You can simply create another VLAN, and don't include it in any of your routing tables.  It doesn't really even have to HAVE an IP address assigned to it on the switch.  Make sure that address range isn't within your normal address space, so use one of the 10, 172. or 192.168. spaces for the host addressing on that space.  Make sure the VM virtual switch ALSO doesn't route those addresses.

One thing to watch out for is to make sure it doesn't become a default route within any of the VM's; and if they are windows boxes that these interfaces don't register within WINS or AD.

Hello pwwiddicombe

Perhaps I haven't had enough coffee but I'm not really getting what you mean? Why would I need to consider having an IP address on my switch? I'm talking strictly Layer 2 private VLANs and trunking.

If you could elaborate on what you mean. My issue here is how to ensure that when the VMware host sends the tagged frames down to our switch how we would deal with multiple VLANs at the switch port level considering that we are using private VLANs?

Thank you

That's why I said you don't need an IP address for the VLAN on the switch - it isn't necessary; although sometimes it's useful for testing (i.e. is the VM being properly connected?).  Once  you have several VM's then no need for that.

On the switch(es) involved, just create conventional 802.1q trunk ports to match the configuration for each VM host server.  You might want to specify exactly which VLAN's are being allowed (both conventional for normal servers, and the private one).  If you have servers that need to connect to different switches, then make sure that "server private" vlan is included in the inter-Cisco switch trunk.

By private VLAN's, do you mean just vlans dedicated to the server function; or the Cisco definition where you have VLAN's numbered higher than 1000?  I had been thinking the former "community" type VLAN to allow multiple hosts a dedicated vlan.  I haven't actually used the Cisco-type private VLAN's; but have done the "dedicated non-routed vlan" as above to provide the ESX clustering capability.

In reading about Cisco PVLAN's, I don't know if you can declare a trunk to the ESX servers with a single link providing a PVLAN port and a regular data port over that single trunk.  The method described above provides that functionality using "conventional" configuration, as you originally mentionned.

By private VLANs I mean the technology allowing you to use a common subnet amongst various devices yet providing separation at Layer 2 using isolated and community VLANs.

Having a read around private VLAN trunks exist but only as promiscuous ports and only on the 4500 series, so options are limited. The only way is to test this out which is difficult at best.

Thanks for your help so far.