5.2.a Implement and troubleshoot switch security features

5.2.a [vii] Private VLAN

A private VLAN partitions the Layer 2 broadcast domain of a VLAN into sub-domains, allowing you to isolate the ports on the switch from each other. A sub-domain consists of a primary VLAN and one or more secondary VLANs.

All VLANs in a private VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one sub-domain from another. A secondary VLAN is either an isolated VLAN or a community VLAN. A host on an isolated VLAN can communicate only with the associated promiscuous port in its primary VLAN. Hosts in the same community VLAN can communicate among themselves and with their associated promiscuous port, but not with ports in other community VLANs.
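The following NX-OS configuration is an added example, not taken from the cited book or the Cisco guide, showing one primary VLAN with an isolated and two community secondary VLANs. The VLAN IDs (100-103) and interface numbers are assumptions chosen for illustration.

```cisco
! Constructed example: VLAN IDs and interface numbers are assumptions.
feature private-vlan

! Secondary VLANs: one isolated, two communities
vlan 101
  private-vlan isolated
vlan 102
  private-vlan community
vlan 103
  private-vlan community

! Primary VLAN shared by every sub-domain, associated with its secondaries
vlan 100
  private-vlan primary
  private-vlan association 101-103

! Promiscuous port (for example the default gateway):
! reachable from hosts in all mapped secondary VLANs
interface Ethernet1/1
  switchport mode private-vlan promiscuous
  switchport private-vlan mapping 100 101-103

! Isolated hosts: each can reach Ethernet1/1 only, not each other
interface Ethernet1/2
  switchport mode private-vlan host
  switchport private-vlan host-association 100 101
interface Ethernet1/3
  switchport mode private-vlan host
  switchport private-vlan host-association 100 101

! Community 102 hosts: can reach each other and Ethernet1/1
interface Ethernet1/4
  switchport mode private-vlan host
  switchport private-vlan host-association 100 102
interface Ethernet1/5
  switchport mode private-vlan host
  switchport private-vlan host-association 100 102

! Community 103 host: can reach Ethernet1/1, but not community 102
interface Ethernet1/6
  switchport mode private-vlan host
  switchport private-vlan host-association 100 103
```

When troubleshooting, `show vlan private-vlan` lists each primary/secondary pairing with its type and member ports, and `show interface Ethernet1/2 switchport` shows the private VLAN mode and association applied to a port.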

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Location 5254). Kindle Edition.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/PrivateVLANs.html