Command Line Reference Guide
44
Private VLAN (PVLAN)
FTOS supports the private VLAN (PVLAN) feature on the S5000 switch.
Private VLANs extend the FTOS security suite by providing Layer 2 isolation between ports within the same private
VLAN. A private VLAN partitions a traditional VLAN into subdomains identified by a primary and secondary VLAN pair.
The FTOS private VLAN implementation is based on RFC 3069.
For more information, refer to the following commands.
Private VLAN Concepts
Primary VLAN:
The primary VLAN is the base VLAN and can have multiple secondary VLANs. There are two types of secondary VLAN
— community VLAN and isolated VLAN:
• A primary VLAN can have any number of community VLANs and isolated VLANs.
• Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an
isolated port is forwarded only to promiscuous ports or trunk ports.
Community VLAN:
A community VLAN is a secondary VLAN of the primary VLAN:
• Ports in a community VLAN can talk to each other. Also, all ports in a community VLAN can talk to all
promiscuous ports in the primary VLAN and vice versa.
• Devices on a community VLAN can communicate with each other using member ports, while devices in an
isolated VLAN cannot.
Isolated VLAN:
An isolated VLAN is a secondary VLAN of the primary VLAN:
• Ports in an isolated VLAN cannot talk to each other. Servers are typically connected to isolated VLAN ports.
• Isolated ports can talk to promiscuous ports in the primary VLAN, and vice versa.
Port Types:
• Community port: A community port is a port that belongs to a community VLAN and is allowed to communicate with other ports in the same community VLAN and with promiscuous ports.
• Isolated port: An isolated port is a port that, in Layer 2, can only communicate with promiscuous ports that are in the same PVLAN.
• Promiscuous port: A promiscuous port is a port that is allowed to communicate with any other port type.
• Trunk port: A trunk port carries VLAN traffic across switches:
– A trunk port in a PVLAN is always tagged.
– Primary or secondary VLAN traffic is carried by the trunk port in Tagged mode. The tag on the packet helps identify the VLAN to which the packet belongs.
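The forwarding rules described above, written out as a small Python model so the expected Layer 2 reachability of each port type can be checked before trusting a PVLAN for isolation. This is an added illustration, not FTOS code or configuration; the topology, port names and VLAN ids are constructed.

```python
"""Layer 2 forwarding model for a private VLAN, built from the rules above.
Constructed illustration, not FTOS code: a frame is classified into a VLAN on
ingress and is then flooded only to the ports that VLAN may reach."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Port:
    name: str
    kind: str                        # "promiscuous", "community", "isolated" or "trunk"
    primary: int                     # primary VLAN of the PVLAN this port belongs to
    secondary: Optional[int] = None  # community or isolated VLAN id; None for promiscuous/trunk

def ingress_vlan(port: Port, tag: Optional[int]) -> int:
    """VLAN a frame belongs to once it enters `port`; `tag` is its 802.1Q tag, if any."""
    if port.kind == "trunk":
        if tag is None:
            raise ValueError("a trunk port in a PVLAN is always tagged")
        return tag
    return port.primary if port.kind == "promiscuous" else port.secondary

def egress_ports(src: Port, tag: Optional[int], ports: List[Port]) -> List[str]:
    """Names of the ports a frame entering `src` may be forwarded to at Layer 2."""
    vlan = ingress_vlan(src, tag)
    members = [p for p in ports if p.primary == src.primary]
    known = {src.primary} | {p.secondary for p in members if p.secondary is not None}
    if vlan not in known:
        return []                    # not a VLAN of this PVLAN: nothing to deliver
    out = []
    for dst in members:
        if dst is src:
            continue
        if dst.kind in ("promiscuous", "trunk"):
            out.append(dst.name)     # promiscuous and trunk ports receive every VLAN of the PVLAN
        elif vlan == src.primary:
            out.append(dst.name)     # primary VLAN traffic reaches every host port
        elif dst.kind == "community" and dst.secondary == vlan:
            out.append(dst.name)     # community traffic stays inside its own community VLAN
        # isolated VLAN traffic is never forwarded to another isolated or community port
    return out

# Constructed topology: primary VLAN 100, community VLAN 101, isolated VLAN 102.
PORTS = [
    Port("uplink", "promiscuous", 100),
    Port("web1", "community", 100, 101),
    Port("web2", "community", 100, 101),
    Port("db1", "isolated", 100, 102),
    Port("db2", "isolated", 100, 102),
    Port("trunk", "trunk", 100),
]
```

Calling egress_ports for each host port shows that db1 reaches only uplink and trunk, while web1 also reaches web2; a frame arriving on the trunk tagged with the isolated VLAN is delivered to the promiscuous port alone.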