About Private VLANs
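Figure 7-2 Private VLAN Traffic Flows (diagram not reproduced; it shows the promiscuous ports, Community A ports, Community B ports and isolated ports across the primary VLAN, Community A VLAN, Community B VLAN and isolated VLAN)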
Note
The private VLAN traffic flows are unidirectional from the host ports to the promiscuous ports. Traffic
received on the primary VLAN enforces no separation, and forwarding is done as in a normal VLAN.
A promiscuous port can serve only one primary VLAN and multiple secondary VLANs (community and
isolated VLANs). With a promiscuous port, you can connect a wide range of devices as access points to
a private VLAN. For example, you can use a promiscuous port to monitor or back up all the private
VLAN servers from an administration workstation.
In a switched environment, you can assign an individual private VLAN and associated IP subnet to each
individual or common group of end stations. The end stations need to communicate only with a default
gateway to communicate outside the private VLAN.
Associating Primary and Secondary VLANs
For host ports in secondary VLANs to communicate outside the private VLAN, you associate secondary
VLANs to the primary VLAN. If the association is not operational, the host ports (community and
isolated ports) in the secondary VLAN are brought down.
Note
You can associate a secondary VLAN with only one primary VLAN.
For an association to be operational, the following conditions must be met:
• The primary VLAN must exist and be configured as a primary VLAN.
• The secondary VLAN must exist and be configured as either an isolated or community VLAN.
Cisco Nexus 5000 Series Switch CLI Software Configuration Guide
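
The association conditions above can be checked offline before a change reaches the switch. The following Python is an added example, not code from the Cisco guide: it parses a constructed NX-OS-style configuration snippet and reports every association that breaks one of the two conditions or the rule that a secondary VLAN can have only one primary. The function names (expand, parse, audit) are hypothetical, and the parser assumes plain `private-vlan association` lists of VLAN IDs and ranges.

```python
import re

# Constructed sample in NX-OS running-config style (not taken from the guide).
SAMPLE_CONFIG = """\
vlan 5
  private-vlan primary
  private-vlan association 100-101,200
vlan 6
  private-vlan primary
  private-vlan association 101
vlan 100
  private-vlan community
vlan 101
  private-vlan isolated
"""

def expand(vlan_list):
    """Expand '100-101,200' into [100, 101, 200]."""
    out = []
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        out.extend(range(int(lo), int(hi or lo) + 1))
    return out

def parse(config):
    """Return ({vlan: pvlan_type}, [(primary, secondary), ...])."""
    types, assoc, current = {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            current = int(m.group(1))
            types.setdefault(current, "normal")
        elif m := re.fullmatch(r"private-vlan (primary|community|isolated)", line):
            types[current] = m.group(1)
        elif m := re.fullmatch(r"private-vlan association ([\d,-]+)", line):
            assoc += [(current, sec) for sec in expand(m.group(1))]
    return types, assoc

def audit(config):
    """Report associations that cannot become operational."""
    types, assoc = parse(config)
    findings, owner = [], {}
    for pri, sec in assoc:
        if types.get(pri) != "primary":
            findings.append(f"{pri}->{sec}: VLAN {pri} is not configured as primary")
        if types.get(sec) not in ("community", "isolated"):
            findings.append(f"{pri}->{sec}: VLAN {sec} is missing or not isolated/community")
        if owner.setdefault(sec, pri) != pri:
            findings.append(f"{pri}->{sec}: VLAN {sec} is already associated with primary {owner[sec]}")
    return findings
```

Each finding marks an association whose host ports in the secondary VLAN would stay down, so an empty result is the expected state before deployment.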
Chapter 7
Configuring Private VLANs
OL-16597-01