Private Vlan Promiscuous Trunks; Private Vlan Isolated Trunks - Cisco nexus 5000 series Configuration Manual

NX-OS Layer 2

Configuring Private VLANs
Note
You can associate a secondary VLAN with only one primary VLAN.
For an association to be operational, the following conditions must be met:
• The primary VLAN must exist and be configured as a primary VLAN.
• The secondary VLAN must exist and be configured as either an isolated or community VLAN.
Note
Use the show vlan private-vlan command to verify that the association is operational. The switch does
not display an error message when the association is nonoperational.
If you delete either the primary or secondary VLAN, the ports that are associated with the VLAN become
inactive. Use the no private-vlan command to return the VLAN to the normal mode. All primary and secondary
associations on that VLAN are suspended, but the interfaces remain in PVLAN mode. When you convert the
VLAN back to PVLAN mode, the original associations are reinstated.
If you enter the no vlan command for the primary VLAN, all PVLAN associations with that VLAN are
deleted. However, if you enter the no vlan command for a secondary VLAN, the PVLAN associations with
that VLAN are suspended and are restored when you recreate the specified VLAN and configure it as the
previous secondary VLAN.
In order to change the association between a secondary and primary VLAN, you must first remove the current
association and then add the desired association.
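
Because the switch reports no error for a nonoperational association, the two conditions above can also be checked offline against a saved configuration. The following Python sketch is an added example, not part of the Cisco guide: the function names are hypothetical, the configuration text is constructed, and it uses the NX-OS VLAN-mode commands private-vlan primary, isolated, community and association, which this page does not show.

```python
# Constructed sample config (not from the guide); assumes one VLAN per "vlan <id>" stanza.
SAMPLE_CONFIG = """\
vlan 10
  private-vlan primary
  private-vlan association 101-102,104
vlan 20
  private-vlan association 103
vlan 101
  private-vlan isolated
vlan 102
  private-vlan community
vlan 103
  private-vlan isolated
"""

def expand(vlan_list):  # '101-102,104' -> [101, 102, 104]
    ids = []
    for lo, _, hi in (part.partition("-") for part in vlan_list.split(",")):
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids

def parse(config):
    """Return ({vlan_id: pvlan_type_or_None}, [(primary, secondary), ...])."""
    types, assocs, current = {}, [], None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["vlan"] and not line[0].isspace():
            current = int(words[1])
            types.setdefault(current, None)  # VLAN exists, PVLAN type not yet seen
        elif current is not None and words[:2] == ["private-vlan", "association"]:
            assocs += [(current, sec) for sec in expand(words[-1])]
        elif current is not None and words[:1] == ["private-vlan"] and len(words) > 1:
            types[current] = words[1]  # primary, isolated or community
    return types, assocs

def audit(config):
    """List (primary, secondary, reason) for each nonoperational association."""
    types, assocs = parse(config)
    findings = []
    for primary, secondary in assocs:
        if types.get(primary) != "primary":
            findings.append((primary, secondary, "primary VLAN not configured as primary"))
        if types.get(secondary) not in ("isolated", "community"):
            reason = "does not exist" if secondary not in types else "is not isolated or community"
            findings.append((primary, secondary, "secondary VLAN " + reason))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

On the constructed sample it reports the association to the missing VLAN 104 and the association configured under VLAN 20, which is not a primary VLAN.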

Private VLAN Promiscuous Trunks

A promiscuous trunk port can carry traffic for several primary VLANs. Multiple secondary VLANs under a
given primary VLAN can be mapped to a promiscuous trunk port. Traffic on the promiscuous port is received
and transmitted with a primary VLAN tag.

Private VLAN Isolated Trunks

An isolated trunk port can carry traffic for multiple isolated PVLANs. Traffic for a community VLAN is not
carried by isolated trunk ports. Traffic on isolated trunk ports is received and transmitted with an isolated
VLAN tag. Isolated trunk ports are intended to be connected to host servers.
To support isolated PVLAN ports on a Cisco Nexus Fabric Extender, the Cisco Nexus device must prevent
communication between the isolated ports on the FEX; all forwarding occurs through the switch.
Caution
You must disable all the FEX isolated trunk ports before configuring PVLANs on the FEX trunk ports.
If the FEX isolated trunk ports and the FEX trunk ports are both enabled, unwanted network traffic might
occur.
For unicast traffic, you can prevent such communication without any side effects.
For multicast traffic, the FEX provides replication of the frames. To prevent communication between isolated
PVLAN ports on the FEX, the switch prevents multicast frames from being sent back through the fabric ports.
OL-25842-01
Cisco Nexus 5000 Series NX-OS Layer 2 Switching Configuration Guide, Release 5.1(3)N1(1)