Flow of Frames on PVLAN Ports Overview
This topic describes how traffic that enters the different PVLAN ports, such as promiscuous, isolated, and interswitch link ports, is processed. Sample configuration scenarios are used to describe the transmission and processing of packets.
Assume a sample deployment in which a primary VLAN named Vp contains the ports p1, p2, t1, t2, i1, i2, cx1, and cx2. The port types of these configured ports are as follows:
Promiscuous ports = p1, p2
ISL ports = t1, t2
Isolated ports = i1, i2
Community VLAN = Cx
Community ports = cx1, cx2
Bridge domains are provisioned for each of the VLANs, namely, Vp, Vi, and Vcx. Assume the bridge domains to be configured as follows:
Vp—BD_primary_Vp (ports contained are p1, t1, i1, i2, cx1, cx2)
Vi—BD_isolate_Vi (ports contained are p1, t1, *i1, *i2)
Vcx—BD_community_Vcx (ports contained are p1, t1, cx1, cx2)
The bridge domains for community, primary, and isolated VLANs are automatically created by the system internally when you configure a bridge domain with a trunk interface, access interface, or interswitch link. The bridge domains contain the same VLAN ID corresponding to the VLANs. To use bridge domains for PVLANs, you must configure the following additional attributes:
Ingress Traffic on Isolated Ports
Consider an ingress port, i1. i1 is mapped to a bridge domain named BD_isolate_Vi. BD_isolate_Vi does not have any isolated ports as an egress member. Frames can only be sent in the egress direction on p1 and t1. When a frame is sent out on p1, it is tagged with the tag of Primary VLAN Vp. A VLAN translation of Vi to Vp is performed. When a frame is propagated out of t1, it is tagged with the tag Vi.
Ingress Traffic on Community ports
Consider cx1 as the ingress port. cx1 is mapped to bridge domain BD_community_Vcx. Because of the VLAN membership of the bridge domain, frames can be sent out of p1, t1, cx1, and cx2. When a frame goes out on p1, it is tagged with the tag of primary VLAN Vp (VLAN translation). When a frame goes out of t1, it is tagged with tag Vcx.
Ingress Traffic on Promiscuous Ports
Consider a promiscuous port p1 as the ingress port. p1 is mapped to bridge domain BD_primary_Vp. Frames can go out of any member port. When a frame goes out of t1, it is tagged with tag Vp. If another promiscuous port exists, that frame is also sent out with Vp.
Ingress Traffic on Interswitch Links
With the VLAN tag Vp, assume that the ingress port t1 is mapped to bridge domain BD_primary_Vp. Frames can go out of any member port. When a frame goes out of p1, it is tagged with tag Vp.
With the VLAN tag Vi, t1 is mapped to bridge domain BD_isolate_Vi. The frame cannot egress isolated ports because they are ingress-only members of BD_isolate_Vi. When a frame goes out on p1, it is tagged with the tag of primary VLAN Vp (VLAN translation). When a frame goes out of any other trunk port, it contains the Vi tag.
With the VLAN tag Vcx, t1 is mapped to BD_community_Vcx. Frames can go out of p1, t1, cx1, and cx2. When a frame goes out on p1, it is tagged with the tag of primary VLAN Vp (VLAN translation).
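The four ingress cases above can be checked against a small model of the sample deployment. The following Python code is an added example, not Juniper code: the bridge-domain membership is copied from the lists above, the function and variable names are hypothetical, and it assumes that a frame is never sent back out of its ingress port and that an ISL frame with an unknown tag is dropped.

```python
# Added model of the sample deployment; membership is copied from the page.
# "ingress_only" marks the starred ports (*i1, *i2) of BD_isolate_Vi.
BRIDGE_DOMAINS = {
    "BD_primary_Vp": {"vlan": "Vp", "members": ["p1", "t1", "i1", "i2", "cx1", "cx2"], "ingress_only": set()},
    "BD_isolate_Vi": {"vlan": "Vi", "members": ["p1", "t1", "i1", "i2"], "ingress_only": {"i1", "i2"}},
    "BD_community_Vcx": {"vlan": "Vcx", "members": ["p1", "t1", "cx1", "cx2"], "ingress_only": set()},
}
PROMISCUOUS, ISL = {"p1"}, {"t1"}
PORT_BD = {"p1": "BD_primary_Vp", "i1": "BD_isolate_Vi", "i2": "BD_isolate_Vi",
           "cx1": "BD_community_Vcx", "cx2": "BD_community_Vcx"}
TAG_BD = {bd["vlan"]: name for name, bd in BRIDGE_DOMAINS.items()}


def classify(port, tag=None):
    """Map an ingress frame to its bridge domain; None means drop."""
    if port in ISL:
        return TAG_BD.get(tag)  # ISL: the VLAN tag selects the bridge domain
    return PORT_BD.get(port)


def egress(port, tag=None):
    """Return {egress_port: tag}; tag is None where the page states none."""
    name = classify(port, tag)
    if name is None:
        return {}  # assumption: unknown port or unknown ISL tag is dropped
    bd = BRIDGE_DOMAINS[name]
    out = {}
    for member in bd["members"]:
        # Assumption: a frame is never sent back out of its ingress port.
        if member == port or member in bd["ingress_only"]:
            continue
        if member in PROMISCUOUS:
            out[member] = "Vp"        # translated to the primary VLAN tag
        elif member in ISL:
            out[member] = bd["vlan"]  # keeps the bridge domain's own tag
        else:
            out[member] = None
    return out


def isolation_violations():
    """Isolated-VLAN frames that would reach an isolated or community port."""
    guarded = {"i1", "i2", "cx1", "cx2"}
    sources = [("i1", None), ("i2", None), ("t1", "Vi")]
    return [(src, dst) for src, tag in sources
            for dst in egress(src, tag) if dst in guarded]
```

An empty result from `isolation_violations()` confirms that traffic in the isolated VLAN only ever leaves through the promiscuous port or the interswitch link.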
Packet Forwarding in PVLANs
Consider a primary VLAN with the following configuration of ports:
Port Type | Ports |
---|---|
Promiscuous | P1, P2 |
Inter Switch Link | L1, L2 |
Isolated | I1, I2 |
Community1 | C11, C12 |
Community2 | C21, C22 |
Internally, the system creates one global bridge domain, called the primary VLAN BD, that consists of all the ports. It also defines one isolation bridge domain that consists of all the isolated ports in addition to the promiscuous and ISL ports, and one bridge domain per community that consists of the community ports in addition to the promiscuous and ISL ports. The bridge domains with the PVLAN ports are as follows:
Bridge Domain | Ports |
---|---|
Primary VLAN BD | P1, P2, L1, L2, I1, I2, C11, C12, C21, C22 |
Isolated BD | I1, I2, P1, P2, L1, L2 |
Community1 BD | C11, C12, P1, P2, L1, L2 |
Community2 BD | C21, C22, P1, P2, L1, L2 |
The following PVLAN forwarding events take place among these ports with the appropriate VLAN translation as described in the following table:
Port Type To: → From: ↓ | Isolated | Community | Promiscuous | Inter-switch Link |
---|---|---|---|---|
Isolated | Dropped | Dropped | Primary VLAN tag to Isolation VLAN tag. | If received with the primary VLAN tag, translate to the isolation VLAN tag; else dropped |
Promiscuous | Dropped | No translation if it is the same community; else dropped. | Primary VLAN tag to Community VLAN tag. | If received with primary VLAN tag, translate to community VLAN tag; else no translation if received with same community VLAN; else dropped. |
Community | Isolated VLAN tag to Primary VLAN tag | Community VLAN tag to Primary VLAN tag | No translation | If received with isolation or community VLAN tag, translate to Primary VLAN tag; else no translation |
Interswitch Link | No translation | No translation | No translation | No translation |