Question on PVLAN

Discussion in 'Cisco' started by Will, Oct 20, 2006.

  1. Will

    Will Guest

    Let's say I have a perimeter network on a firewall segment that I want to
    protect with PVLAN. We would use the PVLAN to force all communication
    between machines within that perimeter to go through the firewall. The
    problem I am seeing with this configuration is that the firewall would
    normally just ignore communications between computers on the same segment,
    figuring that such communication is direct between the computers.

    To make this work, are we supposed to configure a proxy arp on the firewall
    segment, to fake out machines on the network into thinking that all the
    target IPs on that network go to the firewall's port? Do we need to configure
    the network on the firewall to be a single IP (class mask 255.255.255.255)?
    Obviously the answer may be firewall dependent, but how would you make the
    firewall work with a PVLAN perimeter network for the case of Checkpoint
    Firewall-1, Microsoft ISA Server, and Cisco PIX?

    It looks like the only "easy" way to make this work is to be sure that all
    machines in one PVLAN don't need to ever talk to each other....

    --
    Will
    Will, Oct 20, 2006
    #1
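An added configuration example (not from the thread) for the Catalyst plus IOS-gateway case Will describes: the isolated PVLAN keeps hosts from reaching each other at layer 2, the promiscuous port carries the gateway, and, where the gateway is an IOS SVI, `ip local-proxy-arp` answers ARP for same-subnet neighbours so the traffic is hairpinned through the gateway's ACL instead of being dropped at the isolated port. VLAN numbers, interface names, the 192.0.2.0/24 addresses and the ACL contents are assumptions; the Checkpoint, ISA and PIX equivalents are vendor-specific, as the question notes.

```cisco
! Catalyst switch: one primary PVLAN with one isolated secondary VLAN
vlan 100
 name PERIMETER-PRIMARY
 private-vlan primary
 private-vlan association 101
!
vlan 101
 name PERIMETER-ISOLATED
 private-vlan isolated
!
! Host ports (assumed Gi0/1-8): isolated, so hosts cannot reach each
! other at layer 2; their only layer-2 neighbour is the promiscuous port.
interface range GigabitEthernet0/1 - 8
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Port towards the firewall or gateway (assumed Gi0/24): promiscuous,
! so it can reach every isolated host.
interface GigabitEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Policy applied at the gateway. Hosts keep their normal /24 mask; the
! gateway, not the hosts, decides which same-subnet flows are allowed.
! Assumed rule: only HTTPS to one server is allowed between hosts.
ip access-list extended PERIMETER-IN
 permit tcp 192.0.2.0 0.0.0.255 host 192.0.2.10 eq 443
 deny   ip  192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255 log
 permit ip  192.0.2.0 0.0.0.255 any
!
! Gateway as an IOS SVI on the same switch (assumed 192.0.2.1/24).
! ip local-proxy-arp: the SVI answers ARP requests for other addresses
! in its own subnet, so a host sends same-subnet traffic to the gateway
! MAC and the ACL above sees it.
! no ip redirects: otherwise the gateway would tell the host to reach
! its neighbour directly, which the isolated port would then drop.
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 101
 ip local-proxy-arp
 no ip redirects
 ip access-group PERIMETER-IN in
```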

  2. Hi Will,

    You may also wish to investigate the Private VLAN Catalyst Switch
    Support Matrix:

    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_tech_note09186a0080094830.shtml

    as well as Securing Networks with Private VLANs and VLAN Access Control
    Lists:

    http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml

    Configuring Private VLANs:

    http://www.cisco.com/en/US/products...figuration_guide_chapter09186a00802c30c4.html

    and

    http://www.cisco.com/en/US/products...figuration_guide_chapter09186a0080509bf1.html

    and VLAN INSECURITY - VLANS WERE CREATED TO ISOLATE LANS, BUT NOT FOR
    THE PURPOSES OF SECURITY:

    http://www.spirit.com/Network/net0103.html

    Hope this helps.

    Brad Reese
    BradReese.Com - Refurbished Cisco PIX Firewall Guide
    http://www.bradreese.com/refurbished-cisco-pix-firewalls.htm
    1293 Hendersonville Road, Suite 17
    Asheville, North Carolina USA 28803
    USA & Canada: 877-549-2680
    International: 828-277-7272
    Fax: 775-254-3558
    AIM: R2MGrant
    BradReese.Com - Cisco Power Supply Headquarters
    http://www.bradreese.com/cisco-power-supply-inventory.htm
    www.BradReese.Com, Oct 20, 2006
    #2
