4673 Views 7 Replies Latest reply: May 12, 2011 10:07 AM by Keith Barker - CCIE RS/Security, CISSP RSS

PVLAN Edge

Apr 27, 2011 6:46 PM

Steven Williams 3,266 posts since
Jan 26, 2009

Can anyone explain what PVLAN Edge, protected port is when it comes to the 2960 platform?

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009
    1. Apr 27, 2011 11:58 PM (in response to Steven Williams)
    Re: PVLAN Edge

    Hello-

    A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port.

    This is called PVLAN Edge, and that is all it means.

    Here is the configuration for it:

    Switch(config)# interface range fa0/5-6
    Switch(config-range)# switchport protected
    Switch(config-range)# switchport mode access
    Switch(config-range)# switchport access vlan 20

    Even though these 2 ports are in the same VLAN, devices connected to these 2 ports won't be able to communicate with each other.

    This would prevent the 2 devices from being able to attack each other as well.

    Best wishes,

    Keith

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009
    3. Apr 29, 2011 9:11 AM (in response to Steven Williams)
    Re: PVLAN Edge

    Hollywood0728 wrote:

    So why is this relevant on the 2960 series switches? Do these PVLAN edge ports work with 3560's in some fashion?

    PVLAN edge ports work the same on all switches that support the "switchport protected" command.

    Higher end switches support full scale Private VLANs as shown in this video:

    If a switch doesn't support the full Private VLANs feature, then there is still an option on some switches to prevent 2 devices that are on the same switch, in the same VLAN and same subnet, from talking to each other. That option is the "switchport protected" command, and they call this feature Private VLAN Edge.

    That is the story on this feature.

    Keith

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009
    5. Apr 29, 2011 9:02 PM (in response to Steven Williams)
    Re: PVLAN Edge

    Hollywood0728 wrote:

    So essentially the 2960's support PVLAN's, but limited to the edge feature. Both devices would still be able to communicate with a common gateway correct?

    Yes, and yes.

    Both devices could communicate to any other ports in the VLAN, including the default gateway.

    The only ports a protected port can't communicate directly with, is another protected port on that same switch.

    Keith

  • Keith Barker - CCIE RS/Security, CISSP 5,351 posts since
    Jul 3, 2009
    7. May 12, 2011 10:07 AM (in response to Steven Williams)
    Re: PVLAN Edge

    The trunks just carry the tags for the VLANs that the frames are a part of, pretty much business as usual. It is the switch, which is configured to support the private VLANs, that does the enforcement, and yes the private VLANs can extend beyond a single switch.

    Keith
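Added illustration, not part of the thread: a small Python model of the forwarding rule Keith describes in replies 1, 5 and 7 (two protected ports on the same switch never exchange frames, the gateway stays reachable, and enforcement is local to each switch, so a trunk does not extend the isolation). The topology is constructed; fa0/5-6 in VLAN 20 follow the posted config, while the gateway port fa0/1, the trunk gi0/1 and the second switch sw2 are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    vlan: int                # access VLAN (ignored for trunks)
    protected: bool = False  # "switchport protected" (PVLAN Edge)
    trunk: bool = False      # trunk carries every VLAN tag, business as usual


@dataclass
class Switch:
    name: str
    ports: dict = field(default_factory=dict)

    def forwards(self, ingress: str, egress: str, vlan: int) -> bool:
        """Local decision: may a frame tagged `vlan` go from ingress to egress?"""
        if ingress == egress:
            return False
        src, dst = self.ports[ingress], self.ports[egress]
        # Access ports carry only their own VLAN; trunks carry all of them.
        if any(not p.trunk and p.vlan != vlan for p in (src, dst)):
            return False
        # PVLAN Edge rule: never forward between two protected ports on this switch.
        return not (src.protected and dst.protected)


def can_reach(path, vlan: int) -> bool:
    """path is a list of (switch, ingress, egress) hops; every switch must forward."""
    return all(sw.forwards(i, e, vlan) for sw, i, e in path)


def build_topology():
    """Constructed sample: sw1 mirrors the posted config (fa0/5-6 protected, VLAN 20),
    plus an assumed gateway on fa0/1 and an assumed trunk gi0/1 to a second switch."""
    sw1 = Switch("sw1", {
        "fa0/5": Port(20, protected=True),
        "fa0/6": Port(20, protected=True),
        "fa0/1": Port(20),                  # default gateway, not protected
        "gi0/1": Port(0, trunk=True),
    })
    sw2 = Switch("sw2", {
        "fa0/5": Port(20, protected=True),  # protected, but on a different switch
        "gi0/1": Port(0, trunk=True),
    })
    return sw1, sw2
```

Calling `can_reach([(sw1, "fa0/5", "gi0/1"), (sw2, "gi0/1", "fa0/5")], 20)` returns True: a protected port on sw1 still reaches a protected port on sw2 across the trunk, which is why protected ports are only an isolation tool within one switch.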
