US9363207B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9363207-B2 |
| Application number | US-201113135081-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 24, 2011 |
| Priority date | Jun 24, 2011 |
| Publication date | Jun 7, 2016 |
| Grant date | Jun 7, 2016 |
Official abstract text for this publication.
In one embodiment, a method includes obtaining addresses of end hosts at a switch, the switch configured with a primary virtual local area network and a secondary virtual local area network, creating a private virtual local area network access list comprising the addresses of end hosts permitted to communicate on the secondary virtual local area network, and applying the private virtual local area network access list to interfaces connected to the end hosts permitted to communicate on the secondary virtual local area network. An apparatus is also disclosed.
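The access-list check the abstract describes, as a small model added here for illustration (it is not code from the patent or from any vendor). The class and method names, the choice to match on the source MAC address, and the sample MAC addresses are assumptions; the update and primary-address options follow the dependent claims.

```python
from dataclasses import dataclass, field

@dataclass
class VirtualSwitchDomain:
    """Hypothetical model of one virtual switch domain and its PVLAN access list."""
    name: str
    # secondary VLAN id -> MAC addresses permitted on it inside this domain
    pvlan_acl: dict = field(default_factory=dict)
    # interface name -> (secondary VLAN id, MAC of the attached end host)
    interfaces: dict = field(default_factory=dict)

    def attach(self, iface, vlan, mac):
        """Obtain an end host's address and add it to the list for its interface."""
        mac = mac.lower()
        self.interfaces[iface] = (vlan, mac)
        self.pvlan_acl.setdefault(vlan, set()).add(mac)

    def permit_primary(self, vlan, mac):
        """Also permit an address associated with the primary VLAN."""
        self.pvlan_acl.setdefault(vlan, set()).add(mac.lower())

    def receive(self, vlan, src_mac):
        """Check the list when a packet arrives; assumption: match on source MAC."""
        permitted = self.pvlan_acl.get(vlan, set())
        return "forward" if src_mac.lower() in permitted else "drop"

def demo():
    """Two domains reuse secondary VLAN id 200 under one primary VLAN."""
    a = VirtualSwitchDomain("domain-A")
    b = VirtualSwitchDomain("domain-B")
    # Constructed sample addresses from the documentation MAC range.
    a.attach("veth1", 200, "00:00:5E:00:53:01")
    a.attach("veth2", 200, "00:00:5E:00:53:02")
    b.attach("veth1", 200, "00:00:5E:00:53:11")
    a.permit_primary(200, "00:00:5E:00:53:FE")  # e.g. a shared gateway
    results = {
        "local_host": a.receive(200, "00:00:5e:00:53:02"),
        "other_domain_same_vlan_id": a.receive(200, "00:00:5e:00:53:11"),
        "primary_address": a.receive(200, "00:00:5e:00:53:fe"),
        "unknown_before_update": a.receive(200, "00:00:5e:00:53:03"),
    }
    a.attach("veth3", 200, "00:00:5E:00:53:03")  # new end host identified
    results["unknown_after_update"] = a.receive(200, "00:00:5e:00:53:03")
    return results

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The `other_domain_same_vlan_id` case is the one the claims target: the VLAN identifier matches, so only the access list keeps the two secondary VLANs apart.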
Opening claim text (preview).
What is claimed is:

1. A method comprising: obtaining at a virtual switch domain configured with a primary virtual local area network and a secondary virtual local area network, addresses of end hosts within said secondary virtual local area network, wherein the virtual switch domain comprises a network device comprising a virtual switch that is part of the distributed virtual switch; creating at the virtual switch domain, a private virtual local area network access list comprising said addresses of end hosts permitted to communicate on said secondary virtual local area network, wherein said private virtual local area network access list restricts communication on said secondary virtual local area network to said virtual switch domain; and applying said private virtual local area network access list to interfaces at the virtual switch domain connected to the end hosts permitted to communicate on said secondary virtual local area network to identify the end hosts within said secondary virtual local area network at the virtual switch domain; wherein the virtual switch domain is in communication with an upstream network device in communication with at least one other virtual switch domain comprising at least one other network device, the virtual switch domain and said at least one other virtual switch domain both configured with said primary virtual local area network, wherein said at least one other virtual switch domain is configured with a second secondary virtual local area network configured with a same virtual local area network identifier as said secondary virtual local area network and wherein communication between said secondary virtual local area network and said second secondary virtual local area network is restricted based on a check of said private virtual local area network access list when a packet is received at the virtual switch domain to provide private virtual local area network isolation across virtual switch domains.

2. The method of claim 1 wherein said addresses of end hosts comprise media access control addresses associated with said interfaces.

3. The method of claim 1 wherein the virtual switch domain comprises one or more virtual switches and the end hosts comprise virtual machines.

4. The method of claim 3 further comprising moving at least one of the virtual machines to a different network device, wherein said private virtual local area network access list applied to said interfaces is moved with the at least one virtual machine.

5. The method of claim 1 further comprising updating said private virtual local area network access list upon identifying a new end host permitted to communicate on said secondary virtual local area network.

6. The method of claim 1 wherein each of the end hosts is associated with said primary virtual local area network and one or more of the end hosts are associated with said secondary virtual local area network comprising a community virtual local area network or an isolated virtual local area network.

7. The method of claim 1 further comprising; receiving the packet at one of the interfaces of the virtual switch domain; checking said private virtual local area network access list; and determining whether to forward or drop the packet.

8. An apparatus comprising: a virtual switch domain configured with a primary virtual local area network and a secondary virtual local area network, wherein the virtual switch domain obtains addresses of end hosts within said secondary virtual local area network; memory for storing a private virtual local area network access list created at said virtual switch domain, wherein said private virtual local area network access list comprises said addresses of end hosts permitted to communicate on said secondary virtual local area network and restricts communication on said secondary virtual local area network to said virtual switch domain; and a processor for applying said private virtual local area network access list to interfaces at the virtual switch domain connected to the end hosts permitted to communicate on said secondary virtual local area network to identify the end hosts within said secondary virtual local area network at the virtual switch domain; wherein the virtual switch domain comprises a virtual switch that is part of a distributed virtual switch and wherein the virtual switch domain is in communication with an upstream network device in communication with at least one other virtual switch domain comprising at least one other network device, the virtual switch domain and said at least one other virtual switch domain both configured with said primary virtual local area network, wherein said at least one other virtual switch domain is configured with a second secondary virtual local area network configured with a same virtual local area network identifier as said secondary virtual local area network and wherein communication between said secondary virtual local area network and said second secondary virtual local area network is restricted based on a check of said private virtual local area network access list when a packet is received at the virtual switch domain to provide private virtual local area network isolation across virtual switch domain.

9. The apparatus of claim 8 wherein said private virtual local area network access list further comprises an address associated with said primary virtual local area network.

10. The apparatus of claim 8 wherein the processor is further configured for updating said private virtual local area network access list upon identifying a new end host permitted to communicate on said secondary virtual local area network.

11. The apparatus of claim 8 wherein the apparatus comprises one or more virtual switches and the end hosts comprise virtual machines.

12. The apparatus of claim 11 wherein said private virtual local area network access list applied to said interfaces is moved with one of the virtual machines when the one virtual machine moves to a different network device.

13. The apparatus of claim 8 wherein said secondary virtual local area network comprises a community virtual local area network or an isolated virtual local area network.

14. Logic encoded on one or more non-transitory computer readable media for execution and when executed configured to: obtain, at a virtual switch domain configured with a primary virtual local area network and a secondary virtual local area network, addresses of end hosts within said secondary virtual local area network, wherein the virtual switch domain comprises a network device comprising a virtual switch that is part of a distributed virtual switch; create, at the virtual switch domain, a private virtual local area network access list comprising said addresses of end hosts permitted to communicate on said secondary virtual local area network, wherein said private virtual local area network access list restricts communication on said secondary virtual local area network to said virtual switch domain; and apply said private virtual local area network access list to interfaces at the virtual switch domain connected to the end hosts permitted to communicate on said secondary virtual local area network to identify the end hosts within said secondary virtual local area network at the virtual switch domain; wherein the virtual switch domain is configured for communication with an upstream network device in communication with at least one other virtual switch domain comprising at least one other network device, the virtual switch domain and said at least one other virtual switch domain both configured with said primary virtual local area network, wherein said at
for supporting virtual local area networks [VLAN] · CPC title
Virtual LANs, VLANs, e.g. virtual private networks [VPN] (LAN interconnection over a bridge based backbone H04L12/462; encapsulation techniques H04L12/4633; routing of packets H04L45/00; packet switches H04L49/00; virtual private networks for security H04L63/0272) · CPC title
Electricity · mapped topic
for local use, e.g. in LAN or USB networks, or in a controller area network [CAN] · CPC title