BigIron RX Series Configuration Guide 31553-1002253-01
Private VLANs

• Isolated – Broadcasts and unknown unicasts received on isolated ports are sent only to the primary port. They are not flooded to other ports in the isolated VLAN.
• Community – Broadcasts and unknown unicasts received on community ports are sent to the primary port and also are flooded to the other ports in the community VLAN.

Each private VLAN must have a primary VLAN. The primary VLAN is the interface between the secured ports and the rest of the network. The private VLAN can have any combination of community and isolated VLANs. (Refer to “Configuration rules” on page 316.)

Table 66 lists the differences between private VLANs and standard VLANs.

Implementation notes

• The private VLAN implementation in the current release uses the CPU for forwarding packets on the primary VLAN’s “promiscuous” port. Other forwarding is performed in the hardware. Support for the hardware forwarding in this feature sometimes results in multiple MAC address entries for the same MAC address in the device’s MAC address table. In this case, each of the entries is associated with a different VLAN. The multiple entries are a normal aspect of the implementation of this feature and do not indicate a software problem.
• By default, the primary VLAN does not forward broadcast or unknown unicast packets into the private VLAN. You also can use MAC address filters to control traffic forwarded into and out of the private VLAN. If you are implementing the private VLAN on a Layer 2 Switch, you also can use ACLs to control the traffic into and out of the private VLAN.

Configuration notes

• When Private VLAN mappings are enabled, the BigIron RX forwards unknown unicast, unknown multicast, and broadcast packets in software. By default, the device forwards unknown unicast, unknown multicast, and broadcast packets in hardware.
• Release 02.4.00 supports private VLANs on untagged ports only. You cannot configure isolated, community, or primary VLANs on 802.1Q tagged ports.
• The device forwards all known unicast traffic in hardware. On the BigIron RX, multiple MAC entries do not appear in the MAC address table because the device transparently manages multiple MAC entries in hardware.
• There is currently no support for IGMP Snooping within Private VLANs. In order to let clients in Private VLANs get multicast traffic, IGMP Snooping must be disabled, so that all multicast packets are treated as unregistered multicast packets and get flooded in software to all the ports.
• You can configure private VLANs and dual-mode VLAN ports on the same device. However, the dual-mode VLAN ports cannot be members of Private VLANs.

TABLE 66 Comparison of private VLANs and standard port-based VLANs

Forwarding behavior                                                                  | Private VLANs                              | Standard VLANs
All ports within a VLAN constitute a common Layer 2 broadcast domain                 | No                                         | Yes
Broadcasts and unknown unicasts are forwarded to all the VLAN’s ports by default     | No (isolated VLAN); Yes (community VLAN)   | Yes
Known unicasts                                                                       | Yes                                        | Yes
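The flooding rules above (isolated ports reach only the primary port, community ports also reach their own community, the primary port does not flood into the private VLAN by default) and the software-versus-hardware split from the configuration notes can be checked against a small forwarding model. The following Python is an added example written for this page; it is not BigIron RX code. The port names, MAC addresses and topology are constructed, and the way known unicast is restricted to the same isolation boundary (the `may_talk` rule) is an assumption, since the page only states that known unicast is forwarded in hardware.

```python
"""Toy model of the private VLAN forwarding rules described on this page.
Constructed example; it is not BigIron RX code, and the port names,
MAC addresses and topology below are made up."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class PortType(Enum):
    PRIMARY = "primary"      # the "promiscuous" port toward the rest of the network
    ISOLATED = "isolated"    # reaches only the primary port
    COMMUNITY = "community"  # reaches the primary port and its own community


@dataclass
class Port:
    name: str
    ptype: PortType
    community: Optional[int] = None  # community VLAN id, COMMUNITY ports only


BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class PrivateVlan:
    ports: Dict[str, Port]
    # Page: by default the primary VLAN does not forward broadcast or
    # unknown unicast packets into the private VLAN.
    primary_floods_into_private: bool = False
    mac_table: Dict[str, str] = field(default_factory=dict)  # MAC -> port name

    def primaries(self) -> Set[str]:
        return {p.name for p in self.ports.values() if p.ptype is PortType.PRIMARY}

    def flood_targets(self, src: Port) -> Set[str]:
        """Ports a broadcast or unknown unicast arriving on `src` is flooded to."""
        if src.ptype is PortType.ISOLATED:
            return self.primaries()                      # never other isolated ports
        if src.ptype is PortType.COMMUNITY:
            peers = {p.name for p in self.ports.values()
                     if p.ptype is PortType.COMMUNITY and p.community == src.community}
            return (self.primaries() | peers) - {src.name}
        if not self.primary_floods_into_private:
            return set()  # stays on the network side of the primary port (not modelled)
        return set(self.ports) - {src.name}

    def may_talk(self, a: Port, b: Port) -> bool:
        """Assumption (not stated on the page): known unicast honours the same
        isolation boundary that the flooding rules describe."""
        if PortType.PRIMARY in (a.ptype, b.ptype):
            return True
        return (a.ptype is PortType.COMMUNITY and b.ptype is PortType.COMMUNITY
                and a.community == b.community)

    def forward(self, ingress: str, src_mac: str, dst_mac: str) -> Tuple[Set[str], str]:
        """Return (egress ports, forwarding path) for one frame.

        Path is "software" for broadcast/unknown unicast (the page says these
        go through the CPU once private VLAN mappings exist) and "hardware"
        for known unicast. An empty egress set means the frame is dropped."""
        src = self.ports[ingress]
        self.mac_table[src_mac] = ingress                # source MAC learning
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            return self.flood_targets(src), "software"
        egress = self.ports[self.mac_table[dst_mac]]
        if egress.name == ingress or not self.may_talk(src, egress):
            return set(), "hardware"
        return {egress.name}, "hardware"


def build_example() -> PrivateVlan:
    """Constructed topology: one primary (uplink) port, two isolated ports,
    two ports in community 10 and one port in community 20."""
    ports = [
        Port("uplink", PortType.PRIMARY),
        Port("iso1", PortType.ISOLATED), Port("iso2", PortType.ISOLATED),
        Port("c1a", PortType.COMMUNITY, 10), Port("c1b", PortType.COMMUNITY, 10),
        Port("c2a", PortType.COMMUNITY, 20),
    ]
    return PrivateVlan({p.name: p for p in ports})


if __name__ == "__main__":
    pv = build_example()
    print("iso1 broadcast   ->", pv.forward("iso1", "00:00:00:00:00:01", BROADCAST))
    print("c1a broadcast    ->", pv.forward("c1a", "00:00:00:00:00:02", BROADCAST))
    print("uplink broadcast ->", pv.forward("uplink", "00:00:00:00:00:ff", BROADCAST))
    print("c1b -> c1a known ->", pv.forward("c1b", "00:00:00:00:00:03", "00:00:00:00:00:02"))
    print("iso2 -> iso1     ->", pv.forward("iso2", "00:00:00:00:00:04", "00:00:00:00:00:01"))
```

Running the block shows the first frame from any host being flooded (software path) and, once its MAC is learned, later frames to it taking the hardware path, which is the distinction the configuration notes draw. Flipping `primary_floods_into_private` to `True` lets you see what the default setting prevents: a broadcast arriving on the uplink reaching every secured port.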