Two Virtual Machines (VMs) belonging to the same isolated secondary Private VLAN (PVLAN) cannot communicate with each other. This symptom is observed when the VMs are co-resident on the same ESXi host, and when residing on different ESXi hosts.

In some configuration scenarios, intra-VLAN communication unexpectedly succeeds when the VMs are located on separate hosts.

VMware vCenter Server

VMware vSphere ESXi

The primary cause for communication failure is expected behavior by design. The vSphere Distributed Switch (dvSwitch) acts as a Layer 2 switch that enforces the isolated PVLAN policy. For co-resident VMs, packets are dropped locally by the dvSwitch.

For VMs on different hosts, the dvSwitch tags traffic with the secondary isolated VLAN and forwards it to the physical switch, which drops the traffic as it enforces the isolation.

• Acknowledge that the inability for VMs within the same isolated PVLAN to communicate is the expected design behavior.

• If communication is unexpectedly successful across hosts, verify the upstream physical switch configuration.

• Ensure the physical switch does not have the secondary VLAN defined as a community VLAN, which overrides the vDS isolation and permits traffic forwarding.

Private VLAN (PVLAN) on vNetwork Distributed Switch not working - Concept Overview