Browsed by
Month: August 2012

Private VLANs (PVLANs)

Private VLANs (PVLANs)

I recently had one of my customers asked about private VLANs and the benefits/use cases. I thought this was a good opportunity to refresh my knowledge of PVLANs because it was a weak area of mine during my last CCIE lab.

What are Private VLANs?

The main objective with PVLANs is conserving IP space, but still allowing L2 separation for security purposes. Typically, VLAN design calls for a single IP subnet for each VLAN. Here we are able to create multiple (secondary VLAN/s) VLANs for isolation, but conserve space by using a single subnet for all the secondary VLANs.

 

Terminology:
Primary VLAN: These are promiscious ports that can send and recieve frames with any other port Type (P-Port,C-Port,I-Port).
Secondary VLAN or VLANs:

  • Isolated: Any switch ports associated with an Isolated VLAN can reach the primary VLAN, but not any other Secondary VLAN. In addition, hosts associated with the same Isolated VLAN cannot reach each other. Only one Isolated VLAN is allowed in one Private VLAN domain.
  • Community: Any switch ports associated with a common community VLAN can communicate with each other and with the primary VLAN but not with any other secondary VLAN. There can be multiple distinct community VLANs within one Private VLAN domain.

Port Types: Promiscuous, Community, Isolated (easy way to remember this is PCI).

What is the use case?
Service Providers with multi-tenant buildings- HSRP Routers, switch, and multiple SMB customers sharing the same public IP space.
Hotel Internet Access- It would be undesired for the guests to see each other.
DMZ- Instead of creating multiple DMZ’s you could isolated the hosts within a DMZ from each other.
Cloud/Co-location Facilities- You want to use the same subnet but restrict traffic between customers/services.

Are there any vulnerabilities or exploits?
Here is the deal, I’ll be the first to say while by design this is not possible. I have found with network/data security to NEVER say NEVER. That being said. I-Ports are not allowed to send frames/IP packets to any other destination other than the P-Port (uplink). So, even if the D-MAC address, or  VLAN ID is changed, it will only flow to the P-port.

KEEP THIS SIMPLE FACT IN MIND. ALL PROTECTION IS AT L2 for PVLANs.
For more infomration on what I’m talking about, take a look at this link describing “Private VLAN attack”.
*** “Local-Proxy-arp” would have to be enabled on the router for the same subnet, “Proxy-Arp” for different subnets. ***
For the best protection make sure you leverage ACL’s to block unnecessary L3 communications between hosts.  

Summary:
If a SP was going to use a separate VLAN ID for every customer we would be limited to 4000+ customers and that would really waste IP space if we were assigning separate subnet to each VLAN like best practice dictates. With PVLANs the broadcast domain of a single VLAN is split into sub-domains (I-ports and C-Ports). What does all this mean? Well for one you block L2 frames (CDP/STP/etc..) from the isolated hosts and are able to scale multi-tenant solutions while conserving IP space.

“If the private VLAN feature is properly deployed, it can be used at
Layer 2 to segregate individual users or groups of users from each
other: this segregation allows a network designer to more effectively
constrain Layer 2 forwarding so as to, for instance, block or contain
unwanted inter-device communication like port scans or Address
Resolution Protocol (ARP) poisoning attacks.” – RFC5517

My Test Configuration:
Private VLANs can ONLY be configured in VTP TRANSPARENT or VTPv3 mode.

VLAN 500 (Primary VLAN P-Port)
VLAN 501 (Secondary VLAN I-Ports)
VLAN 502 (Secondary VLAN C-Ports)
FA0/1 is the promiscuous port with the router attached. 

sw1#sh vlan private-vlan

Primary Secondary Type Ports
——- ——— —————– ——————————————
500 501 isolated Fa0/1, Fa0/31, Fa0/32
500 502 community Fa0/1, Fa0/33, Fa0/34, Fa0/35

sw1#ip routing

vlan 500
private-vlan primary
private-vlan association 501-502
!
vlan 501
private-vlan isolated
!
vlan 502
private-vlan community

interface FastEthernet0/1
switchport private-vlan mapping 500 501-502
switchport mode private-vlan promiscuous

interface FastEthernet0/31
switchport private-vlan host-association 500 501
switchport mode private-vlan host
!
interface FastEthernet0/32
switchport private-vlan host-association 500 501
switchport mode private-vlan host
!
interface FastEthernet0/33
switchport private-vlan host-association 500 502
switchport mode private-vlan host
!
interface FastEthernet0/34
switchport private-vlan host-association 500 502
switchport mode private-vlan host
!
interface FastEthernet0/35
switchport private-vlan host-association 500 502
switchport mode private-vlan host

interface Vlan500
ip address 10.1.1.1 255.255.255.0
private-vlan mapping 501,502 (optional if the SVI is the gateway)

end 

Verify port mapping with “sh vlan private”
Verify isolation with a ping to 255.255.255.255 from each router/host.

References:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml 
http://en.wikipedia.org/wiki/Private_VLAN
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swpvlan.html
http://tools.ietf.org/html/rfc5517