One of the topics that often comes up when talking about layer 2 security is the concept of Private VLANs. Private VLANs are basically a way to group hosts and control traffic inside a single broadcast domain. Although Private VLANs are quite flexible, their availability is somewhat limited and administrators may find them difficult to understand and configure. “Private VLAN Edge” is a simplified way of achieving some of the same goals. While this option is more widely available in Cisco switches, there are some limitations. This article looks at the Private VLAN Edge feature, describes its configuration and its limitations.
Private VLAN Edge is a feature that may also be referred to as PVLAN Edge or protected switchport. It is a very simple configuration that restricts direct layer 2 communication between any two ports that have it enabled. The diagram below shows a switch with PVLAN Edge configured on the first 20 ports. As a result, the two PCs cannot communicate with one another.
In the above diagram, ports 21 through 24 can communicate with each other. Additionally, they can communicate with Fa0/1 through 20. Ports 1 through 20 can only communicate with devices connected to ports 21 through 24. The resulting configuration is one that prevents communications between user workstations, but permits communication with the resources that are required for the users to do their day to day functions.
Configuring Private VLAN Edge ports is quite simple. All that is required is the command “switchport protected” within each interface. Therefore, the configuration of the above switch would look something like the example below.
//the host ports
Switch(config)#spanning-tree portfast default
Switch(config)#interface range fa0/1 - 20
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport protected

//the resource ports
//note the absence of "switchport protected"
Switch(config)#interface range fa0/21 - 24
Switch(config-if-range)#switchport mode access
Verifying the Configuration
In order to verify the configuration, the output of “show running-config” can be examined. Alternatively, the output of “show interface switchport” indicates whether an interface has been set as “protected”, thus showing its PVLAN Edge status.
//host port
Switch#show interface fast 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
...
//content removed for brevity
...
Protected: true
Appliance trust: none
Switch#

//resource port
Switch#show interface fast 0/21 switchport
Name: Fa0/21
Switchport: Enabled
Administrative Mode: dynamic desirable
...
//content removed for brevity
...
Protected: false
Appliance trust: none
Switch#
As can be seen from the above examples, this feature is very easy to configure. However, that simplicity does bring limitations. The primary limitation is that this is a single-switch solution. When connecting two switches together, there is no way to carry the PVLAN Edge status of a frame transiting the network. This means that a frame going from one switch to another is classified afresh when it reaches the second switch. Therefore, it is very likely that a protected port on one switch could communicate with a protected port on another switch.
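As an added example (not from the original article), the following script audits the “show interface switchport” output described above against the intended split of host and resource ports, and flags any trunk because of the single-switch limitation just discussed. The sample output is constructed and trimmed to the fields the audit reads; the port lists passed to the audit function are assumptions matching the diagram.

```python
import re

# Constructed "show interfaces switchport" sample (not from the article), trimmed to the fields read here.
SAMPLE_OUTPUT = """\
Name: Fa0/1
Operational Mode: static access
Protected: true

Name: Fa0/2
Operational Mode: static access
Protected: false

Name: Fa0/21
Operational Mode: static access
Protected: false

Name: Fa0/24
Operational Mode: trunk
Protected: false
"""

def parse_switchport(output):
    """Split 'show interfaces switchport' text into {interface: {field: value}}; a 'Name:' line starts a new interface."""
    ports, current = {}, None
    for line in output.splitlines():
        m = re.match(r"^([^:]+):\s*(.*)$", line.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Name":
            current = value
            ports[current] = {}
        elif current is not None:
            ports[current][key] = value
    return ports

def audit_pvlan_edge(ports, host_ports, resource_ports):
    """Host ports must show 'Protected: true', resource ports must not, and trunks are
    flagged because the protected status is not carried to a second switch."""
    findings = []
    for name in host_ports:
        if ports.get(name, {}).get("Protected") != "true":
            findings.append(f"{name}: host port is not protected")
    for name in resource_ports:
        if ports.get(name, {}).get("Protected") == "true":
            findings.append(f"{name}: resource port is protected; protected hosts cannot reach it")
    for name, fields in sorted(ports.items()):
        if fields.get("Operational Mode") == "trunk":
            findings.append(f"{name}: trunk; PVLAN Edge status does not cross to the uplinked switch")
    return findings
```

Run it against a full “show interfaces switchport” capture from the switch; in the constructed sample it reports Fa0/2 as an unprotected host port and Fa0/24 as a trunk.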
With that limitation in mind, PVLAN Edge could still be used where the VLANs whose ports are being protected are localized to a single switch. One use case might be a DMZ segment that shares an address space. If there is no need for the hosts to communicate with one another, each of their ports could be configured as protected. It is also worth noting that the ASA5505 has an integrated switch that can be used with this feature.
In conclusion, PVLAN Edge is a very simple feature. It is widely available in Cisco access switches, but the use cases are somewhat limited. In future articles, we will see how a full Private VLAN implementation can overcome some of these challenges and be used when a broader scope is required.