Private VLANs address VLAN ID limitations and the waste of IP addresses that occur in certain network setups.

A private VLAN is identified by its primary VLAN ID. A primary VLAN ID can have multiple secondary VLAN IDs associated with it. Primary VLANs are promiscuous, so ports on any part of a private VLAN can communicate with ports configured on the primary VLAN. Ports on a secondary VLAN are either isolated, communicating only with promiscuous ports, or community, communicating with promiscuous ports and with other ports on the same secondary VLAN.

To use private VLANs between an ESXi host and the rest of the physical network, the physical switch connected to the ESXi host must be private VLAN-capable and configured with the VLAN IDs that ESXi uses for the private VLAN functionality. For physical switches that use dynamic MAC+VLAN ID based learning, all corresponding private VLAN IDs must be entered into the switch's VLAN database first.
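The forwarding rules above (promiscuous, isolated, community) and the list of VLAN IDs the physical switch must know about can be checked with a small model. This is an added example, not VMware code; the VLAN IDs 100 through 103 are constructed for illustration.

```python
"""Reachability model for private VLANs (constructed example, not VMware code)."""
from dataclasses import dataclass
from typing import Dict, Set

# Port types. The primary VLAN itself is the promiscuous VLAN;
# each secondary VLAN is either isolated or community.
PROMISCUOUS = "promiscuous"
ISOLATED = "isolated"
COMMUNITY = "community"


@dataclass(frozen=True)
class PrivateVlan:
    """One private VLAN: its primary ID plus secondary IDs and their types."""
    primary: int
    secondaries: Dict[int, str]  # secondary VLAN ID -> ISOLATED or COMMUNITY

    def port_type(self, vlan_id: int) -> str:
        """Classify a port by the VLAN ID it is configured on."""
        if vlan_id == self.primary:
            return PROMISCUOUS
        if vlan_id in self.secondaries:
            return self.secondaries[vlan_id]
        raise ValueError(f"VLAN {vlan_id} is not part of primary VLAN {self.primary}")

    def can_communicate(self, vlan_a: int, vlan_b: int) -> bool:
        """Apply the private VLAN forwarding rules to a pair of ports."""
        type_a, type_b = self.port_type(vlan_a), self.port_type(vlan_b)
        # A promiscuous port exchanges traffic with every port in the private VLAN.
        if PROMISCUOUS in (type_a, type_b):
            return True
        # Community ports talk to each other only within the same secondary VLAN.
        if type_a == COMMUNITY and type_b == COMMUNITY:
            return vlan_a == vlan_b
        # Any pair involving an isolated port (and no promiscuous port) is blocked,
        # including two ports on the same isolated VLAN.
        return False

    def switch_vlan_ids(self) -> Set[int]:
        """All VLAN IDs the physical switch's VLAN database must contain."""
        return {self.primary} | set(self.secondaries)


def example_pvlan() -> PrivateVlan:
    """Constructed configuration: primary 100, isolated 101, community 102 and 103."""
    return PrivateVlan(primary=100,
                       secondaries={101: ISOLATED, 102: COMMUNITY, 103: COMMUNITY})
```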

To configure dvPorts to use private VLAN functionality, you must first create the necessary private VLANs on the vNetwork Distributed Switch that the dvPorts are connected to.