Private VLANs w/ VMware vDS and Cisco Nexus 5000: A Configuration Reference

When configuring the networks of a virtualized environment, private VLANs expand the functionality of a standard VLAN.  This article describes the configuration of PVLANs from both the VMware and Cisco perspectives.  The purpose of this article is to provide a brief configuration overview.  It’s likely you already know what PVLANs are and how they work, so I won’t go into much detail there.  For more information about VLANs and PVLANs, check out Cisco’s Securing Networks with Private VLANs and VLAN Access Control Lists.

Usage Scenarios

  1. DMZ security – Servers running in a DMZ can be isolated from one another. Should a DMZ guest be compromised, the guest is unable to communicate with any other guest in the the DMZ (given each are a part of an isolated PVLAN)
  2. Hosted cloud infrastructure – A customer environment (consisting of multiple guests) in a community PVLAN are able to communicate amongst themselves, but cannot communicate with a different community PVLAN
  3. Overcome standard VLAN limitations – While PVLANs exist with their own set of limitations, private VLANs greatly extend the functionality and usefulness of a standard VLAN

Configuration Overview

vlan 2410 int: (primary 2410, secondary 2411)
vlan 2412 int: (primary 2412, secondary 2413)
vlan 2411 – isolated
vlan 2413 – community
bperove-vm1: – dvPortGroup1 – primary 2410, secondary 2411
bperove-vm2: – dvPortGroup1 – primary 2410, secondary 2411
bperove-vm3: – dvPortGroup2 – primary 2412, secondary 2413
bperove-vm4: – dvPortGroup2 – primary 2412, secondary 2413
bperove-vm5: – dvPortGroup2 – primary 2412, secondary 2413
bperove-vm6: – dvPortGroup3 – primary 2412, secondary 2412

Configuration of VMware vDS (DVS)

CDP information for vmnic2

CDP information for vmnic3

dvSwitch Settings

dvPortGroup Settings

VLAN Configuration

vlan 2410
  private-vlan primary
  private-vlan association 2411
vlan 2411
  private-vlan isolated
vlan 2412
  private-vlan primary
  private-vlan association 2413
vlan 2413
  private-vlan community

Interface Configuration

interface Ethernet1/19
  description bperove - bs-tse-i127 - vmnic2
  switchport mode trunk
  switchport trunk allowed vlan 2410-2411

interface Ethernet1/20
  description bperove - bs-tse-i127 - vmnic3
  switchport mode trunk
  switchport trunk allowed vlan 2412-2413

Communication logic

vm1 can ping vlan 2410 int @, but cannot ping vm2
vm2 can ping vlan 2410 int @, but cannot ping vm1
vm3-5 can ping vlan 2412 int @, and can all ping each other
vm6 can ping vlan 2412 int @, vm3-5, and vm3-5 can ping vm6
vm1-2 cannot ping vm3-6


About Benjamin Perove

Ben has been associated with a broad spectrum of technologies starting from an early age, and he's contributed to the success of many businesses and enterprises since 2001. Most of his time is spent building cool stuff. When he's not working, he enjoys reading, playing acoustic guitar, and being with friends. He currently resides in Chiang Mai, Thailand.

7 Comments so far

  1. […] on a vNetwork Distributed Switch, a vimeo video by Eric Sloof on Configuring Private VLAN ids, and a configuration reference for PVLANs and a Cisco Nexus 5000 (even though this one is tailored to the Nexus 5000 it can be applied to any Cisco switch with and […]

  2. Daniele @ May 31st, 2011

    Hi all,
    i have set my nexus 5000 as this pages’s configuration but after set primary vlan with association, isolated vlan and set on interface eth1/20: “switchport trunk allowed vlan 10-11″, when i do “sh int eth1/20 switchport” at voice Trunking vlans Enabled there is “none” value instead of private vlans id.

    Any help?


  3. Iain @ June 28th, 2011

    Does this also work with older CatOS switches?

  4. Hetman @ March 1st, 2012

    Thank you very much, I just found what I was looking for…

  5. Stephen Price @ October 29th, 2013

    I noticed that the port configuration includes the trunk set for dot1q encapsulation.
    I was under the impression from Cisco documentation that pVLANs were not supported across dot1q trunks.

  6. view it now @ July 9th, 2014

    view it now Howtos and tutorials for Windows and Linux by Benjamin Perove

  7. le iene video @ September 20th, 2014

    le iene video

    How-To |

Leave a reply

Add this site to your Firefox Search Bar

Twitter Activity

Recent Entries



Got WordPress Security?

You will definitely wish you had downloaded my top 5 recommendations when you're cleaning out malicious Javascript from deep within you WordPress site. Enter your email and get the PDF right now, before it's too late.