Probably a stupid question here, but I am having difficulty getting my head around this...
I have read a lot of Cisco documentation about PVLANs and they all say the following or similar:
"Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other
at Layer 3."
And you have to implement VACLs so as to stop hosts in different community VLANs talking to each other via the router. But what I don't understand is how this scenario would happen. How would traffic from one host end up being L3-routed to another host on the same subnet?
Any help much appreciated, thank you.
I guess your question is: "why would a host go through a router to reach another host on the same subnet?"
There is a feature called local-proxy-arp (I'm not sure it's enabled on promiscuous ports) that will have the router answer ARP requests local to the subnet. This will indeed allow hosts within the same subnet to communicate through the router.
Also, two hosts being in the same private VLAN (or the same VLAN, for that matter) does not necessarily mean they are in the same IP subnet. You can have several different subnets configured on the same L3 interface (with secondary commands), or there might be several VLAN interfaces (or several promiscuous ports) on the VLAN, each with a different subnet configured. This would also make for a (relatively artificial) case where hosts on the same private VLAN communicate at L3.
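The two mechanisms in the answer above (local proxy ARP on the SVI, and secondary subnets on the same L3 interface) and the VACL the Cisco docs recommend against them, put together as one added example configuration. This is not config from the original thread or from Cisco's documentation; the VLAN numbers, interface names, addresses and ACL names are made up, and it follows Catalyst IOS syntax (3750/4500/6500 style), so check your platform's PVLAN and VACL support and test behaviour before relying on it.

```ios
! Added illustrative config, not from the original post.
! VLAN numbers, interface names, addresses and ACL names are assumptions.
!
! Primary VLAN 100 with two community VLANs, 101 and 102.
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan community
vlan 102
 private-vlan community
!
! Host ports: one host in each community, both in 10.1.1.0/24.
! At L2 they are isolated from each other by the PVLAN.
interface GigabitEthernet1/0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! L3 interface for the primary VLAN, mapped to both secondaries.
! The secondary address shows the other case from the answer: two hosts
! in the same PVLAN but different subnets are routed here anyway.
interface Vlan100
 ip address 10.1.1.1 255.255.255.0
 ip address 10.1.2.1 255.255.255.0 secondary
 private-vlan mapping 101,102
 ! Local proxy ARP: the SVI answers ARP for addresses in its own subnet,
 ! so a host in community 101 resolves a 102 host's IP to the router MAC
 ! and the packet is routed back into the VLAN ("hairpinned") instead of
 ! being dropped at L2.
 ip local-proxy-arp
!
! VACL on the primary VLAN. In a VLAN access-map, "match ip address" selects
! packets the ACL *permits*; packets the ACL *denies* fall through to the
! next sequence. So: exempt the gateway's own addresses (deny), then permit
! (i.e. select for dropping) anything sourced from and destined to the local
! subnets, which is exactly the hairpinned host-to-host traffic.
ip access-list extended PVLAN-HAIRPIN
 deny   ip host 10.1.1.1 any
 deny   ip host 10.1.2.1 any
 permit ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.1.2.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
vlan access-map PVLAN-HAIRPIN-MAP 10
 match ip address PVLAN-HAIRPIN
 action drop
! Without an explicit catch-all, traffic matching no sequence is dropped,
! so forward everything else (off-subnet traffic, gateway replies, etc.).
vlan access-map PVLAN-HAIRPIN-MAP 20
 action forward
!
vlan filter PVLAN-HAIRPIN-MAP vlan-list 100
```

To confirm the problem exists before applying the VACL: from the host on Gi1/0/1, ping the host on Gi1/0/2 and look at the ARP cache; with `ip local-proxy-arp` on the SVI the peer's IP resolves to the Vlan100 MAC and the ping succeeds despite the PVLAN. Removing `ip local-proxy-arp` alone closes that path for same-subnet hosts but not the secondary-subnet case, which is why the VACL covers both. Check with `show vlan filter` and `show vlan access-map` that the map is bound to VLAN 100, and note that how a primary-VLAN VACL applies to traffic entering on secondary-VLAN host ports differs between Catalyst platforms, so verify that legitimate intra-community traffic is unaffected.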