Configuration notes for pvlans and standard vlans – Brocade FastIron Ethernet Switch Platform and Layer 2 Switching Configuration Guide User Manual

Page 414

Configuration notes for PVLANs and standard VLANs

• PVLANs are supported on untagged ports on all FastIron platforms. PVLANs are also supported on tagged ports on devices other than FSX, ICX 6430 and ICX 6430-C12.

• Normally, in any port-based VLAN, the Brocade device floods unknown unicast, unregistered multicast, and broadcast packets in hardware, although selective packets, such as IGMP, may be sent only to the CPU for analysis, based on the IGMP snooping configuration. When protocol or subnet VLANs are enabled, or if PVLAN mappings are enabled, the Brocade device will flood unknown unicast, unregistered multicast, and broadcast packets in software. The flooding of broadcast or unknown unicast from the community or isolated VLANs to other secondary VLANs will be governed by the PVLAN forwarding rules. The switching is done in hardware and thus the CPU does not enforce packet restrictions. The hardware forwarding behavior is supported on the FCX, ICX 6650, ICX 6610, ICX 6450, ICX 6430, ICX 6650, ICX 6430-C12 and ICX 6450-C12 platforms.

• There is currently no support for IGMP snooping within PVLANs. In order for clients in PVLANs to receive multicast traffic, IGMP snooping must be disabled so that all multicast packets are treated as unregistered packets and are flooded in software to all the ports.

• The FastIron forwards all known unicast traffic in hardware. This differs from the way the BigIron implements PVLANs, in that the BigIron uses the CPU to forward packets on the primary VLAN "promiscuous" port. In addition, on the BigIron, support for the hardware forwarding sometimes results in multiple MAC address entries for the same MAC address in the device MAC address table. On the FastIron, multiple MAC entries do not appear in the MAC address table because the FastIron transparently manages multiple MAC entries in hardware.

• To configure a PVLAN, configure each of the component VLANs (isolated, community, and public) as a separate port-based VLAN:

  - Use standard VLAN configuration commands to create the VLAN and add ports.

  - Identify the PVLAN type (isolated, community, or public).

  - For the primary VLAN, map the other PVLANs to the ports in the primary VLAN.

• A primary VLAN can have multiple ports. All these ports are active, but the ports that will be used depend on the PVLAN mappings. Also, secondary VLANs (isolated and community VLANs) can be mapped to more than one primary VLAN port.

• You can configure PVLANs and dual-mode VLAN ports on the same device. However, the dual-mode VLAN ports cannot be members of PVLANs.

• VLAN identifiers configured as part of a PVLAN (primary, isolated, or community) should be consistent across the switched network. The same VLAN identifiers cannot be configured as a normal VLAN or a part of any other PVLAN.

• Promiscuous and switch-switch link ports are member ports of the primary VLAN only. All switch-switch link ports are tagged ports.

• Member ports of isolated and community VLANs cannot be member ports of any other VLAN.

• VLAN classification is performed for all ports in primary and community VLANs based on the PVLAN ID (PVID) only (no VLAN classification by port, protocol, ACL and so on, if any). For isolated VLAN ports there is no classification at all (not even on PVLAN ID).

• PVST, when needed in PVLANs, should be enabled on all (primary and secondary) private VLANs.
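
The membership and mapping rules in the notes above can be checked mechanically before a change is pushed to a switch. The following is an added example, not code from the Brocade guide: the inventory data model, the function name audit_pvlans, and the port names and VLAN IDs in SAMPLE are all assumptions made up for illustration.

```python
from collections import defaultdict

SECONDARY = {"isolated", "community"}
PVLAN_TYPES = SECONDARY | {"primary"}

def audit_pvlans(vlans, dual_mode_ports=frozenset()):
    """Return rule violations for a VLAN inventory (hypothetical data model).

    vlans: list of dicts with 'id', 'type' ('primary', 'isolated', 'community'
    or 'normal'), 'ports', and for primaries an optional 'mappings' dict of
    secondary VLAN id -> primary-VLAN ports it is mapped to.
    """
    findings, by_id, membership = [], {}, defaultdict(list)
    for v in vlans:
        if v["id"] in by_id:  # a PVLAN ID may not be reused for any other VLAN
            findings.append(f"VLAN {v['id']}: ID configured more than once")
        by_id[v["id"]] = v
        for port in v["ports"]:
            membership[port].append(v)
    for port, member_of in sorted(membership.items()):
        types = {v["type"] for v in member_of}
        if types & SECONDARY and len(member_of) > 1:  # secondary ports: one VLAN only
            ids = sorted(v["id"] for v in member_of)
            findings.append(f"{port}: isolated/community member port is in VLANs {ids}")
        if port in dual_mode_ports and types & PVLAN_TYPES:
            findings.append(f"{port}: dual-mode port is a PVLAN member")
    for v in vlans:
        for sec_id, ports in v.get("mappings", {}).items():
            sec = by_id.get(sec_id)
            if v["type"] != "primary" or sec is None or sec["type"] not in SECONDARY:
                findings.append(f"VLAN {v['id']}: invalid mapping of VLAN {sec_id}")
            for port in ports:  # mappings must point at ports of the primary VLAN
                if port not in v["ports"]:
                    findings.append(f"VLAN {v['id']}: mapped port {port} is not a primary member")
    return findings

# Constructed inventory: port names and VLAN IDs are made up for illustration.
SAMPLE = [
    {"id": 7, "type": "primary", "ports": ["1/1/2", "1/1/3"],
     "mappings": {901: ["1/1/2"], 902: ["1/1/4"]}},
    {"id": 901, "type": "community", "ports": ["1/1/5", "1/1/6"]},
    {"id": 902, "type": "isolated", "ports": ["1/1/7", "1/1/8"]},
    {"id": 20, "type": "normal", "ports": ["1/1/6", "1/1/9"]},
]

if __name__ == "__main__":
    for line in audit_pvlans(SAMPLE, dual_mode_ports={"1/1/8"}):
        print(line)
```

On the constructed inventory this reports three problems: a community port that is also in a normal VLAN, a dual-mode port inside an isolated VLAN, and a mapping to a port that is not a member of the primary VLAN.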

PVLAN support matrix

TABLE 57

Platform      Forwarding Type  Tagged Port  Untagged Port  ISL Port  Multiple Promiscuous Port
------------  ---------------  -----------  -------------  --------  -------------------------
ICX-6650      Hardware         Yes          Yes            Yes       Yes
ICX-6610      Hardware         Yes          Yes            Yes       Yes
ICX-6450      Hardware         Yes          Yes            Yes       Yes
ICX-6650 C12  Hardware         Yes          Yes            Yes       Yes

FastIron Ethernet Switch Platform and Layer 2 Switching Configuration Guide

53-1003086-04