Comparing PVLAN to PVLAN Edge

A couple of weeks ago I wrote an article about the PVLAN Edge, or “switchport protected”, feature of Cisco switches. That feature is simple to understand and configure, and it is something like the little brother of the more fully featured PVLAN feature. PVLANs, or private VLANs, overcome many of the restrictions found in PVLAN Edge. This article is a brief comparison of the PVLAN Edge feature to the more fully featured PVLAN feature.

Private VLAN

In the diagram above, we can see the three distinct types of ports that make up a PVLAN configuration. The first type of port is known as “Promiscuous”. Promiscuous ports can communicate in both directions with the remaining two types of switch ports. The second type of port is known as “Isolated”. Isolated ports can ONLY communicate with “Promiscuous” ports in the PVLAN configuration; they cannot reach other isolated ports, even those in the same isolated VLAN. The third type of port is the “Community” port. Community ports are able to communicate with “Promiscuous” ports and with other ports in the same Community. A PVLAN configuration can have multiple Communities.

Private VLAN Edge

This diagram represents a PVLAN Edge configuration. PVLAN Edge doesn’t use the variety of port types found in a full PVLAN configuration. In a PVLAN Edge configuration, a port is either “protected” or it isn’t. Protected ports can only communicate with ports that are NOT configured as “protected”. Ports that aren’t “protected” can communicate with any port in the VLAN.

Differences

There are several key differences between PVLAN and PVLAN Edge. PVLAN Edge is much simpler to configure, but the configuration is not typically useful if the VLAN spans multiple switches, because the “protected” state is local to each switch and is not carried across a trunk. PVLAN, on the other hand, offers much more flexibility in configuration and can be beneficial when the VLAN spans multiple switches.
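To make the rules above concrete, here is a small model of both forwarding policies applied to the port roles used later in this article. This is an added example, not part of the original post or of Cisco IOS; the port list is constructed from the article's SwitchA/SwitchB configuration, and for the PVLAN Edge case it assumes every host port (isolated or community) becomes “protected” and the promiscuous port becomes unprotected.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Port:
    switch: str
    name: str
    role: str           # "promiscuous", "isolated" or "community"
    secondary: int = 0  # secondary VLAN for host ports; 0 for promiscuous


# Constructed from the article's configuration (primary VLAN 200).
PORTS = [
    Port("SwitchA", "fa0/1", "isolated", 110),
    Port("SwitchA", "fa0/2", "community", 111),
    Port("SwitchB", "fa0/1", "isolated", 110),
    Port("SwitchB", "fa0/2", "community", 111),
    Port("SwitchB", "fa0/23", "promiscuous"),
]


def pvlan_can_talk(a: Port, b: Port) -> bool:
    """Full PVLAN rules. The switch name is never consulted: the trunk
    between SwitchA and SwitchB carries the primary and secondary VLANs,
    so the isolation follows the VLAN rather than the chassis."""
    if "promiscuous" in (a.role, b.role):
        return True
    if a.role == b.role == "community":
        return a.secondary == b.secondary
    return False  # isolated<->isolated and isolated<->community are blocked


def edge_can_talk(a: Port, b: Port) -> bool:
    """PVLAN Edge rules. Two protected ports are blocked only while they
    share a switch: nothing on the trunk marks a frame as 'from a protected
    port', so the restriction is lost between switches."""
    both_protected = a.role != "promiscuous" and b.role != "promiscuous"
    return not (both_protected and a.switch == b.switch)


def blocked_pairs(rule) -> set:
    """Port pairs (as 'switch:name' strings) that the given rule blocks."""
    return {(f"{a.switch}:{a.name}", f"{b.switch}:{b.name}")
            for a, b in combinations(PORTS, 2) if not rule(a, b)}


if __name__ == "__main__":
    for label, rule in (("PVLAN", pvlan_can_talk), ("PVLAN Edge", edge_can_talk)):
        print(f"{label} blocks {len(blocked_pairs(rule))} pair(s):")
        for pair in sorted(blocked_pairs(rule)):
            print("  ", *pair)
```

Running it shows the gap the article describes: the isolated port on SwitchA can reach the isolated port on SwitchB under PVLAN Edge but not under a full PVLAN.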

Configuration

PVLAN Config

SwitchA

SwitchA(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.

SwitchA(config)#vlan 110
SwitchA(config-vlan)#private-vlan isolated
SwitchA(config)#vlan 111
SwitchA(config-vlan)#private-vlan community

SwitchA(config-vlan)#vlan 200
SwitchA(config-vlan)#private-vlan primary
SwitchA(config-vlan)#private-vlan association 110,111

//isolated port
SwitchA(config)#interface fa0/1
SwitchA(config-if)#switchport mode private-vlan host
SwitchA(config-if)#switchport private-vlan host-association 200 110

//community (111) port
SwitchA(config)#interface fa0/2
SwitchA(config-if)#switchport mode private-vlan host
SwitchA(config-if)#switchport private-vlan host-association 200 111

//trunk (carries primary VLAN 200 and secondary VLANs 110,111 to SwitchB)
SwitchA(config)#interface fa0/24
SwitchA(config-if)#switchport mode trunk

SwitchB

SwitchB(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.

SwitchB(config)#vlan 110
SwitchB(config-vlan)#private-vlan isolated
SwitchB(config)#vlan 111
SwitchB(config-vlan)#private-vlan community

SwitchB(config-vlan)#vlan 200
SwitchB(config-vlan)#private-vlan primary
SwitchB(config-vlan)#private-vlan association 110,111

//isolated port
SwitchB(config)#interface fa0/1
SwitchB(config-if)#switchport mode private-vlan host
SwitchB(config-if)#switchport private-vlan host-association 200 110

//community (111) port
SwitchB(config)#interface fa0/2
SwitchB(config-if)#switchport mode private-vlan host
SwitchB(config-if)#switchport private-vlan host-association 200 111

//promiscuous port
SwitchB(config)#interface fa0/23
SwitchB(config-if)#switchport mode private-vlan promiscuous
SwitchB(config-if)#switchport private-vlan mapping 200 110,111

//trunk
SwitchB(config)#interface fa0/24
SwitchB(config-if)#switchport mode trunk

PVLAN Edge Config (aka “switchport protected”)

//protected ports (host ports)
Switch(config)#spanning-tree portfast default
Switch(config)#interface range fa0/1 - 20
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport protected

//unprotected ports (servers, routers, etc)
//note the absence of "switchport protected"
Switch(config)#interface range fa0/21 - 24
Switch(config-if-range)#switchport mode access

As can be seen from this comparison, PVLAN Edge is a much simpler configuration. This simplicity yields fewer configuration options. The more fully functional PVLAN configuration allows for more deployment options, including the typical requirement of extending the PVLAN restrictions to ports on other switches. This flexibility manifests as additional complexity in the configuration. With that being said, a simple PVLAN deployment is not overly complex. In future articles, we will look at how PVLANs are built in greater detail. Furthermore, we will address the different types of trunk ports that may be used for specific use cases.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.