03-24-2010 10:37 AM - edited 03-06-2019 10:17 AM
Hey guys,
I think I'm losing my mind here, so I need a hand.
Say we have two hosts on the same isolated private vlan. There is also a promiscuous SVI for that vlan. So:
Host A: 1.1.1.5/24 -- isolated
Host B: 1.1.1.200/24 -- isolated
SVI: 1.1.1.1/24 -- promiscuous
Now, when everything is normal, Host A cannot talk to Host B directly, but both can talk to the SVI.
Let's say someone goes and changes the subnet mask of Host A to /25. This will force the host to send traffic with destination of 1.1.1.200 to the SVI (because it's not within his subnet).
My question is, what will the SVI/router do with this traffic? Will it route it back "down" the same vlan it came in -- thus bypassing pvlan security -- or will it drop the traffic?
Assuming it does route the traffic, I know Host B will attempt to respond to Host A directly, but at this point I would consider this a breach.
I hope this made sense.
Thanks!
03-24-2010 10:43 AM
It does make sense and I haven't tested this for a while, but from memory yes, the traffic will indeed be routed back to Host B by the L3 vlan interface. This is why even with private vlans it is recommended to use access-lists on the L3 SVI to stop this sort of thing happening.
Jon
Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
03-24-2010 10:54 AM
Thanks so much Jon.
Assuming I only want to block this sort of thing, would the ACL be as simple as:
deny ip 1.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255
permit ip any any
It seems awkward to put the same source/destination address, but we've typically been using firewalls as the L3 gateway for pvlans. Now that we're using a router, I guess we have to use the ACL as well.
Would this ACL go "in" or "out" of the vlan? Or both directions to be safer?
I think we'd have to make exceptions for EIGRP/HSRP as well.
Thanks again!
03-24-2010 11:20 AM
Yes, the ACL is that simple and you would apply it inbound on the vlan interface. And yes, you will need to make exceptions for HSRP/EIGRP etc.
Jon
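To make the two halves of this thread concrete (the mask trick that pushes Host A's traffic up to the promiscuous SVI, and the inbound ACL that stops the SVI routing it back down), here is a small model of both, written for this page rather than taken from the thread or from any Cisco code. The addresses are the ones used in the thread; the ACL ordering, the EIGRP/HSRP exception lines and the use of TCP/22 as the probe packet are this example's assumptions. The ACL matcher follows IOS semantics (first match wins, wildcard bits set to 1 are "don't care", an implicit deny at the end), so the same list can be read straight across to IOS syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses from the thread's scenario: two hosts on isolated ports,
# one promiscuous SVI acting as the gateway. Nothing here is Cisco code.
HOST_A = "1.1.1.5"
HOST_B = "1.1.1.200"
SVI = "1.1.1.1"


def sends_via_gateway(src_ip: str, prefixlen: int, dst_ip: str) -> bool:
    """True when a host configured as src_ip/prefixlen treats dst_ip as off-link,
    i.e. it hands the packet to its default gateway (the SVI) instead of ARPing
    for dst_ip directly, which the isolated port would never deliver anyway."""
    local_net = ipaddress.ip_interface(f"{src_ip}/{prefixlen}").network
    return ipaddress.ip_address(dst_ip) not in local_net


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp", "icmp", "eigrp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-control entry in IOS extended-ACL terms."""
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol, as on IOS
    src: str                 # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (wildcard)
    dst: str
    dport: Optional[int] = None


def _addr_matches(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wild = parts
    care = ~int(ipaddress.ip_address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(net)) & care)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not _addr_matches(pkt.src, ace.src) or not _addr_matches(pkt.dst, ace.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


# The ACL proposed in the thread, with control-plane exceptions placed *before* the
# deny so first-match evaluation keeps EIGRP and HSRPv1 working. The exact exception
# lines and their order are this example's assumptions, not the thread's.
SVI_INBOUND_ACL = [
    # EIGRP hellos go to 224.0.0.10, but acks/updates between peers are unicast
    # within the subnet and would otherwise hit the deny below.
    Ace("permit", "eigrp", "any", "any"),
    # HSRPv1 hellos; HSRPv2 uses 224.0.0.102 and would need its own line.
    Ace("permit", "udp", "any", "host 224.0.0.2", dport=1985),
    # Intra-subnet traffic must never be routed back down the same VLAN.
    Ace("deny", "ip", "1.1.1.0 0.0.0.255", "1.1.1.0 0.0.0.255"),
    # Everything leaving the subnet is still routed normally.
    Ace("permit", "ip", "any", "any"),
]


def svi_forwards(pkt: Packet, acl: Optional[List[Ace]]) -> bool:
    """With no ACL the SVI routes whatever it receives, even back into the same
    VLAN; with the ACL applied inbound it forwards only what the ACL permits."""
    return acl is None or evaluate(acl, pkt) == "permit"


def pvlan_bypass_possible(attacker_prefixlen: int, acl: Optional[List[Ace]]) -> bool:
    """Does Host A reach Host B through the SVI after narrowing its own mask?"""
    if not sends_via_gateway(HOST_A, attacker_prefixlen, HOST_B):
        return False   # host ARPs for B directly; the isolated port drops it
    return svi_forwards(Packet(HOST_A, HOST_B, "tcp", 22), acl)


if __name__ == "__main__":
    for mask in (24, 25):
        for label, acl in (("no ACL", None), ("ACL inbound on SVI", SVI_INBOUND_ACL)):
            outcome = "succeeds" if pvlan_bypass_possible(mask, acl) else "fails"
            print(f"Host A /{mask}, {label}: bypass {outcome}")
```

Read straight across to IOS, the list above is `permit eigrp any any`, `permit udp any host 224.0.0.2 eq 1985`, `deny ip 1.1.1.0 0.0.0.255 1.1.1.0 0.0.0.255`, `permit ip any any`, applied with `ip access-group <name> in` on the SVI. Two things the model makes visible that are easy to miss when reading the thread: the multicast HSRP and EIGRP hellos never match the deny line at all (their destination is 224.0.0.x, outside 1.1.1.0/24), so the exception that actually matters is for EIGRP's unicast packets between neighbours in the subnet; and the deny as written also matches traffic from the hosts to the SVI's own address 1.1.1.1 (pings or SSH to the gateway), so if that is wanted, a `permit ip 1.1.1.0 0.0.0.255 host 1.1.1.1` belongs in front of the deny. Both ordering choices are assumptions of this example.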