The present invention relates to computer networks, particularly to private virtual local area networks (PVLAN), and more particularly to a PVLAN switch and a method of connecting it to a non-PVLAN device.
As is known in the field of computer networks, a single Layer Two (L2) network may be partitioned into a plurality of broadcast domains that are isolated from each other, so that data frames can pass between them only via one or more routers. Such a domain is called a virtual local area network (VLAN). Currently the most common protocol for configuring a VLAN is IEEE 802.1Q, under which a VLAN tag carrying the identifier (ID) of the VLAN to which the frame belongs is inserted into each Ethernet frame, so that devices such as switches can determine the VLAN of a frame from its VLAN ID.
PVLAN is a VLAN-based computer networking technology for implementing communication isolation among ports. PVLAN involves several concepts, and understanding them will facilitate a better understanding of the present invention. These concepts are introduced one by one below.
A PVLAN includes three different types of VLANs: primary VLANs, community VLANs and isolated VLANs. Community VLANs and isolated VLANs are collectively called secondary VLANs. Among the three types of VLANs in a PVLAN, the one that may communicate with all the others is called the primary VLAN; the primary VLAN is usually also used to represent the entire PVLAN. If all the ports in a VLAN may communicate with each other and may also communicate with the ports in the primary VLAN, that VLAN is called a community VLAN. If the ports in a VLAN cannot communicate with each other and may only communicate with the ports in the primary VLAN, that VLAN is called an isolated VLAN. In a PVLAN, the community VLANs and the isolated VLANs are subordinate to the primary VLAN, or in other words are associated with it, which is why they are called secondary VLANs.
The ports in a primary VLAN are called promiscuous ports; they are usually connected to uplink routers, firewalls and servers. The ports in a community VLAN are called community ports, and the ports in an isolated VLAN are called isolated ports. Community ports and isolated ports are also called host ports, because they are usually connected to downlink hosts. A PVLAN switch may include several promiscuous ports, several community ports and several isolated ports.
The communication isolation rules in a PVLAN are as follows:
1) The promiscuous ports may communicate with all the community ports and isolated ports.
2) The community ports may communicate with all the ports in the same community VLAN, and may also communicate with the promiscuous ports. However, they cannot communicate with the ports in a different community VLAN.
3) The isolated ports may only communicate with the promiscuous ports.
According to the above rules, flows may be isolated within the switch.
Ports that are in a plurality of VLANs simultaneously are called trunk ports. That is, promiscuous ports that are simultaneously in a plurality of primary VLANs are called trunk promiscuous ports; community ports that are simultaneously in a plurality of community VLANs are called trunk community ports; isolated ports that are simultaneously in a plurality of isolated VLANs are called trunk isolated ports; and trunk community ports and trunk isolated ports are collectively called trunk host ports.
In the present invention, references to promiscuous ports, community ports, isolated ports, trunk promiscuous ports, trunk community ports, and trunk isolated ports are meant to be PVLAN promiscuous ports, PVLAN community ports, PVLAN isolated ports, PVLAN trunk promiscuous ports, PVLAN trunk community ports, and PVLAN trunk isolated ports. The omission of the prefix PVLAN is only for convenience.
Currently there are two types of PVLAN trunk ports, namely the above-mentioned PVLAN trunk promiscuous ports and PVLAN trunk isolated ports. When a frame received from a PVLAN trunk isolated port is to be transmitted from a PVLAN trunk promiscuous port, the isolated VLAN ID in the 802.1Q tag of the frame is rewritten with the corresponding primary VLAN ID. Conversely, when a frame carrying a primary VLAN ID is received on a PVLAN trunk promiscuous port and is to be transmitted from a PVLAN trunk isolated port, the primary VLAN ID in its 802.1Q tag is rewritten with the corresponding isolated VLAN ID.
Thus a PVLAN trunk promiscuous port may simultaneously carry the traffic of a plurality of primary VLANs from the PVLAN switch to a non-PVLAN device, and a PVLAN trunk isolated port may simultaneously carry the traffic of a plurality of isolated VLANs to a non-PVLAN device. However, neither of the two current PVLAN trunk port types can carry the traffic of a plurality of community VLANs from the PVLAN switch to a non-PVLAN device.
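As an added illustration (not code from the patent), the following Python model applies isolation rules 1) to 3) above and the 802.1Q tag rewriting performed at the two existing trunk port types. The port names, VLAN IDs and PVLAN layout are constructed for the example, and the model assumes that each primary VLAN has a single isolated VLAN. Running it shows that a community VLAN frame leaving a trunk promiscuous port is retagged with the primary VLAN ID, so its community identity is lost, and that a trunk isolated port has no tag for it at all, which is the gap described in the preceding paragraph.

```python
"""Toy model of PVLAN port isolation and 802.1Q tag rewriting at trunk ports.

Added illustration, not code from the patent. Port names, VLAN IDs and the
PVLAN layout are constructed; each primary VLAN is assumed to have one
isolated VLAN.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

PROMISCUOUS, COMMUNITY, ISOLATED = "promiscuous", "community", "isolated"


@dataclass(frozen=True)
class Port:
    name: str
    kind: str              # PROMISCUOUS, COMMUNITY or ISOLATED
    vlans: frozenset       # VLAN IDs the port is a member of

    @property
    def is_trunk(self) -> bool:
        # A port that is in more than one VLAN of its kind is a trunk port.
        return len(self.vlans) > 1


@dataclass(frozen=True)
class PVLAN:
    primary: int
    community: frozenset   # community VLAN IDs subordinate to `primary`
    isolated: int          # the isolated VLAN ID subordinate to `primary` (assumed: one)

    def contains(self, vid: int) -> bool:
        return vid == self.primary or vid == self.isolated or vid in self.community


class PVLANSwitch:
    def __init__(self, pvlans: Iterable[PVLAN]):
        self.pvlans = {p.primary: p for p in pvlans}

    def primary_of(self, vid: int) -> int:
        """Map any primary or secondary VLAN ID to the primary VLAN it belongs to."""
        for p in self.pvlans.values():
            if p.contains(vid):
                return p.primary
        raise KeyError(f"VLAN {vid} is not part of any PVLAN")

    def may_forward(self, src: Port, dst: Port) -> bool:
        """Isolation rules 1) to 3): may a frame entering `src` leave via `dst`?"""
        if src is dst:
            return False
        # Both ports must share at least one PVLAN, i.e. one primary VLAN.
        shared = {self.primary_of(v) for v in src.vlans} & {self.primary_of(v) for v in dst.vlans}
        if not shared:
            return False
        # Rule 1 (and the promiscuous side of rules 2 and 3): a promiscuous port may
        # talk to every host port of its PVLAN. Promiscuous-to-promiscuous traffic is
        # not covered by the rules; it is treated here as ordinary primary-VLAN traffic.
        if PROMISCUOUS in (src.kind, dst.kind):
            return True
        # Rule 2: community ports talk to each other only within the same community VLAN.
        if src.kind == COMMUNITY and dst.kind == COMMUNITY:
            return bool(src.vlans & dst.vlans)
        # Rule 3: an isolated port talks to promiscuous ports only, so any remaining
        # host-to-host pair (isolated/isolated, isolated/community) is dropped.
        return False

    def egress_vid(self, ingress_vid: int, out: Port) -> Optional[int]:
        """VLAN ID written into the 802.1Q tag of a frame leaving `out`.

        None means the frame's VLAN has no representation on that port.
        """
        primary = self.primary_of(ingress_vid)
        if out.kind == PROMISCUOUS:
            # Trunk promiscuous egress: any secondary VID is rewritten to the primary VID,
            # so the non-PVLAN device never sees which community/isolated VLAN it came from.
            return primary if primary in out.vlans else None
        if out.kind == ISOLATED:
            # Trunk isolated egress: a primary-VLAN frame is rewritten to the isolated VID
            # of that PVLAN. A community-VLAN frame has no tag here (and rule 3 forbids it).
            iso = self.pvlans[primary].isolated
            return iso if ingress_vid == primary and iso in out.vlans else None
        # Community (access) port: frames of its own community VLAN, or of the primary
        # VLAN, leave tagged with that community VID; anything else is dropped.
        own = self.pvlans[primary].community & out.vlans
        if ingress_vid in own:
            return ingress_vid
        if ingress_vid == primary and len(own) == 1:
            return next(iter(own))
        return None


def build_example_switch() -> Tuple[PVLANSwitch, Dict[str, Port]]:
    """Constructed layout: two PVLANs, a trunk promiscuous uplink, a trunk isolated link."""
    sw = PVLANSwitch([
        PVLAN(primary=100, community=frozenset({110, 120}), isolated=130),
        PVLAN(primary=200, community=frozenset({210}), isolated=230),
    ])
    ports = [
        Port("uplink", PROMISCUOUS, frozenset({100, 200})),   # trunk promiscuous
        Port("iso_trunk", ISOLATED, frozenset({130, 230})),   # trunk isolated
        Port("h1", COMMUNITY, frozenset({110})), Port("h2", COMMUNITY, frozenset({110})),
        Port("h3", COMMUNITY, frozenset({120})), Port("h4", COMMUNITY, frozenset({210})),
        Port("i1", ISOLATED, frozenset({130})), Port("i2", ISOLATED, frozenset({130})),
    ]
    return sw, {p.name: p for p in ports}


if __name__ == "__main__":
    sw, p = build_example_switch()
    for a, b in [("uplink", "i1"), ("h1", "h2"), ("h1", "h3"), ("i1", "i2"), ("h1", "h4")]:
        print(f"{a:>9} -> {b:<9} {'allowed' if sw.may_forward(p[a], p[b]) else 'blocked'}")
    for vid, out in [(110, "uplink"), (100, "iso_trunk"), (110, "iso_trunk")]:
        print(f"VID {vid} leaving {out:<9}: tag {sw.egress_vid(vid, p[out])}")
```

The two `egress_vid` cases for VLAN 110 (a community VLAN) are the point of the passage: via the trunk promiscuous port the frame is sent with VID 100 and the receiving non-PVLAN device cannot tell community 110 from community 120, and via the trunk isolated port it cannot be sent at all.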
It can be seen that an improved PVLAN switch and a method of connecting it to a non-PVLAN device would be advantageous in the field, so that during deployment, even when the PVLAN switch is connected to a non-PVLAN device, community VLAN information may be transmitted from the PVLAN switch to that device.