Wednesday, August 24, 2016

Private VLAN Edge

 on  with No comments 
In , ,  
A common switch feature to limit communications between hosts within a common VLAN is Private VLANs.  I'll talk about Private VLANs in a future post.  Private VLANs can be a bit complex to set up, and they're not supported on a number of older and low end switch models.  A similar technology, Private VLAN Edge is available on a wider range of platforms.  The integrated switch in the Cisco ASA 5505 supports Private VLAN Edge, as does the older 2950 and 3550 series switches.  Because it's simpler and more widely available, Private VLAN Edge is a good starting point.

Private VLAN Edge (also referred to as PVLAN Edge or protected switchport), is a technology which allows the blocking of certain inter-host communication within a VLAN.  It blocks all unicast, multicast and broadcast traffic among the protected ports within a switch, while not interfering with traffic between two unprotected ports, or between one protected and one unprotected port. There is one key exception however.  Control traffic, such as routing protocol updates will still be forwarded between such ports.

Private VLAN Edge differs from Private VLANs in a number of key ways. First, Private VLAN Edge is much simpler to set up.  You simply add the command switchport protected at the interface level, and that is it. Second, Private VLAN Edge is limited to a single switch, whereas Private VLANs can span multiple switches.

That in a nutshell is all there really is to it.  For completeness, let's look at a configuration example. As I said earlier, it's real basic.  I would be normally using an IOU switch in my GNS3 topology, however it would appear that the one place that Private VLAN Edge is not supported is in the L2 IOU devices.  Perhaps in a different image.  So instead I'll be falling back to one of my old trusty 2950s.

S1(config)# interface FastEthernet 0/1
S1(config-if)#  switchport protected
S1(config-if)#  end

And to verify, we have a single show command

S1# show interfaces Ethernet 0/1 switchport
Switchport: Enabled
Administrative Mode: static access
<<Omitted for brevity>>
Protected: true


Post a Comment

Discuss this post!