Configuration notes for PVLANs and standard VLANs

  • PVLANs are supported on untagged ports on all FastIron platforms.
  • Normally, in any port-based VLAN, the Brocade device floods unknown unicast, unregistered multicast, and broadcast packets in hardware, although selective packets, such as IGMP, may be sent only to the CPU for analysis, based on the IGMP snooping configuration. When protocol is enabled, or if PVLAN mappings are enabled, the Brocade device will flood unknown unicast and unregistered multicast packets in software. The flooding of broadcast or unknown unicast from the community or isolated VLANs to other secondary VLANs will be governed by the PVLAN forwarding rules. The switching is done in hardware and thus the CPU does not enforce packet restrictions.
  • FastIron devices forward broadcast, unregistered-multicast, and unknown unicast traffic in hardware if PVLAN mappings are enabled. When PVLAN mappings are enabled, multiple MAC entries for the same MAC do not appear in the MAC table; instead, all the MAC entries are learned in the primary VLAN.
  • To configure a PVLAN, configure each of the component VLANs (isolated, community, and primary) as a separate port-based VLAN:
    • Use standard VLAN configuration commands to create the VLAN and add ports.
    • Identify the PVLAN type (isolated, community, or public).
    • For the primary VLAN, map the other secondary PVLANs to the ports in the primary VLAN.
  • A primary VLAN can have multiple ports. All these ports are active, but the ports that will be used depend on the PVLAN mappings. Also, secondary VLANs (isolated and community VLANs) can be mapped to more than one primary VLAN port.
  • You can configure PVLANs and dual-mode VLAN ports on the same device. However, the dual-mode VLAN ports, other than those which are dual-mode in the system default VLAN, can be member ports in a PVLAN domain.
  • VLAN identifiers configured as part of a PVLAN (primary, isolated, or community) should be consistent across the switched network. The same VLAN identifiers cannot be configured as a normal VLAN or a part of any other PVLAN.
  • Dual-mode ports are supported in a private VLAN domain. However, since ISL ports can only be tagged ports, they cannot be enabled on dual-mode ports.
  • Member ports in a private VLAN domain can be extended to other domains as long as they belong to the same private VLAN type. Refer to the "Possible configurations allowed in a PVLAN" table for the allowed configurations in a PVLAN. All user configurations beyond the scope of the table will either not be allowed or will generate a warning message.
  • PVST, when needed in PVLANs, should be enabled on all (primary and secondary) private VLANs across switches.
  • LAG is not supported in any PVLAN.
  • Port MAC security is not supported on ports in a private VLAN domain.
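
The configuration steps in the notes above (create each component VLAN as a port-based VLAN, set its PVLAN type, then map the secondary VLANs on the primary VLAN's port), shown as an added FastIron CLI session. This example is not part of the original page; the VLAN IDs (7, 901, 902), the port numbers and the device prompt are constructed for illustration.

```text
! Constructed example: VLAN IDs and port numbers are illustrative only.

! Community VLAN: a secondary VLAN created as an ordinary port-based VLAN.
device(config)# vlan 901 by port
device(config-vlan-901)# untagged ethernet 1/1/5 to 1/1/6
device(config-vlan-901)# pvlan type community
device(config-vlan-901)# exit

! Isolated VLAN: the second secondary VLAN, created the same way.
device(config)# vlan 902 by port
device(config-vlan-902)# untagged ethernet 1/1/9 to 1/1/10
device(config-vlan-902)# pvlan type isolated
device(config-vlan-902)# exit

! Primary VLAN: the mappings decide which primary port each
! secondary VLAN is forwarded to.
device(config)# vlan 7 by port
device(config-vlan-7)# untagged ethernet 1/1/2
device(config-vlan-7)# pvlan type primary
device(config-vlan-7)# pvlan mapping 901 ethernet 1/1/2
device(config-vlan-7)# pvlan mapping 902 ethernet 1/1/2
device(config-vlan-7)# exit
```

Per the notes above, the three VLAN IDs used here cannot also be configured as a normal VLAN or as part of another PVLAN elsewhere in the switched network, and none of these ports can belong to a LAG or have port MAC security enabled.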
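
Table 34 PVLAN support matrix

| Platform | Forwarding Type | Tagged Port | Untagged Port | ISL Port | Multiple Promiscuous Port |
|----------|-----------------|-------------|---------------|----------|---------------------------|
| ICX 7250 | Hardware        | Yes         | Yes           | Yes      | Yes                       |
| ICX 7450 | Hardware        | Yes         | Yes           | Yes      | Yes                       |
| ICX 7750 | Hardware        | Yes         | Yes           | Yes      | Yes                       |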