
Implementing Private VLANs - How They REALLY Work!
Tuesday, November 14, 2006 at 02:02PM
Mike Storm

Private VLANs are one of the more useful layer 2 security mechanisms, yet
hardly anyone seems to understand them. The concept is simple, but the
implementation of PVLANs can be difficult to grasp, especially in large,
complex environments. The difficulty is less the commands themselves than
understanding how the components of a PVLAN work together and mapping your own
scenario onto the PVLAN structure. This example walks through a common scenario
where PVLANs are applicable and puts to rest some of the confusion involved in
configuring them accordingly.
In our example, our intention is to use PVLANs to help protect our DMZ
network from unauthorized traffic pairs while still allowing the public
services to operate correctly. The goal of the PVLAN is to reduce the
possibility of trust exploitation: if one bastion host is compromised, it
should not be able to reach the neighbours it has no business talking to.
(VLAN hopping and double-tagging attacks are a separate concern that PVLANs do
not address; those are mitigated by hardening trunk ports and the native
VLAN.) One thing to remember is that PVLANs have been fully supported only on
the Cisco Catalyst 4000 and 6000 series switches for a long time, and most of
the configuration documentation on Cisco's website is based on these two
platforms. Today the full feature set is supported on the 3560 and 3750
switches as well (important for the CCIE Security Lab). Other switch
platforms, such as the 3550 series, do not carry the full feature set for
PVLAN deployment; they offer only the "protected port" (PVLAN edge) feature,
which isolates ports within a single VLAN and has no primary/secondary
structure.
PVLAN Background:
PVLANs provide layer 2 isolation between ports within the same broadcast
domain (the same IP subnet), so hosts can be separated from each other without
spending a subnet and a firewall interface on each of them. They can be
configured on a Layer 2 or Layer 3 switch. PVLANs include three types of
ports:
- Promiscuous ports can communicate with every other port in the private VLAN
(isolated, community and other promiscuous ports). The firewall or default
gateway normally sits on a promiscuous port.
- Isolated ports have complete Layer 2 separation from all other ports within
the same PVLAN, including other isolated ports. An isolated port can
communicate only with promiscuous ports.
- Community ports communicate among themselves (within the same community) and
with the promiscuous ports, but not with other communities or with isolated
ports.
Private VLAN ports are associated with a set of supporting VLANs that together
make up the private VLAN structure. A private VLAN uses VLANs in three ways:
- The Primary VLAN carries traffic from promiscuous ports to isolated,
community, and other promiscuous ports. There is exactly one primary VLAN per
private VLAN.
- The Isolated VLAN carries traffic from isolated ports to promiscuous ports.
Only one isolated VLAN can be associated with a primary VLAN.
- A Community VLAN carries traffic between community ports and to promiscuous
ports. You can configure multiple community VLANs in a private VLAN.
All of the secondary VLANs share the primary VLAN's IP subnet; the separation
is purely at Layer 2.

The diagram below identifies how our scenario is set up, with a PIX/ASA
device being used as the firewall (any stateful firewall can be used) creating a
protected DMZ network, where our public access servers (bastion hosts) reside.

Goals of the Solution:

- 2 DNS servers must communicate with the Internet and each other for zone
transfer
- 1 Web Server must communicate with the Internet and the SQL Server for
content
- 1 SQL Server must communicate only with the Web server and an internal
SQL source (protected by firewall rules)
- 1 SMTP Relay must communicate only with the Internet and the internal mail
server
- 1 FTP Server must communicate only with the Internet
The first thing you must do is to create the Primary VLAN that will be used in
the PVLAN scenario, along with the Community and Isolated VLANs that will be
associated with it. VLAN 1 (and the reserved VLANs 1002-1005) cannot be used
as a private VLAN. On switches running VTP version 1 or 2 the switch must be
in VTP transparent mode (vtp mode transparent) before private VLANs can be
configured, since those VTP versions do not propagate PVLAN information. (The
diagrams that follow show each of these steps.)
Switch(config)#vlan 100
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#vlan 200
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#vlan 86
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#exit
Switch(config)#vlan 10

Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#private-vlan association 100,200,86
Switch(config-vlan)#exit
The diagram below shows the implementation of the Primary VLAN

The next step is to assign the PIX/ASA port to the primary VLAN as a
promiscuous port and map it to every secondary VLAN whose hosts need to reach
the firewall. The command is switchport private-vlan mapping; a secondary VLAN
left out of the mapping would be unable to reach the firewall at all.
Switch(config)#interface gig2/1
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 10 100,200,86
The diagram below shows the implementation of the assignment.

The diagram below shows the implementation of the Community VLAN 100
and the (additional) configuration to assign the ports to the community VLAN.
Each host port must be put into private-vlan host mode; the host-association
is stored but has no effect until that mode is set.
Switch(config)#vlan 100
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#interface range Gig2/2 - 3
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 100

The diagram below shows the implementation of the Community VLAN 200
and the (additional) config to assign the ports to Community VLAN 200. Again,
the ports are placed in private-vlan host mode before the association.
Switch(config)#vlan 200
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#interface range Gig2/4 - 5
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 200

The diagram below shows the implementation of the Isolated VLAN 86 and the
related port assignment. Isolated ports use the same host mode and
host-association commands as community ports; the isolation comes from the
VLAN type, not from the port command.
Switch(config)#vlan 86
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#exit
Switch(config)#interface range Gig2/6 - 7
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 86

After all of this has been implemented, your traffic pairs are now being
controlled within the PVLAN environment: the firewall on the promiscuous port
reaches every server; the two members of each community VLAN reach each other
and the firewall; the hosts on isolated ports reach only the firewall, not
even each other; and no host reaches a host in a different secondary VLAN.
Verify the structure with show vlan private-vlan and a port's role with show
interfaces <interface> switchport. Two caveats apply. First, the isolation is
at Layer 2 only: a promiscuous device that routes or answers proxy ARP can
relay traffic between two isolated hosts in the same subnet unless its rules
deny traffic whose source and destination are both in the DMZ, so the firewall
policy must explicitly block that hairpin. Second, a trunk that carries the
primary VLAN to another switch must also carry the secondary VLANs (or be
configured as a private-vlan trunk), otherwise the isolation does not extend
across the link. The diagram below shows the final allowed traffic pairs.
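The forwarding rules from the background section and the port assignments above can be checked mechanically rather than by staring at a diagram. The script below is an added example, not code from the original post: it parses a constructed running-config excerpt in the Catalyst IOS syntax used above (not a real device dump), applies the three PVLAN rules (promiscuous reaches everything it is mapped to, community reaches its own community plus promiscuous, isolated reaches only promiscuous) and compares the resulting Layer 2 pairs with the goals list. The placement of the servers on Gig2/2 through Gig2/7 is an assumption chosen to match the goals, since the diagrams are not reproduced here; the function and variable names are mine.

```python
"""Audit the Layer 2 pairs a private-VLAN configuration allows (added example,
not the post's code). It parses a constructed running-config excerpt in the
Catalyst IOS syntax used above, applies the PVLAN forwarding rules and checks
the post's goals."""
import re
from itertools import combinations

# Constructed running-config excerpt, not a real device dump.
RUNNING_CONFIG = """\
vlan 10
 private-vlan primary
 private-vlan association 86,100,200
vlan 86
 private-vlan isolated
vlan 100
 private-vlan community
vlan 200
 private-vlan community
interface GigabitEthernet2/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 86,100,200
interface GigabitEthernet2/2
 switchport mode private-vlan host
 switchport private-vlan host-association 10 100
interface GigabitEthernet2/3
 switchport mode private-vlan host
 switchport private-vlan host-association 10 100
interface GigabitEthernet2/4
 switchport mode private-vlan host
 switchport private-vlan host-association 10 200
interface GigabitEthernet2/5
 switchport mode private-vlan host
 switchport private-vlan host-association 10 200
interface GigabitEthernet2/6
 switchport mode private-vlan host
 switchport private-vlan host-association 10 86
interface GigabitEthernet2/7
 switchport mode private-vlan host
 switchport private-vlan host-association 10 86
"""

# Assumed server placement (the post's diagrams are not reproduced here).
SERVER_PORT = {"firewall": "GigabitEthernet2/1", "web": "GigabitEthernet2/2",
               "sql": "GigabitEthernet2/3", "dns1": "GigabitEthernet2/4",
               "dns2": "GigabitEthernet2/5", "smtp": "GigabitEthernet2/6",
               "ftp": "GigabitEthernet2/7"}
# Goals: every server reaches the firewall; web<->sql and dns1<->dns2 are the
# only server-to-server pairs that may exist at Layer 2.
INTENDED = {frozenset((s, "firewall")) for s in SERVER_PORT if s != "firewall"}
INTENDED |= {frozenset(("web", "sql")), frozenset(("dns1", "dns2"))}


def parse_pvlan_config(cfg):
    """vlan_types: id -> primary|isolated|community; ports: name -> role/primary/
    secondaries. role stays None if no `switchport mode private-vlan` line is
    present: the association is stored but inactive, so the port is a plain
    access port and is not part of the PVLAN at all."""
    vlan_types, ports, vlan, port = {}, {}, None, None
    for line in cfg.splitlines():
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan, port = int(m[1]), None
        elif m := re.fullmatch(r"interface (\S+)", line):
            port, vlan = m[1], None
            ports[port] = {"role": None, "primary": None, "secondaries": set()}
        elif vlan and (m := re.fullmatch(r" private-vlan (primary|isolated|community)", line)):
            vlan_types[vlan] = m[1]
        elif port and (m := re.fullmatch(r" switchport mode private-vlan (promiscuous|host)", line)):
            ports[port]["role"] = m[1]
        elif port and (m := re.fullmatch(
                r" switchport private-vlan (?:mapping|host-association) (\d+) ([\d,]+)", line)):
            ports[port]["primary"] = int(m[1])
            ports[port]["secondaries"] = {int(v) for v in m[2].split(",")}
    return vlan_types, ports


def can_talk(a, b, vlan_types):
    """PVLAN forwarding rules for two ports of the same switch."""
    if None in (a["role"], b["role"], a["primary"]) or a["primary"] != b["primary"]:
        return False  # not an active PVLAN port, or a different primary VLAN
    if "promiscuous" in (a["role"], b["role"]):
        prom, other = (a, b) if a["role"] == "promiscuous" else (b, a)
        # promiscuous<->promiscuous via the primary; promiscuous<->host only for
        # the secondary VLANs the promiscuous port is mapped to
        return other["role"] == "promiscuous" or other["secondaries"] <= prom["secondaries"]
    # host<->host: only inside one community VLAN; an isolated VLAN never forwards
    (sa,), (sb,) = a["secondaries"], b["secondaries"]
    return sa == sb and vlan_types.get(sa) == "community"


def allowed_pairs(cfg=RUNNING_CONFIG):
    """Set of frozenset({port_a, port_b}) that can exchange frames."""
    vlan_types, ports = parse_pvlan_config(cfg)
    return {frozenset(p) for p in combinations(sorted(ports), 2)
            if can_talk(ports[p[0]], ports[p[1]], vlan_types)}


def audit(cfg=RUNNING_CONFIG):
    """Pairs the config allows beyond the goals, and goal pairs it fails to allow."""
    port_to_server = {p: s for s, p in SERVER_PORT.items()}
    actual = {frozenset(port_to_server[p] for p in pair) for pair in allowed_pairs(cfg)}
    return {"unexpected": actual - INTENDED, "missing": INTENDED - actual}


# Failure mode: the FTP port keeps its host-association but loses the
# `switchport mode private-vlan host` line, so it silently drops out of the PVLAN.
MISCONFIGURED = RUNNING_CONFIG.replace(
    "interface GigabitEthernet2/7\n switchport mode private-vlan host\n",
    "interface GigabitEthernet2/7\n")
```

audit() on the config as built returns empty "unexpected" and "missing" sets, i.e. exactly the eight pairs the goals call for and nothing else (in particular the two isolated hosts cannot reach each other). audit(MISCONFIGURED) reports the firewall/ftp pair as missing, which is how the forgotten host-mode line shows up in practice: the FTP server simply cannot reach its gateway.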
