Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
78-17058-01
Chapter 12 Configuring Private VLANs
Understanding Private VLANs
Types of Private VLANs and Private-VLAN Ports
Private VLANs partition a regular VLAN domain into subdomains. A subdomain is represented by a pair
of VLANs: a primary VLAN and a secondary VLAN. A private VLAN can have multiple VLAN pairs,
one pair for each subdomain. All VLAN pairs in a private VLAN share the same primary VLAN. The
secondary VLAN ID differentiates one subdomain from another. See Figure 12-1.
Figure 12-1 Private-VLAN Domain
There are two types of secondary VLANs:
Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the
Layer 2 level.
Community VLANs—Ports within a community VLAN can communicate with each other but
cannot communicate with ports in other communities at the Layer 2 level. A community VLAN can
include no more than eight user network interfaces (UNIs).
Private VLANs provide Layer 2 isolation between ports within the same private VLAN. Private-VLAN
ports are access ports that are one of these types:
Promiscuous—A promiscuous port belongs to the primary VLAN and can communicate with all
interfaces, including the community and isolated host ports that belong to the secondary VLANs
associated with the primary VLAN.
Note Promiscuous ports must be network node interfaces (NNIs). UNIs cannot be configured as
promiscuous ports.
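The isolation rules above can be checked against a planned port layout before it is deployed. The following is an added example, not code from the Cisco guide: a Python model of Layer 2 reachability between private-VLAN ports, plus a check of the two platform rules stated above (promiscuous ports must be NNIs, and a community VLAN holds at most eight UNIs). The port names, VLAN IDs, and the Port, can_talk_l2 and design_errors names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_UNIS_PER_COMMUNITY = 8  # limit stated in the text above

@dataclass(frozen=True)
class Port:
    name: str
    role: str                        # "promiscuous", "isolated" or "community"
    iface: str                       # "NNI" or "UNI"
    primary: int                     # primary VLAN ID
    secondary: Optional[int] = None  # secondary VLAN ID (host ports only)

def can_talk_l2(a: Port, b: Port) -> bool:
    """Layer 2 reachability between two distinct ports of a private VLAN."""
    if a.primary != b.primary:
        return False                 # different private-VLAN domains
    if "promiscuous" in (a.role, b.role):
        return True                  # promiscuous reaches every associated host port
    if a.role == b.role == "community":
        return a.secondary == b.secondary  # same community only
    return False                     # isolated never reaches another host port

def design_errors(ports: List[Port]) -> List[str]:
    """Check a plan against the two platform rules quoted above."""
    errors, unis = [], {}
    for p in ports:
        if p.role == "promiscuous" and p.iface != "NNI":
            errors.append(f"{p.name}: promiscuous port must be an NNI")
        if p.role == "community" and p.iface == "UNI":
            key = (p.primary, p.secondary)
            unis[key] = unis.get(key, 0) + 1
    for (_, secondary), n in sorted(unis.items()):
        if n > MAX_UNIS_PER_COMMUNITY:
            errors.append(f"community VLAN {secondary}: {n} UNIs, limit is "
                          f"{MAX_UNIS_PER_COMMUNITY}")
    return errors

# Constructed sample plan: primary VLAN 100, isolated VLAN 101, communities 102 and 103.
UPLINK = Port("gi0/1", "promiscuous", "NNI", 100)
ISO_A = Port("fa0/1", "isolated", "UNI", 100, 101)
ISO_B = Port("fa0/2", "isolated", "UNI", 100, 101)
COM_A = Port("fa0/3", "community", "UNI", 100, 102)
COM_B = Port("fa0/4", "community", "UNI", 100, 102)
COM_C = Port("fa0/5", "community", "UNI", 100, 103)

if __name__ == "__main__":
    plan = [UPLINK, ISO_A, ISO_B, COM_A, COM_B, COM_C]
    for a in plan:
        print(a.name, [b.name for b in plan if b is not a and can_talk_l2(a, b)])
    print(design_errors(plan) or "plan passes both rules")
```

The model covers Layer 2 forwarding only, which is the scope of the isolation described above; traffic routed by a device behind the promiscuous port is outside it.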
[Figure 12-1 labels: Private VLAN domain; Primary VLAN; Subdomain; Secondary community VLAN; Secondary isolated VLAN]