Technical Documentation
New
EX Series Search
Related Documentation
Understanding Private VLANs on EX Series Switches
The private VLAN (PVLAN) feature on Juniper Networks EX Series Ethernet Switches allows an administrator to split a broadcast domain into multiple isolated broadcast subdomains, essentially putting a VLAN inside a VLAN. A PVLAN consists of a primary VLAN with other VLANs nested inside it as secondary VLANs. Just like regular VLANs, PVLANs are isolated on Layer 2 and require that a Layer 3 device be used to route traffic among them. PVLANs are useful for restricting the flow of broadcast and unknown unicast traffic and for limiting the communication between known hosts.
A PVLAN can be created on a single switch or can be configured to span multiple switches.
 | Note: You can configure the PVLAN to span different lines of supported switches. See the EX Series Switch Software Features Overview for a list of switches that support this feature. |
| Note: Configuring a voice over IP (VoIP) VLAN on PVLAN interfaces is not supported. |
This topic explains the following concepts regarding PVLANs on EX Series switches:
PVLAN Broadcast Domains
A PVLAN is designated the primary VLAN, and other VLANs are nested inside that VLAN as secondary VLANs. The types of PVLAN broadcast domains are:
- Primary VLAN—VLAN used to forward frames downstream to isolated and community VLANs.
- Isolated VLAN—(When a PVLAN is configured on only one switch) A secondary VLAN that receives packets only from the primary VLAN and forwards frames upstream to the primary VLAN.
- Inter-switch isolated VLAN—(When a PVLAN is configured to span multiple switches) A secondary (internal) VLAN that is used to forward isolated VLAN traffic from one switch to another through pvlan-trunk ports.
- Community VLAN—A secondary VLAN that transports frames among community interfaces within the same community and forwards frames upstream to the primary VLAN.
802.1Q Tags Within PVLANs
The primary VLAN of the PVLAN must be associated with an 802.1Q tag regardless of whether the PVLAN is configured on a single switch or is configured to span multiple switches. However, you do not need 802.1Q tags for secondary VLANs when a PVLAN is configured on a single switch.
When a PVLAN spans multiple switches:
- Specify an 802.1Q tag for each community VLAN by setting vlan-id.
- Specify the 802.1Q tag for the inter-switch isolated VLAN by setting isolation-id.
Figure 1 shows a PVLAN spanning multiple switches, where the primary VLAN (100) contains two community domains (300 and 400) and one inter-switch isolated domain.
Figure 1: PVLAN Spanning Multiple Switches
PVLAN Ethernet Switch Ports
PVLANs can have the following types of switch ports:
- Promiscuous port—An upstream (trunk) port that is connected to the routers or shared resources. These ports have Layer 2 connectivity to all the other ports on the switch, including the isolated ports.
- Community port—An access port that belongs to a community. These ports have Layer 2 connectivity with other ports in the same community.
- Isolated port—An access port that is isolated from the other ports on the switch. Isolated ports have Layer 2 connectivity only with promiscuous ports and PVLAN trunk ports. An isolated port cannot communicate with another isolated port even if they are members of the same isolated VLAN (or inter-switch isolated VLAN) domain. Typically, a server (such as a mail server or a backup server) is connected on this type of port.
- PVLAN trunk port—A trunk port that connects two
switches when a PVLAN is configured spanning those switches. The PVLAN
trunk port is a member of all the VLANs within the PVLAN (that is,
the primary VLAN, the community VLANs, and the inter-switch isolated
VLAN). It can communicate with all ports other than the isolated ports.
The membership of the PVLAN trunk port in the inter-switch isolated VLAN is “egress-only”. Incoming traffic on the PVLAN trunk port will never get assigned to the inter-switch isolated VLAN. The communication between a PVLAN trunk port and an isolated port is unidirectional. An isolated port can forward packets to a PVLAN trunk port, but a PVLAN trunk port cannot forward packets to an isolated port.
Table 1 summarizes the Layer 2 connectivity between the different types of ports.
Table 1: PVLAN Ports and Layer 2 Connectivity
Port Mode | Promiscuous Port | Community Port | Isolated Port | PVLAN Trunk Port |
|---|---|---|---|---|
Promiscuous Port | Can communicate. | Can communicate. | Can communicate. | Can communicate. |
Community Port | Can communicate. | Can communicate within the same community. | Cannot communicate. | Can communicate. |
Isolated Port | Can communicate. | Cannot communicate. | Cannot communicate. | Can communicate. Note: This communication is unidirectional. |
PVLAN Trunk Port | Can communicate. | Can communicate within the same community. | Cannot communicate. | Can communicate. |
| Note: If you enable no-mac-learning on a primary VLAN, all isolated VLANs (or the inter-switch isolated VLAN) in the PVLAN inherit that setting. However, if you want to disable MAC address learning on any of the community VLANs, you must configure no-mac-learning on each of those VLANs. |
PVLANs’ Efficient Use of IP Addresses
PVLANs provide IP address conservation and efficient allocation of IP addresses. In a typical network, VLANs usually correspond to a single IP subnet. In private VLANs, the hosts in all the secondary VLANs still belong to the same IP subnet as the subnet allocated to the primary VLAN. Hosts within the secondary VLAN are numbered based on IP subnets associated with the primary VLAN, and their IP subnet masking information reflects that of the primary VLAN subnet.
