90 Implementing IBM System Networking 10Gb Ethernet Switches
Private VLAN ports
Private VLAN ports are defined as follows:
- Promiscuous: A promiscuous port is an external port that belongs to the primary VLAN.
  The promiscuous port can communicate with all the interfaces, including ports in the
  secondary VLANs (Isolated VLAN and Community VLANs). Each promiscuous port can
  belong to only one Private VLAN.
- Isolated: An isolated port is a host port that belongs to an isolated VLAN. Each isolated
  port has complete Layer 2 separation from other ports within the same private VLAN
  (including other isolated ports), except for the promiscuous ports.
  Traffic sent to an isolated port is blocked by the Private VLAN, except the traffic from
  promiscuous ports.
  Traffic received from an isolated port is forwarded only to promiscuous ports.
- Community: A community port is a host port that belongs to a community VLAN.
  Community ports can communicate with other ports in the same community VLAN, and
  with promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces
  in other communities and from isolated ports within the Private VLAN.
Only external ports are promiscuous ports. Only internal ports may be isolated or
community ports.
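The port rules above can be checked against a planned port layout before it is configured. The following Python model is an added example, not code from the book or from the switch firmware; the port names, VLAN IDs, and the Port, can_forward, audit, and reachability names are assumptions made for illustration, as is the treatment of two different Private VLANs as fully separate.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import Optional

@dataclass(frozen=True)
class Port:
    name: str
    external: bool                    # True: external port, False: internal port
    role: str                         # "promiscuous", "isolated" or "community"
    pvlan: int                        # primary VLAN ID of the Private VLAN
    secondary: Optional[int] = None   # isolated/community VLAN ID (host ports only)

def can_forward(src: Port, dst: Port) -> bool:
    """Layer 2 decision for a frame from src to dst, per the port definitions."""
    if src.pvlan != dst.pvlan:        # assumption: separate Private VLANs never mix
        return False
    if "promiscuous" in (src.role, dst.role):
        return True                   # promiscuous ports reach every interface
    if src.role == dst.role == "community":
        return src.secondary == dst.secondary
    return False                      # isolated<->isolated, isolated<->community

def audit(ports: list) -> list:
    """Return violations: placement rules, one Private VLAN per promiscuous port."""
    problems, seen = [], {}
    for p in ports:
        if p.role == "promiscuous" and not p.external:
            problems.append(f"{p.name}: promiscuous role on an internal port")
        if p.role in ("isolated", "community") and p.external:
            problems.append(f"{p.name}: {p.role} role on an external port")
        if p.role == "promiscuous" and seen.setdefault(p.name, p.pvlan) != p.pvlan:
            problems.append(f"{p.name}: promiscuous port in more than one Private VLAN")
    return problems

def reachability(ports: list) -> set:
    """All ordered (src, dst) name pairs that are allowed to exchange frames."""
    return {(a.name, b.name) for a, b in permutations(ports, 2) if can_forward(a, b)}

# Constructed sample port table (names and VLAN IDs are made up for illustration).
SAMPLE = [
    Port("EXT1", True, "promiscuous", 100),
    Port("INT1", False, "isolated", 100, 110),
    Port("INT2", False, "isolated", 100, 110),
    Port("INT3", False, "community", 100, 120),
    Port("INT4", False, "community", 100, 120),
    Port("INT5", False, "community", 100, 130),
]

if __name__ == "__main__":
    for src, dst in sorted(reachability(SAMPLE)):
        print(f"{src} -> {dst}")
    print(audit(SAMPLE) or "no rule violations")
```

Any pair missing from the reachability set is one the Private VLAN is expected to block, which gives a baseline to compare against observed connectivity when verifying the segmentation.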
2.8.2 Securing administration
In this section, we present the different features and protocols used to secure
administrative access.
Secure Shell and Secure Copy
Because using Telnet does not provide a secure connection for managing an IBM System
Networking switch, Secure Shell (SSH) and Secure Copy (SCP) features are included for IBM
System Networking switch management. SSH and SCP use secure tunnels to encrypt and
secure messages between a remote administrator and the switch.
SSH is a protocol that enables remote administrators to log on securely to the switch over a
network to execute management commands.
SCP is typically used to copy files securely from one machine to another. SCP uses SSH for
encryption of data on the network. On a switch, SCP is used to download and upload the
switch configuration through secure channels.
Although SSH and SCP are disabled by default, enabling and using these features provides
the following benefits:
- Identifying the administrator using a user name and password
- Authentication of remote administrators
- Authorization of remote administrators
- Determining the permitted actions and customizing service for individual administrators
- Encryption of management messages
- Encrypting messages between the remote administrator and switch
- Secure copy support
