security problem on private vlan

Jan 22nd, 2008

I saw a paragraph in "Securing Networks with Private VLANs and VLAN Access Control Lists" saying that private VLANs can only provide protection at L2, which does not mean that the promiscuous ports cannot be used to route traffic between the isolated ports.

I'm just wondering how that can be done. Source routing? Or something else? Can anybody give me an explanation?


"There is a well-known security limitation to PVLANs, which is the possibility that a router forwards traffic back out of the same subnet from which it came. A router can route traffic across isolated ports, defeating the purpose of PVLANs. This limitation is due to the fact that PVLANs are a tool that provides isolation at L2, not at Layer 3 (L3)."

Jon Marshall Tue, 01/22/2008 - 20:54


PC1 =

PC2 =

PC1 & PC2 are connected to isolated ports, so they cannot communicate with each other. But they can both communicate with R1, which is the router for that VLAN.

PC1 sends a packet with the destination MAC address of the R1 interface and a destination IP address of PC2. R1 will receive the packet and route it on to PC2.

The solution is to have an access-list on the R1 interface connected to the 192.168.5.x subnet:

access-list 101 deny ip

access-list 101 permit ip any any
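The following is an added worked example, not part of the original thread or of Cisco's documentation. It models the hairpin described above in Python: R1 happily routes a packet from PC1 back out the same VLAN interface to PC2 unless an inbound ACL on that interface denies subnet-to-subnet traffic. The source/destination operands of the `deny` entry were stripped from the post, so `192.168.5.0 0.0.0.255 192.168.5.0 0.0.0.255` is an assumption derived from the "192.168.5.x subnet" mentioned in the answer; the interface names, host addresses and uplink subnet are constructed. The ACL matcher implements IOS wildcard-mask semantics (a 1 bit in the mask means "ignore this bit") and the implicit deny at the end of every IOS ACL.

```python
"""
Toy model of the PVLAN hairpin discussed in the thread: two hosts on isolated
ports can still reach each other through the router on the promiscuous port,
unless an inbound ACL on the router's VLAN interface denies subnet-to-subnet
traffic. Constructed example; not code from the original post.
"""
import ipaddress

# R1's interfaces (constructed): the PVLAN's primary VLAN plus an uplink.
R1_INTERFACES = {
    "Vlan5": ipaddress.ip_network("192.168.5.0/24"),
    "Gi0/1": ipaddress.ip_network("10.0.0.0/24"),
}

# Assumed full text of the ACL from the answer; the post's operands were stripped.
ACL_101 = [
    "access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.5.0 0.0.0.255",
    "access-list 101 permit ip any any",
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard masks are inverse masks: a 1 bit means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def parse_operand(tokens):
    """Consume one src/dst operand: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines):
    """Parse extended IP ACEs of the form: access-list <n> <permit|deny> ip <src> <dst>."""
    aces = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, rest = parse_operand(t[4:])
        dst, _ = parse_operand(rest)
        aces.append((t[2], src, dst))
    return aces


def acl_permits(aces, src_ip: str, dst_ip: str) -> bool:
    """First matching entry wins; no match means the implicit deny applies."""
    for action, (sb, sw), (db, dw) in aces:
        if wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw):
            return action == "permit"
    return False


def route(interfaces, src_ip: str, dst_ip: str, ingress: str, inbound_acl=None) -> str:
    """Return R1's decision: 'denied', 'no-route', or the egress interface name."""
    if inbound_acl is not None and not acl_permits(inbound_acl, src_ip, dst_ip):
        return "denied"
    dst = ipaddress.ip_address(dst_ip)
    for name, net in interfaces.items():
        if dst in net:
            return name
    return "no-route"


def is_hairpin(ingress: str, egress: str) -> bool:
    """A packet routed back out the interface it arrived on is the PVLAN bypass."""
    return ingress == egress


if __name__ == "__main__":
    aces = parse_acl(ACL_101)
    # PC1 -> PC2, both in the isolated PVLAN, frame addressed to R1's MAC.
    print(route(R1_INTERFACES, "192.168.5.10", "192.168.5.20", "Vlan5"))        # Vlan5 (hairpin)
    print(route(R1_INTERFACES, "192.168.5.10", "192.168.5.20", "Vlan5", aces))  # denied
    print(route(R1_INTERFACES, "192.168.5.10", "10.0.0.5", "Vlan5", aces))      # Gi0/1
```

On a real router the list would be bound to the VLAN interface with `ip access-group 101 in`; the model applies it at the same point, before the routing lookup, so legitimate traffic leaving the subnet (PC1 to 10.0.0.5) still passes while the same-subnet hairpin is dropped.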



CHN@.1984 Wed, 01/23/2008 - 17:14

What you say is much like proxy ARP. I don't know if it can work on the local subnet.

