Private VLANs work around VLAN ID limitations by further segmenting the logical broadcast domain of a single VLAN into multiple smaller broadcast subdomains.

A private VLAN is identified by its primary VLAN ID. A primary VLAN ID can have multiple secondary VLAN IDs associated with it. Primary VLANs are Promiscuous, so that ports on a private VLAN can communicate with ports configured as the primary VLAN. Ports on a secondary VLAN can be either Isolated, communicating only with promiscuous ports, or Community, communicating with both promiscuous ports and other ports on the same secondary VLAN.

To use private VLANs between a host and the rest of the physical network, the physical switch connected to the host must be private VLAN-capable and configured with the VLAN IDs that ESXi uses for the private VLAN functionality. For physical switches that use dynamic MAC+VLAN ID-based learning, all corresponding private VLAN IDs must first be entered into the switch's VLAN database.

Create a Private VLAN

Create the necessary private VLANs on the vSphere Distributed Switch to be able to assign distributed ports to participate to a private VLAN.

Procedure

  1. On the vSphere Client Home page, click Networking and navigate to the distributed switch.
  2. On the Configure tab, expand Settings and select Private VLAN.
  3. Click Edit.
  4. To add a primary VLAN, above Primary VLAN ID click the plus sign (+) button.
    The primary private VLAN also appears under Secondary Private VLAN ID.
  5. To add a secondary VLAN, in the right pane click the plus sign (+) button.
  6. From the drop-down menu in the Secondary VLAN type column, select either Isolated or Community.
  7. Click OK.

What to do next

Configure a distributed port group or port to associate traffic with the private VLAN. See Configure VLAN Tagging on a Distributed Port Group or Distributed Port.

Remove a Primary Private VLAN

Remove unused primary VLANs from the configuration of a vSphere Distributed Switch.

When you remove a primary private VLAN, you also remove the associated secondary private VLANs.

Prerequisites

Verify that no port groups are configured to use the primary VLAN and its associated secondary VLANs.

Procedure

  1. On the vSphere Client Home page, click Networking and navigate to the distributed switch.
  2. On the Configure tab, expand Settings and select Private VLAN.
  3. Click Edit.
  4. Select the primary private VLAN to remove.
  5. Click the times sign (x) button above the Primary VLAN ID list.
  6. Click OK.

Remove a Secondary Private VLAN

Remove unused secondary private VLANs from the configuration of a vSphere Distributed Switch.

Prerequisites

Verify that no port groups are configured to use the secondary VLAN.

Procedure

  1. On the vSphere Client Home page, click Networking and navigate to the distributed switch.
  2. On the Configure tab, expand Settings and select Private VLAN.
  3. Click Edit.
  4. Select a primary private VLAN.
    The secondary private VLANs associated with it appear on the right.
  5. Select the secondary private VLAN to remove.
  6. Above the secondary VLAN ID list, click the times sign (x) button and click OK.
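The following Python model is an added example, not VMware code and not part of this documentation. It implements the private VLAN rules from the overview (promiscuous, isolated and community ports) together with the semantics of the create and remove procedures above: a new primary VLAN also appears as its own promiscuous secondary entry, removing a primary removes its associated secondaries, and removal is refused while a port group still uses the VLAN (the prerequisite each remove procedure asks you to verify). The VLAN IDs, port group names and the PvlanTable class are constructed for illustration.

```python
"""Stand-alone model of vSphere Distributed Switch private VLAN semantics.
Constructed example: VLAN IDs and port group names are made up."""

from dataclasses import dataclass, field

PROMISCUOUS = "promiscuous"
ISOLATED = "isolated"
COMMUNITY = "community"


@dataclass
class PvlanTable:
    # secondary VLAN ID -> (primary VLAN ID, PVLAN type)
    entries: dict = field(default_factory=dict)
    # secondary VLAN ID -> set of port group names that use it
    port_groups: dict = field(default_factory=dict)

    def add_primary(self, primary: int) -> None:
        """A new primary VLAN also appears as its own promiscuous secondary."""
        if primary in self.entries:
            raise ValueError(f"VLAN {primary} is already in the PVLAN table")
        self.entries[primary] = (primary, PROMISCUOUS)

    def add_secondary(self, primary: int, secondary: int, pvlan_type: str) -> None:
        """Attach an isolated or community secondary VLAN to an existing primary."""
        if self.entries.get(primary) != (primary, PROMISCUOUS):
            raise ValueError(f"{primary} is not a primary private VLAN")
        if pvlan_type not in (ISOLATED, COMMUNITY):
            raise ValueError("secondary type must be isolated or community")
        if secondary in self.entries:
            raise ValueError(f"VLAN {secondary} is already in the PVLAN table")
        self.entries[secondary] = (primary, pvlan_type)

    def assign_port_group(self, name: str, secondary: int) -> None:
        """Associate a distributed port group with a private VLAN entry."""
        if secondary not in self.entries:
            raise ValueError(f"VLAN {secondary} is not a private VLAN")
        self.port_groups.setdefault(secondary, set()).add(name)

    def _in_use(self, vlan_ids) -> list:
        return sorted(pg for v in vlan_ids for pg in self.port_groups.get(v, ()))

    def remove_secondary(self, secondary: int) -> None:
        """Remove one secondary VLAN; refused while a port group still uses it."""
        _, pvlan_type = self.entries[secondary]
        if pvlan_type == PROMISCUOUS:
            raise ValueError("use remove_primary to remove a primary VLAN")
        users = self._in_use([secondary])
        if users:
            raise ValueError(f"VLAN {secondary} is still used by {users}")
        del self.entries[secondary]

    def remove_primary(self, primary: int) -> list:
        """Removing a primary removes every secondary associated with it."""
        if self.entries.get(primary) != (primary, PROMISCUOUS):
            raise ValueError(f"{primary} is not a primary private VLAN")
        associated = [s for s, (p, _) in self.entries.items() if p == primary]
        users = self._in_use(associated)
        if users:
            raise ValueError(f"primary {primary} or its secondaries still used by {users}")
        for s in associated:
            del self.entries[s]
        return associated

    def can_communicate(self, vlan_a: int, vlan_b: int) -> bool:
        """Apply the PVLAN forwarding rules to two ports' secondary VLAN IDs."""
        pa, ta = self.entries[vlan_a]
        pb, tb = self.entries[vlan_b]
        if pa != pb:
            return False  # different primaries are separate broadcast domains
        if PROMISCUOUS in (ta, tb):
            return True  # promiscuous ports reach every port in the primary
        if ta == COMMUNITY and vlan_a == vlan_b:
            return True  # ports in the same community secondary
        return False  # isolated ports, or ports in different communities


def demo() -> dict:
    """Walk through create, reachability and remove on a constructed table."""
    t = PvlanTable()
    t.add_primary(100)
    t.add_secondary(100, 101, ISOLATED)
    t.add_secondary(100, 102, COMMUNITY)
    t.add_secondary(100, 103, COMMUNITY)
    t.add_primary(200)
    t.assign_port_group("dmz-web", 102)  # constructed port group name
    results = {
        "isolated_to_promiscuous": t.can_communicate(101, 100),
        "isolated_to_isolated": t.can_communicate(101, 101),
        "community_same": t.can_communicate(102, 102),
        "community_other": t.can_communicate(102, 103),
        "cross_primary": t.can_communicate(100, 200),
    }
    try:
        t.remove_primary(100)  # 102 is still assigned to a port group
        results["remove_in_use"] = "allowed"
    except ValueError:
        results["remove_in_use"] = "refused"
    t.remove_secondary(101)  # unused isolated secondary can go
    results["removed_200"] = t.remove_primary(200)
    results["remaining"] = sorted(t.entries)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The can_communicate check is a convenient place to sanity-check a planned PVLAN layout before configuring the physical switch: if two port groups that must never exchange traffic come back True, the secondary types or the primary assignment need another look.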