Creating a Private VLAN Spanning Multiple Switches
For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The private VLAN (PVLAN) feature allows you to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a secondary VLAN inside a primary VLAN. This topic describes how to configure a PVLAN to span multiple switches.
Before you begin, configure names for all secondary VLANs that will be part of the primary VLAN. (You do not need to preconfigure the primary VLAN—it is configured as part of this procedure.) You do not need to create VLAN IDs (tags) for the secondary VLANs. Tagging the secondary VLANs does not impair functioning, but the tags are not used when secondary VLANs are configured on a single switch.
The following rules apply to creating PVLANs:
- The primary VLAN must be a tagged VLAN.
- If you are going to configure a community VLAN, you must first configure the primary VLAN and the PVLAN trunk port. You must also configure the primary VLAN to be private using the pvlan statement.
- If you are going to configure an isolated VLAN, you must first configure the primary VLAN and the PVLAN trunk port.
If you complete your configuration steps in the order shown, you will not violate these PVLAN rules. To configure a private VLAN to span multiple switches:
- Set the name and VLAN ID (802.1Q tag) for the primary VLAN:

      [edit vlans]
      user@switch# set primary-vlan-name vlan-id vlan-id-number

- Configure the VLAN to be private:

      [edit vlans]
      user@switch# set primary-vlan-name pvlan

- Configure the trunk interfaces for the primary VLAN.

- Add the trunk interfaces to the primary VLAN:

      [edit vlans]
      user@switch# set primary-vlan-name interface interface-name

- Configure the access interfaces for the community (secondary) VLANs:

      [edit interfaces]
      user@switch# set interface-name unit 0 family ethernet-switching port-mode access

- Add the access interfaces to the community VLANs:

      [edit vlans]
      user@switch# set community-vlan-name interface interface-name

- For each community VLAN, set the primary VLAN:

      [edit vlans]
      user@switch# set community-vlan-name primary-vlan primary-vlan-name

- Configure an isolated VLAN ID to create an interswitch isolated domain that spans the switches:

      [edit vlans]
      user@switch# set primary-vlan-name isolation-vlan-id number

- Configure isolated ports:

      [edit vlans]
      user@switch# set primary-vlan-name interface interface-name isolated
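The procedure above assembled on one switch with concrete values, as an added example that is not part of the original documentation: the VLAN names (pvlan100, comm-finance, comm-hr), the tag 100, the isolation VLAN ID 50 and the interface names are constructed, and the `port-mode trunk` statement for the interswitch trunk is assumed by analogy with the access-port statement shown in the procedure. Lines beginning with `#` are explanatory comments, not configuration.

```junos
# Constructed example values; pvlan100 is the tagged primary VLAN (rule: primary must be tagged)
set vlans pvlan100 vlan-id 100
set vlans pvlan100 pvlan

# Interswitch PVLAN trunk: configure it before any community or isolated VLAN (assumed trunk statement)
set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk
set vlans pvlan100 interface xe-0/1/0.0

# Community VLAN names exist beforehand (prerequisite); no vlan-id is needed for them
set vlans comm-finance
set vlans comm-hr

# Access ports for community hosts, then membership in their community VLAN
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set vlans comm-finance interface ge-0/0/1.0
set vlans comm-hr interface ge-0/0/2.0

# Bind each community VLAN to its primary VLAN
set vlans comm-finance primary-vlan pvlan100
set vlans comm-hr primary-vlan pvlan100

# Isolation VLAN ID identifies the interswitch isolated domain; repeat the same value on the other switches
set vlans pvlan100 isolation-vlan-id 50

# Isolated port: its host cannot reach other isolated hosts or the community hosts, only the primary VLAN side
set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode access
set vlans pvlan100 interface ge-0/0/5.0 isolated
```

After committing, `show vlans` lists the community and isolated VLANs under the primary VLAN, which is the quickest way to confirm that each secondary VLAN was attached to pvlan100 rather than left as a standalone VLAN.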