09-03-2007 07:06 AM - edited 03-05-2019 06:15 PM
hello,
Probably a stupid question here but I am having difficulty getting my head around this....
I have read a lot of Cisco documentation about PVLANS and they all say the following or similar:
"Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other
at Layer 3."
And you have to implement VACLs so as to stop hosts in different community VLANs talking to each other via the router. But what I don't understand is how this scenario would happen. How would traffic from one host attempt to be L3/routed to another host on the same subnet?
Any help much appreciated, thank you.
J
09-03-2007 08:16 PM
I guess your question is "why a host would go through a router to reach another host on the same subnet?".
There is a feature called local-proxy-arp (I'm not sure it's enabled on promiscuous ports) that will have the router answer ARP requests local to the subnet. This will indeed allow hosts within the same subnet to communicate through the router.
Also, two hosts being in the same private VLAN (or the same VLAN, for that matter) does not mean they are necessarily in the same IP subnet. You can have several different subnets configured on the same L3 interface (with secondary commands), or there might be several VLAN interfaces (or several promiscuous ports) on the VLAN, each with a different subnet configured. This would also make a (relatively artificial) case where hosts on the same private VLAN communicate at L3.
Regards,
Francois
09-03-2007 07:18 AM
Let us say we have two isolated ports A & B. With PVLANs you cannot communicate between these two ports. But they can communicate through a promiscuous port (let us say X). In other words, to reach B from A all you need to do is to add a static route statement that points to the promiscuous IP address. Hope this clarifies.
09-03-2007 08:01 AM
Thank you for your reply, but this is not what I mean. A well documented restriction of PVLANs is that hosts can apparently still communicate via layer 3, I would like to know how this is possible.
Thanks,
J
09-03-2007 08:18 AM
Hi, I would like to understand the question better. I hope you agree that, with PVLAN configured, certain hosts cannot communicate with each other though they are in the same subnet.
My understanding of your question is how do these hosts communicate with each other via L3?
If this is correct, the answer is to add a static route statement though the destination is in the same subnet. The next-hop IP in this statement points to the promiscuous port IP.
09-03-2007 08:31 AM
Hi,
Apologies for not making myself clearer...please see:
Hopefully that helps.
Thank you.
J
09-03-2007 11:03 PM
Hi,
I hope the following text (from the SAFE Enterprise Layer 2 Addendum) will give you a better picture of the statement "Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other at Layer 3":

Private VLAN Attacks
While private VLANs are a common mechanism to restrict communications between systems on the same logical IP subnet, they are not a foolproof mechanism. Private VLANs work by limiting the ports within a VLAN that can communicate with other ports in the same VLAN. Isolated ports within a VLAN can communicate only with promiscuous ports. Community ports can communicate only with other members of the same community and promiscuous ports. Promiscuous ports can communicate with any port. One network attack capable of bypassing the network security of private VLANs involves the use of a proxy to bypass access restrictions to a private VLAN.

Proxy Attack: In this network attack against private VLANs, frames are forwarded to a host on the network connected to a promiscuous port such as a router. In the attached figure, the network attacker sends a packet with the source IP and MAC address of his or her device, a destination IP address of the target system, but a destination MAC address of the router. The switch forwards the frame to the router's switch port. The router routes the traffic, rewrites the destination MAC address as that of the target, and sends the packet back out. Now the packet has the proper format, as shown in the figure, and is forwarded to the target system. This network attack allows only for unidirectional traffic because any attempt by the target to send traffic back will be blocked by the private VLAN configuration. If both hosts are compromised, static ARP entries could be used to allow bidirectional traffic. This scenario is not a private VLAN vulnerability because all the rules of private VLANs were enforced; however, the network security was bypassed.
HTH
rgds
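To make the proxy attack quoted above concrete, here is a small simulation added to this thread (it is not part of any post, nor Cisco code). It models one private VLAN with the attacker and target on isolated ports and a router on the promiscuous port, and walks through the cases the thread discusses: a normal frame between the two isolated ports is dropped; a frame addressed to the router's MAC but the target's IP is routed straight back into the subnet; the target's reply fails because its ARP never reaches the attacker, unless the router runs local-proxy-arp (the point made in the accepted answer); and an inbound ACL on the router that drops same-subnet traffic closes the hole. All MAC addresses, IP addresses, host names and port assignments are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

# Constructed topology for the example: one private VLAN, subnet 10.1.1.0/24.
SUBNET = ip_network("10.1.1.0/24")
ROUTER_MAC = "00:00:0c:00:00:01"


@dataclass(frozen=True)
class Host:
    mac: str
    ip: str
    port: str  # PVLAN port type: "promiscuous", "isolated" or "community"


HOSTS: Dict[str, Host] = {
    "router":   Host(ROUTER_MAC,          "10.1.1.1",  "promiscuous"),
    "attacker": Host("00:11:22:33:44:55", "10.1.1.10", "isolated"),
    "target":   Host("66:77:88:99:aa:bb", "10.1.1.20", "isolated"),
}
NAME_BY_MAC = {h.mac: n for n, h in HOSTS.items()}
NAME_BY_IP = {h.ip: n for n, h in HOSTS.items()}


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def pvlan_allows(a: str, b: str) -> bool:
    """Layer 2 PVLAN rule: an isolated port exchanges frames only with a promiscuous port."""
    return "promiscuous" in (HOSTS[a].port, HOSTS[b].port)


def resolve_mac(requester: str, ip: str, local_proxy_arp: bool = False) -> Optional[str]:
    """Simulated ARP: the owner's reply reaches the requester only if the PVLAN
    rules allow it; with local-proxy-arp the router answers with its own MAC."""
    owner = NAME_BY_IP.get(ip)
    if owner is not None and pvlan_allows(requester, owner):
        return HOSTS[owner].mac
    return ROUTER_MAC if local_proxy_arp else None


def switch_forward(ingress: str, frame: Frame) -> Optional[str]:
    """Forward by destination MAC while enforcing the PVLAN port rules."""
    egress = NAME_BY_MAC.get(frame.dst_mac)
    if egress is None or egress == ingress or not pvlan_allows(ingress, egress):
        return None
    return egress


def router_forward(frame: Frame, acl: bool) -> Optional[Frame]:
    """Router on the promiscuous port: for a destination in its connected subnet it
    rewrites only the MAC header. With acl=True an inbound ACL drops packets whose
    source and destination are both local, the VACL / interface-ACL mitigation."""
    if acl and ip_address(frame.src_ip) in SUBNET and ip_address(frame.dst_ip) in SUBNET:
        return None
    next_hop = resolve_mac("router", frame.dst_ip)
    if next_hop is None:
        return None
    return Frame(ROUTER_MAC, next_hop, frame.src_ip, frame.dst_ip)


def deliver(sender: str, frame: Frame, acl: bool = False) -> Optional[str]:
    """Name of the host that finally receives the packet, or None if it is dropped."""
    hop = switch_forward(sender, frame)
    if hop != "router":
        return hop
    routed = router_forward(frame, acl)
    return switch_forward("router", routed) if routed else None


def send_ip(sender: str, dst_ip: str, acl: bool = False, local_proxy_arp: bool = False,
            forced_dst_mac: Optional[str] = None) -> Optional[str]:
    """A host sending an IP packet: ARP for dst_ip unless it forces the destination MAC
    (the attack: a static ARP entry pointing the target's IP at the router's MAC)."""
    dst_mac = forced_dst_mac or resolve_mac(sender, dst_ip, local_proxy_arp)
    if dst_mac is None:
        return None
    return deliver(sender, Frame(HOSTS[sender].mac, dst_mac, HOSTS[sender].ip, dst_ip), acl)


def run_scenarios() -> Dict[str, Optional[str]]:
    t, a = HOSTS["target"].ip, HOSTS["attacker"].ip
    return {
        "attacker->target, normal ARP":          send_ip("attacker", t),
        "attacker->target, dst MAC = router":    send_ip("attacker", t, forced_dst_mac=ROUTER_MAC),
        "target reply, no proxy ARP":            send_ip("target", a),
        "target reply, local-proxy-arp":         send_ip("target", a, local_proxy_arp=True),
        "attacker->target via router, ACL on":   send_ip("attacker", t, acl=True, forced_dst_mac=ROUTER_MAC),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:40} -> {result}")
```

The ACL check in router_forward is the whole mitigation: the switch has enforced every PVLAN rule, so the only place left to notice that a packet entered and left the same subnet is the router's inbound interface (or a VACL on the VLAN).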
09-04-2007 01:37 AM
I understand now, thanks to everyone for their help - much appreciated.