Broadcast Traffic In Private Vlans - Cisco Nexus 9000 Series Configuration Manual

NX-OS Layer 2 Switching Configuration

Configuring Private VLANs Using NX-OS
Note: If you change the type of a primary VLAN to a normal/user VLAN (by issuing the no private-vlan
primary command), all of the associations under that primary VLAN become nonoperational. However,
if you change the type of the same VLAN back to a primary VLAN from a normal/user VLAN, the
associations under the primary VLAN continue to be nonoperational, unless they are reconfigured under
the primary VLAN after the type change.
In order to change the association between a secondary and primary VLAN, you must first remove the current
association and then add the desired association.

Broadcast Traffic in Private VLANs

Broadcast traffic from ports in a private VLAN flows in the following ways:
• The broadcast traffic flows from all promiscuous ports to all ports in the primary VLAN. This broadcast
traffic is distributed to all ports within the primary VLAN, including those ports that are not configured
with private VLAN parameters.
• The broadcast traffic from all isolated ports is distributed only to those promiscuous ports in the primary
VLAN that are associated to that isolated port.
• The broadcast traffic from community ports is distributed to all ports within the port's community and
to all promiscuous ports that are associated to the community port. The broadcast packets are not
distributed to any other communities within the primary VLAN or to any isolated ports.
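
The three rules above, written as a small Python model that can check a planned port layout for unwanted Layer 2 reachability. This is an added example, not code from the Cisco guide; the port names, the VLAN IDs (100 to 103) and the helper names Port, broadcast_receivers and l2_leaks are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Port:
    name: str
    kind: str                        # promiscuous | isolated | community | normal
    secondary: Optional[int] = None  # secondary VLAN of an isolated/community port
    mapped: frozenset = frozenset()  # secondary VLANs associated to a promiscuous port

def broadcast_receivers(src, ports):
    """Names of ports that receive a broadcast from src, per the three rules above."""
    others = [p for p in ports if p.name != src.name]
    if src.kind == "promiscuous":
        # Rule 1: all ports in the primary VLAN, including ports without PVLAN config.
        out = others
    elif src.kind == "isolated":
        # Rule 2: only promiscuous ports associated to this isolated port.
        out = [p for p in others
               if p.kind == "promiscuous" and src.secondary in p.mapped]
    elif src.kind == "community":
        # Rule 3: same community, plus associated promiscuous ports.
        out = [p for p in others
               if (p.kind == "community" and p.secondary == src.secondary)
               or (p.kind == "promiscuous" and src.secondary in p.mapped)]
    else:
        # The rules above do not cover broadcasts sourced from other port types.
        raise ValueError(f"no rule for source port kind {src.kind!r}")
    return sorted(p.name for p in out)

def l2_leaks(ports, must_not_talk):
    """Return the (a, b) pairs where a broadcast from a would still reach b."""
    by_name = {p.name: p for p in ports}
    return [(a, b) for a, b in must_not_talk
            if b in broadcast_receivers(by_name[a], ports)]

# Constructed design: primary VLAN 100, isolated 101, communities 102 and 103.
PORTS = [
    Port("gw", "promiscuous", mapped=frozenset({101, 102, 103})),
    Port("backup", "promiscuous", mapped=frozenset({102})),
    Port("srv1", "isolated", 101), Port("srv2", "isolated", 101),
    Port("app1", "community", 102), Port("app2", "community", 102),
    Port("db1", "community", 103),
    Port("legacy", "normal"),  # in VLAN 100, no private VLAN parameters
]

if __name__ == "__main__":
    for p in PORTS:
        if p.kind != "normal":
            print(f"{p.name:7} -> {broadcast_receivers(p, PORTS)}")
```

Passing l2_leaks a list of port pairs that the design requires to be separated returns only the pairs whose separation the layout fails to provide.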

Private VLAN Port Isolation

You can use private VLANs to control access to end stations as follows:
• Configure selected interfaces connected to end stations as isolated ports to prevent any communication
at Layer 2. For example, if the end stations are servers, this configuration prevents Layer 2 communication
between the servers.
• Configure interfaces connected to default gateways and selected end stations (for example, backup
servers) as promiscuous ports to allow all end stations access to a default gateway.

Private VLANs and VLAN Interfaces

A VLAN interface to a Layer 2 VLAN is also called a switched virtual interface (SVI). Layer 3 devices
communicate with a private VLAN only through the primary VLAN and not through secondary VLANs.
Configure VLAN network interfaces only for primary VLANs. Do not configure VLAN interfaces for secondary
VLANs. VLAN network interfaces for secondary VLANs are inactive while the VLAN is configured as a
secondary VLAN. You will see the following actions if you misconfigure the VLAN interfaces:
• If you try to configure a VLAN with an active VLAN network interface as a secondary VLAN, the
configuration is not allowed until you disable the VLAN interface.
• If you try to create and enable a VLAN network interface on a VLAN that is configured as a secondary
VLAN, that VLAN interface remains disabled and the system returns an error.
Cisco Nexus 9000 Series NX-OS Layer 2 Switching Configuration Guide, Release 7.x