pVLANS

andretimoll
Level 1

I just need a little clarification.

My understanding is that different PVLAN communities and all isolated VLANs can NEVER communicate.

I'm not sure if this is true. Let me put an example to show what I mean:

PC A in community group A (192.168.1.1/24)

PC B in community group B (192.168.1.2/24)

If PC A tries to communicate with PC B, I am under the impression that the packet will get dropped (please tell me if I am wrong).

If this is the case, is there ever a situation where two devices in separate PVLANs, BUT in the same IP subnet, can communicate?

4 Replies

a.kiprawih
Level 7

Hi,

There are three types of PVLAN ports:

1. Promiscuous - promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.

2. Isolated - An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.

3. Community - Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.

So, based on the limitation of community PVLANs, no communication is allowed between members of Group A and Group B.

http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00801cddc8.html#81302

Rgds,

AK

Hi,

I understand what you have said, but what would happen if Group A and Group B were two different customers connected to the same ISP and the two different PCs were actually web servers, and Group A wanted to access Group B's web server and vice versa.

What I am trying to get at is that, from what I know, if customer A (192.168.1.1) pinged customer B (192.168.1.2) it should never go to a router (default gateway) because they are on the same subnet.

So am I right in saying that different customers connected to the same ISP implementing PVLANs (different communities and isolated) will NOT be able to communicate under ANY CIRCUMSTANCES?

Surely that can't be true...

The only thing I can think of is that the traffic goes to the promiscuous port and then gets routed from there, but then wouldn't that defeat the whole purpose of PVLANs!

You are correct, Private VLAN configuration alone will not restrict traffic from being routed properly between private VLANs. You will need to at a minimum install ACLs on your router where the VLANs spawn, and VACLs at each L2 device where you intend to control access...

You can use promiscuous@primary VLAN to get your communities to talk to each other. In this case, an ACL is required. More or less, this is similar to inter-VLAN communication.

But among the main purposes of PVLAN is to group hosts in a certain mode (promiscuous, isolated and community), where even though basically they belong to the same main VLAN group, they are not allowed to talk to each other due to security reasons, i.e. spreading viruses, avoiding hacking escalation and so on.

In this case, the ACL will provide a barrier for them.

Rgds,

AK
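The scenario discussed in this thread (two customer web servers in different communities of the same 192.168.1.0/24, reachable only through the promiscuous side, with an ACL as the barrier) as an added Cisco IOS configuration example; it is not from the original posts or Cisco's guide, and the VLAN numbers, interface names and the gateway address 192.168.1.254 are assumed. The `ip local-proxy-arp` line on the SVI is what makes same-subnet hosts in different communities send their traffic to the gateway instead of having their ARP silently dropped at Layer 2, and the ACL is applied inbound on that SVI so it sees the hairpinned traffic before it is routed back.

```cisco
! Primary VLAN with two communities and one isolated secondary
vlan 100
 name CUSTOMERS-PRIMARY
 private-vlan primary
 private-vlan association 101,102,103
vlan 101
 private-vlan community
vlan 102
 private-vlan community
vlan 103
 private-vlan isolated
!
! Host ports: PC A in community A, PC B in community B
interface GigabitEthernet1/0/1
 description PC A 192.168.1.1 - community A
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet1/0/2
 description PC B 192.168.1.2 - community B
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous side: the SVI on the primary VLAN is the default gateway
! (192.168.1.254 assumed). Without the ACL every community and the
! isolated VLAN could reach each other through this interface.
interface Vlan100
 ip address 192.168.1.254 255.255.255.0
 private-vlan mapping 101,102,103
 ip local-proxy-arp
 ip access-group PVLAN-CUSTOMERS in
!
! Only HTTP between the two customer web servers; everything else that
! would be hairpinned inside 192.168.1.0/24 is dropped, off-subnet
! traffic (Internet) is left alone.
ip access-list extended PVLAN-CUSTOMERS
 permit tcp host 192.168.1.1 host 192.168.1.2 eq www
 permit tcp host 192.168.1.2 host 192.168.1.1 eq www
 permit tcp host 192.168.1.1 eq www host 192.168.1.2 established
 permit tcp host 192.168.1.2 eq www host 192.168.1.1 established
 deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
```

Verify with `show vlan private-vlan` and `show ip access-lists PVLAN-CUSTOMERS`: the deny counter should climb when PC A pings PC B, while HTTP between them still completes.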