Designing VLANs in Networks


Transcript of Designing VLANs in Networks

Page 1: Designing VLANs in Networks

Scalable Security in a Multi-Client Environment - Private VLANs

Designing VLANs in Networks

Page 2: Designing VLANs in Networks

VLANs: Review

A VLAN is a broadcast domain in which hosts can establish direct communication with one another at Layer 2.

Hosts in different Ethernet VLANs cannot communicate directly; a Layer 3 device must forward packets between the broadcast domains.

Regular VLANs usually correspond to a single IP subnet.

Page 3: Designing VLANs in Networks

Typical ISP Network Infrastructure

Page 4: Designing VLANs in Networks

ISP Networks

If an ISP needs a VLAN to be connected to several customer sites, and each customer site needs to reach the ISP's VLAN but not each other's, which is the best design choice for the customer site VLANs?

Page 5: Designing VLANs in Networks

Security Concerns on Sharing a VLAN

Companies can either host their servers on their own premises or locate their servers at the Internet Service Provider's premises.

A typical ISP would have a server farm that offers web-hosting functionality for a number of customers.

Co-locating the servers in a server farm offers ease of management but, at the same time, may raise security concerns. Problem: servers in the shared VLAN can establish Layer 2 communication with one another.

Metropolitan Service Providers may want to provide Layer 2 Ethernet access to homes, rental communities, businesses, etc. Problem: the subscriber next door could very well be a malicious network user.

Page 6: Designing VLANs in Networks

Solution to the ISP Problem

Assign a separate VLAN to each customer. Each user would be assured of Layer 2 isolation from devices belonging to other users.

Problem: Scalability

Maximum (theoretical) 4096 - 4 = 4092 VLANs possible.

Potential wastage of IP addresses in each subnet: each VLAN needs a subnet, and two addresses are wasted per subnet.

Page 7: Designing VLANs in Networks

Private VLANs

Private VLANs (PVLANs) are used to segregate Layer 2 ISP traffic and convey it to a single router interface.

The private VLAN technology partitions a larger VLAN broadcast domain into smaller sub-domains, introducing sub-VLANs inside a VLAN.

Device isolation is achieved by applying Layer 2 forwarding constraints that allow:

• End devices to share the same IP subnet while being Layer 2 isolated.
• Use of larger subnets, reducing address management overhead.

Page 8: Designing VLANs in Networks

Private VLANs

Two special sub-domains specific to the private VLAN technology are defined: the Isolated sub-domain and the Community sub-domain.

Each sub-domain is defined by assigning a proper designation to a group of switch ports.

Catalyst 6500/4500/3650 switches implement PVLANs, whereas the 2950 and 3550 support "protected ports," functionality similar to PVLANs on a per-switch basis.

Page 9: Designing VLANs in Networks

PVLAN Domain

A private VLAN domain is built with at least one pair of VLAN IDs: one (and only one) primary VLAN ID (Vp) plus one or more secondary VLAN IDs (Vs). Secondary VLANs can be of two types:

• Isolated VLANs (Vi): all hosts connected to its ports are isolated at Layer 2.
• Community VLANs (Vc): a community VLAN is a secondary VLAN associated to a group of ports that connect to a certain "community" of end devices with mutual trust relationships.

A primary VLAN is the unique and common VLAN identifier of the whole private VLAN domain and of all its VLAN ID pairs.

Page 10: Designing VLANs in Networks

Port Designations in PVLAN

Three separate port designations exist. Each port designation has its own unique set of rules, which regulate a connected endpoint's ability to communicate with other connected endpoints within the same private VLAN domain.

The three port designations are: Promiscuous, Isolated, and Community.

Page 11: Designing VLANs in Networks

PVLAN - Port Definitions

[Diagram: router R1 on port Fa0/1 in Primary VLAN 100 (Promiscuous); six computers on ports Fa0/2 through Fa0/7 in Secondary VLAN 10 (Community), Secondary VLAN 20 (Community) and Secondary VLAN 30 (Isolated); all devices share one subnet, addressed 192.168.10.1/24 through 192.168.10.7/24; Yes/No labels mark which device pairs can communicate at Layer 2.]
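The forwarding rules behind the three port designations and the Yes/No labels of the diagram, worked through as an added Python example (not code from the slides or from any Cisco product): a small model that decides, for any two ports of the domain, whether the switch may forward a frame between them, and builds the full reachability matrix. Primary VLAN 100 with community VLANs 10 and 20, isolated VLAN 30, the promiscuous mapping on Fa0/1 and the host association on Fa0/2 come from the slides; the placement of Fa0/3 through Fa0/7 in the secondary VLANs is an assumption made for the example.

```python
"""Layer 2 forwarding rules of a private VLAN domain, modelled in Python
(added example, not code from the slides).

Constructed topology: router R1 on Fa0/1 is the promiscuous port of primary
VLAN 100; host ports sit in community VLAN 10, community VLAN 20 or isolated
VLAN 30. Which host port is in which secondary VLAN is an assumption.
"""
from dataclasses import dataclass, field
from itertools import permutations
from typing import Dict, Optional, Tuple

PROMISCUOUS, COMMUNITY, ISOLATED = "promiscuous", "community", "isolated"


@dataclass(frozen=True)
class Port:
    name: str
    kind: str                              # promiscuous, community or isolated
    primary: int                           # primary VLAN (Vp) of the domain
    secondary: Optional[int] = None        # host ports: their secondary VLAN (Vs)
    mapping: frozenset = field(default_factory=frozenset)  # promiscuous ports: secondaries served


def can_forward(src: Port, dst: Port) -> bool:
    """Decide whether a frame entering on src may be forwarded out of dst."""
    if src.primary != dst.primary:
        return False                       # different PVLAN domains never meet at Layer 2
    if src.kind == PROMISCUOUS and dst.kind == PROMISCUOUS:
        return True
    if src.kind == PROMISCUOUS:
        return dst.secondary in src.mapping   # promiscuous reaches every mapped secondary
    if dst.kind == PROMISCUOUS:
        return src.secondary in dst.mapping   # and every mapped secondary reaches it
    # Both are host ports: only members of the same community VLAN may talk.
    # Two isolated ports never do, even when they share the same isolated VLAN.
    return src.kind == COMMUNITY and dst.kind == COMMUNITY and src.secondary == dst.secondary


def reachability(ports: Dict[str, Port]) -> Dict[Tuple[str, str], bool]:
    """Reachability matrix over all ordered port pairs, keyed by (src, dst) name."""
    return {(a.name, b.name): can_forward(a, b) for a, b in permutations(ports.values(), 2)}


# Constructed topology; the comments mark what is assumed rather than given.
PORTS: Dict[str, Port] = {p.name: p for p in [
    Port("Fa0/1", PROMISCUOUS, 100, mapping=frozenset({10, 20, 30})),  # R1, the gateway (from slides)
    Port("Fa0/2", COMMUNITY, 100, secondary=10),   # from slides
    Port("Fa0/3", COMMUNITY, 100, secondary=10),   # assumed placement
    Port("Fa0/4", COMMUNITY, 100, secondary=20),   # assumed placement
    Port("Fa0/5", COMMUNITY, 100, secondary=20),   # assumed placement
    Port("Fa0/6", ISOLATED, 100, secondary=30),    # assumed placement
    Port("Fa0/7", ISOLATED, 100, secondary=30),    # assumed placement
]}

if __name__ == "__main__":
    matrix = reachability(PORTS)
    names = list(PORTS)
    print("src\\dst " + " ".join(f"{n:>5}" for n in names))
    for a in names:
        cells = ["    -" if a == b else ("  yes" if matrix[(a, b)] else "   no") for b in names]
        print(f"{a:>7} " + " ".join(cells))
```

Running the module prints the matrix: every host reaches R1 and R1 reaches every host, the two members of each community reach each other, and the two isolated hosts reach nothing but R1, which is exactly the isolation the slide's Yes/No labels express while all seven devices stay in 192.168.10.0/24.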

Page 12: Designing VLANs in Networks

Example PVLAN

Primary VLAN 1000 has the following secondary VLANs:

• VLAN 1012 – Community VLAN
• VLAN 1034 – Community VLAN
• VLAN 1055 – Isolated VLAN

Page 13: Designing VLANs in Networks

Private VLAN Configuration

Create Private VLANs:

DLS2(config)#vtp mode transparent
DLS2(config)#vlan 10
DLS2(config-vlan)#private-vlan community
DLS2(config)#vlan 20
DLS2(config-vlan)#private-vlan community
DLS2(config)#vlan 30
DLS2(config-vlan)#private-vlan isolated
DLS2(config-vlan)#exit
DLS2(config)#vlan 100
DLS2(config-vlan)#private-vlan primary
DLS2(config-vlan)#private-vlan association 10,20,30

Page 14: Designing VLANs in Networks

Private VLAN Configuration

Populate Private VLANs:

DLS2(config)#int fa0/1
DLS2(config-if)#switchport mode private-vlan promiscuous
DLS2(config-if)#switchport private-vlan mapping 100 10,20,30
DLS2(config-if)#int fa0/2
DLS2(config-if)#switchport mode private-vlan host
DLS2(config-if)#switchport private-vlan host-association 100 10

Verify Private VLANs:

S1#show vlan private-vlan
S1#show interfaces fa0/2 switchport
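A consistency check over the commands of the two configuration slides, added here as an example and not part of the original deck or of any Cisco tooling. It parses the commands (constructed as plain config text with the CLI prompts removed) into VLAN roles, association lists and port assignments, then reports the mistakes that slip past a visual review: a secondary VLAN that was never declared, a mapping or host-association that uses a pair the primary was never associated with, a host port left without its association, and a primary with more than one isolated VLAN. A second constructed config containing two such mistakes shows the findings.

```python
"""Consistency check for a Cisco private VLAN configuration (added example).

The config text below is constructed from the commands on the slides, with
the CLI prompts removed. Nothing here talks to a switch; it is a static
review of the PVLAN pairs a configuration declares versus the ones it uses.
"""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_CONFIG = """
vtp mode transparent
vlan 10
 private-vlan community
vlan 20
 private-vlan community
vlan 30
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 10,20,30
interface fa0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 10,20,30
interface fa0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 10
"""

# Constructed variant with two mistakes: fa0/3 references secondary VLAN 40,
# which was never declared or associated, and fa0/4 is a host port that was
# never given a host-association.
BROKEN_CONFIG = SAMPLE_CONFIG + """
interface fa0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 40
interface fa0/4
 switchport mode private-vlan host
"""


def _ids(csv: str) -> Set[int]:
    return {int(x) for x in csv.split(",") if x.strip()}


def parse(config: str) -> Tuple[Dict[int, str], Dict[int, Set[int]], Dict[str, dict]]:
    """Return (VLAN role by id, association list by primary, PVLAN settings by port)."""
    vlans: Dict[int, str] = {}
    assoc: Dict[int, Set[int]] = {}
    ports: Dict[str, dict] = {}
    ctx = None  # ("vlan", id) or ("if", name): the config mode the next lines apply to
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            ctx = ("vlan", int(m.group(1)))
            vlans.setdefault(ctx[1], "")
        elif m := re.fullmatch(r"interface (\S+)", line):
            ctx = ("if", m.group(1))
            ports[ctx[1]] = {"mode": None, "primary": None, "secondaries": set()}
        elif ctx and ctx[0] == "vlan":
            if m := re.fullmatch(r"private-vlan (primary|community|isolated)", line):
                vlans[ctx[1]] = m.group(1)
            elif m := re.fullmatch(r"private-vlan association ([\d,]+)", line):
                assoc[ctx[1]] = _ids(m.group(1))
        elif ctx and ctx[0] == "if":
            if m := re.fullmatch(r"switchport mode private-vlan (promiscuous|host)", line):
                ports[ctx[1]]["mode"] = m.group(1)
            elif m := re.fullmatch(r"switchport private-vlan (?:mapping|host-association) (\d+) ([\d,]+)", line):
                ports[ctx[1]]["primary"] = int(m.group(1))
                ports[ctx[1]]["secondaries"] = _ids(m.group(2))
    return vlans, assoc, ports


def audit(config: str) -> List[str]:
    """List every inconsistency found; an empty list means the pairs line up."""
    vlans, assoc, ports = parse(config)
    findings: List[str] = []
    for primary, secs in assoc.items():
        if vlans.get(primary) != "primary":
            findings.append(f"VLAN {primary} carries an association list but is not declared primary")
        for s in sorted(secs):
            if vlans.get(s) not in ("community", "isolated"):
                findings.append(f"VLAN {s} is associated to {primary} but not declared community or isolated")
        if sum(vlans.get(s) == "isolated" for s in secs) > 1:
            findings.append(f"primary VLAN {primary} has more than one isolated VLAN")
    for name, p in ports.items():
        if p["mode"] is None:
            continue  # not a PVLAN port
        if p["primary"] is None:
            findings.append(f"{name}: {p['mode']} port has no mapping/host-association, so it belongs to no PVLAN pair")
            continue
        if vlans.get(p["primary"]) != "primary":
            findings.append(f"{name}: VLAN {p['primary']} is not a primary VLAN")
        unassociated = p["secondaries"] - assoc.get(p["primary"], set())
        if unassociated:
            findings.append(f"{name}: secondaries {sorted(unassociated)} are not associated to primary {p['primary']}")
        if p["mode"] == "host" and len(p["secondaries"]) != 1:
            findings.append(f"{name}: a host port must reference exactly one secondary VLAN")
    return findings


if __name__ == "__main__":
    print("slides config:", audit(SAMPLE_CONFIG) or "no findings")
    for f in audit(BROKEN_CONFIG):
        print("broken config:", f)
```

The slides' configuration audits clean; the broken variant reports fa0/3's use of the unassociated VLAN 40 and fa0/4's missing host-association. The same parser can be pointed at the output of show running-config saved to a file, which makes it a cheap pre-change check before a host is trusted to be isolated.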

Page 15: Designing VLANs in Networks

Advantages of PVLANs

1. Provides security
2. Reduces the number of IP subnets
3. Reduces the VLANs' utilisation by isolating traffic between network devices residing in the same VLAN