PVLAN, configure each of the component VLANs (isolated, community, and
public) as a separate port-based VLAN:
- Use standard VLAN configuration commands to create the VLAN and add ports.
- Identify the PVLAN type (isolated, community, or public).
- For the primary VLAN, map the other PVLANs to the ports in the primary VLAN.
A primary VLAN can have multiple ports. All these ports are active, but the ports that will be
used depend on the PVLAN mappings. Also, secondary VLANs (isolated and community
VLANs) can be mapped to multiple primary VLAN ports.
You can configure PVLANs and dual-mode VLAN ports on the same device. However, the
dual-mode VLAN ports cannot be members of PVLANs.
VLAN identifiers configured as part of a PVLAN (primary, isolated, or community) should be
consistent across the switched network. The same VLAN identifiers cannot be configured as a
normal VLAN or a part of any other PVLAN.
Promiscuous and switch-switch link ports are member ports of the primary VLAN only. All
switch-switch link ports are tagged ports.
Member ports of isolated and community VLANs cannot be member ports of any other VLAN.
All member ports that are part of the PVLAN (isolated or secondary) will perform VLAN
classification based on the PVLAN ID (PVID) only (no VLAN classification by port, protocol, ACL
and so on, if any).
PVST, when needed in PVLANs, should be enabled on all (primary and secondary) private
VLANs.
Configuring the primary VLAN
To configure a primary VLAN, enter commands such as the following.
PowerConnect(config)# vlan 7
PowerConnect(config-vlan-7)# untagged ethernet 3/2
PowerConnect(config-vlan-7)# pvlan type primary
PowerConnect(config-vlan-7)# pvlan mapping 901 ethernet 3/2
These commands create port-based VLAN 7, add port 3/2 as an untagged port, identify the VLAN
as the primary VLAN in a PVLAN, and map the other secondary VLANs to the ports in this VLAN.
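One way to check a planned layout against the membership rules above before entering it on the switch, as an added example that is not part of the guide. The plan dictionary format, the function name lint_pvlan_plan, the choice of community for VLAN 901, and every port other than 3/2 are assumptions made for illustration.

```python
# Added example (not from the guide): lint a planned PVLAN layout against the
# membership rules stated above. Plan format and sample values are constructed.
SECONDARY = ("isolated", "community")

def lint_pvlan_plan(vlans, dual_mode_ports=()):
    """vlans maps VLAN id -> {"type", "ports", optional "mappings"}.
    "mappings" (primary only) maps secondary VLAN id -> primary ports.
    Returns a list of violation strings; empty means the plan is consistent."""
    problems = []
    owners = {}                      # port -> VLAN ids the port belongs to
    for vid, v in vlans.items():
        for port in v["ports"]:
            owners.setdefault(port, []).append(vid)
    mapped_by = {}                   # secondary VLAN id -> primaries mapping it
    for vid, v in vlans.items():
        pvlan = v["type"] == "primary" or v["type"] in SECONDARY
        for port in v["ports"]:
            if pvlan and port in dual_mode_ports:
                problems.append(f"vlan {vid}: dual-mode port {port} in a PVLAN")
            if v["type"] in SECONDARY and len(owners[port]) > 1:
                problems.append(f"vlan {vid}: port {port} also in another VLAN")
        for sec, ports in v.get("mappings", {}).items():
            mapped_by.setdefault(sec, []).append(vid)
            if v["type"] != "primary":
                problems.append(f"vlan {vid}: only a primary VLAN may hold mappings")
            if vlans.get(sec, {}).get("type") not in SECONDARY:
                problems.append(f"vlan {vid}: mapped VLAN {sec} is not isolated/community")
            for port in ports:
                if port not in v["ports"]:
                    problems.append(f"vlan {vid}: mapping port {port} not in primary")
    for sec, primaries in mapped_by.items():
        if len(primaries) > 1:
            problems.append(f"vlan {sec}: part of more than one PVLAN {sorted(primaries)}")
    return problems

# Constructed plans. GOOD mirrors the commands above (VLAN 7, port 3/2, VLAN 901).
GOOD = {
    7:   {"type": "primary", "ports": ["3/2"], "mappings": {901: ["3/2"]}},
    901: {"type": "community", "ports": ["3/5", "3/6"]},
}
BAD = {
    7:   {"type": "primary", "ports": ["3/2"], "mappings": {901: ["3/9"], 20: ["3/2"]}},
    901: {"type": "community", "ports": ["3/5", "3/6"]},
    20:  {"type": "normal", "ports": ["3/6"]},
}

if __name__ == "__main__":
    print("GOOD:", lint_pvlan_plan(GOOD) or "ok")
    print("BAD:", lint_pvlan_plan(BAD, dual_mode_ports={"3/5"}))
```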