Chapter 47: Private Port VLANs
660 Section VII: Virtual LANs
Overview
Private VLANs create special broadcast domains in which the traffic of the
member ports is restricted to just uplink ports. Ports in a private port VLAN
are only allowed to forward traffic to and receive traffic from a designated
uplink port, and are prohibited from forwarding traffic to each other.
An example application of a private port VLAN would be a library in which
user booths each have a computer with Internet access. In this situation it
would usually be undesirable to allow communication between these
individual PCs. Connecting the computers to ports within a private isolated
VLAN would enable each computer to access the Internet or a library
server via a single connection, while preventing access between the
computers in the booths.
Another application for private port VLANs is to simplify IP address
assignments. Ports can be isolated from each other while still belonging to
the same subnet.
A private port VLAN consists of one or more host ports and an uplink port.
Host Ports
The host ports of a private port VLAN can only forward traffic to and
receive traffic from an uplink port and are prohibited from forwarding traffic
to each other. A private port VLAN can have any number of host ports on
the switch, up to all the ports, minus the uplink port. Host ports cannot be
members of static port trunks or LACP trunks. A port can be a host port of
only one private port VLAN at a time.
The host ports are untagged. Their VLAN membership is defined by their
PVIDs, which are set to the ID of the private port VLAN. The devices to which
they are connected should not send tagged packets.
Uplink Port
The uplink port, also referred to as the promiscuous port, can
communicate with all the host ports in its VLAN. A private port VLAN can
have only one uplink port, but it can be any port on the switch. A port can
be an uplink port of just one private port VLAN at a time. The uplink port
cannot be a static port trunk or an LACP trunk.
The uplink port is untagged. It does not include tagged VLAN information
in the packets that it forwards to host ports or the device to which it is
connected. Thus, its network counterpart should not send tagged packets.
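The membership rules and the forwarding restriction described in this chapter, modelled as a small checker. This is an added example, not the switch vendor's code or CLI; port numbers, VLAN IDs and the trunk-port set are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of a private port VLAN: one untagged uplink (promiscuous)
# port plus any number of untagged host ports identified by their PVID.
@dataclass
class PrivatePortVlan:
    vlan_id: int          # also the PVID of the host ports
    uplink: int           # the single promiscuous port
    hosts: set = field(default_factory=set)

def validate(pvlans, trunk_ports):
    """Return the rule violations in a proposed set of private port VLANs.

    trunk_ports: ports that belong to a static port trunk or an LACP trunk.
    """
    errors = []
    claimed = {}  # port -> vlan_id that already uses it (host or uplink)
    for p in pvlans:
        if p.uplink in p.hosts:
            errors.append(f"vlan {p.vlan_id}: uplink {p.uplink} is also a host port")
        if p.uplink in trunk_ports:
            errors.append(f"vlan {p.vlan_id}: uplink {p.uplink} is a trunk member")
        for h in sorted(p.hosts):
            if h in trunk_ports:
                errors.append(f"vlan {p.vlan_id}: host {h} is a trunk member")
        # A port may be a host or uplink port of only one private port VLAN.
        for port in sorted(p.hosts | {p.uplink}):
            if port in claimed:
                errors.append(f"port {port} is in both vlan {claimed[port]} and {p.vlan_id}")
            else:
                claimed[port] = p.vlan_id
    return errors

def forward(pvlan, ingress, egress):
    """Decide whether an untagged frame entering on ingress may leave on egress."""
    members = pvlan.hosts | {pvlan.uplink}
    if ingress not in members or egress not in members or ingress == egress:
        return False
    # Host ports may exchange traffic only with the uplink port, never with each other.
    return pvlan.uplink in (ingress, egress)

if __name__ == "__main__":
    # Library scenario: port 1 faces the Internet router, ports 2-4 are user booths.
    library = PrivatePortVlan(vlan_id=10, uplink=1, hosts={2, 3, 4})
    print("config errors:", validate([library], trunk_ports=set()))
    print("booth 2 -> uplink:", forward(library, 2, 1))
    print("booth 2 -> booth 3:", forward(library, 2, 3))
```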