PVLAN structure

Primary VLAN

The primary VLAN is the standard VLAN that is partitioned to create the PVLAN. The primary VLAN delivers traffic downstream from the router to all mapped hosts, and contains the uplink from the connected devices to the router.

The secondary VLANs must use the primary VLAN to communicate with other secondary VLANs or to VLANs outside the PVLAN. This communication occurs through one or more promiscuous ports associated with the primary VLAN.

By default, all ports in the primary VLAN act as promiscuous ports.

Primary VLAN in PVLAN

Secondary VLANs

Isolated VLAN

Ports in an isolated VLAN can communicate using Layer 2 with the promiscuous ports of the primary VLAN only. The ports that are associated with an isolated VLAN do not have Layer 2 connectivity between each other, but hosts can communicate with each other using a Layer 3 device.

Isolated VLAN communications
Community VLAN

The ports associated with a community VLAN can communicate using Layer 2 with each other and with the primary VLAN, but not directly with ports in other community VLANs.

For one community VLAN port to communicate with a different community VLAN port, the port traffic must go through the Layer 3 device.

Community VLAN communications