RackSwitch G8000 Application Guide
Chapter 3: VLANs
59BMD00041, November 2008
Private VLANs
Private VLANs provide Layer 2 isolation between the ports within the same broadcast domain.
Private VLANs can control traffic within a VLAN domain, and provide port-based security for
host servers.
Use Private VLANs to partition a VLAN domain into sub-domains. Each sub-domain is
comprised of one primary VLAN and one or more secondary VLANs, as follows:
  Primary VLAN—carries unidirectional traffic downstream from promiscuous ports. Each
  Private VLAN has only one primary VLAN. All ports in the Private VLAN are members
  of the primary VLAN.
  Secondary VLAN—Secondary VLANs are internal to a private VLAN domain, and are
  defined as follows:
    Isolated VLAN—carries unidirectional traffic upstream from the host servers toward
    ports in the primary VLAN and the gateway. Each Private VLAN can contain only
    one Isolated VLAN.
    Community VLAN—carries upstream traffic from ports in the community VLAN to
    other ports in the same community, and to ports in the primary VLAN and the
    gateway. Each Private VLAN can contain multiple community VLANs.
After you define the primary VLAN and one or more secondary VLANs, you map the
secondary VLAN(s) to the primary VLAN.
Private VLAN ports
Private VLAN ports are defined as follows:
  Promiscuous—A promiscuous port is a port that belongs to the primary VLAN. The
  promiscuous port can communicate with all the interfaces, including ports in the
  secondary VLANs (Isolated VLAN and Community VLANs). Each promiscuous port can
  belong to only one Private VLAN.
  Isolated—An isolated port is a host port that belongs to an isolated VLAN. Each isolated
  port has complete Layer 2 separation from other ports within the same private VLAN
  (including other isolated ports), except for the promiscuous ports.
    Traffic sent to an isolated port is blocked by the Private VLAN, except the traffic
    from promiscuous ports.
    Traffic received from an isolated port is forwarded only to promiscuous ports.
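
The forwarding rules above can be modelled to check a planned port layout against the separation it is meant to enforce; the model also covers community ports, using the Community VLAN description earlier in this section. This is an added example, not taken from the guide or the switch software. The port names, VLAN IDs and function names are constructed, and it assumes that "ports in the primary VLAN" in the secondary VLAN descriptions means the promiscuous ports.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Port:
    name: str                             # hypothetical port label
    role: str                             # "promiscuous", "isolated" or "community"
    secondary_vlan: Optional[int] = None  # None for promiscuous ports

def can_forward(src: Port, dst: Port) -> bool:
    """Layer 2 forwarding decision between two ports of one Private VLAN."""
    if src.name == dst.name:
        return False
    if "promiscuous" in (src.role, dst.role):
        return True   # promiscuous ports talk to every port in the domain
    if src.role == dst.role == "community":
        return src.secondary_vlan == dst.secondary_vlan  # same community only
    return False      # isolated ports reach nothing but promiscuous ports

def config_errors(ports):
    """Check the structural limit: only one Isolated VLAN per Private VLAN."""
    isolated = {p.secondary_vlan for p in ports if p.role == "isolated"}
    if len(isolated) > 1:
        return [f"more than one Isolated VLAN: {sorted(isolated)}"]
    return []

def isolation_violations(ports, must_not_talk):
    """Pairs the design requires to be separated but the port roles still allow."""
    by_name = {p.name: p for p in ports}
    return [(a, b) for a, b in must_not_talk if can_forward(by_name[a], by_name[b])]

# Constructed sample layout: isolated VLAN 110, community VLANs 120 and 130.
PORTS = [
    Port("uplink", "promiscuous"),
    Port("web1", "isolated", 110), Port("web2", "isolated", 110),
    Port("db1", "community", 120), Port("db2", "community", 120),
    Port("backup", "community", 130),
]

if __name__ == "__main__":
    print(config_errors(PORTS))
    # db1 and db2 share community VLAN 120, so that pair is reported.
    print(isolation_violations(PORTS, [("web1", "web2"), ("db1", "db2"), ("db1", "backup")]))
```

A pair reported by `isolation_violations` means the two hosts need different community VLANs, or the isolated VLAN, to get the intended Layer 2 separation.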