You have created a private community VLAN called RND. The private community VLAN works fine within switch S1, but traffic in the private RND community VLAN does not reach VLAN members connected to switch S2.
Which statement is correct in this scenario?
Private VLANs (PVLANs) allow for granular port isolation within a single broadcast domain. When extending a PVLAN across multiple switches (S1 to S2), the secondary VLANs (Community or Isolated) must be preserved across the trunk links.
802.1Q Tagging (Option B): For traffic from a Community VLAN (RND) to reach members on a different switch, the Community VLAN must have its own 802.1Q VLAN tag (VLAN ID) associated with it. When a frame from a community port on S1 traverses the trunk to S2, it is tagged with this specific secondary VLAN ID. S2 receives the tagged frame, identifies it as belonging to the RND community, and forwards it to the appropriate community or promiscuous ports.
Why it fails without a tag: If the RND community is only defined locally on S1 without a global VLAN ID, the trunk port will not know how to distinguish that traffic from the Primary VLAN or other communities.
Incorrect Options: Option A is incorrect because the community VLAN must have a different tag than the parent (Primary) VLAN to maintain the internal PVLAN logic. Option C is incorrect because stripping tags would lead to the traffic being merged into the native VLAN or dropped. Option D is incorrect because RND is a community VLAN; changing it to an isolated VLAN would change its behavior (preventing communication between members of that same group).
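The checks implied by the explanation above can be run as a consistency audit over each switch's PVLAN definitions. The following Python sketch is an added example, not part of the original explanation or any vendor tool; the `SecondaryVlan` structure, the function name, and VLAN IDs 100 and 300 are assumptions made for illustration. It goes slightly beyond the question by also flagging a community tag that differs between switches.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SecondaryVlan:          # hypothetical model, not vendor syntax
    name: str
    kind: str                 # "community" or "isolated"
    tag: Optional[int]        # 802.1Q VLAN ID, None if never assigned
    primary_tag: int          # VLAN ID of the parent (primary) VLAN

def audit_community_span(name, switches):
    """Return reasons why community VLAN `name` cannot span `switches`.

    `switches` maps switch name -> {vlan name: SecondaryVlan}.
    An empty list means the definitions are consistent.
    """
    findings = []
    tags = set()
    for sw, vlans in sorted(switches.items()):
        v = vlans.get(name)
        if v is None:
            findings.append(f"{sw}: {name} not defined")
            continue
        if v.kind != "community":
            # Option D: an isolated VLAN blocks member-to-member traffic.
            findings.append(f"{sw}: {name} is {v.kind}, members cannot talk to each other")
        if v.tag is None:
            # Option B: without its own tag the trunk cannot mark RND frames.
            findings.append(f"{sw}: {name} has no 802.1Q tag, trunk cannot mark its frames")
        elif v.tag == v.primary_tag:
            # Option A: the community tag must differ from the primary VLAN tag.
            findings.append(f"{sw}: {name} shares tag {v.tag} with the primary VLAN")
        else:
            tags.add(v.tag)
    if len(tags) > 1:
        findings.append(f"{name} uses different tags across switches: {sorted(tags)}")
    return findings

# Constructed sample data: VLAN IDs 100 and 300 are illustrative only.
BROKEN = {sw: {"RND": SecondaryVlan("RND", "community", None, 100)} for sw in ("S1", "S2")}
FIXED = {sw: {"RND": SecondaryVlan("RND", "community", 300, 100)} for sw in ("S1", "S2")}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_community_span("RND", cfg) or "OK")
```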