Understanding Private Vlan Ports - Cisco N5010P-N2K-BE Software Configuration Manual


Chapter 7
Configuring Private VLANs

Understanding Private VLAN Ports

The types of private VLAN ports are as follows:

Promiscuous—A promiscuous port belongs to the primary VLAN. The promiscuous port can communicate with all interfaces, including the community and isolated host ports, that belong to those secondary VLANs associated to the promiscuous port and associated with the primary VLAN. You can have several promiscuous ports in a primary VLAN. Each promiscuous port can have several secondary VLANs, or no secondary VLANs, associated to that port. You can associate a secondary VLAN to more than one promiscuous port, as long as the promiscuous port and secondary VLANs are within the same primary VLAN. You may want to do this for load-balancing or redundancy purposes. You can also have secondary VLANs that are not associated to any promiscuous port.

Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. This port has complete isolation from other ports within the same private VLAN domain, except that it can communicate with associated promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. You can have more than one isolated port in a specified isolated VLAN. Each port is completely isolated from all other ports in the isolated VLAN.

Community—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with associated promiscuous ports. These interfaces are isolated from all other interfaces in other communities and from all isolated ports within the private VLAN domain.

Note: Because trunks can support the VLANs carrying traffic between promiscuous, isolated, and community ports, the isolated and community port traffic might enter or leave the switch through a trunk interface.

Understanding Primary, Isolated, and Community Private VLANs

Primary VLANs and the two types of secondary VLANs (isolated and community) have these characteristics:

Primary VLAN—The primary VLAN carries traffic from the promiscuous ports to the host ports, both isolated and community, and to other promiscuous ports.

Isolated VLAN—An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports. You can configure multiple isolated VLANs in a private VLAN domain; all the traffic remains isolated within each one. Each isolated VLAN can have several isolated ports, and the traffic from each isolated port also remains completely separate.

Community VLAN—A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port and to other host ports in the same community. You can configure multiple community VLANs in a private VLAN domain. The ports within one community can communicate, but these ports cannot communicate with ports in any other community or isolated VLAN in the private VLAN.

Figure 7-2 shows the traffic flows within a private VLAN, along with the types of VLANs and types of ports.

OL-16597-01
Cisco Nexus 5000 Series Switch CLI Software Configuration Guide
About Private VLANs
7-3
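The port rules described above can be checked mechanically when auditing a segmentation design. The following Python model is an added example, not code from the Cisco guide: it applies the promiscuous, isolated and community rules to a list of ports on one switch and reports which pairs can communicate at Layer 2. The names Port, can_talk, reachable_pairs and violations, the port names, and VLAN numbers 100 to 103 are assumptions made for illustration; trunks and routing are not modelled.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Port:
    name: str
    kind: str               # "promiscuous", "isolated" or "community"
    primary: int            # primary VLAN of the private VLAN domain
    secondaries: frozenset  # host port: its one secondary VLAN; promiscuous: associated secondaries

def can_talk(a: Port, b: Port) -> bool:
    """Apply the port rules from the text to one pair of ports on the same switch."""
    if a.primary != b.primary:
        return False                      # different private VLAN domain; routing is out of scope
    kinds = {a.kind, b.kind}
    if kinds == {"promiscuous"}:
        return True                       # the primary VLAN reaches other promiscuous ports
    if "promiscuous" in kinds:
        promisc, host = (a, b) if a.kind == "promiscuous" else (b, a)
        # The host's secondary VLAN must be associated to this promiscuous port.
        return bool(host.secondaries) and host.secondaries <= promisc.secondaries
    if kinds == {"community"}:
        return a.secondaries == b.secondaries   # same community VLAN only
    return False                          # isolated ports reach promiscuous ports only

def reachable_pairs(ports):
    """Every unordered pair of port names that the rules allow to communicate."""
    return {frozenset((a.name, b.name)) for a, b in combinations(ports, 2) if can_talk(a, b)}

def violations(ports, allowed):
    """Reachable pairs that the intended policy (a set of frozensets) does not list."""
    return reachable_pairs(ports) - allowed

# Constructed sample: primary VLAN 100, isolated VLAN 101, community VLANs 102 and 103.
PORTS = [
    Port("gw-a", "promiscuous", 100, frozenset({101, 102, 103})),
    Port("gw-b", "promiscuous", 100, frozenset({101})),   # redundancy for VLAN 101 only
    Port("iso-1", "isolated", 100, frozenset({101})),
    Port("iso-2", "isolated", 100, frozenset({101})),
    Port("web-1", "community", 100, frozenset({102})),
    Port("web-2", "community", 100, frozenset({102})),
    Port("db-1", "community", 100, frozenset({103})),
]

if __name__ == "__main__":
    for pair in sorted(sorted(p) for p in reachable_pairs(PORTS)):
        print(" <-> ".join(pair))
```

Passing the intended allow-list to violations() returns any pair the configuration permits that the design did not intend, which is the set to review before deployment.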
