Understanding PVLAN Edge

One of the topics that often comes up when talking about layer 2 security is the concept of Private VLANs. Private VLANs are basically a way to group hosts and control traffic inside a single broadcast domain. Although Private VLANs are quite flexible, their availability is somewhat limited and administrators may find them difficult to understand and configure. “Private VLAN Edge” is a simplified way of achieving some of the same goals. While this option is more widely available in Cisco switches, it has some limitations. This article looks at the Private VLAN Edge feature and describes its configuration and its limitations.

Description

Private VLAN Edge is a feature that may also be referred to as PVLAN Edge or protected switchport. It is a very simple configuration that blocks direct layer 2 communication between any two ports on the same switch that have it enabled. The diagram below shows a switch with PVLAN Edge configured on the first 20 ports. As a result, the two PCs cannot communicate with one another.

In the above diagram, ports 21 through 24 can communicate with each other. Additionally, they can communicate with Fa0/1 through 20. Ports 1 through 20 can only communicate with devices connected to ports 21 through 24. The resulting configuration is one that prevents communications between user workstations, but permits communication with the resources that are required for the users to do their day to day functions.

Configuration

Configuring Private VLAN Edge ports is quite simple. All that is required is the command “switchport protected” within each interface. Therefore, the configuration of the above switch would look something like the example below.

//the host ports
Switch(config)#spanning-tree portfast default
Switch(config)#interface range fa0/1 - 20
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport protected

//the resource ports
//note the absence of "switchport protected"
Switch(config)#interface range fa0/21 - 24
Switch(config-if-range)#switchport mode access

Verifying the Configuration

To verify the configuration, examine the output of “show running-config”. Alternatively, the output of “show interface switchport” indicates whether an interface has been set as “protected”, which shows its PVLAN Edge status.

//host port
Switch#show interface fast 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
...
//content removed for brevity
...
Protected: true
Appliance trust: none
Switch#

//resource port
Switch#show interface fast 0/21 switchport
Name: Fa0/21
Switchport: Enabled
Administrative Mode: dynamic desirable
...
//content removed for brevity
...
Protected: false
Appliance trust: none
Switch#

Limitations

As can be seen from the above examples, this feature is very easy to configure. However, that simplicity does bring limitations. The primary limitation is that this is a single switch solution. When connecting two switches together, there is no way to carry the PVLAN Edge status of a frame transiting the network. This means that a frame going from one switch to another is classified when it reaches the second switch. Therefore, it would be very likely that a protected port on one switch could communicate with the protected port on another switch.
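As an added example (not part of the original article), the following Python script automates the two points above: it parses a running-config excerpt for “switchport protected”, and it flags the single-switch limitation by reporting any trunk ports, since protected status is not carried over a trunk to a neighbouring switch. The config text is constructed sample data, and the interface defaults filled in for lines the config omits are assumptions.

```python
import re

# Constructed running-config excerpt (sample data, not taken from the article).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport protected
!
interface FastEthernet0/2
 switchport mode access
 switchport protected
!
interface FastEthernet0/21
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map interface name -> {'mode', 'protected'} from IOS running-config text."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            ifaces[current] = {"mode": "dynamic", "protected": False}  # assumed defaults
        elif current and line.startswith(" "):
            s = line.strip()
            if s.startswith("switchport mode "):
                ifaces[current]["mode"] = s.split()[-1]
            elif s == "switchport protected":
                ifaces[current]["protected"] = True
        else:
            current = None  # '!' or any other non-indented line ends the block
    return ifaces

def audit(ifaces):
    """Classify ports; flag trunks, since 'protected' is not carried across them."""
    protected = sorted(n for n, i in ifaces.items() if i["protected"])
    trunks = sorted(n for n, i in ifaces.items() if i["mode"] == "trunk")
    unprotected = sorted(n for n, i in ifaces.items()
                         if not i["protected"] and n not in trunks)
    return {"protected": protected, "unprotected": unprotected, "trunks": trunks,
            "cross_switch_leak_possible": bool(protected) and bool(trunks)}
```

Run `audit(parse_interfaces(open("running-config.txt").read()))` against a saved “show running-config” to get the same report for a real switch.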

With that limitation in mind, PVLAN Edge can still be used where the VLANs containing protected ports are localized to a single switch. One use case might be a DMZ area that shares an address space. If there is no need for the hosts to communicate with one another, each of their ports could be configured as protected. It is also worth noting that the ASA5505 has an integrated switch that supports this feature.

In conclusion, PVLAN Edge is a very simple feature. It is widely available in Cisco access switches, but its use cases are somewhat limited. In future articles, we will see how a full Private VLAN implementation can overcome some of these challenges and be used when a broader scope is required.

If you enjoyed this article, I believe you may also enjoy the following book.
CCNP SWITCH 642-813 Official Certification Guide (Official Cert Guide)


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.