Private Vlan Ports - Cisco Nexus 7000 Series Configuration Manual

NX-OS Layer 2 switching
Configuring Private VLANs Using NX-OS
VLAN domain can have multiple private VLAN pairs, one pair for each subdomain. All VLAN pairs in a
private VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one subdomain
from another.
Note
A private VLAN domain has only one primary VLAN.
Secondary VLANs provide Layer 2 isolation between ports within the same private VLAN. The following
two types are secondary VLANs within a primary VLAN:
• Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2
level.
• Community VLANs—Ports within a community VLAN can communicate with each other but cannot
communicate with ports in other community VLANs or in any isolated VLANs at the Layer 2 level.

Private VLAN Ports

Note
Both community and isolated private VLAN ports are labeled as PVLAN host ports. A PVLAN host port
is either a community PVLAN port or an isolated PVLAN port depending on the type of secondary VLAN
with which it is associated.
The types of private VLAN ports are as follows:
• Promiscuous port—A promiscuous port belongs to the primary VLAN. The promiscuous port can
communicate with all interfaces, including the community and isolated host ports, that belong to those
secondary VLANs associated to the promiscuous port and associated with the primary VLAN. You can
have several promiscuous ports in a primary VLAN. Each promiscuous port can have several secondary
VLANs, or no secondary VLANs, associated to that port. You can associate a secondary VLAN to more
than one promiscuous port, as long as the promiscuous port and secondary VLANs are within the same
primary VLAN. You may want to do this association for load balancing or redundancy purposes. You
can also have secondary VLANs that are not associated to any promiscuous port, but these secondary
VLANs cannot communicate to the Layer 3 interface.
• Promiscuous trunk—Beginning with Cisco NX-OS Release 5.0(2) and Cisco DCNM Release 5.1(1),
on the Cisco Nexus 7000 Series devices, you can configure a promiscuous trunk port to carry traffic for
multiple primary VLANs. You map the private VLAN primary VLAN and either all or selected associated
VLANs to the promiscuous trunk port. Each primary VLAN and one associated secondary VLAN
form a private VLAN pair, and you can configure a maximum of 16 private VLAN pairs on each promiscuous
trunk port.
Note
Private VLAN promiscuous trunk ports carry traffic for normal VLANs as well as for
primary private VLANs.
• Isolated port—An isolated port is a host port that belongs to an isolated secondary VLAN. This port has
complete Layer 2 isolation from other ports within the same private VLAN domain, except that it can
communicate with associated promiscuous ports. Private VLANs block all traffic to isolated ports except
traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous
Cisco Nexus 7000 Series NX-OS Layer 2 Switching Configuration Guide, Release 5.x
Private VLAN Overview
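The Layer 2 reachability rules described above for promiscuous, isolated and community ports can be checked against an intended port plan before it is deployed. The following is an added example, not taken from the Cisco guide: the `Port` model, the function names, the interface names and the VLAN IDs are all constructed for illustration, and it assumes that promiscuous ports in the same primary VLAN can reach each other.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

@dataclass(frozen=True)
class Port:
    name: str
    role: str                          # "promiscuous", "isolated" or "community"
    primary: int                       # primary VLAN of the private VLAN domain
    secondary: Optional[int] = None    # host ports: the secondary VLAN they belong to
    mapped: frozenset = frozenset()    # promiscuous ports: secondary VLANs mapped to the port

def can_talk(a: Port, b: Port) -> bool:
    """Layer 2 reachability between two ports under the private VLAN rules above."""
    if a.primary != b.primary:
        return False                   # different private VLAN domains
    if a.role == "promiscuous" and b.role == "promiscuous":
        return True                    # assumption: both sit in the primary VLAN
    if "promiscuous" in (a.role, b.role):
        prom, host = (a, b) if a.role == "promiscuous" else (b, a)
        return host.secondary in prom.mapped   # only secondaries mapped to this port
    if a.role == "community" and b.role == "community":
        return a.secondary == b.secondary      # same community only
    return False                       # any host pair involving an isolated port

def allowed_pairs(ports):
    """Every unordered pair of port names that may exchange Layer 2 traffic."""
    return {frozenset((a.name, b.name))
            for a, b in combinations(ports, 2) if can_talk(a, b)}

def hosts_without_uplink(ports):
    """Host ports whose secondary VLAN is mapped to no promiscuous port."""
    proms = [p for p in ports if p.role == "promiscuous"]
    return sorted(h.name for h in ports if h.role != "promiscuous"
                  and not any(can_talk(p, h) for p in proms))

# Constructed sample: primary VLAN 100, isolated VLAN 101, community VLANs 102-104.
PORTS = [
    Port("Eth1/1", "promiscuous", 100, mapped=frozenset({101, 102, 103})),
    Port("Eth1/2", "isolated", 100, 101),
    Port("Eth1/3", "isolated", 100, 101),
    Port("Eth1/4", "community", 100, 102),
    Port("Eth1/5", "community", 100, 102),
    Port("Eth1/6", "community", 100, 103),
    Port("Eth1/7", "community", 100, 104),   # VLAN 104 is mapped to no promiscuous port
]

if __name__ == "__main__":
    for pair in sorted(sorted(p) for p in allowed_pairs(PORTS)):
        print(" <-> ".join(pair))
    print("no promiscuous uplink:", hosts_without_uplink(PORTS))
```

A host port reported by `hosts_without_uplink` is in a secondary VLAN that, as the promiscuous port description notes, cannot communicate to the Layer 3 interface.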