Configuring Private VLANs
• Promiscuous—A promiscuous port belongs to the primary VLAN. The promiscuous port can communicate with all interfaces, including the community and isolated host ports, that belong to those secondary VLANs associated to the promiscuous port and associated with the primary VLAN. You can have several promiscuous ports in a primary VLAN. Each promiscuous port can have several secondary VLANs or no secondary VLANs that are associated to that port. You can associate a secondary VLAN to more than one promiscuous port, as long as the promiscuous port and secondary VLANs are within the same primary VLAN. You may want to do this for load-balancing or redundancy purposes. You can also have secondary VLANs that are not associated to any promiscuous port.
  A promiscuous port can be configured either as an access port or as a trunk port.
• Isolated—An isolated port is a host port that belongs to an isolated secondary VLAN. This port has complete isolation from other ports within the same private VLAN domain, except that it can communicate with associated promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. You can have more than one isolated port in a specified isolated VLAN. Each port is completely isolated from all other ports in the isolated VLAN.
  An isolated port can be configured as either an access port or a trunk port.
• Community—A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with associated promiscuous ports. These interfaces are isolated from all other interfaces in other communities and from all isolated ports within the private VLAN domain.
  A community port must be configured as an access port. A community VLAN must not be enabled on an isolated trunk.
Note
Because trunks can support the VLANs that carry traffic between promiscuous, isolated, and community ports, the isolated and community port traffic might enter or leave the switch through a trunk interface.
Primary, Isolated, and Community Private VLANs
Primary VLANs and the two types of secondary VLANs (isolated and community) have these characteristics:
• Primary VLAN—The primary VLAN carries traffic from the promiscuous ports to the host ports, both isolated and community, and to other promiscuous ports.
• Isolated VLAN—An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports. You can only configure one isolated VLAN in a private VLAN domain. An isolated VLAN can have several isolated ports. The traffic from each isolated port also remains completely separate.
• Community VLAN—A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port and to other host ports in the same community. You can configure multiple community VLANs in a private VLAN domain. The ports within one community can communicate, but these ports cannot communicate with ports in any other community or isolated VLAN in the private VLAN.
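
The port and VLAN rules above, modelled in Python as an added example (not Cisco code and not part of the guide), so a planned port layout can be checked for unintended reachability before it is configured. The port names, VLAN IDs and the `Port`, `can_talk` and `audit` names are constructed for illustration; ports in different primary VLANs are treated as having no Layer 2 path.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Port:
    name: str
    role: str                        # "promiscuous", "isolated" or "community"
    primary: int                     # primary VLAN ID (the private VLAN domain)
    secondary: int = 0               # host ports: their isolated or community VLAN
    mapped: frozenset = frozenset()  # promiscuous ports: associated secondary VLANs
    mode: str = "access"             # "access" or "trunk"

def can_talk(a, b):
    """True if the rules in the text permit Layer 2 traffic between a and b."""
    if a.name == b.name or a.primary != b.primary:
        return False                 # other domains are outside this model
    if a.role == b.role == "promiscuous":
        return True                  # the primary VLAN reaches other promiscuous ports
    if a.role == "promiscuous":
        return b.secondary in a.mapped
    if b.role == "promiscuous":
        return a.secondary in b.mapped
    return a.role == b.role == "community" and a.secondary == b.secondary  # host to host

def audit(ports):
    """Return violations of the configuration limits stated in the text."""
    problems, isolated = [], {}
    for p in ports:
        if p.role == "isolated":
            isolated.setdefault(p.primary, set()).add(p.secondary)
        if p.role == "community" and p.mode != "access":
            problems.append(f"{p.name}: community port must be an access port")
    for primary, vlans in sorted(isolated.items()):
        if len(vlans) > 1:
            problems.append(f"primary {primary}: isolated VLANs {sorted(vlans)}, only one allowed")
    return problems

PORTS = {p.name: p for p in [  # constructed plan: 100 primary, 101 isolated, 102/103 community
    Port("uplink", "promiscuous", 100, mapped=frozenset({101, 102})),
    Port("backup", "promiscuous", 100, mapped=frozenset({101})),
    Port("web1", "community", 100, 102),
    Port("web2", "community", 100, 102),
    Port("db1", "community", 100, 103),   # 103 is mapped to no promiscuous port
    Port("guest1", "isolated", 100, 101),
    Port("guest2", "isolated", 100, 101),
]}

if __name__ == "__main__":
    for x, y in [("web1", "web2"), ("guest1", "guest2"), ("web1", "backup"), ("db1", "uplink")]:
        print(f"{x} <-> {y}: {can_talk(PORTS[x], PORTS[y])}")
    print(audit(PORTS.values()) or "plan is consistent")
```

In this plan `db1` reaches no promiscuous port because community VLAN 103 is associated with none, and `web1` cannot use `backup` because VLAN 102 is associated only with `uplink`.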
Cisco Nexus 5000 Series NX-OS Layer 2 Switching Configuration Guide, Release 5.0(3)N1(1)