Understanding vSphere Private VLANs For Fun and Profit

Right on the heels of my session on the Networking section (Objective 2) of the vBrownBag studies series, this post will go over Private VLANs. For those that are going “What is a vBrownBag?” please do your self a huge favor and check it out – this is a superb series run by Cody Bunch and Damian Karlson that has been literally going on for years. It is a great educational platform with a number of rockstar speakers.

I have no clue how many turtles you can fit on a rock. šŸ™

While I’m not writing this as some sort of greater VCAP-DCA study guide, I do think it ties in nicely to a number of VMTN forum questions that I’ve seen and my latest splurge of networking related posts. Also, it gives me a great excuse to do some mini-infographic work, which I really enjoy.

Note: One thing I do want to emphasis is that the Private VLAN concept is not limited to vSphere. It’s a networking technique that has been employed on switches for quite some time. However, it is available within vSphere as an added feature when using a vSphere Distributed Switch.

What Makes A VLAN “Private”

The gist is that you have a logicalĀ encapsulationĀ of VLANs within a VLAN. Raise your hand if that made you think of the Xzibit “Yo dawg…” meme.

The infographic below details this a bit more. The blue Promiscuous VLAN is a Primary Private VLAN. It is an externally facing VLAN that is accessible to the external network, and needs to be an available VLAN that can be used by your network.

The Promiscuous VLAN acts as a gateway into the next tier of VLANs called Secondary Private VLANs. These are only reachable through the Promiscuous VLAN. As you may have already guessed, it’s quite common to put a router or multilayer switching virtual machine / appliance in the Promiscuous VLAN so that it can appropriately route traffic into the Secondary Private VLANs. It is also possible to simply have a multi homed virtual machine that uses a vNIC in a Secondary Private VLAN to reach other virtual machines.

Secondary Private VLANs

The Secondary Private VLANs are further broken up into two types: Community and Isolated.

A Community Secondary Private VLAN is one that can talk amongst itself, but can not directly contact any other Secondary Private VLANs. In the diagram above, the white bus connecting the 4 VM cubes denote that each VM can talk to each other, or to the Promiscuous VLAN.

The Isolated Secondary Private VLAN is unique – you can only have one per Private VLAN. VMs inside the Isolated VLAN can not even talk to each other; they can only communicate directly with the Promiscuous Primary VLAN.

Here is a screenshot of the Private VLAN setup on a vDS. I’ve highlighted each VLAN type with a colored box to match the infographic.

Physical Switch Compatibility Required

When you use a Private VLAN with VMs on multiple hosts, you must be aware that your physical switches must also support Private VLANs. Otherwise, the traffic may not be able to reach the other hosts, as the traffic will have to leave one host to reach another and may be discarded at the physical switching layer.

Fortunately, support for PVLANs is rather common.


While I don’t see PVLANs in production that often, I have been assured that folks are using them. Realistically, I can see a some use cases for them where you need to fence off applications (perhaps pre-production?) or wish to have it serve as a method of security to logically segment your virtual machines. This, of course, assumes you trust VLANs as a method of security, which is something I see debated off and on, but mostly tend to trust for my own uses.