Users Guide
Example PVLAN uses:
● Guest access management—In a hotel, the network administrator places guest ports in an isolated VLAN to give guests
Internet access through the promiscuous uplink port. Because the guest ports are isolated, guests cannot reach each other
directly at Layer 2.
● Service provider networks—With PVLANs, a service provider can give customers Layer 2 separation and use IP address
space more efficiently. For example, the provider can assign a separate community VLAN to each customer and use the
same IP subnet for all community and isolated VLANs associated with the same primary VLAN.
Community VLANs suit the service provider environment because customers want their servers in strictly separated,
customer-specific groups. For example, a community VLAN could hold a set of servers owned by one customer: those
servers can communicate with each other but are isolated from every other customer's servers. Another customer might
have a different set of servers in a different community VLAN. Some customers might want an isolated VLAN instead,
whose ports are also isolated from each other.
PVLAN components
A PVLAN domain consists of a primary VLAN and one or more secondary VLANs. Traffic within a PVLAN is L2 communication.
The types of VLANs in a PVLAN include:
● Primary VLAN—The primary VLAN is the base VLAN of a PVLAN domain.
○ The primary VLAN ID is used as the PVLAN domain ID.
○ A switch can have one or more primary VLANs, or it can have none.
○ A primary VLAN can have zero or more secondary VLANs associated with it.
○ A primary VLAN can have any number of community VLANs but at most one isolated VLAN.
○ If a primary VLAN has no secondary VLAN associated with it, it functions as a regular VLAN.
○ A primary VLAN can have one or more promiscuous ports.
○ Promiscuous ports can be tagged or untagged ports.
○ Any device that is connected to a promiscuous port can communicate with all the ports in the primary and secondary
VLANs.
● Secondary VLANs—A secondary VLAN can be associated with only one primary VLAN. The following are the types of
secondary VLANs:
○ Community VLAN—A type of secondary VLAN where:
■ Hosts that are connected to ports in a community VLAN can communicate with each other.
■ Hosts that are connected to ports in a community VLAN can communicate with all promiscuous ports in the primary
VLAN.
■ Hosts that are connected to ports in a community VLAN cannot communicate with ports in the isolated VLAN or in any
other community VLAN.
■ There can be multiple community VLANs within a single PVLAN domain.
○ Isolated VLAN—A type of secondary VLAN where:
■ Hosts that are connected to ports in an isolated VLAN cannot communicate directly with each other.
■ Hosts that are connected to ports in an isolated VLAN can only communicate with promiscuous ports in the primary
VLAN.
■ The isolation is enforced only for Layer 2 switching within the PVLAN domain. A router or proxy-ARP gateway attached
to a promiscuous port can still forward traffic between two isolated hosts unless it is configured to filter it.
NOTE: You cannot configure the default VLAN as a primary or secondary VLAN.
PVLAN port types include:
● Promiscuous port—A member of a primary VLAN:
○ A promiscuous port can communicate with any other port in the PVLAN.
○ It can be a member of one or more primary VLANs.
○ It can be a member of a regular VLAN.
● Community port—A port that belongs to a community VLAN:
○ A community port can communicate with all other ports in the same community VLAN.
○ It can communicate with the promiscuous ports in the primary VLAN.
● Isolated port—A port that belongs to an isolated VLAN:
○ An isolated port can only communicate with the promiscuous ports in the same PVLAN domain.
○ An isolated VLAN can contain multiple isolated ports. These ports cannot communicate with each other or with
community ports.
● PVLAN trunk port—A regular L2 switch trunk port that carries the VLANs of a PVLAN domain between switches, thereby
extending the PVLAN domain across switches. A trunk port associated with PVLANs in this way is called a PVLAN trunk
port.
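The port-type rules above (and the two deployment examples at the top of this section) can be checked before any switch is configured by modelling the domain. The following Python model is an added example, not code from the Dell guide: it encodes the promiscuous, community and isolated forwarding rules and the structural limits the guide states (one isolated VLAN per primary, no default VLAN as primary or secondary), then exercises them with a hotel-style and a service-provider-style domain. All port names and VLAN IDs in it are illustrative assumptions.

```python
"""PVLAN reachability model (added example, not from the Dell guide).

Encodes the Layer 2 forwarding rules for promiscuous, community and isolated
ports so that a design can be checked before configuration. Port names and
VLAN IDs used in the example domains are illustrative assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple

DEFAULT_VLAN = 1  # the guide: the default VLAN cannot be a primary or secondary VLAN


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # member of the primary VLAN
    COMMUNITY = "community"      # member of a community (secondary) VLAN
    ISOLATED = "isolated"        # member of the single isolated (secondary) VLAN


@dataclass(frozen=True)
class Port:
    name: str
    vlan: int        # primary VLAN ID for promiscuous ports, secondary VLAN ID otherwise
    kind: PortType


@dataclass
class PvlanDomain:
    primary: int                               # the primary VLAN ID doubles as the domain ID
    isolated: Optional[int] = None             # at most one isolated VLAN per domain
    communities: Set[int] = field(default_factory=set)
    ports: Dict[str, Port] = field(default_factory=dict)

    def add_port(self, name: str, vlan: int, kind: PortType) -> None:
        self.ports[name] = Port(name, vlan, kind)

    def validate(self) -> None:
        """Raise ValueError for layouts the guide forbids."""
        secondaries = set(self.communities)
        if self.isolated is not None:
            secondaries.add(self.isolated)
        if self.primary == DEFAULT_VLAN or DEFAULT_VLAN in secondaries:
            raise ValueError("the default VLAN cannot be a primary or secondary VLAN")
        if self.primary in secondaries:
            raise ValueError("a VLAN cannot be both primary and secondary")
        for p in self.ports.values():
            if p.kind is PortType.PROMISCUOUS and p.vlan != self.primary:
                raise ValueError(f"{p.name}: promiscuous ports belong to primary VLAN {self.primary}")
            if p.kind is PortType.COMMUNITY and p.vlan not in self.communities:
                raise ValueError(f"{p.name}: VLAN {p.vlan} is not a community VLAN of this domain")
            if p.kind is PortType.ISOLATED and p.vlan != self.isolated:
                raise ValueError(f"{p.name}: VLAN {p.vlan} is not the isolated VLAN of this domain")

    def can_reach(self, src: str, dst: str) -> bool:
        """Whether the switch forwards a frame from src to dst at Layer 2."""
        a, b = self.ports[src], self.ports[dst]
        if PortType.PROMISCUOUS in (a.kind, b.kind):
            return True                        # promiscuous talks to every port in the domain
        if a.kind is b.kind is PortType.COMMUNITY:
            return a.vlan == b.vlan            # community ports: same community VLAN only
        return False                           # isolated<->isolated and cross-secondary: blocked

    def matrix(self) -> Dict[Tuple[str, str], bool]:
        """Pairwise Layer 2 reachability for every ordered pair of distinct ports."""
        names = sorted(self.ports)
        return {(s, d): self.can_reach(s, d) for s in names for d in names if s != d}


def hotel_example() -> PvlanDomain:
    """Guest access: all guest ports isolated, the Internet uplink promiscuous."""
    dom = PvlanDomain(primary=100, isolated=101)
    dom.add_port("uplink", 100, PortType.PROMISCUOUS)
    for room in ("guest1", "guest2", "guest3"):
        dom.add_port(room, 101, PortType.ISOLATED)
    dom.validate()
    return dom


def provider_example() -> PvlanDomain:
    """Service provider: one community VLAN per customer plus an isolated VLAN, one shared subnet."""
    dom = PvlanDomain(primary=200, isolated=203, communities={201, 202})
    dom.add_port("gateway", 200, PortType.PROMISCUOUS)
    dom.add_port("custA-srv1", 201, PortType.COMMUNITY)
    dom.add_port("custA-srv2", 201, PortType.COMMUNITY)
    dom.add_port("custB-srv1", 202, PortType.COMMUNITY)
    dom.add_port("custC-host", 203, PortType.ISOLATED)
    dom.validate()
    return dom


if __name__ == "__main__":
    for dom in (hotel_example(), provider_example()):
        print(f"PVLAN domain {dom.primary}:")
        for (s, d), ok in dom.matrix().items():
            print(f"  {s:>11} -> {d:<11} {'allowed' if ok else 'blocked'}")
```

The model deliberately covers only what the switch does at Layer 2. It does not represent a router on the promiscuous port, which can forward between two isolated hosts unless it is told not to; that path has to be closed with a filter on the gateway, not with PVLAN configuration.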
Layer 2
663