Creating a Private VLAN on a Single EX Series Switch (CLI Procedure)
For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and even to limit the communication between known hosts. The private VLAN (PVLAN) feature on EX Series switches allows you to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN. This topic describes how to configure a PVLAN on a single switch.
Before you begin, configure names for all secondary VLANs that will be part of the primary VLAN. (You do not need to preconfigure the primary VLAN; the PVLAN is configured as part of this procedure.) The secondary VLANs should be untagged VLANs. Tagging the secondary VLANs does not impair functioning, but the tags are not used when a secondary VLAN is configured on a single switch. For directions for configuring the secondary VLANs, see Configuring VLANs for EX Series Switches (CLI Procedure).
Keep these rules in mind when configuring a PVLAN on a single switch:
- The primary VLAN must be a tagged VLAN.
- Configuring a voice over IP (VoIP) VLAN on PVLAN interfaces is not supported.
To configure a private VLAN on a single switch:
- Set the VLAN ID for the primary VLAN:
  [edit vlans]
  user@switch# set primary-vlan-name vlan-id vlan-id-number
- Set the interfaces and port modes:
- Configure the primary VLAN to have no-local-switching:
  [edit vlans]
  user@switch# set primary-vlan-name no-local-switching
- For each community VLAN, configure access interfaces:
  [edit vlans]
  user@switch# set community-vlan-name interface interface-name
- For each community VLAN, set the primary VLAN:
  [edit vlans]
  user@switch# set community-vlan-name primary-vlan primary-vlan-name
Isolated VLANs are not configured as part of this process, but instead are created internally if no-local-switching is enabled on the primary VLAN and the isolated VLAN has access interfaces as members.
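The procedure above carried through with concrete values, as an added example that is not part of the original topic. The VLAN names (pvlan, finance-comm, hr-comm), VLAN ID 1000, and interface names are constructed for illustration, and the port-mode statements for the "interfaces and port modes" step are an assumption based on standard EX Series ethernet-switching syntax, since this page does not show them.

```junos
# Added example; all names, the VLAN ID and the ports are constructed values.
# Entered from the top of the configuration hierarchy ([edit]).

# Step 1: primary VLAN must be tagged (rule: "The primary VLAN must be a tagged VLAN").
set vlans pvlan vlan-id 1000

# Step 2 (assumed syntax, not shown on the page): one trunk uplink,
# access ports for hosts.
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members pvlan
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/12 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/13 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/15 unit 0 family ethernet-switching port-mode access

# Step 3: disable local switching on the primary VLAN.
set vlans pvlan no-local-switching

# Step 4: access interfaces for each community VLAN.
# Hosts in the same community can reach each other; different communities cannot.
set vlans finance-comm interface ge-0/0/11.0
set vlans finance-comm interface ge-0/0/12.0
set vlans hr-comm interface ge-0/0/13.0

# Step 5: bind each community VLAN to the primary VLAN.
set vlans finance-comm primary-vlan pvlan
set vlans hr-comm primary-vlan pvlan

# Isolated port: an access interface that is a member of the primary VLAN
# only. No isolated VLAN is named; it is created internally because
# no-local-switching is set on the primary VLAN.
set vlans pvlan interface ge-0/0/15.0
```

With this layout, the host on ge-0/0/15 is cut off from every other access port, which is the property to confirm after commit when the PVLAN is being used to contain lateral traffic between hosts.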
To optionally enable routing between isolated and community VLANs by using a Routed VLAN Interface (RVI) instead of an external router, see Configuring a Routed VLAN Interface in a Private VLAN (CLI Procedure).