A private VLAN secures traffic between a primary port and host ports. Traffic between the hosts and the rest of the network must travel through the primary port. This gives fine-grained control over who can access what: you can, for example, define your ACLs on the primary port to precisely control the interactions between hosts. This type of VLAN is generally used by web hosting companies that own a public IP subnet they have to share with their customers. The goal is to prevent access between clients without needing a dedicated VLAN (and thus a subnet) for each client.
In the example below, the first port (3/2) is attached to a firewall. The next four ports (3/5, 3/6, 3/9 and 3/10) are attached to hosts that rely on the firewall to secure traffic between them and the rest of the network. The hosts on 3/5 and 3/6 are in a community private VLAN and can communicate with one another as well as through the firewall. The other two hosts (3/9, 3/10) are in an isolated VLAN and can therefore communicate only through the firewall; they are prevented from communicating with one another even though they are in the same VLAN.
FastIron FCX that runs FCXS07100a.bin (Switch)
FastIron FCX that runs FCXR07100a.bin (Router)
Switch (Private VLANs)
!
vlan 7 name private_vlan by port
 untagged ethe 1/1/7
 pvlan type primary
 pvlan mapping 902 ethe 1/1/7
 pvlan mapping 901 ethe 1/1/7
!
vlan 901 name community_vlan by port
 untagged ethe 1/1/9 to 1/1/10
 pvlan type community
!
vlan 902 name isolated_vlan by port
 untagged ethe 1/1/11
 pvlan type isolated
!
!
pvlan-preference broadcast flood
pvlan-preference unknown-unicast flood

!
interface ethernet 1/1/7
 ip address 192.168.7.1 255.255.255.0
!
The configuration above only works for FastIron 07100 code and below. Please refer to the latest configuration guide to make it work for 07200, and do not hesitate to publish your solution! PVLAN functionality does not work on 7.2; Brocade is aware of the issue, which is logged as firmware 7.2.02d defect 364076 (PVLAN), opened in August 2011.
By default, the private VLAN does not forward broadcast or unknown-unicast packets from outside sources into the private VLAN. The pvlan-preference commands change this default behaviour to allow such traffic, so that hosts behind the primary port can be discovered (for example by ARP).
Apart from this, you can see that port 1/1/7 is the primary port. The community and isolated private VLANs are both mapped to this primary port. Hosts connected to the community VLAN can talk to each other without going through the primary port, while hosts connected to the isolated VLAN can only talk to the primary port.
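To check that a configuration really yields the isolation described above, here is an added example (not from this page or from Brocade) that parses the FastIron stanzas into their private VLAN roles and answers whether two ports can exchange frames at layer 2, including the pvlan-preference flooding rule. The VLAN ids, ports and command syntax are those of the configuration above; the parser and the reachability model are my own assumptions about the forwarding rules the text describes.

```python
import re
# Constructed copy of the switch stanzas shown above ('!' separators omitted).
FASTIRON_CONFIG = """
vlan 7 name private_vlan by port
 untagged ethe 1/1/7
 pvlan type primary
 pvlan mapping 902 ethe 1/1/7
 pvlan mapping 901 ethe 1/1/7
vlan 901 name community_vlan by port
 untagged ethe 1/1/9 to 1/1/10
 pvlan type community
vlan 902 name isolated_vlan by port
 untagged ethe 1/1/11
 pvlan type isolated
pvlan-preference broadcast flood
"""

def expand_ports(spec):
    """'1/1/9 to 1/1/10' -> ['1/1/9', '1/1/10'] (a range is assumed to stay in one slot)."""
    m = re.match(r"(\d+/\d+/)(\d+)(?: to \d+/\d+/(\d+))?", spec)
    first, last = int(m[2]), int(m[3] or m[2])
    return [f"{m[1]}{n}" for n in range(first, last + 1)]

def parse_config(text):
    """Return ({vlan_id: {type, ports, mapped}}, {traffic classes flooded into the PVLAN})."""
    vlans, flood, cur = {}, set(), None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"vlan (\d+)", line):
            cur = vlans.setdefault(int(m[1]), {"type": None, "ports": [], "mapped": []})
        elif m := re.match(r"pvlan-preference (\S+) flood", line):
            flood.add(m[1])
        elif cur is not None and (m := re.match(r"(?:un)?tagged ethe (.+)", line)):
            cur["ports"] += expand_ports(m[1])
        elif cur is not None and (m := re.match(r"pvlan type (\w+)", line)):
            cur["type"] = m[1]
        elif cur is not None and (m := re.match(r"pvlan mapping (\d+)", line)):
            cur["mapped"].append(int(m[1]))
    return vlans, flood

def can_forward(vlans, flood, src, dst, traffic="unicast"):
    """src -> dst reachability under PVLAN rules; traffic: unicast, broadcast, unknown-unicast."""
    member = {p: (vid, v["type"]) for vid, v in vlans.items() for p in v["ports"]}
    svid, stype = member.get(src, (None, None))
    dvid, dtype = member.get(dst, (None, None))
    if stype == "primary":   # from outside into a mapped secondary VLAN; flooded frames need a preference
        return dvid in vlans[svid]["mapped"] and (traffic == "unicast" or traffic in flood)
    if dtype == "primary":   # every secondary host reaches its primary port
        return svid in vlans[dvid]["mapped"]
    return stype == "community" and svid == dvid   # only same-community hosts talk directly
```

Unknown ports resolve to no VLAN and are never reachable, so an unmapped or mistyped port shows up as a denied pair rather than a silent pass.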