private vlans

mulhollandm
Level 1

Folks,

I'm looking into setting up a firewall interface onto a switch where I intend to have several different kinds of hosts.

This will consist of SQL servers from different companies and I want to separate them using private VLANs, i.e. a VLAN for each company.

My assumption is that VLAN separation will prevent the hosts from talking to each other, but I'm looking for your views:

- can traffic bypass the firewall interface and jump from VLAN to VLAN?

- can trunk ports facilitate such traffic?

- do private VLANs eliminate VLAN tagging etc.?

5 Replies

Jon Marshall
Hall of Fame

Michael

"can traffic bypass the firewall interface and jump from vlan to vlan"

Not if the only port that is a promiscuous port is the firewall interface. But you still need an ACL on that interface to stop a SQL server from one company communicating with a SQL server from another company, i.e. private VLANs would stop them communicating with each other at L2, but they could still communicate at L3 via the promiscuous port unless you use an ACL.

"can trunk ports facilitate such traffic" - not sure what you mean. Trunks will carry the VLAN information and also any secondary VLAN information for the private VLANs.

"do private vlans eliminate vlan tagging etc" - no, not on a trunk link, as there would then be no way for switches to distinguish between VLANs otherwise.

So all the companies' SQL servers are from the same IP subnet?

There are alternatives to what you are proposing if you need full separation -

1) Use subinterfaces on your firewall and allocate SQL servers into different IP subnets.

Following on from 1), you could go one step further and use VRF-lite (if your switch supports it), and this provides complete separation at the control plane as well.

2) Use a context for each customer. You would obviously need context licenses on your firewall for this, if your firewall indeed supports contexts.

Generally speaking, unless you have an IP addressing issue I would look to deploy different companies' data on different VLANs/subnets, i.e. each company has its own DMZ. Less prone to configuration errors.

Jon
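As an added illustration of the design Jon describes (not part of the original thread, and not configuration from the poster or from Cisco), the following is a Catalyst 3560-style IOS configuration for one primary private VLAN with a community secondary VLAN per company, host ports for the SQL servers, the firewall on the single promiscuous port, and a trunk carrying both the primary and secondary VLANs to a second switch. VLAN numbers, interface names and descriptions are assumptions chosen for the example.

```cisco
! Private VLANs on Catalyst switches require VTP transparent mode (or VTP v3).
vtp mode transparent
!
! Primary VLAN shared by every company; the firewall's promiscuous port lives here.
vlan 100
 name PVLAN-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! One community VLAN per company: servers of the same company may talk to each
! other at L2, but never to the other community or to hosts in other secondaries.
vlan 101
 name COMPANY-A
 private-vlan community
!
vlan 102
 name COMPANY-B
 private-vlan community
!
! Host ports: each SQL server is bound to its company's community VLAN.
interface GigabitEthernet0/1
 description Company A SQL server
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description Company B SQL server
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
 spanning-tree portfast
!
! The only promiscuous port: the firewall inside interface. It can reach every
! secondary VLAN, which is exactly why the firewall policy on this interface must
! deny traffic from the shared subnet back into the same subnet (the L3 hairpin
! Jon warns about); private VLANs alone only enforce the L2 separation.
interface GigabitEthernet0/24
 description Firewall inside interface (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Trunk to the second 3560E: the primary and both secondary VLAN tags are carried,
! so the same private VLAN structure extends across switches.
interface GigabitEthernet0/23
 description Trunk to second 3560E
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100-102
```

Useful checks once this is applied: `show vlan private-vlan` should list 100 as primary with 101 and 102 associated as community VLANs, and `show interfaces GigabitEthernet0/1 switchport` should report the private-vlan host association. Any port accidentally left as a normal access port in VLAN 100, or a second promiscuous port, becomes a path around the firewall, which is the configuration-error risk Jon mentions and the reason he prefers separate subnets per company where addressing allows.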

Jon,

many thanks for your reply, it's greatly appreciated

I'm using a Juniper firewall and I'm undecided on whether to use subinterfaces, each with its own IP subnet, or to use a single IP subnet and then implement private VLANs on a couple of 3560E switches (can pvlans run other several switches?)

thanks again for your help, it gives me more to think about

Michael

"(can pvlans run other several switches?)"

Do you mean can pvlans run across several switches? If so, yes they can, as trunks will carry this information.

If you have the IP addressing available I would prefer the subinterface approach, to be honest.

Jon

many thanks Jon

again, greatly appreciated
