Layer 2 Security - Private VLANs (the Story Continues ...), (Wed, May 12th)
Rob, you say - it's been a little while since we talked about Layer 2 Security (almost a week) - does that mean that we're done?
Not a chance - we haven't talked about Private VLANs yet!
A VLAN is often defined as a broadcast domain, and in most cases it coincides with an IP subnet. Private VLANs (also called PVLANs) are the exception to this: a Private VLAN is still usually a single IP subnet, but the broadcast domain definition no longer holds true, because the switch deliberately withholds frames (broadcasts included) from some of the ports in that subnet.
In a private VLAN, you start by defining an uplink port (also called a promiscuous port). This is normally the port (or link aggregation group) that is attached to the uplink router(s), firewall(s), provider network or server(s). After that is set, you define isolated ports. Any frame received on an isolated port is forwarded only out the uplink port, no matter what destination MAC or IP address it might have. This includes ARP traffic and any other broadcast traffic. Frames received on the promiscuous port are then forwarded in the usual way: ARPs, broadcasts and all other layer 2 frames work as you would expect them to.
So what this means is that isolated ports in a Private VLAN cannot speak to each other at all at layer 2 - their only traffic path is via layer 3, through the router or firewall on the promiscuous port, to other subnets or (only if that device permits it) back to other isolated ports in the same PVLAN. That last case deserves a check: the switch enforces isolation at layer 2 only, so a router that is willing to send a packet back out the interface it arrived on (proxy ARP for local addresses, for instance) will happily relay traffic between two isolated hosts. If host-to-host traffic is not wanted, deny it on the layer 3 device as well, with an ACL that drops packets sourced from and destined to the same subnet.
The concept of isolated ports can be expanded to larger port groups - this concept is called community ports. Ports in the same community can speak to each other via layer 2 just like in a regular VLAN (and, of course, to the promiscuous port), but are separated from ports in other communities and from isolated ports.
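To make the three port roles concrete, here is a small forwarding model I've added for this diary - it is not switch code, not vendor configuration, and not something from the original post. Port names, MAC addresses and the topology are constructed for the example, and one detail is a modelling choice: a frame whose destination MAC has been learned on a port the PVLAN rules forbid is simply dropped, where real switches may instead flood it toward the promiscuous port (the isolated peer never receives it either way). The point it demonstrates is that even once the switch has learned a neighbouring isolated host's MAC, a frame from an isolated port still never reaches it at layer 2, while community members and the uplink behave like a normal VLAN.

```python
"""Toy model of Private VLAN (PVLAN) frame forwarding.

Added example, not from the ISC diary: port names, MAC addresses and the
drop-vs-flood choice for a known but forbidden destination are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Role(Enum):
    PROMISCUOUS = "promiscuous"   # uplink: may exchange frames with every port
    ISOLATED = "isolated"         # may exchange frames with promiscuous ports only
    COMMUNITY = "community"       # normal VLAN inside the community, plus the uplink


BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Port:
    name: str
    role: Role
    community: Optional[str] = None   # only meaningful for COMMUNITY ports


class PrivateVlanSwitch:
    """Decides which ports a frame may leave on, using only the PVLAN port roles."""

    def __init__(self, ports: List[Port]) -> None:
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.mac_table: Dict[str, str] = {}   # learned source MAC -> ingress port name

    @staticmethod
    def allowed(ingress: Port, egress: Port) -> bool:
        """PVLAN rule: may a frame that entered on `ingress` leave via `egress`?"""
        if ingress.name == egress.name:
            return False
        if Role.PROMISCUOUS in (ingress.role, egress.role):
            return True
        if ingress.role is Role.COMMUNITY and egress.role is Role.COMMUNITY:
            return ingress.community == egress.community
        return False   # isolated<->isolated, isolated<->community, community A<->community B

    def forward(self, ingress_name: str, src_mac: str, dst_mac: str) -> List[str]:
        """Learn src_mac on the ingress port and return the sorted egress port list.

        A destination MAC learned on a port the PVLAN rules forbid is dropped
        (empty list); an unknown or broadcast destination floods every allowed port.
        """
        ingress = self.ports[ingress_name]
        self.mac_table[src_mac] = ingress_name
        permitted = {p.name for p in self.ports.values() if self.allowed(ingress, p)}
        if dst_mac != BROADCAST and dst_mac in self.mac_table:
            target = self.mac_table[dst_mac]
            return [target] if target in permitted else []
        return sorted(permitted)


def build_demo_switch() -> PrivateVlanSwitch:
    """Constructed topology: one uplink, two colo customers, two communities."""
    return PrivateVlanSwitch([
        Port("uplink", Role.PROMISCUOUS),
        Port("cust1", Role.ISOLATED),
        Port("cust2", Role.ISOLATED),
        Port("web1", Role.COMMUNITY, "web"),
        Port("web2", Role.COMMUNITY, "web"),
        Port("db1", Role.COMMUNITY, "db"),
    ])


def demo() -> Dict[str, List[str]]:
    """Run the cases the diary describes and return the egress decisions."""
    sw = build_demo_switch()
    out: Dict[str, List[str]] = {}
    # Isolated host ARPs (broadcast): only the uplink sees it.
    out["cust1 broadcast"] = sw.forward("cust1", "aa:aa:aa:00:00:01", BROADCAST)
    out["cust2 broadcast"] = sw.forward("cust2", "aa:aa:aa:00:00:02", BROADCAST)
    # cust2's MAC is now learned, yet cust1 still cannot reach it at layer 2.
    out["cust1 -> cust2 unicast"] = sw.forward("cust1", "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02")
    # The router on the uplink can reach any host, unicast or broadcast.
    out["uplink broadcast"] = sw.forward("uplink", "00:00:5e:00:01:01", BROADCAST)
    out["uplink -> cust2 unicast"] = sw.forward("uplink", "00:00:5e:00:01:01", "aa:aa:aa:00:00:02")
    # Community members flood to each other and the uplink, never to other communities.
    out["web1 broadcast"] = sw.forward("web1", "bb:bb:bb:00:00:01", BROADCAST)
    out["db1 -> web1 unicast"] = sw.forward("db1", "cc:cc:cc:00:00:01", "bb:bb:bb:00:00:01")
    return out


if __name__ == "__main__":
    for case, egress in demo().items():
        print(f"{case:24s} -> {egress or 'dropped'}")
```

Running it prints one line per case; the two "dropped" lines (isolated to isolated, and community to a different community) are the whole point of the feature, and the uplink broadcast line shows why the router on the promiscuous port is the one place where every host can still be reached, which is exactly why its own policy matters.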
Typical applications for private VLANs might be in a colocation facility or a public or private IaaS (Infrastructure as a Service) cloud network, where several customers share the same subnet but communication between the customers is not desired, as it would bypass their firewalls. They might also be used in a DMZ, where you want to restrict communication between DMZ hosts but it's not worth the effort or cost of creating a separate DMZ for each host. Another common use for Private VLANs is the hotel situation, where each hotel room has internet access and all rooms are on the same subnet, but communication between the rooms is not desired (for obvious reasons).
This diary touches on only the most basic concepts of Private VLANs - I won't get into the specifics of the configuration, as they vary quite a bit between various vendors' gear. Also be aware that this covers only the most basic of PVLAN concepts - there's enough material in this for a good few hundred pages, if you were writing a book on Layer 2/3 Switching and Security, for instance.
As always, if there are any errors in this diary, or if you'd like to comment with other examples of how you've seen PVLANs used, feel free to use the comment link.
=============== Rob VandenBrink Metafore ===============
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.