Private vlans - L3 communication question

jigsaw2026
Level 1

hello,

Probably a stupid question here but I am having difficulty getting my head around this....

I have read a lot of Cisco documentation about PVLANS and they all say the following or similar:

"Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other at Layer 3."

And you have to implement VACLs so as to stop hosts in different community VLANs talking to each other via the router. But what I don't understand is how this scenario would happen. How would traffic from one host attempt to be L3/routed to another host on the same subnet?

Any help much appreciated, thank you.

J

Accepted Solution

Francois Tallet
Level 7

I guess your question is "why a host would go through a router to reach another host on the same subnet?".

There is a feature called local-proxy-arp (I'm not sure it's enabled on promiscuous ports) that will have the router answer ARP requests local to the subnet. This will indeed allow hosts within the same subnet to communicate through the router.

Also, it's not because two hosts are in the same private VLAN (or the same VLAN, btw) that they are necessarily in the same IP subnet. You can have several different subnets configured on the same L3 interface (with secondary commands), or there might be several VLAN interfaces (or several promiscuous ports) on the VLAN, each with a different subnet configured. This would also make (a relatively artificial) case where hosts on the same private VLAN communicate at L3.

Regards,

Francois


7 Replies

nambi_gct
Level 1

Let us say we have two isolated ports A & B. With PVLANs you cannot communicate between these two ports. But they can communicate through the promiscuous port (let us say X). In other words, to reach B from A all you need to do is to add a static route statement that points to the promiscuous IP address. Hope this clarifies.

Thank you for your reply, but this is not what I mean. A well-documented restriction of PVLANs is that hosts can apparently still communicate via layer 3; I would like to know how this is possible.

Thanks,

J

Hi, I would like to understand the question better. I hope you agree that, with PVLAN configured, certain hosts cannot communicate with each other though they are in the same subnet.

My understanding of your question is: how do these hosts communicate with each other via L3?

If this is correct, the answer is to add a static route statement though the destination is in the same subnet. The next hop IP in this statement points to the promiscuous port IP.

Hi,

Apologies for not making myself clearer...please see:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39271

Hopefully that helps.

Thank you.

J


Hi,

I hope the following text (from the SAFE Enterprise Layer 2 Addendum) will give you a better picture of the statement "Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other at Layer 3":

Private VLAN Attacks

While private VLANs are a common mechanism to restrict communications between systems on the same logical IP subnet, they are not a foolproof mechanism. Private VLANs work by limiting the ports within a VLAN that can communicate with other ports in the same VLAN. Isolated ports within a VLAN can communicate only with promiscuous ports. Community ports can communicate only with other members of the same community and promiscuous ports. Promiscuous ports can communicate with any port. One network attack capable of bypassing the network security of private VLANs involves the use of a proxy to bypass access restrictions to a private VLAN.

Proxy Attack: In this network attack against private VLANs, frames are forwarded to a host on the network connected to a promiscuous port such as a router. In the attached figure, the network attacker sends a packet with the source IP and MAC address of his or her device, a destination IP address of the target system, but a destination MAC address of the router. The switch forwards the frame to the router's switch port. The router routes the traffic, rewrites the destination MAC address as that of the target, and sends the packet back out. Now the packet has the proper format as shown in the figure and is forwarded to the target system. This network attack allows only for unidirectional traffic because any attempt by the target to send traffic back will be blocked by the private VLAN configuration. If both hosts are compromised, static ARP entries could be used to allow bidirectional traffic. This scenario is not a private VLAN vulnerability because all the rules of private VLANs were enforced; however, the network security was bypassed.

HTH

rgds
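The two mitigations this thread touches on are the local-proxy-arp behaviour Francois mentions and the VACL the original question refers to. The IOS configuration below is an added example to show how both fit together on a Catalyst switch; it is not from any of the posts or from the Cisco documents quoted. VLAN numbers, the 10.1.1.0/24 subnet, the gateway address 10.1.1.1 and the ACL/access-map names are constructed. It also assumes, as Cisco's private-VLAN documentation describes it, that a VACL mapped to the primary VLAN is evaluated against traffic entering the switch on promiscuous ports, which is exactly where the router's rewritten packet re-enters; confirm that behaviour on your platform before relying on it.

```ios
! Added example (not from the thread). Primary VLAN 100, isolated VLAN 101,
! community VLAN 102. Subnet, addresses and names are constructed.
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! SVI for the primary VLAN: the L3 gateway the proxy path passes through.
! Local proxy ARP is off by default on IOS; the explicit "no" form records
! the intent that the SVI must never answer ARP for hosts in its own subnet.
interface Vlan100
 ip address 10.1.1.1 255.255.255.0
 no ip local-proxy-arp
 private-vlan mapping 101,102
!
! ACL used as the VACL match condition. Inside a VACL, "permit" means "this
! sequence matches" and "deny" means "fall through to the next sequence";
! the ACL itself neither forwards nor drops.
ip access-list extended PVLAN-SAME-SUBNET
 remark exempt the gateway's own traffic to its hosts (e.g. ICMP from the SVI)
 deny   ip host 10.1.1.1 10.1.1.0 0.0.0.255
 remark match anything being routed back into the subnet it came from
 permit ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
vlan access-map PVLAN-FILTER 10
 match ip address PVLAN-SAME-SUBNET
 action drop
vlan access-map PVLAN-FILTER 20
 action forward
!
! Mapped to the primary VLAN only: community hosts talking to each other at
! L2 never enter through a promiscuous port, so they are unaffected.
vlan filter PVLAN-FILTER vlan-list 100
```

The second access-map sequence with no match clause is what keeps every other packet flowing; without it the implicit drop at the end of the map would black-hole the primary VLAN. The VACL only sees IP, so ARP is untouched, which is why the SVI-level `no ip local-proxy-arp` is kept alongside it. `show vlan access-map` and `show vlan filter` confirm the map and its VLAN binding after the change.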

I understand now, thanks to everyone for their help - much appreciated.
