Create a Private VLAN

Before you begin

  • To create a private VLAN, you must configure the VLAN type to private and configure the private VLAN port type.

  • The ports you add to a private VLAN must have a port type of isolated, promiscuous, or trunk.

Procedure

  1. In the navigation pane, expand Configuration > VLAN.
  2. Select VLANs.
  3. On the Basic tab, select Insert.
  4. For Id, type an unused VLAN ID, or use the ID provided.
  5. Optional: For Name, type the VLAN name, or use the name provided.
  6. Optional: For Color Identifier, select a color from the list, or use the color provided.
  7. Optional: For MstpInstance, select an MSTI from the list.
  8. For Type, select private.
  9. For PortMembers, select the ellipsis (...).
  10. Select the ports to add as member ports.

    The ports that are selected are recessed, while the non-selected ports are not recessed. Port numbers that are dimmed cannot be selected as VLAN port members.

  11. Select OK.
  12. For Secondary Vlan, type an unused VLAN ID.
  13. Select Insert.
  14. In the Device Physical View, select the Private VLAN port members.
  15. In the navigation pane, expand Configuration > Edit > Port.
  16. Select General.
  17. Select the VLAN tab.
  18. For PrivateVlanPortType, select the port type.
  19. Select Apply.

Basic Field Descriptions

The following table describes the fields on the Basic tab.

Name

Description

Id

Specifies the VLAN ID in the range of 2 to 4059. VLAN ID 1 is the default VLAN and you cannot create or delete VLAN ID 1. By default, the system reserves VLAN IDs 4060 to 4094 for internal use. On switches that support the vrf-scaling and spbm-config-mode boot configuration flags, if you enable these flags, the system also reserves VLAN IDs 3500 to 3998.

Name

Specifies the name of the VLAN.

IfIndex

Specifies the logical interface index assigned to the VLAN.

Color Identifier

Specifies a proprietary color scheme to associate a color with the VLAN. Color does not affect how frames are forwarded.

Type

Specifies the type of VLAN:

  • byPort

  • byProtocolId

  • spbm-bvlan

  • private

MstpInstance

Identifies the MSTP instance.

VrfId

Indicates the Virtual Router to which the VLAN belongs.

VrfName

Indicates the name of the Virtual Router to which the VLAN belongs.

PortMembers

Specifies the slot/port of each VLAN member. The system displays the sub-port only for channelized ports.

ActiveMembers

Specifies the slot/port of each VLAN member. The system displays the sub-port only for channelized ports.

StaticMembers

Specifies the slot/port of each static member of a policy-based VLAN. The system displays the sub-port only for channelized ports.

NotAllowToJoin

Specifies the slot/ports that are never allowed to become a member of the policy-based VLAN. The system displays the sub-port only for channelized ports.

ProtocolId

Specifies the network protocol for protocol-based VLANs. This value is taken from the Assigned Numbers Request for Comments (RFC).

If the VLAN type is port-based, none is displayed in the Basic tab ProtocolId field.

AgingTime

Specifies the timeout period, in seconds, to age out dynamic members of this VLAN. This field only applies to policy-based VLANs.

The default is 600.

Clear Secondary IPs

Removes all secondary IP addresses on a VLAN simultaneously.

To remove specific secondary IP addresses from a VLAN, use the Secondary IP Addresses tab (Configuration > VLAN > VLANs > Basic > IP). For more information, see Secondary IP Addresses Field Descriptions.

Note

If you or another user changes the name of an existing VLAN using the VLAN Basic tab (or using CLI), the system does not display the new name initially in EDM. To display the updated name, perform one of the following actions:

  • Refresh your browser to reload EDM.

  • Log out of EDM and log in again to restart EDM.

  • Select Refresh in the VLAN Basic tab toolbar. If the system displays the old VLAN name in other tabs, select Refresh on those tabs as well.

VLAN field descriptions

The following table describes the fields on the VLAN tab.

Name

Description

PerformTagging

If checked, this port is a tagged (trunk) port. It can belong to multiple port-based VLANs, and a VLAN tag is inserted in every frame it transmits. If it is not checked, the port is an untagged (access) port. The default is disabled.

VlanIdList

Identifies the VLANs to which this port is assigned.

DiscardTaggedFrames

If selected, and the port is untagged (an access port), tagged frames received on the port are discarded by the forwarding process. If clear, tagged frames are processed normally. The default is disabled.

DiscardUntaggedFrames

If selected and the port is tagged (a trunk port), untagged frames received on the port are discarded by the forwarding process. If clear, untagged frames are processed normally. The default is disabled.

UntagDefaultVLAN

If selected, even if the port is tagged (a trunk port), frames forwarded to the default VLAN for the port are not tagged. The default is disabled.

UntaggedVlanIds

Identifies which VLANs this port is associated with as untagged.

DefaultVlanId

Specifies the VLAN ID assigned to untagged frames received on this trunk port that match no policy-based VLAN to which the port belongs.

SpoofDetect

Enables or disables spoof detection on the specified port.

Protocol

Enables protocol-based VLAN on the port. This feature is always enabled.

PrivateVlanPortType

Specifies the port type for a Private VLAN. If not specified, the port type defaults to None.

  • Isolated: An Isolated port can belong to only one private VLAN.

  • Promiscuous: A Promiscuous port can belong to many private VLANs.

  • Trunk: A Trunk port can belong to many private VLANs, is tagged, and can also belong to non-private VLANs.

Origin

Specifies the origin of VLAN configuration on the port, either manually configured through CLI or EDM, or dynamically configured through Auto-sense.
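
The following added example (not vendor code) checks a planned private VLAN against the rules stated on this page before you enter it in EDM: the usable and reserved VLAN ID ranges, the requirement that the secondary VLAN ID is unused, the three permitted private VLAN port types, and the limit of one private VLAN for an Isolated port. The plan layout, the function names, and the sample values are assumptions made for illustration.

```python
# Added example (not vendor code): the plan layout and function names are assumptions.
RESERVED_INTERNAL = range(4060, 4095)    # reserved by default for internal use
RESERVED_WITH_FLAGS = range(3500, 3999)  # also reserved when the boot flags are enabled
PVLAN_PORT_TYPES = {"isolated", "promiscuous", "trunk"}


def check_vlan_id(vid, in_use, flags_enabled=False):
    """Return the reason a VLAN ID cannot be used, or None if it is acceptable."""
    if vid == 1:
        return "VLAN 1 is the default VLAN and cannot be created"
    if vid in RESERVED_INTERNAL:
        return f"VLAN {vid} is reserved for internal use (4060-4094)"
    if not 2 <= vid <= 4059:
        return f"VLAN {vid} is outside the range 2-4059"
    if flags_enabled and vid in RESERVED_WITH_FLAGS:
        return f"VLAN {vid} is reserved (3500-3998) while the boot flags are enabled"
    if vid in in_use:
        return f"VLAN {vid} is already in use"
    return None


def check_plan(plan, in_use, pvlan_membership, flags_enabled=False):
    """Validate a planned private VLAN and return a list of problems.

    plan: {"primary": int, "secondary": int, "ports": {"slot/port": port_type}}
    pvlan_membership: {"slot/port": set of private VLAN IDs the port is already in}
    """
    problems = []
    primary, secondary = plan["primary"], plan["secondary"]
    # The secondary ID must be unused once the primary exists, so treat primary as taken.
    for vid, taken in ((primary, set(in_use)), (secondary, set(in_use) | {primary})):
        reason = check_vlan_id(vid, taken, flags_enabled)
        if reason:
            problems.append(reason)
    for port, ptype in sorted(plan["ports"].items()):
        if ptype not in PVLAN_PORT_TYPES:
            # A member port left at the default type (None) is caught here.
            problems.append(f"port {port}: type {ptype!r} must be isolated, promiscuous, or trunk")
        elif ptype == "isolated" and pvlan_membership.get(port):
            problems.append(f"port {port}: isolated port already belongs to a private VLAN")
    return problems


if __name__ == "__main__":
    # Constructed sample input, not taken from a real switch.
    plan = {"primary": 200, "secondary": 4060,
            "ports": {"1/1": "isolated", "1/2": "none", "1/3": "promiscuous"}}
    for line in check_plan(plan, in_use={1, 100}, pvlan_membership={"1/1": {100}}):
        print(line)
```
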