Now that we have learned how to configure them, let's try and understand how they work. Private VLANs are not a VMware concept, but a switching concept that is in use in various environments. For private VLANs to work, you will need to create the primary and secondary VLANs on the physical switch and associate them.

A primary VLAN is a VLAN that is configured as a primary private VLAN on the physical switch interface in promiscuous mode. 

Secondary VLANs are VLANs that are associated to a primary VLAN. There are three types of secondary private VLANs:

• Promiscuous PVLAN: VMs in a promiscuous PVLAN can communicate with any VM belonging to any of its secondary PVLANs. The promiscuous PVLAN will act as a gateway for other secondary PVLANs.
• Community PVLAN: VMs in a community PVLAN can only talk among VMs in the same community PVLAN or the promiscuous PVLAN. It cannot communicate with VMs in any other secondary PVLAN.
• Isolated PVLAN: VMs in an isolated PVLAN are isolated from every other VM in the same isolated PVLAN. It can only communicate with the VMs in a promiscuous PVLAN. There can only be a single isolated PVLAN per primary PVLAN: