796 | Private VLANs (PVLAN)
www.dell.com | support.dell.com

• Ports in a community VLAN can communicate with each other.
• Ports in a community VLAN can communicate with all promiscuous ports in the primary VLAN.
• A community VLAN can only contain ports configured as host.

Isolated VLAN — An isolated VLAN is a type of secondary VLAN in a primary VLAN:
• Ports in an isolated VLAN cannot talk directly to each other.
• Ports in an isolated VLAN can only communicate with promiscuous ports in the primary VLAN.
• An isolated VLAN can only contain ports configured as host.

Primary VLAN — A primary VLAN is the base VLAN of a private VLAN:
• A switch can have one or more primary VLANs, and it can have none.
• A primary VLAN has one or more secondary VLANs.
• A primary VLAN and each of its secondary VLANs decrement the available number of VLAN IDs in the switch.
• A primary VLAN has one or more promiscuous ports.
• A primary VLAN might have one or more trunk ports, or none.

Secondary VLAN — A secondary VLAN is a subdomain of the primary VLAN.
There are two types of secondary VLAN — community VLAN and isolated VLAN.

PVLAN port types:
• Community port: A community port is, by definition, a port that belongs to a community VLAN and is allowed to communicate with other ports in the same community VLAN and with promiscuous ports.
• Host port: A host port, in the context of a private VLAN, is a port in a secondary VLAN:
  • The port must first be assigned that role in INTERFACE mode.
  • A port assigned the host role cannot be added to a regular VLAN.
• Isolated port: An isolated port is, by definition, a port that, in Layer 2, can only communicate with promiscuous ports that are in the same PVLAN.
• Promiscuous port: A promiscuous port is, by definition, a port that is allowed to communicate with any other port type in the PVLAN:
  • A promiscuous port can be part of more than one primary VLAN.
  • A promiscuous port cannot be added to a regular VLAN.
• Trunk port: A trunk port, by definition, carries traffic between switches:
  • A trunk port in a PVLAN is always tagged.
  • Primary or secondary VLAN traffic is carried by the trunk port in tagged mode. The tag on the packet helps identify the VLAN to which the packet belongs.
  • A trunk port can also belong to a regular VLAN (non-private VLAN).

Each of the port types can be any type of physical Ethernet port, including port channels (LAGs). For details on port channels, see Port Channel Interfaces on page 482 in Chapter 23, Interfaces.

For an introduction to VLANs, see Chapter 29, Layer 2.
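
The community, isolated and promiscuous rules above, written as a small Python model that lists which host ports can reach each other directly at Layer 2, which is the check to run when reviewing a PVLAN segmentation plan. This is an added example, not Dell code: the Port class, the function names and the sample VLAN IDs are assumptions, trunk ports are left out, and each port is modelled in a single primary VLAN.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Port:
    name: str
    role: str           # "host" or "promiscuous"
    primary: int        # primary VLAN ID
    secondary: int = 0  # secondary VLAN ID; 0 for promiscuous ports

def validate(ports, secondary_types):
    """Return violations of the membership rules for secondary VLANs."""
    errors = []
    for p in ports:
        if p.role == "host" and p.secondary not in secondary_types:
            errors.append(f"{p.name}: host port is not in a secondary VLAN")
        if p.role != "host" and p.secondary in secondary_types:
            errors.append(f"{p.name}: only host ports may be in a secondary VLAN")
    return errors

def can_talk(a, b, secondary_types):
    """True if a and b may exchange Layer 2 frames directly."""
    if a.primary != b.primary:
        return False  # assumption: separate primary VLANs do not bridge
    if "promiscuous" in (a.role, b.role):
        return True   # promiscuous ports reach every port type in the PVLAN
    if a.secondary != b.secondary:
        return False  # hosts in different secondary VLANs
    return secondary_types.get(a.secondary) == "community"  # isolated: never

def host_pairs(ports, secondary_types):
    """Host-to-host pairs that can talk without passing a promiscuous port."""
    hosts = [p for p in ports if p.role == "host"]
    return [(a.name, b.name) for a, b in combinations(hosts, 2)
            if can_talk(a, b, secondary_types)]

# Constructed sample: primary VLAN 10, community VLAN 101, isolated VLAN 102.
TYPES = {101: "community", 102: "isolated"}
PORTS = [
    Port("uplink", "promiscuous", 10),
    Port("web1", "host", 10, 101),
    Port("web2", "host", 10, 101),
    Port("guest1", "host", 10, 102),
    Port("guest2", "host", 10, 102),
]

if __name__ == "__main__":
    print(validate(PORTS, TYPES))
    print(host_pairs(PORTS, TYPES))
```

Any pair returned by host_pairs is a direct host-to-host path inside the PVLAN; in the sample only the two community ports qualify, and the isolated ports reach nothing but the promiscuous uplink.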