PVLANs provide Layer 2 (L2) isolation within a single broadcast domain of a physical switch. A typical physical switch has a PVLAN promiscuous port and multiple isolated or community ports, all of which belong to the same physical switch. A PVLAN isolation model may therefore be enforced among the hosts connected to that switch.
In a large-scale Distributed Virtual Switch (DVS), the switch scope spans multiple physical hosts in a single L2 domain. For instance, traffic from a Virtual Machine (VM) may be processed by the virtual switch on a secondary Virtual Local Area Network (VLAN) and may be sent from a first server through its PVLAN promiscuous uplink port, which converts the secondary VLAN to a primary VLAN, thereby terminating the PVLAN domain at the first server. When this packet reaches a second server in the DVS on the primary VLAN, the secondary VLAN information may have been lost. That is, once the secondary VLAN identifying information has been lost, the packet may be leaked to other PVLAN host ports.
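
The leak described above can be reproduced in a small model. This is an added example, not part of the original text; the VLAN IDs, port names, two-server layout and the `preserve_secondary` comparison switch are assumptions made for illustration.

```python
# Constructed model of the scenario above; VLAN IDs and port names are assumptions.
PRIMARY, ISOLATED, COMMUNITY = 100, 101, 102


def allowed(src_vlan, dst_vlan):
    """PVLAN forwarding rule between a frame's VLAN and a host port's VLAN."""
    if src_vlan == PRIMARY:        # treated as coming from a promiscuous port
        return True
    if src_vlan == COMMUNITY:      # community talks only to its own community
        return dst_vlan == COMMUNITY
    return False                   # isolated never reaches another host port


class Host:
    """One server's portion of the distributed virtual switch."""

    def __init__(self, ports):
        self.ports = ports         # VM port name -> secondary VLAN

    def local_delivery(self, src_port):
        """Ports on the same server that receive a flooded frame."""
        src_vlan = self.ports[src_port]
        return sorted(p for p, v in self.ports.items()
                      if p != src_port and allowed(src_vlan, v))

    def uplink_tag(self, src_port, preserve_secondary=False):
        """Tag on the wire; a promiscuous uplink rewrites it to PRIMARY."""
        return self.ports[src_port] if preserve_secondary else PRIMARY

    def receive(self, tag):
        """Ports that receive a flooded frame arriving with this tag."""
        return sorted(p for p, v in self.ports.items() if allowed(tag, v))


def flood(src, src_port, dst, preserve_secondary=False):
    """Host ports on server dst reached by a flooded frame from src_port."""
    return dst.receive(src.uplink_tag(src_port, preserve_secondary))


if __name__ == "__main__":
    a = Host({"vm1": ISOLATED, "vm2": ISOLATED, "vm3": COMMUNITY})
    b = Host({"vm4": ISOLATED, "vm5": COMMUNITY})
    print("same server:      ", a.local_delivery("vm1"))
    print("tag rewritten:    ", flood(a, "vm1", b))
    print("secondary kept:   ", flood(a, "vm1", b, preserve_secondary=True))
```

On the same server the isolated port reaches no other host port, but once the uplink rewrites the tag to the primary VLAN the second server treats the frame as promiscuous traffic and delivers it to every host port.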