
Designing VLANs in Networks



Presentation Transcript


  1. Designing VLANs in Networks Scalable Security in a Multi-Client Environment - Private VLANs

  2. VLANs: Review
  • A VLAN is a broadcast domain in which hosts can establish direct communication with one another at Layer 2.
  • Hosts in different Ethernet VLANs are not allowed to communicate directly; a Layer 3 device must forward packets between the broadcast domains.
  • Regular VLANs usually correspond to a single IP subnet.

  3. Typical ISP Network Infrastructure

  4. ISP Networks
  If an ISP needs a VLAN to be connected to several customer sites, and each customer site needs to reach the ISP's VLAN but not each other's, which is the best design choice for the customer-site VLANs?

  5. Security Concerns on Sharing a VLAN
  • Companies can either host their servers on their own premises or locate them at the Internet Service Provider's premises.
  • A typical ISP has a server farm that offers web-hosting functionality to a number of customers.
  • Co-locating the servers in a server farm offers ease of management but, at the same time, may raise security concerns.
  • Problem: servers in the shared VLAN can establish Layer 2 communication with each other.
  • Metropolitan service providers may want to provide Layer 2 Ethernet access to homes, rental communities, businesses, etc.
  • Problem: the subscriber next door could very well be a malicious network user.

  6. Solution – ISP Problem
  • Assign a separate VLAN to each customer.
  • Each user would then be assured of Layer 2 isolation from devices belonging to other users.
  • Problems:
    • Scalability: a maximum (theoretical) of 4096-4 = 4092 VLANs is possible.
    • Potential wastage of IP addresses in each subnet: each VLAN needs its own subnet, and two addresses are wasted per subnet.

  7. Private VLANs
  • Private VLANs (PVLANs) are used to segregate Layer 2 ISP traffic and convey it to a single router interface.
  • The private VLAN technology partitions a larger VLAN broadcast domain into smaller sub-domains, introducing sub-VLANs inside a VLAN.
  • Device isolation is achieved by applying Layer 2 forwarding constraints that allow:
    • End devices to share the same IP subnet while being Layer 2 isolated.
    • Use of larger subnets, reducing address-management overhead.

  8. Private VLANs
  • Two special sub-domains specific to the private VLAN technology are defined:
    • the isolated sub-domain, and
    • the community sub-domain.
  • Each sub-domain is defined by assigning a proper designation to a group of switch ports.
  • Catalyst 6500/4500/3650 switches implement PVLANs, whereas the 2950 and 3550 support "protected ports", a functionality similar to PVLANs on a per-switch basis.

  9. PVLAN Domain
  • A private VLAN domain is built with at least one pair of VLAN IDs:
    • one (and only one) primary VLAN ID (Vp), plus
    • one or more secondary VLAN IDs (Vs).
  • Secondary VLANs can be of two types:
    • isolated VLANs (Vi): all hosts connected to their ports are isolated from each other at Layer 2, or
    • community VLANs (Vc): a community VLAN is a secondary VLAN associated with a group of ports that connect to a certain "community" of end devices with mutual trust relationships.
  • A primary VLAN is the unique and common VLAN identifier of the whole private VLAN domain and of all its VLAN ID pairs.

  10. Port Designations in PVLAN
  • Three separate port designations exist.
  • Each port designation has its own unique set of rules, which regulate a connected endpoint's ability to communicate with other connected endpoints within the same private VLAN domain.
  • The three port designations are:
    • Promiscuous,
    • Isolated, and
    • Community.

  11. PVLAN – Port Definitions
  [Diagram. Labels recovered from the figure; the grouping of ports into VLANs is inferred from label placement and matches the configuration on slides 13 and 14.]
  • Fa0/1: R1, 192.168.10.1/24, Primary VLAN 100 (Promiscuous)
  • Fa0/2: 192.168.10.2/24 and Fa0/3: 192.168.10.3/24, Secondary VLAN 10 (Community), can reach each other: Yes
  • Fa0/4: 192.168.10.4/24 and Fa0/5: 192.168.10.5/24, Secondary VLAN 30 (Isolated), can reach each other: No
  • Fa0/6: 192.168.10.6/24 and Fa0/7: 192.168.10.7/24, Secondary VLAN 20 (Community), can reach each other: Yes
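The forwarding constraints of slides 9 to 11 can be written down as a small model and checked against the slide 11 topology. The following is an added example, not code from the presentation or from any switch vendor: the port names, addresses and VLAN IDs follow the diagram, the rule table is the standard PVLAN behaviour, and the function names (`can_forward`, `reachability`, `cross_tenant_leaks`, `flat_vlan_forward`) are this example's own. It also goes one step beyond the slide by contrasting the PVLAN rules with an ordinary shared VLAN, which is the slide 5 problem.

```python
# Added example (not from the presentation): a model of the private VLAN
# forwarding constraints from slides 9-11, checked against the slide 11 topology.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PrivateVlanDomain:
    primary: int
    secondaries: Dict[int, str]  # secondary VLAN ID -> "community" or "isolated"


@dataclass(frozen=True)
class Port:
    name: str
    ip: str
    mode: str                 # "promiscuous" or "host" (switchport mode private-vlan ...)
    primary: int              # primary VLAN from the mapping / host-association
    secondary: Optional[int]  # host ports: their secondary VLAN; promiscuous ports: None


# Domain and topology as labelled on slide 11 (values taken from the slides).
DOMAIN = PrivateVlanDomain(primary=100, secondaries={10: "community", 20: "community", 30: "isolated"})
PORTS = [
    Port("Fa0/1", "192.168.10.1/24", "promiscuous", 100, None),  # R1
    Port("Fa0/2", "192.168.10.2/24", "host", 100, 10),
    Port("Fa0/3", "192.168.10.3/24", "host", 100, 10),
    Port("Fa0/4", "192.168.10.4/24", "host", 100, 30),
    Port("Fa0/5", "192.168.10.5/24", "host", 100, 30),
    Port("Fa0/6", "192.168.10.6/24", "host", 100, 20),
    Port("Fa0/7", "192.168.10.7/24", "host", 100, 20),
]


def designation(port: Port, domain: PrivateVlanDomain) -> str:
    """A host port inherits its designation from the type of its secondary VLAN."""
    if port.mode == "promiscuous":
        return "promiscuous"
    return domain.secondaries[port.secondary]


def can_forward(src: Port, dst: Port, domain: PrivateVlanDomain) -> bool:
    """True if the switch forwards a Layer 2 frame from src to dst under PVLAN rules."""
    # Ports outside this private VLAN domain share no Layer 2 path with it.
    if src.primary != domain.primary or dst.primary != domain.primary:
        return False
    s, d = designation(src, domain), designation(dst, domain)
    if "promiscuous" in (s, d):
        return True            # promiscuous ports talk to every port in the domain
    if "isolated" in (s, d):
        return False           # isolated hosts reach only promiscuous ports
    return src.secondary == dst.secondary  # community hosts reach their own community


def flat_vlan_forward(src: Port, dst: Port, domain: PrivateVlanDomain) -> bool:
    """Forwarding rule of an ordinary shared VLAN (slide 5): any two members can talk."""
    return src.primary == dst.primary


def reachability(ports: List[Port], domain: PrivateVlanDomain) -> Dict[str, List[str]]:
    """Per port, the list of other ports it can reach at Layer 2 under PVLAN rules."""
    return {p.name: [q.name for q in ports if q is not p and can_forward(p, q, domain)]
            for p in ports}


def cross_tenant_leaks(ports: List[Port], domain: PrivateVlanDomain,
                       forward: Callable[[Port, Port, PrivateVlanDomain], bool] = can_forward
                       ) -> List[Tuple[str, str]]:
    """Ordered host-to-host pairs in different secondary VLANs that can still reach each
    other. Empty under correct PVLAN constraints; anything listed is a finding."""
    return [(p.name, q.name) for p in ports for q in ports
            if p.mode == "host" and q.mode == "host"
            and p.secondary != q.secondary and forward(p, q, domain)]


if __name__ == "__main__":
    for port, peers in reachability(PORTS, DOMAIN).items():
        print(f"{port:6} -> {', '.join(peers) or '(none)'}")
    print("PVLAN leaks:", cross_tenant_leaks(PORTS, DOMAIN))
    print("shared-VLAN leaks:", len(cross_tenant_leaks(PORTS, DOMAIN, flat_vlan_forward)))
```

Running it prints one reachability line per port: the isolated hosts Fa0/4 and Fa0/5 reach only Fa0/1, each community host reaches Fa0/1 and its community peer, and the promiscuous port reaches everything. The same topology treated as one flat VLAN yields 24 ordered cross-tenant host pairs, which is exactly the exposure the PVLAN constraints remove.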

  12. Example PVLAN
  Primary VLAN 1000 has the following secondary VLANs:
  • VLAN 1012 – Community VLAN
  • VLAN 1034 – Community VLAN
  • VLAN 1055 – Isolated VLAN

  13. Private VLAN Configuration
  Create Private VLANs:
    DLS2(config)#vtp mode transparent
    DLS2(config)#vlan 10
    DLS2(config-vlan)#private-vlan community
    DLS2(config-vlan)#exit
    DLS2(config)#vlan 20
    DLS2(config-vlan)#private-vlan community
    DLS2(config-vlan)#exit
    DLS2(config)#vlan 30
    DLS2(config-vlan)#private-vlan isolated
    DLS2(config-vlan)#exit
    DLS2(config)#vlan 100
    DLS2(config-vlan)#private-vlan primary
    DLS2(config-vlan)#private-vlan association 10,20,30

  14. Private VLAN Configuration
  Populate Private VLANs:
    DLS2(config)#interface fa0/1
    DLS2(config-if)#switchport mode private-vlan promiscuous
    DLS2(config-if)#switchport private-vlan mapping 100 10,20,30
    DLS2(config-if)#interface fa0/2
    DLS2(config-if)#switchport mode private-vlan host
    DLS2(config-if)#switchport private-vlan host-association 100 10
  Verify Private VLANs:
    DLS2#show vlan private-vlan
    DLS2#show interfaces fa0/2 switchport
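The verification step on slide 14 is only useful if someone reads the output and checks it against the intended design: one primary, every secondary mapped on the promiscuous port, and no host port associated with two secondaries. The following is an added example, not code from the presentation: it parses the tabular output of `show vlan private-vlan` and audits it. The sample output is constructed, modelled on the Catalyst table layout with the hostname, VLAN IDs and ports from the slides, and it deliberately omits Fa0/1 from the VLAN 20 row so that the audit has something to find; `parse_private_vlans` and `audit` are this example's own names.

```python
# Added example (not from the presentation): parse "show vlan private-vlan"
# output and audit it against the PVLAN design from slides 11-14.
import re
from typing import List, Tuple

# Constructed sample output. The VLAN 20 row is missing the promiscuous port
# Fa0/1 on purpose: hosts in that community would have no path to the router.
SAMPLE_OUTPUT = """\
DLS2#show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     10        community         Fa0/1, Fa0/2, Fa0/3
100     20        community         Fa0/6, Fa0/7
100     30        isolated          Fa0/1, Fa0/4, Fa0/5
"""

Row = Tuple[int, int, str, List[str]]  # (primary, secondary, type, ports)
ROW = re.compile(r"^(\d+)\s+(\d+)\s+(community|isolated)\s+(.*)$")


def parse_private_vlans(text: str) -> List[Row]:
    """Extract (primary, secondary, type, ports) rows; header and prompt lines are skipped."""
    rows: List[Row] = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            primary, secondary, vtype, ports = m.groups()
            rows.append((int(primary), int(secondary), vtype,
                         [p.strip() for p in ports.split(",") if p.strip()]))
    return rows


def audit(rows: List[Row], promiscuous: str) -> List[str]:
    """Return human-readable findings; an empty list means the table matches the design."""
    findings: List[str] = []
    primaries = {r[0] for r in rows}
    if len(primaries) != 1:
        findings.append(f"expected one primary VLAN, found {sorted(primaries)}")
    seen = {}  # host port -> secondary VLAN it was first seen in
    for _primary, secondary, _vtype, ports in rows:
        # The promiscuous port must be mapped to every secondary VLAN, or that
        # secondary's hosts cannot reach the router interface (slide 7).
        if promiscuous not in ports:
            findings.append(f"secondary VLAN {secondary} is not mapped on promiscuous port {promiscuous}")
        for port in ports:
            if port == promiscuous:
                continue
            # A host port belongs to exactly one secondary VLAN (slide 9).
            if port in seen and seen[port] != secondary:
                findings.append(f"host port {port} appears in secondary VLANs {seen[port]} and {secondary}")
            seen.setdefault(port, secondary)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_private_vlans(SAMPLE_OUTPUT), promiscuous="Fa0/1") or ["no findings"]:
        print(finding)
```

On the sample output the audit reports only the missing mapping for VLAN 20; applying `switchport private-vlan mapping 100 10,20,30` on Fa0/1, as on slide 14, would clear it.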

  15. Advantages of PVLANs
  • Provides security: Layer 2 isolation between devices in the same VLAN
  • Reduces the number of IP subnets
  • Reduces VLAN utilisation: fewer VLAN IDs are consumed, because traffic between network devices residing in the same VLAN is isolated without assigning each a separate VLAN

  16. Useful Links
  • RFC 5517
  • Private VLANs
  • Comprehensive analysis of various security threats and their mitigation techniques for a medium-size ISP
