Private VLANs
This chapter contains information on the creation and management of private virtual local area networks (VLANs).
About Private VLANs
A Private VLAN divides the original VLAN, now called the Primary VLAN, into sub-VLANs (Secondary VLANs), while keeping the existing IP subnet and layer 3 configuration. Unlike a regular VLAN, which is a single broadcast domain, a Private VLAN partitions one broadcast domain into multiple smaller broadcast subdomains.
After a Private VLAN is configured, the Primary VLAN is used to forward frames downstream to all Secondary VLANs.
There are two main types of Secondary VLAN:
- Isolated: Any switch ports associated with an Isolated VLAN can reach the primary VLAN, but not any other Secondary VLAN. In addition, hosts associated with the same Isolated VLAN cannot reach each other. Only one Isolated VLAN is allowed in one Private VLAN domain.
- Community: Any switch ports associated with a common community VLAN can communicate with each other and with the primary VLAN, but not with any other secondary VLAN. There can be multiple distinct community VLANs within one Private VLAN domain.
There are two main types of ports in a Private VLAN: the Promiscuous port (P-Port) and the Host port.
- Promiscuous port (P-Port): The switch port connects to a router, firewall or other common gateway device. This port can communicate with anything else connected to the primary or any secondary VLAN. In other words, it is a type of port that is allowed to send frames to and receive frames from any other port on the VLAN.
- Host port: Host ports are further divided into two types, the Isolated port (I-Port) and the Community port (C-Port).
  - Isolated Port (I-Port): Connects to a regular host that resides on the isolated VLAN. This port communicates only with P-Ports.
  - Community Port (C-Port): Connects to a regular host that resides on a community VLAN. This port communicates with P-Ports and with ports on the same community VLAN.
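The P-Port / I-Port / C-Port reachability rules above, as an added Python model that is not part of the FortiSwitchOS manual: it decides whether a frame from one port may reach another and checks the domain-level constraints (a single isolated VLAN, host ports bound to a configured secondary VLAN). The VLAN numbers follow the configuration example below; port names other than port2 and the host assignments are constructed.

```python
# Added example, not FortiSwitchOS code: a model of the Private VLAN forwarding
# rules (P-Port, I-Port, C-Port) plus a check of the domain-level constraints.
# Port names other than port2 and the host assignments are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Port:
    name: str
    role: str                              # "promiscuous", "isolated" or "community"
    secondary_vlan: Optional[int] = None   # None for promiscuous ports

def can_reach(src: Port, dst: Port) -> bool:
    """True if a frame from src may be delivered to dst inside one Private VLAN domain."""
    if "promiscuous" in (src.role, dst.role):
        return True                        # P-Ports exchange frames with every port
    if "isolated" in (src.role, dst.role):
        return False                       # I-Ports talk only to P-Ports, not to each other
    return src.secondary_vlan == dst.secondary_vlan  # C-Ports: same community VLAN only

def reachability_matrix(ports: List[Port]) -> Dict[Tuple[str, str], bool]:
    """Pairwise reachability between distinct ports, to confirm the intended isolation."""
    return {(a.name, b.name): can_reach(a, b) for a in ports for b in ports if a is not b}

def validate_domain(isolated_vlan: int, community_vlans: range, ports: List[Port]) -> List[str]:
    """Report configuration mistakes that would break the isolation the roles promise."""
    errors = []
    if isolated_vlan in community_vlans:
        errors.append(f"VLAN {isolated_vlan} is both the isolated VLAN and a community VLAN")
    for p in ports:
        if p.role == "isolated" and p.secondary_vlan != isolated_vlan:
            errors.append(f"{p.name}: isolated port is not on isolated VLAN {isolated_vlan}")
        if p.role == "community" and p.secondary_vlan not in community_vlans:
            errors.append(f"{p.name}: community VLAN {p.secondary_vlan} is not configured")
    return errors

# Constructed topology using the VLAN numbers from the configuration example:
# isolated VLAN 101, community VLANs 200-210, port2 as the gateway-facing P-Port.
PORTS = [
    Port("port2", "promiscuous"),
    Port("port3", "isolated", 101), Port("port4", "isolated", 101),
    Port("port5", "community", 200), Port("port6", "community", 200),
    Port("port7", "community", 201),
]

if __name__ == "__main__":
    for (a, b), ok in sorted(reachability_matrix(PORTS).items()):
        print(f"{a} -> {b}: {'allowed' if ok else 'blocked'}")
    print(validate_domain(101, range(200, 211), PORTS))
```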
Private VLAN Example
1. Enabling a Private VLAN:
config switch vlan
    edit 1000
        set private-vlan enable
        set isolated-vlan 101
        set community-vlans 200-210
    next
end
2. Configuring the Private VLAN ports:
config switch interface
    edit "port2"
        set private-vlan promiscuous
    next
end
38 FortiSwitchOS-3.2.0