When an isolated port transmits data, that data is mapped into an auxiliary VLAN. Data in the auxiliary VLAN will be mapped to the primary VLAN -only- for transmission to promiscuous ports. Promiscuous ports, in turn, transmit data into the primary VLAN. All ports can receive information in the primary VLAN.
Putting an otherwise isolated port into a community VLAN means that traffic it transmits will be mapped into both the auxiliary and the community VLAN. Community ports will receive data from both the primary and the community VLAN.
A given pair of ports will have bidirectional communication under the following conditions:
- One or both are promiscuous, or...
- Both are in the same PVLAN community.
VACLs are a completely different mechanism and provide some measure of per-packet (and usually protocol-based) control of traffic bridged within a given VLAN. You might, for instance, block traffic on TCP/80 between all hosts within the VLAN while allowing all other traffic to pass.
It's possible to approximate the effects of PVLANs by using a VACL, but this tends to be somewhat fragile and difficult to manage, and there are often inherent hardware limitations with which to contend (...highly dependent on platform).
There's some confusion here.
I suppose you wanted to say:
VLAN1 IP range 192.168.1.100 - 199
VLAN2 IP range 192.168.1.200 - 299
First, the IP range 192.168.1.200 - 299 doesn't exist; an IP address cannot be higher than x.x.x.255.
IP addresses are binary numbers, coded on 32 bits.
The decimal representation "192.168.1.200" is just that, a representation of a binary number, made to be more conveniently handled by humans.
The fourth number in the decimal notation corresponds to the last 8 bits in binary. 8 bits in binary give 256 values in decimal, thus 0 -> 255.
Second, routing deals with networks / subnetworks, not IP ranges, and those networks are also truly expressed in binary, so they are bound to power-of-2 addresses.
192.168.1.100 to 199 doesn't correspond to a network, so you can't route this specific range on its own.
192.168.1.0/24 is a network that contains 256 IP addresses and can be divided, for example, into 4 subnets like:
- 192.168.1.0/26, i.e. 192.168.1.0 to 63
- 192.168.1.64/26, i.e. 192.168.1.64 to 127
- 192.168.1.128/26, i.e. 192.168.1.128 to 192.168.1.191
- 192.168.1.192/26, i.e. 192.168.1.192 to 192.168.1.255
You need to redesign your addressing to fit in actual networks.
You will find more information about subnets in this excellent answer:
How do you calculate the prefix, network, subnet, and host numbers?
Edit
If you want to have 2 VLANs with 50 hosts in each, you can use:
VLAN1 with network 192.168.1.0/26
VLAN2 with network 192.168.1.64/26
On your router you set:
- VLAN1 interface with IP 192.168.1.1, subnet mask 255.255.255.192
- VLAN2 interface with IP 192.168.1.65, subnet mask 255.255.255.192
In the first VLAN you can use IP addresses 192.168.1.2 to 192.168.1.62, so 61 possible hosts.
In the second VLAN you can use IP addresses 192.168.1.66 to 192.168.1.126, so again 61 possible hosts.
Why 61 and not 64?
Well, first, it's actually 62, since the router IS a host, but you usually don't count it as a machine that can be connected in the network.
Second, the network address and the broadcast address are reserved and cannot be used by hosts.
Once again, you CANNOT decide to have a (sub)network that has an arbitrary number of IPs (like 50); it's always a power-of-2 size (minus the network and broadcast addresses).
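The arithmetic in this answer can be checked mechanically. The following is an added example (not part of the original post) using Python's standard-library ipaddress module: it shows that 192.168.1.100-199 cannot be expressed as a single routable network, that 192.168.1.299 is not a valid address, and how many hosts the two proposed /26 subnets actually leave for machines once the router takes one address.

```python
import ipaddress


def range_as_networks(first, last):
    """Return the minimal list of CIDR blocks that exactly cover first..last.

    A range that happens to be one routable network yields exactly one block;
    an arbitrary range such as .100-.199 needs several, which is why a router
    cannot be given that range as "a network".
    """
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def is_single_network(first, last):
    """True only if first..last is aligned and power-of-2 sized."""
    return len(range_as_networks(first, last)) == 1


def valid_dotted_quad(text):
    """False for strings like 192.168.1.299: every octet must be 0..255."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


def subnet_plan(cidr):
    """Describe a subnet the way the answer does: network, broadcast, mask,
    the router on the first usable address, and what is left for machines."""
    net = ipaddress.IPv4Network(cidr, strict=True)  # rejects unaligned input
    hosts = list(net.hosts())  # excludes network and broadcast addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "router": str(hosts[0]),
        "usable_hosts": len(hosts),             # 62 for a /26
        "hosts_for_machines": len(hosts) - 1,   # 61 once the router is placed
        "first_machine": str(hosts[1]),
        "last_machine": str(hosts[-1]),
    }


if __name__ == "__main__":
    print(range_as_networks("192.168.1.100", "192.168.1.199"))
    print(subnet_plan("192.168.1.0/26"))
```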
Best Answer
Hosts on different networks will be unable to communicate with IP, except through a router. Routers route between networks. A host sending packets to a network different than its own network will send to its configured gateway, which is on the same network as it is.
There are some corner cases where you would put different networks on the same VLAN, but this is certainly non-standard. If you do this for any reason, you must be sure to document it thoroughly.