Two data VLANs are needed on a single access port when you install VMware software and the physical workstation and the virtual workstation need to access separate VLANs. Trunking for this port is not desired, since 802.1X is then not available.
VMware allows virtual systems to be created on a single host by providing an abstraction layer: the operating system believes it executes on dedicated hardware but actually executes in a virtual environment. Using VMware can significantly help in testing the effects of the Cisco Security Agent on various systems without the significant cost of physical hardware.
Multi VLAN Access Ports (MVAP) are the ports which belong to two VLANs:
voice traffic (VVID)
data traffic (PVID)
This allows the user to separate VVID and PVID into different VLANs. Currently, dynamic ports can belong to only one VLAN at a time.
The MVAP solution on all Cisco switches requires the second VLAN to be a voice VLAN advertised by CDP; in the absence of CDP, it does not work. Thus, you cannot use MVAP for a second data VLAN. Its only use is for voice. For example, if you have a data VLAN and a voice VLAN, your IP phone at your desk connects to your PC on the same port; however, they need to access two different VLANs.
The only workaround is to create an 802.1Q trunk on the switch to connect the host running VMware. You can prune the unnecessary VLANs on the trunk link if you see a lot of out-discards on the interface that connects to VMware.
In a PVLAN scenario, if you send traffic from a community port towards the trunk that connects the switch with the VMware server, there is no issue, as the traffic is tagged with the ID of the secondary VLAN.
The problem comes when traffic is sent from a promiscuous port in the switch; that traffic is tagged with the ID of the primary VLAN, which is not allowed in the trunk. Therefore this traffic does not reach the VMware server.
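The following is an added example, not part of the original note: a small Python check that reads an IOS-style configuration and flags trunk ports that carry every VLAN (candidates for pruning) or that allow a PVLAN secondary VLAN without its primary. It assumes "not allowed in the trunk" means the primary VLAN is absent from the trunk's allowed VLAN list; the sample configuration, VLAN IDs, interface names and function names are constructed for illustration.

```python
import re

# Constructed sample running-config; VLAN IDs and interface names are made up.
SAMPLE_CONFIG = """\
vlan 100
 private-vlan primary
 private-vlan association 101,102
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,101-102
interface GigabitEthernet0/3
 switchport trunk allowed vlan 10,100-102
 switchport mode trunk
interface GigabitEthernet0/4
 switchport mode access
"""

def expand(vlan_list):
    """Expand an IOS VLAN list such as '10,101-102' into a set of ints."""
    return {v for part in vlan_list.split(",")
            for v in range(int(part.split("-")[0]), int(part.split("-")[-1]) + 1)}

def audit_trunks(config):
    """Return {interface: [findings]} for every trunk port in the config."""
    pvlan, trunks, allowed, section = {}, set(), {}, ""
    for line in config.splitlines():
        if not line.startswith(" "):      # unindented line opens a new stanza
            section = line.strip()
            continue
        text = line.strip()
        if section.startswith("vlan ") and (m := re.match(r"private-vlan association ([\d,-]+)$", text)):
            pvlan[int(section.split()[1])] = expand(m.group(1))   # primary -> secondaries
        elif section.startswith("interface "):
            name = section.split()[1]
            if text == "switchport mode trunk":
                trunks.add(name)
            elif m := re.match(r"switchport trunk allowed vlan ([\d,-]+)$", text):
                allowed[name] = expand(m.group(1))
    findings = {}
    for name in sorted(trunks):
        vlans = allowed.get(name)
        if vlans is None:                 # no allowed list: every VLAN is carried
            findings[name] = ["carries all VLANs; prune to those the host needs"]
        else:                             # a secondary is allowed but its primary is not
            findings[name] = [f"primary VLAN {p} missing; promiscuous-port traffic will not reach the host"
                              for p, sec in sorted(pvlan.items()) if vlans & sec and p not in vlans]
    return findings
```

Calling `audit_trunks(SAMPLE_CONFIG)` reports the unpruned trunk on GigabitEthernet0/1 and the missing primary VLAN on GigabitEthernet0/2, and returns an empty list for GigabitEthernet0/3.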