Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

private vlans

folks

i'm looking into setting up a firewall interface onto a switch where i intend to have several different kinds of hosts

this will consist of sql servers from different companies and i want to separate them using private vlans, i.e. a vlan for each company

my assumption is that vlan separation will prevent the hosts from talking to each other but i'm looking for your views

- can traffic bypass the firewall

interface and jump from vlan to vlan

- can trunk ports facilitate such traffic

- do private vlans eliminate vlan

tagging etc

5 REPLIES
Hall of Fame Super Blue

Re: private vlans

Michael

"can traffic bypass the firewall

interface and jump from vlan to vlan"

Not if the only port that is a promiscuous port is the firewall interface. But you still need an acl on that interface to stop a sql server from one company communicating with an sql server from another company ie. private vlans would stop them communicating with each other at L2 but they could still communciate at L3 via the promiscuous port unless you use an acl.

"can trunk ports facilitate such traffic" - not sure what you mean. Trunks will carry the vlan information and also any secondary vlan information for the private vlans.

"do private vlans eliminate vlan

tagging etc" - no not on a trunk link as there would then be no way for switches to distinguish between vlans otherwise.

So all the companies sql servers are from the same IP subnet ?

There are alternatives to what you are proposing if you need full separation -

1) Use subinterfaces on your firewall and allocate sql servers into different IP subnets

Following on from 1) you could one step further and use VRF-lite (if your switch supported it) and this provides complete separation at the control plane as well.

2) Use a context for each customer. You would obviously need context licenses on your firewall for this, if your firewall indeed supports contexts.

Generally speaking unless you have an IP addressing issue i would look to deply different companies data on different vlans/subnets ie. each company has it's own dmz. Less prone to configuration errors.

Jon

New Member

Re: private vlans

jon

many thanks for your reply, its greatly appreciated

i'm using a juniper firewall and i'm undecided on whether to use subinterfaces, each with its own IP subnet, or to use a single IP subnet and then implement private vlans on a couple of 3560E switch (can pvlans run other several switches?)

thanks again for your help, it gives me more to think about

Hall of Fame Super Blue

Re: private vlans

Michael

"(can pvlans run other several switches?)"

Do you mean can pvlans run across several switches. If so yes they can as trunks will carry this information.

If you have the IP addressing available i would prefer the subinterface approach to be honest.

Jon

New Member

Re: private vlans

many thanks jon

again, greatly appreciated

New Member

Re: private vlans

many thanks jon

again, greatly appreciated

275
Views
0
Helpful
5
Replies