34-2
Software Configuration Guide—Release 12.2(25)SG
OL-76590-03
Chapter 34 Configuring Private VLANs
Overview of PVLANs
Isolated and community VLANs are called secondary VLANs. You can extend PVLANs across multiple
devices by trunking the primary, isolated, and community VLANs to other devices that support
PVLANs.
In a switched environment, you can assign an individual PVLAN and associated IP subnet to each individual or common group of end stations. The end stations need to communicate with a default gateway only to gain access outside the PVLAN. With end stations in a PVLAN, you can do the following:
• Designate which ports will be connected to end stations. For example, configuring the interfaces connected to servers as isolated ports prevents any Layer 2 communication between those servers.
• Designate the interfaces to which the default gateway(s) and selected end stations (for example, backup servers or LocalDirector) are attached as promiscuous ports, to allow all end stations access to them.
• Reduce VLAN and IP subnet consumption, because you can prevent traffic between end stations even though they are in the same VLAN and IP subnet.
Note A promiscuous port can service only one primary VLAN. A promiscuous port can service one isolated
or many community VLANs.
With a promiscuous port, you can connect a wide range of devices as access points to a PVLAN. For example, you can connect a promiscuous port to the server port of a LocalDirector to connect an isolated VLAN or a number of community VLANs to the server. LocalDirector can then load balance the servers present in the isolated or community VLANs, or you can use a promiscuous port to monitor or back up all the PVLAN servers from an administration workstation.
PVLAN Trunks
A PVLAN trunk port can carry multiple secondary and non-PVLAN VLANs. Packets are received and transmitted with secondary or regular VLAN tags on PVLAN trunk ports.
PVLAN trunk port behavior is the same as PVLAN isolated or community port behavior, except that a PVLAN trunk port can tag packets and carry multiple secondary and regular VLANs.
Note Only IEEE 802.1q encapsulation is supported.
PVLANs and VLAN ACL/QoS
PVLAN ports use primary and secondary VLANs as follows:
• A packet received on a PVLAN host port belongs to the secondary VLAN.
• A packet received on a PVLAN trunk port belongs to the secondary VLAN if the packet is tagged with a secondary VLAN, or if the packet is untagged and the native VLAN on the port is a secondary VLAN.
A packet received on a PVLAN host or trunk port and assigned to a secondary VLAN is bridged on the secondary VLAN. Because of this bridging, the secondary VLAN ACL as well as the secondary VLAN QoS (in the input direction) apply.
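The following is an added example, not part of this guide or Cisco's software: a small Python model of the classification and Layer 2 isolation rules described in the overview and in the ACL/QoS section above. The VLAN numbers (primary 100, isolated 101, community 102, regular 200), the port names, and the assumption that a promiscuous port receives frames in the primary VLAN and that a trunk carries every VLAN are constructed for the illustration; the isolated/community/promiscuous reachability rules are standard PVLAN semantics.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed layout (assumption, not from the guide): primary VLAN 100 with isolated
# VLAN 101 and community VLAN 102 associated to it; VLAN 200 is an ordinary VLAN.
PRIMARY, ISOLATED, COMMUNITY, REGULAR = 100, 101, 102, 200
SECONDARY = {ISOLATED: "isolated", COMMUNITY: "community"}

@dataclass
class Port:
    name: str
    mode: str                     # "host", "promiscuous" or "trunk"
    vlan: Optional[int] = None    # host port: the secondary VLAN it is assigned to
    native: Optional[int] = None  # trunk port: its native VLAN

def ingress_vlan(port: Port, tag: Optional[int] = None) -> int:
    """VLAN a received frame is bridged in, following the guide's classification rules."""
    if port.mode == "host":
        return port.vlan                            # always the host port's secondary VLAN
    if port.mode == "trunk":
        return port.native if tag is None else tag  # the tag, or native VLAN when untagged
    return PRIMARY                                  # promiscuous port: primary (assumption)

def role(port: Port, vlan: int) -> str:
    """A PVLAN trunk acts as an isolated or community port per the secondary VLAN carried."""
    if port.mode == "promiscuous":
        return "promiscuous"
    return SECONDARY.get(vlan, "regular")

def member(port: Port, vlan: int) -> bool:
    """Whether `port` participates in `vlan` (trunks assumed to carry every VLAN)."""
    if port.mode == "host":
        return port.vlan == vlan or vlan == PRIMARY  # hosts also receive primary-VLAN traffic
    if port.mode == "promiscuous":
        return vlan == PRIMARY or vlan in SECONDARY
    return True

def l2_delivery_allowed(src: Port, dst: Port, tag: Optional[int] = None) -> bool:
    """Can a frame received on `src` be delivered at Layer 2 out of `dst`? Promiscuous
    reaches all, isolated reaches only promiscuous, community reaches its own community."""
    vlan = ingress_vlan(src, tag)          # secondary-VLAN ACL/QoS would apply here
    if src is dst or not member(dst, vlan):
        return False
    src_role, dst_role = role(src, vlan), role(dst, vlan)
    if "promiscuous" in (src_role, dst_role):
        return True
    if src_role == "isolated":
        return False                       # no peer-to-peer Layer 2 traffic at all
    return src_role == dst_role            # same community, or plain VLAN bridging
```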