A question about private VLANs

Discussion in 'Cisco' started by tcollicutt, May 6, 2005.

  1. tcollicutt (Guest)

    I know that ports in different private VLANs (isolated or community)
    cannot communicate with each other, even though they are in the same
    subnet and parent VLAN.

    I am curious, because I haven't seen anything that states it yet, to
    know if the following is possible.

    Set up a VLAN. Set up a few community VLANs within it so I can have
    groups of servers using the same IP space, but by default not being
    able to talk to each other, but being able to use access lists to allow
    limited communications between community or isolated VLANs under
    certain restrictions.

    The reason I ask is there is a possibility of a request to set up a DMZ
    where no server in the DMZ can talk to any other server in the DMZ.
    However, once it is in place I know that someone is going to come up
    with some exception which is not going to work with this setup, and
    there will have been so much time and money put into the development
    before anyone asked whether the network will handle it that I will be
    redesigning it again.

    I may be able to do this with regular VLANs. Our firewall admin might
    balk a bit at multiple IPs on an Ethernet interface or a dot1Q trunk,
    but that's a political issue.

    Ideas? Am I completely out to lunch?
    tcollicutt, May 6, 2005

  2. Peter (Guest)

    Just to make sure I understand you correctly, you want a segment set
    up in which the hosts cannot talk to each other, but be able to talk
    outside that segment, and in which you _MAY_ want some limited
    interhost traffic within that segment?

    There are a number of ways of doing this, it really comes down to how
    much resource do you need to throw at it. At the bottom level, you can
    keep it simple by forcing ALL traffic to leave the Layer 2 device (say
    a 2950 with Port Protected for each connection to the hosts), and that
    traffic then heads to a single port that is NOT Port Protected as the
    "exit" point for that "segment", into a Layer 3 device that can then
    route traffic (this may be a gotcha if the L3 device is a Firewall
    that does not allow same interface bidirectional traffic). That same
    Layer 3 device can then use an ACL to allow or deny traffic between
    devices on that "protected" segment.

    I guess the prime catch here is that a DMZ is usually behind some sort
    of Firewall, and if the Firewall is also the Layer 3 device above,
    then the Firewall needs to be able to route back out that same
    interface, but even if so, there are ways around this...
    Using Port Protected, all hosts can be in the one Subnet, and the ONLY
    path between those hosts being via the Layer 2 exit point, which can
    then control traffic between the Protected hosts using an ACL. At the
    bottom end you do not need a trunk at all, and the only VLAN can be
    the "default" one if you wish.

    Basically, what Port Protected does is prevent ARPs from a Protected
    Port being seen by any other Protected Port on that segment EXCEPT
    from the un-Protected Port (containing the Layer 3 device), so the Layer 3
    device then proxy ARPs for the target MAC.

    Not at all, what you appear to be looking for (if I understand the
    question correctly) is something quite "normal".
    The main issue in doing this is ensuring that capacity exists to
    handle traffic volume for all this traffic flow, remembering that ALL
    traffic goes both in and out just one Port.

    Good luck.............pk.
    Peter, May 7, 2005
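The design Peter describes above, written out as an added example (not configuration from the thread or from Cisco documentation): host ports on a 2950 made protected so they cannot reach each other at Layer 2, a single unprotected uplink as the only exit, and a Layer 3 device that answers ARP for the whole subnet and applies an ACL to the hairpinned host-to-host traffic. Interface names, VLAN 10, the 10.1.10.0/24 subnet, the host addresses and the single "approved exception" (TCP 1433 between two hosts) are all assumptions chosen for illustration.

```cisco
! ===== 2950 floor switch (assumed: hosts on Fa0/1-8, uplink on Fa0/24) =====
interface range FastEthernet0/1 - 8
 description DMZ server ports: protected, so they cannot talk to each other on this switch
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/24
 description Uplink to the Layer 3 device. Deliberately NOT protected: this is the only exit
 switchport mode access
 switchport access vlan 10
!
! ===== Layer 3 device (e.g. an MSFC SVI; assumed subnet 10.1.10.0/24) =====
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ! Answer ARP requests for other hosts in this subnet with the router's own MAC,
 ! so host-to-host traffic is forced through the router where the ACL can see it.
 ip local-proxy-arp
 ! Without this the router would send ICMP redirects telling hosts to reach
 ! each other directly (which the protected ports block anyway, but keep it clean).
 no ip redirects
 ip access-group DMZ-INTRA in
!
ip access-list extended DMZ-INTRA
 remark The one approved exception (assumed): 10.1.10.20 -> 10.1.10.30 on TCP 1433, plus replies
 permit tcp host 10.1.10.20 host 10.1.10.30 eq 1433
 permit tcp host 10.1.10.30 eq 1433 host 10.1.10.20 established
 remark Everything else that stays inside the DMZ subnet is dropped and logged
 deny   ip 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255 log
 remark Traffic leaving the DMZ is left to the firewall policy, not decided here
 permit ip 10.1.10.0 0.0.0.255 any
```

Two checks worth doing before relying on this. First, `switchport protected` only isolates ports on the same switch: if the DMZ spans two 2950s, a protected port on one switch can reach a protected port on the other straight across the trunk, so the per-switch isolation has to be backed by the ACL on the Layer 3 device (or by real private VLANs on hardware that supports them). Second, the `deny` for intra-subnet traffic is what actually enforces the policy once hosts are routed through the gateway; without it, any host can bypass the Layer 2 isolation simply by addressing frames to the router's MAC with a neighbour's IP as the destination, and the router will forward them.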

  3. tcollicutt (Guest)

    Ok, That is pretty much what I expected.

    Second situation.

    Floor switches : 2950s

    Core switch: 6509 (8.2) with MSFC

    Can I set up private VLANs on a 6509, and then assign ports on the
    2950 to that VLAN, or are private VLANs assigned on a switch by switch
    tcollicutt, May 10, 2005
  4. Peter (Guest)

    A PVLAN transits a Trunk port just like a normal VLAN, so yes, you can
    spread PVLANs between switches if you wish.

    Peter, May 11, 2005
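A private VLAN spread across a trunk, as an added example rather than configuration from the thread: one primary VLAN, one community VLAN for a group of servers that may talk among themselves, one isolated VLAN for servers that may talk to nobody but the gateway, a promiscuous port for the gateway, and a trunk that carries all three VLANs to a second switch. The syntax is Cisco IOS (a Catalyst 3560 or a 6500 running IOS); the 6509 in the thread runs CatOS 8.2, whose commands differ. One caveat to the answer above for this particular design: the 2950 floor switches can only do protected ports, not private VLAN host ports, so the PVLAN host ports have to sit on PVLAN-capable switches, even though the secondary VLANs themselves will happily cross a trunk through a 2950. VLAN numbers, interface names and the 10.1.10.0/24 subnet are assumptions.

```cisco
! Private VLANs require VTP transparent mode (assumption for this example: VTP v1/v2)
vtp mode transparent
!
vlan 101
 name DMZ-web-community
 private-vlan community
!
vlan 102
 name DMZ-isolated
 private-vlan isolated
!
vlan 100
 name DMZ-primary
 private-vlan primary
 private-vlan association 101,102
!
interface GigabitEthernet0/1
 description Gateway/firewall: promiscuous, reachable from every secondary VLAN
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
interface GigabitEthernet0/2
 description Web server A, community 101 (can reach other community-101 hosts and the gateway)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet0/3
 description Web server B, same community as Gi0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet0/4
 description Standalone server, isolated 102 (gateway only, not even other isolated hosts)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
interface GigabitEthernet0/24
 description Trunk to a second PVLAN-capable switch: primary AND both secondaries must be allowed
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100-102
!
! Optional: route on the primary VLAN from this switch instead of an external gateway.
! The same local-proxy-arp + intra-subnet deny ACL pattern applies here as for protected ports.
interface Vlan100
 ip address 10.1.10.1 255.255.255.0
 private-vlan mapping 101,102
 ip local-proxy-arp
 no ip redirects
```

Verify the result with `show vlan private-vlan` (primary, secondaries and their types and port lists) and `show interfaces trunk` (all three VLANs allowed and active on Gi0/24). The isolation is purely Layer 2: a host in the isolated VLAN can still reach a community host by sending frames to the gateway's MAC with the neighbour's IP as the destination, and the gateway will route them back into the subnet. A `deny ip 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255` ACL on the gateway interface (with whatever explicit permits the approved exceptions need) is what closes that path.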
  5. tcollicutt (Guest)

    Thanks a lot :)
    tcollicutt, May 12, 2005
