BigIron RX Series Configuration Guide 53-1002253-01
Private VLANs

Enabling broadcast, multicast or unknown unicast traffic to the private VLAN

To enhance private VLAN security, the primary private VLAN does not forward broadcast or unknown unicast packets to its community and isolated VLANs. For example, if port 3/2 in Figure 30 on page 314 receives a broadcast packet from the firewall, the port does not forward the packet to the other private VLAN ports (3/5, 3/6, 3/9, and 3/10).

This forwarding restriction does not apply to traffic from the private VLAN. The primary port does forward broadcast and unknown unicast packets that are received from the isolated and community VLANs. For example, if the host on port 3/9 sends an unknown unicast packet, port 3/2 forwards the packet to the firewall.

If you want to remove the forwarding restriction, you can enable the primary port to forward broadcast or unknown unicast traffic, if desired, using the following CLI method. You can enable or disable forwarding of broadcast or unknown unicast packets separately.

Using the CLI

To configure the ports in the primary VLAN to forward broadcast, multicast or unknown unicast traffic received from sources outside the private VLAN, enter the following commands at the global CONFIG level of the CLI.

BigIron RX(config)# pvlan-preference broadcast flood
BigIron RX(config)# pvlan-preference unknown-unicast flood

These commands enable forwarding of broadcast, multicast and unknown-unicast packets to ports within the private VLAN.
To again disable forwarding, enter a command such as the following.

BigIron RX(config)# no pvlan-preference broadcast flood

This command disables forwarding of broadcast packets within the private VLAN.

Syntax: [no] pvlan-preference broadcast | unknown-unicast flood

CLI example for Figure 30

To configure the private VLANs shown in Figure 30 on page 314, enter the following commands.

BigIron RX(config)# vlan 901
BigIron RX(config-vlan-901)# untagged ethernet 3/5 to 3/6
BigIron RX(config-vlan-901)# pvlan type community
BigIron RX(config-vlan-901)# exit
BigIron RX(config)# vlan 902
BigIron RX(config-vlan-902)# untagged ethernet 3/9 to 3/10
BigIron RX(config-vlan-902)# pvlan type isolated
BigIron RX(config-vlan-902)# exit
BigIron RX(config)# vlan 903
BigIron RX(config-vlan-903)# untagged ethernet 3/5 to 3/6
BigIron RX(config-vlan-903)# pvlan type community
BigIron RX(config-vlan-903)# exit
BigIron RX(config)# vlan 7
BigIron RX(config-vlan-7)# untagged ethernet 3/2
BigIron RX(config-vlan-7)# pvlan type primary
BigIron RX(config-vlan-7)# pvlan mapping 901 ethernet 3/2
BigIron RX(config-vlan-7)# pvlan mapping 902 ethernet 3/2
BigIron RX(config-vlan-7)# pvlan mapping 903 ethernet 3/2
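
The following audit script is an added example, not part of the original guide or of any vendor tooling. It reads a saved command list in the form shown above (with or without the CLI prompt), reports which pvlan-preference flood settings have removed the default forwarding restriction, and lists community or isolated VLANs that have no pvlan mapping line, which every secondary VLAN in the example above has. The function name, the sample text, VLAN 904 and port 3/11 are constructed for illustration.

```python
import re

# Constructed sample: the page's commands with prompts removed, plus one
# constructed secondary VLAN (904, port 3/11) that is deliberately left unmapped.
SAMPLE_CONFIG = """\
pvlan-preference broadcast flood
vlan 901
 untagged ethernet 3/5 to 3/6
 pvlan type community
vlan 902
 untagged ethernet 3/9 to 3/10
 pvlan type isolated
vlan 904
 untagged ethernet 3/11
 pvlan type isolated
vlan 7
 untagged ethernet 3/2
 pvlan type primary
 pvlan mapping 901 ethernet 3/2
 pvlan mapping 902 ethernet 3/2
"""

def audit_pvlan(config_text):
    """Return (traffic types with flooding enabled, unmapped secondary VLAN IDs)."""
    floods, types, mapped = [], {}, set()
    vlan = None
    for raw in config_text.splitlines():
        # Accept pasted CLI sessions too: drop a leading "BigIron RX(...)# " prompt.
        line = re.sub(r"^.*?\)#\s*", "", raw).strip()
        if m := re.fullmatch(r"(no )?pvlan-preference (broadcast|unknown-unicast) flood", line):
            # The "no" form restores the default forwarding restriction.
            if m.group(1):
                floods = [f for f in floods if f != m.group(2)]
            elif m.group(2) not in floods:
                floods.append(m.group(2))
        elif m := re.match(r"vlan (\d+)", line):
            vlan = int(m.group(1))
        elif m := re.fullmatch(r"pvlan type (primary|community|isolated)", line):
            types[vlan] = m.group(1)
        elif m := re.fullmatch(r"pvlan mapping (\d+) ethernet \S+", line):
            mapped.add(int(m.group(1)))
    unmapped = sorted(v for v, t in types.items() if t != "primary" and v not in mapped)
    return floods, unmapped

if __name__ == "__main__":
    floods, unmapped = audit_pvlan(SAMPLE_CONFIG)
    print("flood restriction removed for:", floods or "nothing")
    print("secondary VLANs with no primary mapping:", unmapped or "none")
```
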