A private virtual local area network (VLAN) is a Layer 2 (i.e., a data link layer of the seven-layer Open Systems Interconnection (OSI) model) security feature that allows segregation of host devices within a VLAN. A private VLAN includes a primary VLAN and one or more secondary VLANs provided within the primary VLAN. There are two types of secondary VLANs: a secondary community VLAN and a secondary isolated VLAN. Ports within a community VLAN can communicate with each other but cannot communicate with ports in other community VLANs at the Layer 2 level. Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level. Private VLANs provide Layer 2 isolation between ports within the same private VLAN. The private VLAN ports may be promiscuous ports, community ports, or isolated ports.
A promiscuous port belongs to the primary VLAN and can communicate with all interfaces, including community and isolated ports that belong to the secondary VLANs associated with the primary VLAN. A community port is a host port that belongs to a secondary community VLAN. Community ports communicate with other ports in the same community VLAN and with promiscuous ports. Community ports are isolated from all other interfaces in other communities and from isolated ports within their private VLAN. An isolated port is a host port that belongs to a secondary isolated VLAN. Isolated ports have complete Layer 2 separation from other ports within the same private VLAN, except for promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port may be forwarded only to promiscuous ports.
In order to implement these communication guidelines, multiple broadcast domains are created and Ethernet media access control (MAC) addresses are installed in VLANs. For example, a MAC address learned on an isolated port is installed in the isolated VLAN and in the primary VLAN. A MAC address learned on a community port is installed in the community VLAN and in the primary VLAN. A MAC address learned on a promiscuous port is installed in the primary VLAN, in all community VLANs, and in all isolated VLANs. Thus, MAC address learning is needed in more than one VLAN. In an application-specific integrated circuit (ASIC)-based forwarding system, hardware learning is disabled, and MAC address learning is achieved with software learning. In software learning, a central processing unit (CPU) receives an indication of a new MAC address and decides whether to install the new MAC address in an unbounded number of VLAN MAC address tables. However, maintaining multiple VLAN MAC address tables puts a strain on hardware resources (e.g., the CPU).