Private VLANS - A look at Cisco's implementation of Private Virtual LANs (PVLANs)

• Relates to: CCNA | CCDA | CCNP | CCDP | CCIP

We design and build networks to enable systems to communicate with each other. Just as it is crucial to allow communication between hosts that require it, it is also important to deny communication between hosts that have no such requirement. If hosts are on different network segments, it is easy to set up a firewall or a router with an access list to block undesired traffic at the network layer, but when hosts are on the same segment it is more difficult. In this week's newsletter, I will be writing about Cisco's implementation of Private Virtual LANs (PVLANs) to help ensure that network traffic only goes where it is supposed to.

A VLAN on a network is a broadcast domain. All of the hosts on that VLAN can communicate with the other members of the same VLAN. PVLANs allow traffic to be segmented at the data-link layer (layer 2) of the OSI model, limiting the size of the broadcast domain.

PVLANs are particularly useful on a DMZ, where the servers need to be available to external connections and possibly internal connections, but rarely need to communicate with the other servers on the DMZ. A PVLAN could be configured to allow the servers to communicate only with the default gateway on the DMZ, denying communication between the servers. If one of the servers were compromised by a hacker, or infected with a virus, the other servers on the DMZ (the next logical hop for an attack) would be safe.

A switch port that is part of a PVLAN can be configured in one of three ways:

1) The port can be configured to be promiscuous. A promiscuous port can send traffic to, and receive traffic from, any other port in the same PVLAN.

2) The port can be configured in community mode. A community port can forward traffic to a promiscuous port or to another port in the same community.

3) The port can be configured as isolated. Isolated ports can only forward traffic to promiscuous ports.

In a PVLAN, promiscuous ports belong to the primary VLAN, while community and isolated ports belong to secondary VLANs. A PVLAN will only have one primary VLAN, but may have several secondary VLANs.

In the DMZ example mentioned above, the default gateway (either a router or a firewall) would be connected to a promiscuous port on the switch, and all of the servers would be connected to isolated ports (multiple isolated ports can belong to the same secondary VLAN). This would allow external and internal hosts to connect to the servers on the DMZ, but the DMZ servers would be unable to communicate with each other. If there were a web server on the DMZ that needed to access a database server also on the DMZ, both servers could be connected to ports configured for the same community secondary VLAN, effectively isolating the two servers from the rest of the DMZ while maintaining database connectivity for the web server.

There are a few issues with PVLANs that should be mentioned. Switches that use PVLANs must be configured for transparent VTP mode, so they cannot participate in a VTP domain. If trunking is used to pass PVLAN information between two switches, all of the secondary VLAN traffic may be passed over the trunk, so plan your configuration with care if you are using trunking. Finally, if a system on an isolated port is compromised, a hacker can send traffic in such a way that a router will forward the traffic back to a server on the same subnet but on a different isolated port (essentially defeating the purpose of the PVLAN). Cisco strongly recommends using VLAN Access Control Lists (VACLs) to block traffic with a source and destination address on the same subnet (see the links below for more information on VACLs).
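As an added example (not from the original newsletter or from Cisco's documentation), the DMZ layout and the VACL recommendation above expressed in Cisco IOS-style switch configuration. The VLAN numbers, interface names, and the 192.0.2.0/24 subnet with 192.0.2.1 as the gateway are constructed for illustration.

```cisco
! Added example: PVLAN DMZ layout from the article, Cisco IOS-style syntax.
! VLAN ids, interface names and 192.0.2.0/24 addressing are constructed.
vtp mode transparent
!
vlan 201
 private-vlan isolated
vlan 202
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 201,202
!
interface GigabitEthernet1/0/1
 description Default gateway (firewall) on a promiscuous port
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 201,202
!
interface GigabitEthernet1/0/2
 description Stand-alone DMZ server, isolated: reaches only the gateway
 switchport mode private-vlan host
 switchport private-vlan host-association 100 201
!
interface range GigabitEthernet1/0/3 - 4
 description Web and database servers, same community VLAN
 switchport mode private-vlan host
 switchport private-vlan host-association 100 202
!
! VACL for the router-proxy issue: drop IP traffic with both source and
! destination on the DMZ subnet, but keep traffic to/from the gateway IP.
ip access-list extended DMZ-GATEWAY
 permit ip any host 192.0.2.1
 permit ip host 192.0.2.1 any
ip access-list extended DMZ-SAME-SUBNET
 permit ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
!
vlan access-map PVLAN-NO-PROXY 10
 match ip address DMZ-GATEWAY
 action forward
vlan access-map PVLAN-NO-PROXY 20
 match ip address DMZ-SAME-SUBNET
 action drop
vlan access-map PVLAN-NO-PROXY 30
 action forward
!
! Applied to the primary VLAN, which carries frames entering from the
! promiscuous port; web-to-database frames are bridged in VLAN 202 alone.
vlan filter PVLAN-NO-PROXY vlan-list 100
```

Traffic that a compromised server bounces off the gateway comes back into the switch from the promiscuous port with both addresses on 192.0.2.0/24, so sequence 20 drops it, while the servers' normal conversations with the gateway and with external addresses still match sequences 10 and 30.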

Private VLANs can be a strong addition to your network security arsenal. The DMZ scenario is only one of many possible uses for PVLANs (but you will see it in almost every article on PVLANs). Currently, only the newer models of the Catalyst switches support PVLANs. This may be a good time to upgrade all of those older switches that you have on the network, particularly on the DMZ.


Related Links
Cisco PVLAN Compatibility Matrix
Cisco Securing Networks with Private VLANs and VACLs
Cisco Configuring Private VLANs (Cat 4000)
© 1999 - 2010 CramSession. All Rights Reserved.