private vlans

Unanswered Question
Jun 8th, 2009


I'm looking into setting up a firewall interface onto a switch where I intend to have several different kinds of hosts.

This will consist of SQL servers from different companies and I want to separate them using private VLANs, i.e. a VLAN for each company.

My assumption is that VLAN separation will prevent the hosts from talking to each other, but I'm looking for your views:

- Can traffic bypass the firewall interface and jump from VLAN to VLAN?

- Can trunk ports facilitate such traffic?

- Do private VLANs eliminate VLAN tagging etc.?

Jon Marshall Tue, 06/09/2009 - 08:15


"Can traffic bypass the firewall interface and jump from VLAN to VLAN?"

Not if the only port that is a promiscuous port is the firewall interface. But you still need an ACL on that interface to stop a SQL server from one company communicating with a SQL server from another company, i.e. private VLANs would stop them communicating with each other at L2, but they could still communicate at L3 via the promiscuous port unless you use an ACL.

"Can trunk ports facilitate such traffic?" - not sure what you mean. Trunks will carry the VLAN information and also any secondary VLAN information for the private VLANs.

"Do private VLANs eliminate VLAN tagging etc.?" - no, not on a trunk link, as there would otherwise be no way for switches to distinguish between VLANs.

So all the companies' SQL servers are in the same IP subnet?

There are alternatives to what you are proposing if you need full separation:

1) Use subinterfaces on your firewall and allocate SQL servers into different IP subnets.

Following on from 1), you could go one step further and use VRF-lite (if your switch supports it); this provides complete separation at the control plane as well.

2) Use a context for each customer. You would obviously need context licenses on your firewall for this, if your firewall indeed supports contexts.

Generally speaking, unless you have an IP addressing issue I would look to deploy different companies' data on different VLANs/subnets, i.e. each company has its own DMZ. Less prone to configuration errors.


mulhollandm Tue, 06/09/2009 - 13:00


Many thanks for your reply, it's greatly appreciated.

I'm using a Juniper firewall and I'm undecided on whether to use subinterfaces, each with its own IP subnet, or to use a single IP subnet and then implement private VLANs on a couple of 3560E switches (can PVLANs run over several switches?).

Thanks again for your help, it gives me more to think about.

Jon Marshall Tue, 06/09/2009 - 13:14


"(can PVLANs run over several switches?)"

Do you mean can PVLANs run across several switches? If so, yes they can, as trunks will carry this information.

If you have the IP addressing available I would prefer the subinterface approach, to be honest.
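For readers following the thread, here is an added example (not posted by either participant) of the switch side of the design Jon describes: one primary VLAN, one community VLAN per company, the firewall on the only promiscuous port, and a trunk carrying the PVLANs to a second 3560E. VLAN numbers, interface names and descriptions are assumptions; the firewall's own ACL/policy is vendor-specific and not shown.

```cisco
! Added example, not from the thread: Cisco IOS private-VLAN config for a 3560E.
! VLAN numbers and interfaces below are assumed values.
! PVLANs on this platform require VTP transparent mode (VTPv1/v2).
vtp mode transparent
!
vlan 100
 name PVLAN_PRIMARY
 private-vlan primary
 private-vlan association 201,202
vlan 201
 name COMPANY_A_SQL
 private-vlan community
vlan 202
 name COMPANY_B_SQL
 private-vlan community
!
! Firewall port: promiscuous, mapped to both secondary VLANs.
! It is the only port that can reach every host, so separation between
! companies at L3 still depends on the ACL/policy on the firewall itself.
interface GigabitEthernet0/1
 description Firewall (promiscuous port)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 201,202
!
! Company A SQL servers: L2 reachability only to each other and to the firewall.
interface range GigabitEthernet0/2 - 5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 201
!
! Company B SQL servers: same, in their own community VLAN.
interface range GigabitEthernet0/6 - 9
 switchport mode private-vlan host
 switchport private-vlan host-association 100 202
!
! Uplink to the second 3560E: an ordinary 802.1Q trunk carries the primary
! and both secondary VLANs (tags are still required), so the PVLAN spans switches.
interface GigabitEthernet0/24
 description Trunk to second 3560E
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,201,202
```

`show vlan private-vlan` and `show interfaces switchport` confirm the primary/secondary associations and each port's PVLAN mode on both switches.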


