Networking Requirements

Figure 1. PVLAN Configuration Example

As shown in Figure 1, in an enterprise network, all employees are authorized to access the enterprise server. However, some employees within the enterprise should be able to communicate with each other, while others should be isolated from each other.

To achieve this, the PVLAN feature can be deployed on the switch that connects the terminals and the enterprise server. PVLAN not only meets the network isolation requirements, but also addresses the problem of VLAN ID shortage and is easy for the network administrator to maintain.

Complete the following configurations on the Switch:

Procedure

Step1         Create the secondary VLANs.

admin@XorPlus# set vlans vlan-id 2 private-vlan mode isolated
admin@XorPlus# set vlans vlan-id 3 private-vlan mode community

Step2         Create the primary VLAN.

admin@XorPlus# set vlans vlan-id 5 private-vlan mode primary

Step3         Associate the secondary VLANs with the primary VLAN.

admin@XorPlus# set vlans vlan-id 5 private-vlan association 2-3

Step4         Configure the ports connected to the hosts as the PVLAN host ports.

admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching port-mode pvlan-host
admin@XorPlus# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching port-mode pvlan-host
admin@XorPlus# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching port-mode pvlan-host
admin@XorPlus# set interface gigabit-ethernet ge-1/1/4 family ethernet-switching port-mode pvlan-host

Step5         Configure the port connected to the Server as the promiscuous port.

admin@XorPlus# set interface gigabit-ethernet te-1/1/1 family ethernet-switching port-mode pvlan-promiscuous

Step6         Add the host ports to the secondary VLANs and set the native VLAN of each host port to its secondary VLAN ID.

admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 2
admin@XorPlus# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 2
admin@XorPlus# set interface gigabit-ethernet ge-1/1/3 family ethernet-switching native-vlan-id 3
admin@XorPlus# set interface gigabit-ethernet ge-1/1/4 family ethernet-switching native-vlan-id 3

Step7         Add the promiscuous port to the primary VLAN and set the native VLAN of the promiscuous port to the primary VLAN ID.

admin@XorPlus# set interface gigabit-ethernet te-1/1/1 family ethernet-switching native-vlan-id 5

Step8         Commit the configurations.

admin@XorPlus# commit

Verify the Configuration

admin@Xorplus# run show vlans private-vlan
Primary   Secondary  Type            Tag         Interfaces
-------   ---------  -----------     --------    --------------------------
5                    primary         untagged    te-1/1/1                                                  
                                       tagged  
          2          isolated        untagged    ge-1/1/1, ge-1/1/2                                           
                                       tagged  
          3          community       untagged    ge-1/1/3, ge-1/1/4                                 
                                       tagged  
admin@Xorplus# run show vlans private-vlan type
Vlan Type
---- -----------
5    primary
2    isolated
3    community

The Server, Host A, Host B, Host C and Host D are on the same subnet.

Host A, Host B, Host C and Host D can communicate with the Server.

Host A and Host B cannot communicate with each other at Layer 2.

Host C and Host D can communicate with each other at Layer 2.

Host A and Host B cannot communicate with Host C and Host D at Layer 2.
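
The Layer 2 results listed above can be derived from the "run show vlans private-vlan" output itself. The following Python script is an added example, not part of the original documentation: it parses that output and lists the port pairs that must be blocked at Layer 2. It assumes a single primary VLAN, that ports listed on the primary row are promiscuous ports, and that only untagged members are present, as in this example; the function names are hypothetical.

```python
import re
from itertools import combinations

# Output copied from "Verify the Configuration" (trailing spaces trimmed).
SHOW_PVLAN = """\
Primary   Secondary  Type            Tag         Interfaces
-------   ---------  -----------     --------    --------------------------
5                    primary         untagged    te-1/1/1
                                       tagged
          2          isolated        untagged    ge-1/1/1, ge-1/1/2
                                       tagged
          3          community       untagged    ge-1/1/3, ge-1/1/4
                                       tagged
"""

# A data row: VLAN ID, PVLAN type, "untagged", then a comma-separated port list.
ROW = re.compile(r"^\s*(\d+)\s+(primary|isolated|community)\s+untagged\s*(.*)$")

def parse_pvlan(text):
    """Return {port: (vlan_id, pvlan_type)} built from the untagged rows."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            for port in m.group(3).split(","):
                if port.strip():
                    ports[port.strip()] = (int(m.group(1)), m.group(2))
    return ports

def l2_allowed(a, b):
    """PVLAN forwarding rule for two memberships in the same primary VLAN."""
    (vlan_a, type_a), (vlan_b, type_b) = a, b
    if "primary" in (type_a, type_b):   # assumption: primary row = promiscuous port
        return True
    if type_a == type_b == "community":  # community ports reach their own community only
        return vlan_a == vlan_b
    return False                         # isolated ports reach promiscuous ports only

def blocked_pairs(ports):
    """Sorted list of port pairs that must NOT reach each other at Layer 2."""
    return sorted(tuple(sorted(p)) for p in combinations(ports, 2)
                  if not l2_allowed(ports[p[0]], ports[p[1]]))

if __name__ == "__main__":
    for a, b in blocked_pairs(parse_pvlan(SHOW_PVLAN)):
        print(f"blocked at L2: {a} <-> {b}")
```

Run it against output collected after each configuration change; a pair that drops out of the blocked list means a port has moved out of its isolated or community VLAN.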