
Generated by Jive on 2012-11-27-08:00

Brocade FastIron - Private VLANs
Background information
A private VLAN secures traffic between a primary port and host ports. Traffic between the
hosts and the rest of the network must travel through the primary port. This gives
fine-grained control over who can access what. You can, for example, define your ACLs on the
primary port to precisely define the interaction between hosts. This type of VLAN is generally
used by web hosting companies that own a public IP subnet they have to share with their
customers. The goal is to prevent inter-client access without needing to use a dedicated
VLAN (and thus subnet) for each client.

In the example below, the first port (3/2) is attached to a firewall. The next four ports (ports
3/5, 3/6, 3/9 and 3/10) are attached to hosts that rely on the firewall to secure traffic between
the hosts and the rest of the network. The hosts (3/5, 3/6) that are in a community private
VLAN can communicate with one another as well as through the firewall. The other two
hosts (3/9, 3/10) are in an isolated VLAN and thus can communicate only through the
firewall. The two hosts are secured from communicating with one another even though they
are in the same VLAN.


Equipment used
FastIron FCX that runs FCXS07100a.bin (Switch)
FastIron FCX that runs FCXR07100a.bin (Router)

Network Diagram

Configuration
Switch (Private VLANs)
!
vlan 7 name private_vlan by port
 untagged ethe 1/1/7
 pvlan type primary
 pvlan mapping 902 ethe 1/1/7
 pvlan mapping 901 ethe 1/1/7
!
vlan 901 name community_vlan by port
 untagged ethe 1/1/9 to 1/1/10
 pvlan type community
!
vlan 902 name isolated_vlan by port
 untagged ethe 1/1/11
 pvlan type isolated
!
pvlan-preference broadcast flood
pvlan-preference unknown-unicast flood
!
Router
!
interface ethernet 1/1/7
 ip address 192.168.7.1 255.255.255.0
!

Explanation
The configuration above only works for FastIron 07100 code and below. Please refer
to the latest configuration guide to make it work for 07200, and do not hesitate to publish
your solution! PVLAN functionality doesn't work on 7.2; Brocade is aware, as the issue
is logged as firmware 7.2.02d defect 364076 (PVLAN), opened in August 2011.

By default, the private VLAN does not forward broadcast or unknown-unicast packets from
outside sources into the private VLAN. The command pvlan-preference changes this default
behavior to allow such traffic, so that hosts behind the Primary port can be discovered.

Apart from this, you can see that the port 1/1/7 is the Primary port. Community and Isolated
private VLANs are mapped to this Primary port. The hosts connected to a Community VLAN
can talk to each other without going through the Primary port. The hosts connected to an
Isolated VLAN can only talk to the Primary port.
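As an added illustration (not part of the original document), the Python script below parses the switch configuration above, checks that every community and isolated VLAN is mapped on a primary VLAN, and derives which ports may exchange traffic under the rules just described. The config text is a constructed copy of the page's example; port 1/1/12 in the comments is a made-up port outside the private VLAN.

```python
import re
# Constructed sample: the switch configuration shown on this page, one command per line.
PVLAN_CONFIG = """\
vlan 7 name private_vlan by port
 untagged ethe 1/1/7
 pvlan type primary
 pvlan mapping 902 ethe 1/1/7
 pvlan mapping 901 ethe 1/1/7
vlan 901 name community_vlan by port
 untagged ethe 1/1/9 to 1/1/10
 pvlan type community
vlan 902 name isolated_vlan by port
 untagged ethe 1/1/11
 pvlan type isolated
"""

def expand_ports(spec):
    """Expand '1/1/9 to 1/1/10' into ['1/1/9', '1/1/10'] (range within one unit/slot assumed)."""
    m = re.fullmatch(r"(\d+/\d+/)(\d+)(?: to \d+/\d+/(\d+))?", spec.strip())
    first, last = int(m.group(2)), int(m.group(3) or m.group(2))
    return [f"{m.group(1)}{n}" for n in range(first, last + 1)]

def parse_pvlans(text):
    """Return {vlan_id: {'type': str, 'ports': [...], 'mappings': {secondary_id: [ports]}}}."""
    vlans, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"vlan (\d+) name", line):
            cur = vlans.setdefault(int(m.group(1)), {"type": None, "ports": [], "mappings": {}})
        elif m := re.match(r"(?:untagged|tagged) ethe (.+)", line):
            cur["ports"] += expand_ports(m.group(1))
        elif m := re.match(r"pvlan type (\w+)", line):
            cur["type"] = m.group(1)
        elif m := re.match(r"pvlan mapping (\d+) ethe (.+)", line):
            cur["mappings"][int(m.group(1))] = expand_ports(m.group(2))
    return vlans

def unmapped_secondaries(vlans):
    """Community/isolated VLANs no primary maps: their hosts could not reach the primary port."""
    mapped = {s for v in vlans.values() if v["type"] == "primary" for s in v["mappings"]}
    return sorted(i for i, v in vlans.items() if v["type"] in ("community", "isolated") and i not in mapped)

def can_talk(vlans, port_a, port_b):
    def membership(port):  # (vlan id, pvlan type) of the VLAN that owns this port
        return next(((i, v["type"]) for i, v in vlans.items() if port in v["ports"]), (None, None))
    (va, ta), (vb, tb) = membership(port_a), membership(port_b)
    if None in (ta, tb):
        return False   # port is not part of the private VLAN at all (e.g. made-up port 1/1/12)
    # Every host reaches the primary (firewall) port; community hosts also reach their own VLAN.
    return "primary" in (ta, tb) or (ta == tb == "community" and va == vb)
```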
