Private VLAN basic question

Unanswered Question
Aug 25th, 2008

Hi friends,

I have a basic question on communication between two different community VLANs.

If I have a switch called S with two community VLANs, viz. A and B, and two promiscuous ports connecting to a non-Cisco switch (that does not understand private VLANs), can this non-Cisco switch achieve communication between two distinct community VLANs? Or do I need a Layer 3 device to achieve inter-community VLAN communication?

Thanks a lot

Gautam

misramanish Mon, 08/25/2008 - 11:05

Hi Gautam,

While all the switches (Cisco or not) can pass traffic to each other for their respective VLANs, to my knowledge you will require a Layer 3 device to pass data between VLANs, whether Cisco or otherwise.

Hope this helps!

Giuseppe Larosa Mon, 08/25/2008 - 11:16

Hello Gautam,

If the non-Cisco switch is an L2-only switch, the community VLANs being different VLAN numbers, it will not create a backdoor between them: they are separate broadcast domains.

If it has L3 capabilities it could provide a way for an attacker to get access from one community VLAN to the other.

However, an L2 switch has at least a management IP; avoid having it in the private VLANs' IP subnet.

If it allows inter-VLAN bridging, as is possible on a C3550 or other switch, it can be configured to make a bridge, so defeating the private VLAN deployment.

If someone connects with a crossover cable one port in VLAN x and one port in VLAN y on the standard L2 switch, the same result is achieved of defeating the private VLANs, VLAN x and y being the two community VLANs.

So disable all the unused ports and put them in a non-routed VLAN.

Private VLANs try to segment a single IP subnet into multiple broadcast domains under the control of the switch.

An L3 device cannot have overlapping IP addresses on different L3 interfaces.

Hope to help

Giuseppe
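A small model of the Layer 2 forwarding rules discussed in this reply, added here as an example that is not part of the thread (the port names, roles and VLAN numbers are a constructed topology, and the model is a simplification, not any vendor's implementation): it shows that two community VLANs are separate broadcast domains on their own, and that an outside bridge between their uplinks, such as a crossover cable on the standard L2 switch, reopens a path between them.

```python
from collections import deque

# Private VLAN port roles (a simplified model, not any vendor's implementation)
PROMISCUOUS, COMMUNITY, ISOLATED = "promiscuous", "community", "isolated"

class PvlanSwitch:
    """ports maps a port name to (role, secondary VLAN id or None)."""
    def __init__(self, ports):
        self.ports = ports

    def can_forward(self, src, dst):
        """True if a frame arriving on src may be flooded out of dst."""
        if src == dst:
            return False
        s_role, s_vlan = self.ports[src]
        d_role, d_vlan = self.ports[dst]
        if PROMISCUOUS in (s_role, d_role):   # promiscuous talks to everyone
            return True
        # community talks only inside its own community VLAN; isolated ports
        # talk only to promiscuous ports, handled above
        return s_role == COMMUNITY and d_role == COMMUNITY and s_vlan == d_vlan

def flood_reach(switch, ingress, external_links=()):
    """Ports a broadcast entering at `ingress` can exit through.
    external_links: pairs of switch ports bridged by an outside standard L2
    switch or a crossover cable, so a frame leaving one re-enters on the other."""
    bridged = {}
    for a, b in external_links:
        bridged.setdefault(a, set()).add(b)
        bridged.setdefault(b, set()).add(a)
    seen, egress, queue = {ingress}, set(), deque([ingress])
    while queue:
        p = queue.popleft()
        for q in switch.ports:
            if switch.can_forward(p, q):
                egress.add(q)
                for back in bridged.get(q, ()):   # loop back in via the bridge
                    if back not in seen:
                        seen.add(back)
                        queue.append(back)
    return egress

# Constructed topology: community VLANs 346 and 355 under one primary VLAN,
# each also carried on an uplink to a standard L2 switch, plus a promiscuous
# port toward the gateway and one isolated port.
SWITCH = PvlanSwitch({
    "host_a": (COMMUNITY, 346), "uplink_a": (COMMUNITY, 346),
    "host_b": (COMMUNITY, 355), "uplink_b": (COMMUNITY, 355),
    "host_iso": (ISOLATED, 400), "gateway": (PROMISCUOUS, None),
})
```

Calling `flood_reach(SWITCH, "host_a")` returns only the same-community uplink and the gateway, while adding `external_links=[("uplink_a", "uplink_b")]` makes `host_b` reachable, which is the case that unused ports in a non-routed VLAN are meant to prevent.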

sushant.u Mon, 09/06/2010 - 02:52

Hi Giuseppe,

I have one more question: if we configure separate private VLANs as community VLANs, for example 346 and 355, and connect two different devices to a primary VLAN 309 which is Layer vlan, will VLAN 346 and VLAN 355 be able to communicate with each other?

As I was going through the Cisco doc I came across the following line, which says the community VLAN is doing isolation at Layer 2 but allows communication at Layer 3. This statement is very ambiguous to me, as without Layer 2 information how will there be communication at Layer 3?

Although private VLANs provide host isolation at Layer 2, hosts can communicate with each other at Layer 3.

Please suggest

Regards

Sushant
