Cisco Nexus 5000 Series Switch CLI Software Configuration Guide, NX-OS 4.0(1a)N1 (OL-16597-01, January 2009)

Chapter 7 Configuring Private VLANs
About Private VLANs
Figure 7-2 Private VLAN Traffic Flows
Note The private VLAN traffic flows are unidirectional from the host ports to the promiscuous ports. Traffic
received on the primary VLAN enforces no separation, and forwarding is done as in a normal VLAN.
A promiscuous port can serve only one primary VLAN and multiple secondary VLANs (community and
isolated VLANs). With a promiscuous port, you can connect a wide range of devices as access points to
a private VLAN. For example, you can use a promiscuous port to monitor or back up all the private
VLAN servers from an administration workstation.
In a switched environment, you can assign an individual private VLAN and associated IP subnet to each
individual or common group of end stations. The end stations need to communicate only with a default
gateway to communicate outside the private VLAN.

Associating Primary and Secondary VLANs

For host ports in secondary VLANs to communicate outside the private VLAN, you associate secondary
VLANs to the primary VLAN. If the association is not operational, the host ports (community and
isolated ports) in the secondary VLAN are brought down.
Note You can associate a secondary VLAN with only one primary VLAN.
For an association to be operational, the following conditions must be met:
• The primary VLAN must exist and be configured as a primary VLAN.
• The secondary VLAN must exist and be configured as either an isolated or community VLAN.
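
The two conditions above, together with the rule that a secondary VLAN can be associated with only one primary VLAN, can be checked offline against a saved configuration before host ports are brought down by a non-operational association. The following Python audit is an added example, not part of the Cisco guide; it assumes the NX-OS `private-vlan primary | isolated | community` and `private-vlan association` VLAN-mode statements, which this page does not show, and the sample configuration and function names are constructed for illustration.

```python
import re

# Constructed sample config (NX-OS-style private-vlan statements; not from the guide).
SAMPLE_CONFIG = """\
vlan 100
  private-vlan primary
  private-vlan association 101-102,105
vlan 101
  private-vlan community
vlan 102
  private-vlan isolated
vlan 200
  private-vlan primary
  private-vlan association 102,103
vlan 103
"""

def expand(spec):
    """Expand a VLAN list such as '101-102,105' into a list of ints."""
    pairs = (p.partition("-") for p in spec.split(","))
    return [n for lo, _, hi in pairs for n in range(int(lo), int(hi or lo) + 1)]

def parse(config):
    """Return {vlan_id: {'type': str or None, 'assoc': [ids]}} for each defined VLAN."""
    vlans, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"vlan (\d+)$", line):
            cur = vlans.setdefault(int(m.group(1)), {"type": None, "assoc": []})
        elif cur is not None and (m := re.match(r"\s+private-vlan (primary|isolated|community)$", line)):
            cur["type"] = m.group(1)
        elif cur is not None and (m := re.match(r"\s+private-vlan association ([\d,-]+)$", line)):
            cur["assoc"] += expand(m.group(1))
    return vlans

def audit(config):
    """Return (primary, secondary, problem) tuples for associations that cannot be operational."""
    vlans, owner, findings = parse(config), {}, []
    for pid, v in sorted(vlans.items()):
        for sid in v["assoc"]:
            if v["type"] != "primary":
                findings.append((pid, sid, "primary VLAN not configured as primary"))
            sec = vlans.get(sid)
            if sec is None:
                findings.append((pid, sid, "secondary VLAN does not exist"))
            elif sec["type"] not in ("isolated", "community"):
                findings.append((pid, sid, "secondary VLAN is not isolated or community"))
            if owner.setdefault(sid, pid) != pid:
                findings.append((pid, sid, f"secondary already associated with primary {owner[sid]}"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports VLAN 105 as missing, VLAN 102 as claimed by two primaries, and VLAN 103 as lacking a secondary type.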
[Figure 7-2 labels: Primary VLAN, Community A VLAN, Community B VLAN, Isolated VLAN; promiscuous port, Community A ports, Community B ports, isolated ports]