Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation

Creating a Private VLAN Spanning Multiple EX Series Switches (CLI Procedure)

For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The private VLAN (PVLAN) feature on EX Series switches allows an administrator to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN. This topic describes how to configure a PVLAN to span multiple switches.

Before you begin, configure names for all secondary VLANs that will be part of the primary VLAN. (You do not need to preconfigure the primary VLAN—the PVLAN is configured as part of this procedure.) The secondary VLANs should be untagged VLANs. It does not impair functioning if you tag the secondary VLANS. However, the tags are not used when a secondary VLAN is configured on a single switch. For directions for configuring the secondary VLANs, see Configuring VLANs for EX Series Switches (CLI Procedure).

The following rules apply to creating PVLANs:

  • The primary VLAN must be a tagged VLAN. We recommend that you configure the primary VLAN first.
  • Configuring a voice over IP (VoIP) VLAN on PVLAN interfaces is not supported.
  • If you are going to configure a community VLAN ID, you must first configure the primary VLAN and the PVLAN trunk port.
  • If you are going to configure an isolation VLAN ID, you must first configure the primary VLAN and the PVLAN trunk port.
  • Secondary VLANs and the PVLAN trunk port must be committed on a single commit if MVRP is configured on the PVLAN trunk port.

To configure a private VLAN to span multiple switches:

  1. Configure the name and 802.1Q tag for a community VLAN that spans the switches:
    [edit vlans]
    user@switch# set community-vlan-name vlan-id number
  2. Add the access interfaces to the specified community VLAN:
    [edit vlans]
    user@switch# set community-vlan-name interface interface-name
  3. Set the primary VLAN of the specified community VLAN:
    [edit vlans]
    user@switch# set community-vlan-name primary-vlan primary-vlan-name
  4. Configure the name and the 802.1Q tag for the primary VLAN:.
    [edit vlans]
    user@switch# set primary-vlan-name vlan-id number
  5. Add the isolated port to the specified primary VLAN:
    [edit vlans]
    user@switch# set primary-vlan-name interface interface-name

    Note: To configure an isolated port, include it as one of the members of the primary VLAN, but do not configure it as belonging to one of the community VLANs.

  6. Set the PVLAN trunk interface that will connect the specified VLAN to the neighboring switch:
    [edit vlans]
    user@switch# set primary-vlan-name interface interface-name pvlan-trunk
  7. Set the primary VLAN to have no local switching:
    [edit vlans]
    user@switch# set primary-vlan-name no-local-switching
  8. Set the 802.1Q tag of the interswitch isolated VLAN:
    [edit vlans]
    user@switch# set primary-vlan-name isolation-id number

To optionally enable routing between isolated and community VLANs by using a Routed VLAN Interface (RVI) instead of an external router, see Configuring a Routed VLAN Interface in a Private VLAN (CLI Procedure).

 

Related Documentation

 

Published: 2014-04-23

Previous Page Next Page