Pvlan SVI (routing behavior)

tdistlists
Level 1

Hey guys,

I think I'm losing my mind here, so I need a hand.

Say we have two hosts on the same isolated private vlan. There is also a promiscuous SVI for that vlan. So:

Host A: 1.1.1.5/24 -- isolated

Host B: 1.1.1.200/24 -- isolated

SVI: 1.1.1.1/24 -- promiscuous

Now, when everything is normal, Host A cannot talk to Host B directly, but both can talk to the SVI.

Let's say someone goes and changes the subnet mask of Host A to /25. This will force the host to send traffic with destination of 1.1.1.200 to the SVI (because it's not within his subnet).

My question is, what will the SVI/router do with this traffic. Will it route it back "down" the same vlan it came in -- thus bypassing pvlan security, or will it drop the traffic?

Assuming it does route the traffic, I know Host B will attempt to respond to Host A directly, but at this point I would consider this a breach.

I hope this made sense.

Thanks!

3 Replies

Jon Marshall
Hall of Fame

tdistlists wrote:

Hey guys,

I think I'm losing my mind here, so I need a hand.

Say we have two hosts on the same isolated private vlan. There is also a promiscuous SVI for that vlan. So:

Host A: 1.1.1.5/24 -- isolated

Host B: 1.1.1.200/24 -- isolated

SVI: 1.1.1.1/24 -- promiscuous

Now, when everything is normal, Host A cannot talk to Host B directly, but both can talk to the SVI.

Let's say someone goes and changes the subnet mask of Host A to /25. This will force the host to send traffic with destination of 1.1.1.200 to the SVI (because it's not within his subnet).

My question is, what will the SVI/router do with this traffic. Will it route it back "down" the same vlan it came in -- thus bypassing pvlan security, or will it drop the traffic?

Assuming it does route the traffic, I know Host B will attempt to respond to Host A directly, but at this point I would consider this a breach.

I hope this made sense.

Thanks!

It does make sense, and I haven't tested this for a while, but from memory yes, the traffic will indeed be routed back to Host B by the L3 vlan interface. This is why, even with private vlans, it is recommended to use access-lists on the L3 SVI to stop this sort of thing happening.

Jon

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

Thanks so much Jon.

Assuming I only want to block this sort of thing, would the ACL be as simple as:

deny ip 1.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255

permit ip any any

It seems awkward to put the same source/destination address, but we've typically been using firewalls as the L3 gateway for pvlans. Now that we're using a router, I guess we have to use the ACL as well.

Would this ACL go "in" or "out" of the vlan? Or both directions to be safer?

I think we'd have to make exceptions for EIGRP/HSRP as well.

Thanks again!

tdistlists wrote:

Thanks so much Jon.

Assuming I only want to block this sort of thing, would the ACL be as simple as:

deny ip 1.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255

permit ip any any

It seems awkward to put the same source/destination address, but we've typically been using firewalls as the L3 gateway for pvlans. Now that we're using a router, I guess we have to use the ACL as well.

Would this ACL go "in" or "out" of the vlan? Or both directions to be safer?

I think we'd have to make exceptions for EIGRP/HSRP as well.

Thanks again!

Yes the acl is that simple and you would apply it inbound on the vlan interface. And yes you will need to make exceptions for HSRP/EIGRP etc.

Jon
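Putting Jon's answer into an IOS configuration, as an added example that is not part of the thread and not something either poster wrote. The addresses are the ones from the question; the VLAN IDs (100 primary, 101 isolated), the ACL name and the exact HSRP/EIGRP exceptions are assumptions. One thing the thread does not spell out: an inbound ACL on the SVI also filters packets addressed to the SVI itself, so a bare "deny 1.1.1.0/24 to 1.1.1.0/24" would stop hosts from reaching their own gateway; the permit to the gateway address below covers that.

```cisco
! Added example (not from the thread). VLAN 100 is the primary PVLAN,
! VLAN 101 the isolated secondary; both IDs are assumptions.
ip access-list extended PVLAN-NO-HAIRPIN
 remark -- hosts must still reach the gateway itself (add the HSRP virtual IP too if one is used)
 permit ip 1.1.1.0 0.0.0.255 host 1.1.1.1
 remark -- HSRP hellos: v1 uses 224.0.0.2, v2 uses 224.0.0.102, both UDP 1985
 permit udp 1.1.1.0 0.0.0.255 host 224.0.0.2 eq 1985
 permit udp 1.1.1.0 0.0.0.255 host 224.0.0.102 eq 1985
 remark -- EIGRP hellos (224.0.0.10) and unicast updates between neighbours
 permit eigrp 1.1.1.0 0.0.0.255 host 224.0.0.10
 permit eigrp 1.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255
 remark -- the actual fix: a host in the PVLAN subnet may not reach another host in it via the SVI
 deny ip 1.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255 log
 remark -- everything leaving the subnet is unaffected
 permit ip any any
!
interface Vlan100
 ip address 1.1.1.1 255.255.255.0
 private-vlan mapping 101
 ip access-group PVLAN-NO-HAIRPIN in
```

The deny only matches when both source and destination fall inside 1.1.1.0/24, which is exactly the hairpin case from the question (Host A with a /25 mask sending to 1.1.1.200 via the gateway); normal traffic to other subnets never hits it. The `log` keyword turns each blocked hairpin into a syslog line, which is a useful signal that a host's mask or routing has been changed, but on a busy segment it should be rate-limited or dropped to avoid loading the control plane. Host B's direct reply to Host A is already stopped at layer 2 by the isolated ports, so with this ACL neither direction of the exchange gets through.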
