security problem on private vlan

CHN · ‎01-22-2008

i saw a paragraph on "Securing Networks with Private VLANs and VLAN Access Control Lists" say,private vlan just can provide protection on L2,not L3.it means that the promiscuous ports can be used to route traffic between the isolated ports.

i just wondering how can make it?sourece routing? or others? anybody can me a explanation?

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml#intro

quote:

"There is a well-known security limitation to PVLANs, which is the possibility that a router forwards traffic back out of the same subnet from which it came. A router can route traffic across isolated ports defeating the purpose of PVLANs. This limitation is due to the fact that PVLANs are a tool that provides isolation at L2, not at Layer 3 (L3)."

Jon Marshall · ‎01-22-2008

Hi

PC1 = 192.168.5.10

PC2 = 192.168.5.11

PC1 & PC2 are connected to isolated ports so they cannot communicate with each other. But they can both communicate with R1 which is the router for that vlan.

PC1 sends a packet with the destination mac-address of R1 interface and a destination IP address of PC2. R1 will receive the packet and route it on to PC2.

The solution is to have an access-list on R1 interface connected to 192.168.5.x subnet

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 101 permit ip any any

HTH

Jon

CHN · ‎01-23-2008

what you say is much like ARP PROXY.I don't know if it can work on local subnet.

Jon Marshall · ‎01-23-2008

Hi

"I don't know if it can work on local subnet"

Cisco seem to think it can

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39271

HTH

Jon