Private VLANs and PVLAN Edge

Overview of attacks & countermeasures

  • IP spoofing – IP Source Guard, PACLs (port ACLs)
  • STP spoofing – BPDU Guard, Root Guard
  • MAC spoofing – Port Security, static CAM table entries
  • DHCP server spoofing – DHCP Snooping (trusted vs. untrusted ports)
  • ARP spoofing – Dynamic ARP Inspection (DAI) on the switch, validated against the DHCP snooping binding table (the ASA and IPS also offer ARP inspection)
  • VLAN hopping – disable DTP auto-negotiation (switchport nonegotiate), hard-code access ports, and use an unused native VLAN on trunks
  • CAM floods – Port Security, 802.1X
  • DHCP starvation – DHCP Snooping rate limiting, Port Security

Private VLANs (PVLANs)

No additional STP instances per PVLAN: secondary VLANs share the STP instance of their primary VLAN.

  • VLANs
    • Primary – the VLAN the promiscuous port (gateway) lives in; carries traffic from promiscuous ports down to every secondary VLAN
    • Secondary – isolated or community; carries traffic from host ports up to the promiscuous ports

Participating ports – designated

  • Isolated – L2 separation from every other host port in the same primary VLAN; talks only to promiscuous ports
  • Community – access ports assigned to a secondary community VLAN; talk to each other and to promiscuous ports, but not to other communities or to isolated ports
  • Promiscuous – communicates with all other ports (isolated, community and other promiscuous); typically the router, firewall or gateway port

PVLAN trunking – secondary VLANs (communities and the isolated VLAN) can span switches across an 802.1Q trunk, provided the same primary/secondary VLANs are defined on both switches.

An isolated or community VLAN can have only one primary associated with it; a primary can own many community VLANs but only one isolated VLAN.

VTP (VLAN Trunking Protocol) v1 and v2 do not support private VLANs, so the switch has to be in transparent mode and the PVLANs are defined locally on every switch (VTPv3 can propagate them). Create the secondary VLANs first, then the primary and its association:

    conf t
    vtp mode transparent
    ! secondary VLANs
    vlan 600
     private-vlan community
    vlan 400
     private-vlan isolated
    ! primary VLAN, tied to its secondaries
    vlan 200
     private-vlan primary
     private-vlan association 400,600


Host commands are issued on the secondary (isolated or community) interfaces; the promiscuous port gets a mapping to the secondary VLANs instead.

Could add: switchport mode trunk (encapsulation dot1q) on an uplink to carry the primary and secondary VLANs to another switch.
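The complete PVLAN configuration the notes above describe, as an added example (Cisco IOS, not taken from the original notes). The VLAN numbers 200/400/600 follow the notes; the interface names, the gateway on Gi0/1 and the uplink on Gi0/24 are assumptions for illustration.

```cisco
! Added example: full private-VLAN configuration on a Catalyst switch.
! VLAN numbers follow the notes; interface names and topology are assumed.
conf t
vtp mode transparent
!
! Secondary VLANs first, then the primary that owns them
vlan 400
 private-vlan isolated
vlan 600
 private-vlan community
vlan 200
 private-vlan primary
 private-vlan association 400,600
!
! Isolated host ports: each one sees only the promiscuous port
interface range GigabitEthernet0/2 - 3
 switchport mode private-vlan host
 switchport private-vlan host-association 200 400
!
! Community host ports: see each other and the promiscuous port
interface range GigabitEthernet0/4 - 5
 switchport mode private-vlan host
 switchport private-vlan host-association 200 600
!
! Promiscuous port toward the default gateway / firewall
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 400,600
!
! If the switch itself is the gateway (L3 switch), the SVI of the primary
! VLAN needs the same mapping instead of a promiscuous port:
! interface vlan 200
!  private-vlan mapping 400,600
!
! Uplink: an ordinary 802.1Q trunk carries primary and secondary VLANs to a
! second switch, which must define the same PVLANs itself (VTP v1/v2 will not)
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 200,400,600
end
!
! Verification
show vlan private-vlan
show interfaces GigabitEthernet0/2 switchport
```

Check the `show vlan private-vlan` output for the 200/400 and 200/600 pairs and `show interfaces ... switchport` for "Administrative Mode: private-vlan host" with the expected association; a host port whose association names a secondary VLAN that is not associated with the primary stays inactive.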

PVLAN Edge (light)

2960 = does not support private VLANs (no primary/secondary VLANs).

Instead, make the ports protected ports (switchport protected): protected ports do not forward traffic to each other.

L2 – no unicast, broadcast or multicast is forwarded from one protected port to another protected port on the same switch; traffic to and from unprotected ports (e.g. the uplink or gateway port) is forwarded normally. The protection is only local to the switch: two protected ports on different switches can still reach each other across a trunk, and the gateway router can still relay traffic between two hosts if it routes it back into the same VLAN, so filter that on the router where it matters.
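PVLAN Edge on a switch without private-VLAN support, as an added example (Cisco IOS, not from the original notes). The access VLAN 10 and the interface names are assumptions for illustration.

```cisco
! Added example: protected ports ("PVLAN Edge") on a Catalyst 2960.
! VLAN 10 and the interface names are assumed.
conf t
! Two hosts in the same access VLAN that must not talk to each other
interface range FastEthernet0/1 - 2
 switchport mode access
 switchport access vlan 10
 switchport protected
!
! The gateway/uplink stays unprotected, so both hosts still reach it
interface FastEthernet0/24
 switchport mode access
 switchport access vlan 10
end
!
! Verification: the switchport summary shows "Protected: true" on Fa0/1-2
show interfaces FastEthernet0/1 switchport
```

Since the isolation is local to the switch, a host on Fa0/1 and a host on a protected port of a second 2960 in VLAN 10 still reach each other across the trunk; that case needs real PVLANs on a platform that supports them.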



