Primary, Isolated, And Community Private Vlans - Cisco Nexus 7000 Series Configuration Manual

NX-OS Layer 2 Switching

Private VLAN Overview
ports. You can have more than one isolated port in a specified isolated VLAN, and each port is completely
isolated from all other ports in the isolated VLAN.
• Isolated or secondary trunk—Beginning with Cisco NX-OS Release 5.0(2) and Cisco DCNM Release
5.1(1) on the Cisco Nexus 7000 Series devices, you can configure an isolated trunk port to carry traffic
for multiple isolated VLANs. Each secondary VLAN on an isolated trunk port must be associated with
a different primary VLAN. You cannot put two secondary VLANs that are associated with the same
primary VLAN on an isolated trunk port. Each primary VLAN and one associated secondary VLAN form
a private VLAN pair, and you can configure a maximum of 16 private VLAN pairs on each isolated
trunk port.
• Community port—A community port is a host port that belongs to a community secondary VLAN.
Community ports communicate with other ports in the same community VLAN and with associated
promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities
and from all isolated ports within the private VLAN domain.
Note
Because trunks can support the VLANs that carry traffic between promiscuous, isolated, and community
ports, the isolated and community port traffic might enter or leave the device through a trunk interface.

Primary, Isolated, and Community Private VLANs

Because the primary VLAN has the Layer 3 gateway, you associate secondary VLANs with the primary
VLAN in order to communicate outside the private VLAN. Primary VLANs and the two types of secondary
VLANs, isolated VLANs and community VLANs, have these characteristics:
• Primary VLAN—The primary VLAN carries traffic from the promiscuous ports to the (isolated and
community) host ports and to other promiscuous ports.
• Isolated VLAN—An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream
from the hosts toward the promiscuous ports and the Layer 3 gateway. You can configure multiple
isolated VLANs in a private VLAN domain, and all the traffic remains isolated within each one. In
addition, each isolated VLAN can have several isolated ports, and the traffic from each isolated port
also remains completely separate.
• Community VLAN—A community VLAN is a secondary VLAN that carries upstream traffic from the
community ports to the promiscuous port gateways and to other host ports in the same community. You
can configure multiple community VLANs in a private VLAN domain. The ports within one community
can communicate, but these ports cannot communicate with ports in any other community or isolated
VLAN in the private VLAN.
This figure shows the Layer 2 traffic flows within a primary, or private VLAN, along with the types of VLANs
and types of ports.
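
The port and VLAN rules above, together with the isolated trunk constraints, can be checked with a small Python model. This is an added example, not part of the Cisco guide or NX-OS. Port names and VLAN IDs are constructed, and it assumes every promiscuous port is mapped to all secondary VLANs of its primary VLAN.

```python
# Added illustration: Layer 2 reachability model for a private VLAN domain.
# Port names and VLAN IDs are constructed; this is not NX-OS code.
from dataclasses import dataclass
from itertools import combinations

MAX_PAIRS_PER_ISOLATED_TRUNK = 16  # limit stated in the guide

@dataclass(frozen=True)
class Port:
    name: str
    kind: str           # "promiscuous", "isolated" or "community"
    primary: int        # primary VLAN ID
    secondary: int = 0  # secondary VLAN ID; unused for promiscuous ports

def can_communicate(a: Port, b: Port) -> bool:
    """True if a and b can exchange Layer 2 traffic directly."""
    if a.primary != b.primary:
        return False  # different private VLAN domains
    if "promiscuous" in (a.kind, b.kind):
        return True   # assumption: mapped to all secondaries of the primary
    if a.kind == b.kind == "community":
        return a.secondary == b.secondary
    return False      # isolated ports reach promiscuous ports only

def reachable_host_pairs(ports):
    """Host-to-host pairs that bypass the promiscuous port (audit view)."""
    hosts = [p for p in ports if p.kind != "promiscuous"]
    return [(a.name, b.name) for a, b in combinations(hosts, 2)
            if can_communicate(a, b)]

def validate_isolated_trunk(pairs):
    """Check (primary, secondary) pairs on one isolated trunk port."""
    errors, seen = [], {}
    if len(pairs) > MAX_PAIRS_PER_ISOLATED_TRUNK:
        errors.append(f"{len(pairs)} pairs exceeds the limit of "
                      f"{MAX_PAIRS_PER_ISOLATED_TRUNK}")
    for primary, secondary in pairs:
        if primary in seen and seen[primary] != secondary:
            errors.append(f"secondary VLANs {seen[primary]} and {secondary} "
                          f"share primary VLAN {primary}")
        seen.setdefault(primary, secondary)
    return errors

PORTS = [  # constructed sample domain
    Port("gw", "promiscuous", 100),
    Port("web1", "isolated", 100, 101), Port("web2", "isolated", 100, 101),
    Port("db1", "community", 100, 102), Port("db2", "community", 100, 102),
    Port("app1", "community", 100, 103),
]

if __name__ == "__main__":
    print(reachable_host_pairs(PORTS))
    print(validate_isolated_trunk([(100, 101), (100, 104)]))
```

Running `reachable_host_pairs` over an inventory of intended port assignments lists every host pair that can exchange frames without passing through a promiscuous port, which is the set to review when private VLANs are used for segmentation.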
Cisco Nexus 7000 Series NX-OS Layer 2 Switching Configuration Guide, Release 5.x
Configuring Private VLANs Using NX-OS
