Creating a Private VLAN Spanning Multiple EX Series Switches (CLI Procedure)
For security reasons, it is often useful to restrict the flow of broadcast and unknown unicast traffic and to even limit the communication between known hosts. The private VLAN (PVLAN) feature on EX Series switches enables an administrator to split a broadcast domain, also known as a primary VLAN, into multiple isolated broadcast subdomains, also known as secondary VLANs. Splitting the primary VLAN into secondary VLANs essentially nests a VLAN inside another VLAN. This topic describes how to configure a PVLAN to span multiple switches.
Before you begin, configure names for all secondary VLANs that will be part of the primary VLAN. (Unlike the secondary VLANs, you do not need to preconfigure the primary VLAN—this procedure provides the complete configuration of the primary VLAN.) For instructions on configuring the secondary VLANs, see Configuring VLANs for EX Series Switches.
The following rules apply to creating PVLANs:
The primary VLAN must be a tagged VLAN.
You must configure the primary VLAN and the PVLAN trunk port before configuring the secondary VLANs.
Configuring a VoIP VLAN on PVLAN interfaces is not supported.
If the Multiple VLAN Registration Protocol (MVRP) is configured on the PVLAN trunk port, the configuration of secondary VLANs and the PVLAN trunk port must be committed with the same commit operation.
To configure a private VLAN to span multiple switches:
- Configure a name and an 802.1Q tag for the primary VLAN:.
user@switch# set primary-vlan-name vlan-id number
- Set the primary VLAN to have no local switching:
user@switch# set primary-vlan-name no-local-switching
- Set the PVLAN trunk interface that will connect the primary
VLAN to the neighboring switch:
user@switch# set primary-vlan-name interface interface-name pvlan-trunk
- Configure a name and 802.1Q tag for a community VLAN that
spans the switches:
user@switch# set community-vlan-name vlan-id number
- Add access interfaces to the community VLAN:
user@switch# set community-vlan-name interface interface-name
- Specify the primary VLAN of the specified community VLAN:
user@switch# set community-vlan-name primary-vlan primary-vlan-name
- Add the isolated interface to the specified primary VLAN:
user@switch# set primary-vlan-name interface interface-name
To configure an isolated interface, include it as one of the members of the primary VLAN, but do not configure it as belonging to one of the community VLANs.
- Set the 802.1Q tag of the interswitch isolated VLAN:
user@switch# set primary-vlan-name isolation-id number
802.1Q tags are required for interswitch isolated VLANs because IEEE 802.1Q uses an internal tagging mechanism by which a trunking device inserts a 4-byte VLAN frame identification tab into the packet header.
To optionally enable routing between isolated and community VLANs by using a routed VLAN interface (RVI) instead of a promiscuous port connected to a router, see Configuring a Routed VLAN Interface in a Private VLAN on an EX Series Switch.
Only an EX8200 switch or EX8200 Virtual Chassis support the use of an RVI to route Layer 3 traffic between isolated and community VLANs in a PVLAN domain.