A question about private VLANs

Discussion in 'Cisco' started by tcollicutt@hotmail.com, May 6, 2005.

  1. Guest

    I know that ports in different private VLANs (isolated or community)
    cannot communicate with each other, even though they are in the same
    subnet and parent VLAN.

    I am curious, because I haven't seen anything that states it yet, to
    know if the following is possible.

    Set up a VLAN. Set up a few community VLANs within it so I can have
    groups of servers using the same IP space, but by default not being
    able to talk to each other, but being able to use access lists to allow
    limited communications between community or isolated VLANs under
    certain restrictions.

    The reason I ask is there is a possibility of a request to set up a DMZ
    where no server in the DMZ can talk to any other server in the DMZ.
    However, once it is in place I know that someone is going to come up
    with some exception which is not going to work with this setup, and
    there will have been so much time and money put into the development
    before anyone asked whether the network will handle it that I will be
    redesigning it again.

    I may be able to do this with regular VLANs. Our firewall admin might
    balk a bit at multiple IPs on an Ethernet interface or a dot1Q trunk,
    but that's a political issue.

    Ideas? Am I completely out to lunch?
    , May 6, 2005
    #1

  2. Peter Guest

    Greetings,

    > The reason I ask is there is a possibility of a request to set up a DMZ
    > where no server in the DMZ can talk to any other server in the DMZ.
    > However, once it is in place I know that someone is going to come up
    > with some exception which is not going to work with this setup, and
    > there will have been so much time and money put into the development
    > before anyone asked whether the network will handle it that I will be
    > redesigning it again.


    Just to make sure I understand you correctly, you want a segment set
    up in which the hosts cannot talk to each other, but be able to talk
    outside that segment, and in which you _MAY_ want some limited
    interhost traffic within that segment?

    There are a number of ways of doing this, it really comes down to how
    much resource do you need to throw at it. At the bottom level, you can
    keep it simple by forcing ALL traffic to leave the Layer 2 device (say
    a 2950 with Port Protected for each connection to the hosts), and that
    traffic then heads to a single port that is NOT Port Protected as the
    "exit" point for that "segment", into a Layer 3 device that can then
    route traffic (this may be a gotcha if the L3 device is a Firewall
    that does not allow same interface bidirectional traffic). That same
    Layer 3 device can then use an ACL to allow or deny traffic between
    devices on that "protected" segment.

    I guess the prime catch here is that a DMZ is usually behind some sort
    of Firewall, and if the Firewall is also the Layer 3 device above,
    then the Firewall needs to be able to route back out that same
    interface, but even if so, there are ways around this...

    > I may be able to do this with regular VLANs. Our firewall admin might
    > balk a bit at multiple IPs on an Ethernet interface or a dot1Q trunk,
    > but that's a political issue.


    Using Port Protected, all hosts can be in the one Subnet, and the ONLY
    path between those hosts being via the Layer 2 exit point, which can
    then control traffic between the Protected hosts using an ACL. At the
    bottom end you do not need a trunk at all, and the only VLAN can be
    the "default" one if you wish.

    Basically, what Port Protected does is prevent ARPs from a Protected
    Port being seen by any other Protected Port on that segment EXCEPT
    from the un-Protected Port (containing the Layer 3 device), so the Layer 3
    device then proxy-ARPs for the target MAC.

    > Am I completely out to lunch?


    Not at all, what you appear to be looking for (if I understand the
    question correctly) is something quite "normal".
    The main issue in doing this is ensuring that capacity exists to
    handle traffic volume for all this traffic flow, remembering that ALL
    traffic goes both in and out just one Port.

    Good luck.............pk.

    ---
    Peter from Auckland.
    Peter, May 7, 2005
    #2

  3. Guest

    Re: A question about private VLANs

    OK, that is pretty much what I expected.

    Second situation.

    Floor switches: 2950s

    Core switch: 6509 (8.2) with MSFC

    Can I set up private VLANs on a 6509, and then assign ports on the
    2950 to that VLAN, or are private VLANs assigned on a switch-by-switch
    basis?
    , May 10, 2005
    #3
  4. Peter Guest

    Re: A question about private VLANs

    Greetings,

    > Floor switches: 2950s
    >
    > Core switch: 6509 (8.2) with MSFC
    >
    > Can I set up private VLANs on a 6509, and then assign ports on the
    > 2950 to that VLAN, or are private VLANs assigned on a switch-by-switch
    > basis?


    A PVLAN transits a Trunk port just like a normal VLAN, so yes, you can
    spread PVLANs between switches if you wish.

    Cheers............pk.

    ---
    Peter from Auckland.
    Peter, May 11, 2005
    #4
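Putting Peter's two answers together, the following is an added configuration example; it is not taken from the thread or from Cisco documentation. It assumes a core switch running Cisco IOS with private-VLAN support (the thread's 6509 runs CatOS 8.2, where the corresponding commands are `set vlan ... pvlan-type` and `set pvlan`, not the syntax shown here) and a floor switch that offers only the protected-port feature. The secondary VLANs do cross the trunk like any other VLAN, but a switch that does not itself implement private VLANs treats them as ordinary VLANs and isolates nothing locally, which is where `switchport protected` from the first answer comes in. Every VLAN number, interface name, host name and address below is a placeholder chosen for the example.

```cisco
! Added example (not the thread's or Cisco's configuration). Assumed platform:
! Cisco IOS core switch with private VLANs; floor switch with protected ports.
! All VLAN numbers, interface names, host names and addresses are placeholders.

! ===== Core switch: private VLANs ==========================================
! One primary VLAN (the DMZ subnet) with three secondary VLANs:
!   101 isolated  - a host here reaches only the promiscuous side (the router)
!   110 community - web servers may reach each other and the router
!   111 community - database servers may reach each other and the router
vlan 100
 name DMZ-PRIMARY
 private-vlan primary
 private-vlan association 101,110,111
vlan 101
 name DMZ-ISOLATED
 private-vlan isolated
vlan 110
 name DMZ-WEB
 private-vlan community
vlan 111
 name DMZ-DB
 private-vlan community
!
! Host ports: each is bound to the primary VLAN plus exactly one secondary VLAN.
interface GigabitEthernet1/1
 description web01 (192.0.2.11)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 110
interface GigabitEthernet1/2
 description db01 (192.0.2.21)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 111
interface GigabitEthernet1/3
 description lonely01 (192.0.2.31), isolated
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Trunk to the floor switch: the secondary VLANs are tagged like any other VLAN.
interface GigabitEthernet1/24
 description trunk to floor switch
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,110,111
 switchport mode trunk
!
! Layer 3 exit point (the MSFC SVI). Mapping the secondary VLANs onto the SVI
! makes it the promiscuous side; local proxy ARP makes the router answer ARP
! for same-subnet hosts that the private VLAN keeps apart, so their traffic
! lands here and the ACL decides whether it is routed back out.
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 101,110,111
 ip local-proxy-arp
 ip access-group DMZ-INTRA in
!
! The "exception" the original poster expects to be asked for: default deny
! between DMZ hosts, with one carve-out for web01 -> db01 on TCP/5432.
ip access-list extended DMZ-INTRA
 remark exception: web01 to db01, database port only, plus the return half
 permit tcp host 192.0.2.11 host 192.0.2.21 eq 5432
 permit tcp host 192.0.2.21 eq 5432 host 192.0.2.11 established
 remark everything else that stays inside the DMZ subnet is dropped here
 deny   ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
 remark traffic leaving the DMZ subnet continues towards the firewall
 permit ip 192.0.2.0 0.0.0.255 any

! ===== Floor switch: protected ports ========================================
! This switch does not implement private VLANs, so VLAN 110 is an ordinary
! VLAN to it and two web servers on it would talk directly. Protected ports
! give the local equivalent of Peter's first answer: protected-to-protected
! forwarding is blocked, and every frame must leave via the unprotected uplink.
interface FastEthernet0/1
 description web02, must not reach web03 locally
 switchport access vlan 110
 switchport protected
interface FastEthernet0/2
 description web03
 switchport access vlan 110
 switchport protected
interface GigabitEthernet0/1
 description uplink to core (deliberately not protected)
 switchport mode trunk
 switchport trunk allowed vlan 100,101,110,111
```

On the core, `show vlan private-vlan` lists the primary/secondary pairings and the ports bound to each, and `show interfaces switchport` confirms per port whether it is a private-VLAN host, promiscuous or protected port. The return-half `established` line matters: an inbound ACL on the SVI sees both directions of a web01-to-db01 session, so permitting only the client-to-server packets would let the handshake start and then drop the replies.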
  5. Guest

    Re: A question about private VLANs

    Excellent.

    Thanks a lot :)
    , May 12, 2005
    #5
