Isolating Traffic inside a VLAN Using Private VLANs
In the article VACL – VLAN Access Lists we described one way to provide security on a switch such as a Cisco Catalyst. In this article we look at another way: private VLANs (PVLANs).
The whole idea is to make it possible to group VLANs inside a VLAN. As the diagram shows, this lets you form groups of computers or servers inside the main (primary) VLAN. Two servers can sit in VLAN 10, both on the same subnet, and yet, which is the slightly strange part, be separated into two secondary VLANs, VLAN 4 and VLAN 5.
If you are interested in the PVLAN configuration, see the PVLAN configuration article.
The switch ports to which the servers are connected are isolated ports, which means the servers cannot communicate with each other. The only port an isolated port can reach is the promiscuous port, which is the one facing the router. Every server can therefore reach the Internet or another LAN through the router, but the servers are kept apart and cannot talk to each other even though they are in the same subnet and the same primary VLAN.
More about the same
With PVLANs you group the Layer 2 ports of your switch into a kind of domain: in effect you group the groups of ports. Normally you group Layer 2 ports into a VLAN, and they then behave like a separate switch relative to the other ports on the same switch. In a PVLAN domain you need communication between two VLANs: one is the primary VLAN and the others are secondary VLANs in that domain. The domain provides isolation between the ports within it.
Cisco Catalyst switches support two categories of secondary VLAN:
- Isolated VLANs: Ports belonging to an isolated VLAN have no Layer 2 connectivity with one another. Switch ports associated with an isolated VLAN can communicate with the primary VLAN but not with any other secondary VLAN, and hosts in the same isolated VLAN cannot reach each other either. They are isolated from everything except the primary VLAN, hence the name.
- Community VLANs: Ports belonging to a community VLAN can communicate with one another, but not with ports in other community VLANs.
There are three different kinds of PVLAN ports:
- Promiscuous – Promiscuous ports are typically used to connect network devices such as routers or backup servers. They can communicate with all other PVLAN ports: a promiscuous port reaches anything connected to the primary VLAN or any secondary VLAN, because the private VLAN rules are not applied to it.
- Isolated – Isolated ports can communicate with only promiscuous ports.
- Community – Community ports can communicate with other ports in their community and also with promiscuous ports.
Where is this used?
In many cases it is enough to be able to segment traffic within a single VLAN, without using multiple VLANs and a router. Sometimes, though, things get more complicated and a plain single VLAN is not the best choice. Suppose you manage a single-VLAN server farm. All servers must be able to reach the router or gateway to get to the WAN, but it is not good for every server to hear the others' broadcast traffic. The servers may be in the same farm yet rented or owned by different organizations. For security and privacy reasons each server should be isolated from the others while still reaching the gateway to serve clients outside the local network. Oops, how do you do that?
Here is a second example. You are some kind of service provider, and as a provider you might want a single VLAN to connect several customer networks. Each customer needs to reach your gateway on that VLAN, but clearly the customer sites do not need to interact with each other. Oops, how do you do that?
Private VLANs solve this problem.
A normal (primary) VLAN can be logically associated with special unidirectional VLANs called secondary VLANs. Hosts in a secondary VLAN can communicate with ports on the primary VLAN, such as a router gateway, but not with another secondary VLAN. A secondary VLAN is configured as isolated or community, as described above.
It is important to mention that VTP (VLAN Trunking Protocol) does not carry any information about the private VLAN configuration. For that reason private VLANs are only locally significant to a switch, and each private VLAN must be configured on every switch individually. You must configure each physical switch port that uses a private VLAN with a VLAN association, and you must also define the port as promiscuous or host.
A host switch port connects to a regular host placed in an isolated or community VLAN. The port communicates only with a promiscuous port or with ports in the same community VLAN.
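To make the reachability rules from the port-type list and the host/promiscuous description above concrete, here is a small model (added here, not code from the original article or from Cisco) that decides which ports may exchange Layer 2 frames inside a PVLAN domain. The topology (primary VLAN 10, isolated VLAN 4 for two rented servers, community VLAN 5 for a web tier, interface names) is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                        # "promiscuous", "isolated" or "community"
    primary: int                     # primary VLAN of the PVLAN domain
    secondary: Optional[int] = None  # secondary VLAN for host ports; None on promiscuous ports


def can_talk(src: Port, dst: Port) -> bool:
    """True if a Layer 2 frame from src is allowed to reach dst under PVLAN rules."""
    if src.primary != dst.primary:
        return False   # different PVLAN domains: no Layer 2 path at all
    if "promiscuous" in (src.mode, dst.mode):
        return True    # a promiscuous port reaches every port in its domain
    if "isolated" in (src.mode, dst.mode):
        return False   # isolated ports reach only promiscuous ports
    # both ports are community ports: they must share the same community VLAN
    return src.secondary == dst.secondary


def reachability(ports: List[Port]) -> Dict[str, Dict[str, bool]]:
    """Who can reach whom, for every ordered pair of distinct ports."""
    return {a.name: {b.name: can_talk(a, b) for b in ports if b is not a}
            for a in ports}


# Constructed sample topology (hypothetical names, not from the article's diagram).
ROUTER = Port("Gi0/1-router", "promiscuous", primary=10)
SRV1 = Port("Gi0/2-srv1", "isolated", primary=10, secondary=4)
SRV2 = Port("Gi0/3-srv2", "isolated", primary=10, secondary=4)
WEB1 = Port("Gi0/4-web1", "community", primary=10, secondary=5)
WEB2 = Port("Gi0/5-web2", "community", primary=10, secondary=5)
PORTS = [ROUTER, SRV1, SRV2, WEB1, WEB2]

if __name__ == "__main__":
    # Print, per port, the set of ports it can reach; srv1 and srv2 reach only the router.
    for src, row in reachability(PORTS).items():
        reach = [dst for dst, ok in row.items() if ok]
        print(f"{src:14} -> {', '.join(reach) or '(nothing)'}")
```

Running the block shows the two isolated servers reaching only the router port while the two community ports reach each other and the router, which is exactly the separation the server-farm example asks for.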