The private VLAN (PVLAN) mechanism enables you to divide a regular VLAN into sub-VLANs to isolate network traffic. The PVLAN mechanism is defined in RFC 5517. Usually, a regular VLAN is a single broadcast domain, but when configured with PVLAN properties, the single broadcast domain is partitioned into smaller broadcast sub-domains while keeping the existing Layer 3 configuration. When you configure a PVLAN, the regular VLAN is called the primary VLAN and the sub-VLANs are called secondary VLANs. The secondary VLANs can be either isolated VLANs or community VLANs.
When two virtual networks use the same VLAN ID on a physical link, all broadcast traffic is passed between the two virtual networks. However, when the virtual networks are configured with PVLAN properties, broadcast traffic is forwarded only as the PVLAN type permits, so this behavior no longer applies in every situation.
The following table shows the broadcast packet-forwarding rules for isolated and community PVLANs.
The inter-vnet-links feature honors the communication restrictions of isolated and community PVLANs. For isolated PVLANs, inter-vnet-links are disabled; for community PVLANs, they are enabled only between virtual networks that belong to the same community. Direct traffic from virtual networks outside the community is not permitted.
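As an added illustration, not code from this page or from the product documentation, the following Python model encodes the RFC 5517 broadcast-forwarding rules for promiscuous (primary), isolated and community ports, and the same-community rule for inter-vnet-links described above. The `Vnet` class, the function names and the sample VLAN IDs are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Port roles from RFC 5517. PRIMARY stands for a promiscuous port on the
# primary VLAN (typically the uplink or router); ISOLATED and COMMUNITY ports
# belong to secondary VLANs carved out of that primary VLAN.
PRIMARY, ISOLATED, COMMUNITY = "primary", "isolated", "community"

@dataclass(frozen=True)
class Vnet:
    """Hypothetical model of one virtual network endpoint (not a Solaris/LDoms API)."""
    name: str
    primary_vid: int
    kind: str                            # PRIMARY, ISOLATED or COMMUNITY
    secondary_vid: Optional[int] = None  # None for promiscuous ports

def broadcast_forwarded(src: Vnet, dst: Vnet) -> bool:
    """True if a broadcast sent by src is delivered to dst under PVLAN rules."""
    if src is dst or src.primary_vid != dst.primary_vid:
        return False      # a different primary VLAN is a different broadcast domain
    if PRIMARY in (src.kind, dst.kind):
        return True       # promiscuous ports exchange traffic with every sub-domain
    if ISOLATED in (src.kind, dst.kind):
        return False      # isolated ports reach nothing but promiscuous ports
    return src.secondary_vid == dst.secondary_vid   # community: same community only

def inter_vnet_link_allowed(a: Vnet, b: Vnet) -> bool:
    """Direct guest-to-guest link between two secondary vnets: same-community pairs only."""
    return a.kind == COMMUNITY and b.kind == COMMUNITY and broadcast_forwarded(a, b)

def forwarding_matrix(vnets: Iterable[Vnet]) -> Dict[Tuple[str, str], bool]:
    vnets = list(vnets)
    return {(s.name, d.name): broadcast_forwarded(s, d)
            for s in vnets for d in vnets if s is not d}

# Constructed sample topology: one primary VLAN 100 with two communities and
# two isolated vnets, plus an unrelated primary VLAN 200.
UPLINK   = Vnet("uplink",  100, PRIMARY)
ISO_A    = Vnet("iso-a",   100, ISOLATED,  101)
ISO_B    = Vnet("iso-b",   100, ISOLATED,  101)
COMM_A1  = Vnet("comm-a1", 100, COMMUNITY, 110)
COMM_A2  = Vnet("comm-a2", 100, COMMUNITY, 110)
COMM_B1  = Vnet("comm-b1", 100, COMMUNITY, 120)
OTHER    = Vnet("other",   200, PRIMARY)
SAMPLE = [UPLINK, ISO_A, ISO_B, COMM_A1, COMM_A2, COMM_B1, OTHER]

if __name__ == "__main__":
    for (s, d), ok in sorted(forwarding_matrix(SAMPLE).items()):
        print(f"{s:>8} -> {d:<8} {'forwarded' if ok else 'dropped'}")
```

Running the block prints the full directed forwarding matrix for the sample topology; the two isolated vnets share a secondary VLAN ID yet never reach each other, while only the two community vnets with the same ID are mutually reachable.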