Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Understanding Private VLANs on a Junos Fusion Enterprise

This topic describes private VLANs (PVLANs) in a Junos Fusion Enterprise.

This topic covers:

PVLANs on a Junos Fusion Enterprise Overview

Junos Fusion Enterprise (JFE) supports private VLANs (PVLANs). PVLANs on a Junos Fusion Enterprise are an extension of PVLANs on standalone switches that enables PVLANs on extended ports on satellite devices.

PVLANs are useful for restricting the flow of broadcast and unknown unicast traffic and for limiting the known communication between known hosts. PVLAN is a standard introduced by RFC 5517 to achieve port or device isolation in a Layer 2 VLAN by partitioning a VLAN broadcast domain (also called a primary VLAN) into smaller subdomains (also called secondary VLANs).

PVLANs can be used for such purposes as:

  • To help ensure the security of service providers sharing a server farm

  • To provide security to subscribers of various service providers sharing a common metropolitan area network

  • To achieve isolation within the same subnet in a very large enterprise network

In a Junos Fusion Enterprise, PVLANs can be configured on ports belonging to the aggregation device or to an extended port on a satellite device.

PVLAN concepts for standalone switches apply to PVLANs on a Junos Fusion Enterprise. See Understanding Private VLANs.


Some “Guidelines and Restrictions for PVLANs” in Understanding Private VLANs, however, do not apply to PVLANs on a Junos Fusion Enterprise for the following reasons:

Understanding the Configuration of PVLANs in a Junos Fusion Enterprise

Like all features in a Junos Fusion Enterprise, PVLANs are configured from the aggregation devices.

Junos Fusion Enterprise PVLAN topologies support the following:

  • Multiple satellite devices can be clustered into a group and cabled into the JFE as a group instead of as individual satellite devices.

  • Aggregation device native ports (that is, ports on the aggregation device that are not acting as cascade ports) or satellite device extended ports can act as promiscuous ports, isolated ports, or community VLAN ports. See Understanding Private VLANs for definitions of PVLAN port types. These port types are also described in RFC 5517.

  • The promiscuous port can be attached to a core switch or router through physical interfaces or aggregated links.

  • PVLANs are supported in dual aggregation device JFEs.

Best Practice:

We recommend the following configuration guidelines for PVLANs in a Junos Fusion Enterprise:

  • In a dual-aggregation device JFE, we recommend that you use the interchassis link (ICL) as the inter-switch link for PVLAN inter-switching. Although any port link in the JFE could serve as the inter-switch link, the high-bandwidth requirements on the inter-switch link make the ICL the best choice.

  • PVLAN ports can span across the switches in the JFE. We recommend that you interconnect 10-gigabit or 40-gigabit ports as they provide the high bandwidth needed for PVLAN trunk traffic.

Limitations for PVLANs on a Junos Fusion Enterprise

Consider the following limitations when you configure PVLANs on a Junos Fusion Enterprise:

  • PVLANs on a JFE do not work if local switching is enabled on satellite devices.

  • You cannot change the role of a PVLAN bridge domain from primary VLAN to secondary VLAN or the reverse in a single commit cycle.

  • Protocols configured per VLAN cannot be configured on secondary VLANs. Secondary VLANs inherit protocol configurations from the primary VLAN.