39-9
Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 39 Configuring Private VLANs About Private VLANs
A packet received on a PVLAN trunk port belongs to the secondary VLAN if the packet is tagged
with a secondary VLAN or if the packet is untagged and the native VLAN on the port is a secondary
VLAN.
A packet received on a PVLAN host or trunk port and assigned to a secondary VLAN is bridged on the
secondary VLAN. Because of this bridging, the secondary VLAN ACL as well as the secondary VLAN
QoS (on input direction) apply.
When a packet is transmitted out of a PVLAN host or trunk port, the packet logically belongs to the
primary VLAN. This relationship applies even though the packet may be transmitted with the secondary
VLAN tagging for PVLAN trunk ports. In this situation, the primary VLAN ACL and the primary VLAN
QoS on output apply to the packet.
Similarly, a packet received on a PVLAN promiscuous access port belongs to the primary VLAN.
A packet received on a PVLAN promiscuous trunk port could belong to the primary VLAN or to a
normal VLAN, depending on the incoming VLAN.
For traffic flowing in a normal VLAN on promiscuous trunk ports, the normal VLAN ACL and QoS policies
apply. For traffic flowing in a PVLAN domain, a packet received on a promiscuous port is bridged in the
primary VLAN. The primary VLAN ACL and QoS policies apply on input.
For egress traffic on twoway-community host port, the secondary VLAN ACL and secondary VLAN
QoS apply to egress unicast routed traffic stemming from the integrated router port.
When a packet is transmitted out of a promiscuous trunk port, the packet could logically belong to the
secondary VLAN if it was received from a secondary port, or to the primary VLAN if it was bridged from
another promiscuous port. Because these two cases cannot be differentiated, all VLAN QoS policies are
ignored on packets egressing promiscuous trunk ports.
PVLANs and Unicast, Broadcast, and Multicast Traffic
In regular VLANs, devices in the same VLAN can communicate with each other at the Layer 2 level, but
devices connected to interfaces in different VLANs must communicate at the Layer 3 level. In PVLANs,
the promiscuous ports are members of the primary VLAN, while the host ports belong to secondary
VLANs. Because the secondary VLAN is associated to the primary VLAN, members of these
VLANs can communicate with each other at the Layer 2 level.
In a regular VLAN, broadcasts are forwarded to all ports in that VLAN. PVLAN broadcast forwarding
depends on the port sending the broadcast:
• An isolated port sends a broadcast only to the promiscuous ports or trunk ports.
• A community port sends a broadcast to all promiscuous ports, trunk ports, and ports in the same
community VLAN.
• A promiscuous port sends a broadcast to all ports in the PVLAN (other promiscuous ports, trunk
ports, isolated ports, and community ports).
Multicast traffic is routed or bridged across private-VLAN boundaries and within a single community
VLAN. Multicast traffic is not forwarded between ports in the same isolated VLAN or between ports in
different secondary VLANs.
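The broadcast-forwarding rules above determine which hosts in a PVLAN can reach each other at Layer 2, which is the property an isolation design depends on. The following model is an added example, not code from this guide or from Cisco; the port roles, the constructed sample topology (VLANs 201 to 203, port names P1, T1, I1, I2, C1 to C3) and the treatment of a PVLAN trunk port as a broadcast source (same reach as an isolated port) are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# PVLAN port roles as used in the guide.
ISOLATED, COMMUNITY, PROMISCUOUS, TRUNK = "isolated", "community", "promiscuous", "trunk"

@dataclass(frozen=True)
class Port:
    name: str
    kind: str                    # one of the four roles above
    vlan: Optional[int] = None   # secondary VLAN of a host port; None for promiscuous/trunk

def broadcast_targets(src: Port, ports: List[Port]) -> Set[str]:
    """Ports that receive a broadcast sent from src (rules from the guide):
    isolated -> promiscuous and trunk ports only; community -> promiscuous,
    trunk, and same-community ports; promiscuous -> every other port.
    A trunk port as source is treated like an isolated port (assumption)."""
    targets = set()
    for p in ports:
        if p is src:
            continue
        if p.kind in (PROMISCUOUS, TRUNK):
            targets.add(p.name)            # every role reaches promiscuous/trunk ports
        elif src.kind == PROMISCUOUS:
            targets.add(p.name)            # promiscuous floods to all host ports
        elif src.kind == COMMUNITY and p.kind == COMMUNITY and p.vlan == src.vlan:
            targets.add(p.name)            # same community VLAN
    return targets

def host_to_host_pairs(ports: List[Port]) -> Set[Tuple[str, str]]:
    """Unordered pairs of host ports that can reach each other at Layer 2 without a
    promiscuous port in between. Anything but same-community pairs here means the
    isolation design is broken."""
    hosts = [p for p in ports if p.kind in (ISOLATED, COMMUNITY)]
    return {(a.name, b.name) for a in hosts for b in hosts
            if a.name < b.name and b.name in broadcast_targets(a, ports)}

# Constructed sample topology: one primary VLAN with isolated VLAN 201 and
# community VLANs 202 and 203 (assumption, not from the guide).
SAMPLE_PORTS = [
    Port("P1", PROMISCUOUS), Port("T1", TRUNK),
    Port("I1", ISOLATED, 201), Port("I2", ISOLATED, 201),
    Port("C1", COMMUNITY, 202), Port("C2", COMMUNITY, 202),
    Port("C3", COMMUNITY, 203),
]

if __name__ == "__main__":
    for p in SAMPLE_PORTS:
        print(f"{p.name:3} ({p.kind:11}) -> {sorted(broadcast_targets(p, SAMPLE_PORTS))}")
    print("host-to-host reachable:", sorted(host_to_host_pairs(SAMPLE_PORTS)))
```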