
HP 9304m - Enabling Broadcast or Unknown Unicast Traffic to the Private Vlan

Configuring Virtual LANs (VLANs)
7 - 51
active port in the primary VLAN and with each other.
isolated – specifies that the VLAN is an isolated private VLAN. The ports can communicate only with the
active port in the primary VLAN. They cannot communicate with one another or with any other ports.
primary – specifies that the VLAN is a primary private VLAN. See “Configuring the Primary VLAN”.
Configuring the Primary VLAN
Use the following CLI method to configure the primary VLAN.
NOTE: The primary private VLAN has only one active port. If you configure the VLAN to have more than one
port, the lowest-numbered port is the active one. The additional ports provide redundancy. If the active port
becomes unavailable, the lowest-numbered available port becomes the active port for the VLAN.
USING THE CLI
To configure a primary private VLAN, enter commands such as the following:
HP9300(config)# vlan 7
HP9300(config-vlan-7)# untagged ethernet 3/2
HP9300(config-vlan-7)# pvlan type primary
HP9300(config-vlan-7)# pvlan mapping 901 ethernet 3/2
These commands create port-based VLAN 7, add port 3/2 as an untagged port, identify the VLAN as the primary
VLAN in a private VLAN, and map the other private VLANs to the port(s) in this VLAN.
Syntax: untagged ethernet <portnum> [to <portnum> | ethernet <portnum>]
Syntax: [no] pvlan type community | isolated | primary
Syntax: [no] pvlan mapping <vlan-id> ethernet <portnum>
The tagged or untagged command adds the port(s) to the VLAN. For syntax information and more examples,
see the “Configuring Virtual LANs (VLANs)” chapter of the Installation and Getting Started Guide.
NOTE: You can add the port as a tagged port if needed. If you add the port as a tagged port, you must also add
the port as a tagged port to the isolated and community VLANs. See “CLI Example for Figure 7.18” on page 7-52.
The pvlan type command specifies that this port-based VLAN is a private VLAN. Specify primary as the type.
The pvlan mapping command identifies the other private VLANs for which this VLAN is the primary. The
command also specifies the primary VLAN ports to which you are mapping the other private VLANs.
• The <vlan-id> parameter specifies another private VLAN. The other private VLAN you want to specify must
already be configured.
• The ethernet <portnum> parameter specifies the primary VLAN port to which you are mapping all the ports in
the other private VLAN (the one specified by <vlan-id>).
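The rules above can be checked mechanically before a configuration is deployed. The following is an added example, not part of the HP manual: a small Python audit that reads CLI-style text and reports primary VLAN mappings that point at a VLAN not configured as community or isolated, that name a port outside the primary VLAN, or that use a tagged primary port not also tagged in the mapped VLAN. The function names and the sample text are hypothetical, and the check assumes a complete saved configuration, so it does not test the order in which commands were entered.

```python
import re

def expand_ports(spec):
    """Expand 'ethernet 3/5 to 3/6 ethernet 3/9' into {'3/5', '3/6', '3/9'}."""
    ports = set()
    for first, last in re.findall(r"ethernet (\d+/\d+)(?: to (\d+/\d+))?", spec):
        slot, lo = first.split("/")
        hi = (last or first).split("/")[1]
        ports |= {f"{slot}/{n}" for n in range(int(lo), int(hi) + 1)}
    return ports

def parse(config):
    """Return {vlan_id: {'type', 'tagged', 'untagged', 'maps'}} from CLI text."""
    vlans, cur = {}, None
    for line in config.splitlines():
        # Drop a leading prompt such as 'HP9300(config-vlan-7)#' if present.
        words = re.sub(r"^\s*\S*\(config[^)]*\)#", "", line).split()
        if words[:1] == ["vlan"]:
            cur = vlans.setdefault(int(words[1]), {"type": None, "tagged": set(),
                                                   "untagged": set(), "maps": []})
        elif not words or cur is None:
            continue
        elif words[0] in ("tagged", "untagged"):
            cur[words[0]] |= expand_ports(" ".join(words[1:]))
        elif words[:2] == ["pvlan", "type"] and len(words) > 2:
            cur["type"] = words[2]
        elif words[:2] == ["pvlan", "mapping"] and len(words) == 5:
            cur["maps"].append((int(words[2]), words[4]))
    return vlans

def audit(config):
    """Check each primary VLAN's mappings against the rules stated above."""
    vlans, findings = parse(config), []
    for vid, v in vlans.items():
        if v["type"] != "primary":
            continue
        for mapped, port in v["maps"]:
            other = vlans.get(mapped)
            if other is None or other["type"] not in ("community", "isolated"):
                findings.append((vid, mapped, port, "mapped VLAN not configured as community/isolated"))
            elif port not in v["tagged"] | v["untagged"]:
                findings.append((vid, mapped, port, "mapping port is not in the primary VLAN"))
            elif port in v["tagged"] and port not in other["tagged"]:
                findings.append((vid, mapped, port, "port tagged in primary but not in mapped VLAN"))
    return findings

# Constructed sample: primary port 3/2 is tagged in VLAN 7 but not added as tagged to VLAN 901.
SAMPLE = ("vlan 901\n untagged ethernet 3/5 to 3/6\n pvlan type community\n"
          "vlan 7\n tagged ethernet 3/2\n pvlan type primary\n pvlan mapping 901 ethernet 3/2\n")
print(audit(SAMPLE))
```

Run against only the four commands shown earlier, the audit reports VLAN 901 as not configured, because those commands assume the community or isolated VLAN already exists.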
Enabling Broadcast or Unknown Unicast Traffic to the Private VLAN
To enhance private VLAN security, the primary private VLAN does not forward broadcast or unknown unicast
packets to its community and isolated VLANs. For example, if port 3/2 in Figure 7.18 on page 7-48 receives a
broadcast packet from the firewall, the port does not forward the packet to the other private VLAN ports (3/5, 3/6,
3/9, and 3/10).
This forwarding restriction does not apply to traffic from the private VLAN. The primary port does forward
broadcast and unknown unicast packets that are received from the isolated and community VLANs. For example,
if the host on port 3/9 sends an unknown unicast packet, port 3/2 forwards the packet to the firewall.
To remove the forwarding restriction, you can enable the primary port to forward broadcast or unknown
unicast traffic using the following CLI method. You can enable or disable forwarding of broadcast or
unknown unicast packets separately.
