15-2
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Chapter 15 Configuring Private VLANs
Understanding How Private VLANs Work
Private VLAN Domains
The private VLAN feature addresses two problems that service providers encounter when using VLANs:
•
The router supports up to 4096 VLANs. If a service provider assigns one VLAN per customer, the
number of customers that service provider can support is limited.
•
To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which
can result in wasting the unused IP addresses and creating IP address management problems.
Using private VLANs solves the scalability problem and provides IP address management benefits for
service providers and Layer 2 security for customers.
The private VLAN feature partitions the Layer 2 broadcast domain of a VLAN into subdomains. A
subdomain is represented by a pair of private VLANs: a primary VLAN and a secondary VLAN. A
private VLAN domain can have multiple private VLAN pairs, one pair for each subdomain. All VLAN
pairs in a private VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates
one subdomain from another (see
Figure 15-1
).
Figure 15-1
Private VLAN Domain
A private VLAN domain has only one primary VLAN. Every port in a private VLAN domain is a
member of the primary VLAN. In other words, the primary VLAN is the entire private VLAN domain.
Secondary VLANs provide Layer 2 isolation between ports within the same private VLAN domain.
There are two types of secondary VLANs:
•
Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the
Layer 2 level.
•
Community VLANs—Ports within a community VLAN can communicate with each other but
cannot communicate with ports in other communities at the Layer 2 level.
116083
Private
VLAN
domain
Private
VLAN
domain
Primary
VLAN
Subdomain
Subdomain
Secondary
community VLAN
Secondary
isolated VLAN
Subdomain
Subdomain
Secondary
community VLAN
Secondary
isolated VLAN