Pvlan SVI (routing behavior)

Unanswered Question
Mar 24th, 2010

Hey guys,


I think I'm losing my mind here, so I need a hand.


Say we have two hosts on the same isolated private vlan. There is also a promiscuous SVI for that vlan. So:


Host A: 1.1.1.5/24 -- isolated

Host B: 1.1.1.200/24 -- isolated

SVI: 1.1.1.1/24 -- promiscuous


Now, when everything is normal, Host A cannot talk to Host B directly, but both can talk to the SVI.


Let's say someone goes and changes the subnet mask of Host A to /25. This will force the host to send traffic with destination of 1.1.1.200 to the SVI (because it's not within his subnet).


My question is, what will the SVI/router do with this traffic? Will it route it back "down" the same vlan it came in -- thus bypassing pvlan security, or will it drop the traffic?


Assuming it does route the traffic, I know Host B will attempt to respond to Host A directly, but at this point I would consider this a breach.


I hope this made sense.


Thanks!

Jon Marshall Wed, 03/24/2010 - 10:43

tdistlists wrote:


Hey guys,


I think I'm losing my mind here, so I need a hand.


Say we have two hosts on the same isolated private vlan. There is also a promiscuous SVI for that vlan. So:


Host A: 1.1.1.5/24 -- isolated

Host B: 1.1.1.200/24 -- isolated

SVI: 1.1.1.1/24 -- promiscuous


Now, when everything is normal, Host A cannot talk to Host B directly, but both can talk to the SVI.


Let's say someone goes and changes the subnet mask of Host A to /25. This will force the host to send traffic with destination of 1.1.1.200 to the SVI (because it's not within his subnet).


My question is, what will the SVI/router do with this traffic? Will it route it back "down" the same vlan it came in -- thus bypassing pvlan security, or will it drop the traffic?


Assuming it does route the traffic, I know Host B will attempt to respond to Host A directly, but at this point I would consider this a breach.


I hope this made sense.


Thanks!


It does make sense and I haven't tested this for a while, but from memory yes, the traffic will indeed be routed back to Host B by the L3 vlan interface. This is why, even with private vlans, it is recommended to use access-lists on the L3 SVI to stop this sort of thing happening.


Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

tdistlists Wed, 03/24/2010 - 10:54

Thanks so much Jon.


Assuming I only want to block this sort of thing, would the ACL be as simple as:


deny ip 1.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255

permit ip any any


It seems awkward to put the same source/destination address, but we've typically been using firewalls as the L3 gateway for pvlans. Now that we're using a router, I guess we have to use the ACL as well.


Would this ACL go "in" or "out" of the vlan? Or both directions to be safer?


I think we'd have to make exceptions for EIGRP/HSRP as well.


Thanks again!

Jon Marshall Wed, 03/24/2010 - 11:20

tdistlists wrote:


Thanks so much Jon.


Assuming I only want to block this sort of thing, would the ACL be as simple as:


deny ip 1.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255

permit ip any any


It seems awkward to put the same source/destination address, but we've typically been using firewalls as the L3 gateway for pvlans. Now that we're using a router, I guess we have to use the ACL as well.


Would this ACL go "in" or "out" of the vlan? Or both directions to be safer?


I think we'd have to make exceptions for EIGRP/HSRP as well.


Thanks again!


Yes the acl is that simple and you would apply it inbound on the vlan interface. And yes you will need to make exceptions for HSRP/EIGRP etc.


Jon
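The two points the thread settles, the /25 mask change forcing Host A to hand 1.1.1.200 traffic to the SVI, and the inbound ACL on the SVI catching that hairpin, can be checked in a small model. The following Python is an added example, not code from the thread or from Cisco: it implements the host's on-link-or-gateway decision and a first-match evaluator for the subset of IOS extended-ACL syntax used here (wildcard masks, `any`, `host`, `eq`), then runs constructed packets through the ACL from the thread with the EIGRP/HSRP exceptions Jon mentions. The peer router 1.1.1.2 and the packet set are assumed lab values. It also shows one caveat worth knowing before applying the ACL: because an inbound ACL on an SVI is evaluated against packets addressed to the SVI itself, the bare `deny ip 1.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255` line also drops Host A's traffic to the gateway 1.1.1.1, so a `permit ip any host 1.1.1.1` is needed ahead of the deny to keep "both can talk to the SVI" true.

```python
import ipaddress

# Constructed topology from the thread (lab values, not a real network).
SVI = "1.1.1.1"
HOST_A = "1.1.1.5"
HOST_B = "1.1.1.200"
PEER_ROUTER = "1.1.1.2"   # assumed second gateway for the HSRP/EIGRP cases

# The ACL posted in the thread, plus the HSRP/EIGRP exceptions Jon says are needed.
THREAD_ACL = """
permit eigrp any any
permit udp any any eq 1985
deny ip 1.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255
permit ip any any
"""

# Same ACL with an explicit permit for traffic addressed to the SVI itself,
# placed before the deny so hosts can still reach their gateway.
GATEWAY_SAFE_ACL = f"""
permit eigrp any any
permit udp any any eq 1985
permit ip any host {SVI}
deny ip 1.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255
permit ip any any
"""


def next_hop(src_ip, prefixlen, dst_ip, gateway=SVI):
    """Host forwarding decision: deliver on-link when dst is inside the host's
    own prefix, otherwise hand the packet to the default gateway."""
    net = ipaddress.ip_interface(f"{src_ip}/{prefixlen}").network
    return "direct" if ipaddress.ip_address(dst_ip) in net else gateway


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard is a don't-care bit."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)


def _addr_spec(tokens, i):
    """Parse one IOS address spec: 'any', 'host X', or 'base wildcard'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]' (subset of IOS syntax)."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _addr_spec(t, 2)
    dst, i = _addr_spec(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate_acl(acl_text, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line.strip())
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *ace["src"]):
            continue
        if not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
            continue
        return ace["action"]
    return "deny"


# Constructed packets as the SVI would see them inbound from the VLAN.
PACKETS = {
    "A_to_B_via_gateway": {"src": HOST_A, "dst": HOST_B, "proto": "tcp", "dport": 22},
    "A_to_SVI":           {"src": HOST_A, "dst": SVI, "proto": "icmp"},
    "eigrp_unicast":      {"src": PEER_ROUTER, "dst": SVI, "proto": "eigrp"},
    "hsrp_hello":         {"src": PEER_ROUTER, "dst": "224.0.0.2", "proto": "udp", "dport": 1985},
}


def run_scenario(acl_text):
    """Return each constructed packet's verdict under the given inbound ACL."""
    return {name: evaluate_acl(acl_text, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("A /24 -> B:", next_hop(HOST_A, 24, HOST_B))   # direct (isolated ports block it)
    print("A /25 -> B:", next_hop(HOST_A, 25, HOST_B))   # 1.1.1.1 (hairpin via the SVI)
    for label, acl in (("thread ACL", THREAD_ACL), ("gateway-safe ACL", GATEWAY_SAFE_ACL)):
        print(label, run_scenario(acl))
```

Running it shows the hairpin packet from Host A to Host B denied under both ACLs, the EIGRP unicast and HSRP hello permitted by the exceptions placed above the deny, and the Host A to SVI ping denied by the thread's ACL but permitted once the `permit ip any host 1.1.1.1` line is added. The model only covers ACL matching; it does not simulate the isolated-port filtering itself, which is what stops the direct Host A to Host B frame in the /24 case.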
