Mitigating VLAN Attacks
What Is a private VLAN?

Service providers often have devices from multiple clients, as well as their own servers, on a single DMZ segment or VLAN. As security issues proliferate, it becomes needful to provide traffic isolation between devices although they may exist on the same Layer 3 segment and VLAN. Catalyst 6500/4500 switches implement Private VLANs (PVLANs) to keep some switch ports shared and some switch ports isolated, although all ports exist on the same VLAN. The 2950 and 3550 support "protected ports" with is functionality similar to PVLANs on a per switch basis.

The traditional solution to address these ISP requirements is to provide one VLAN per customer, with each VLAN having its own IP subnet. A Layer 3 device then provides interconnectivity between VLANs and Internet destinations.

Challenges with this traditional solution are:

  • Supporting a separate VLAN per customer may require a high number of interfaces on service provider network devices.
  • Spanning tree becomes more complicated with many VLAN iterations.
  • Network address space must be divided into many subnets, which wastes space and increases management complexity.
  • Multiple ACL applications are required to maintaining security on multiple VLANs resulting in increased management complexity.

PVLANs provide Layer 2 isolation between ports within the same VLAN. This isolation eliminates the need for a separate VLAN and IP subnet per customer.

A port in a PVLAN can be one of three types:

  • Isolated – An isolated port has complete Layer 2 separation from other ports within the same PVLAN except for the promiscuous port. PVLANs block all traffic to isolated ports, except the traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
  • Promiscuous – A promiscuous port can communicate with all ports within the PVLAN, including the community and isolated ports. The default gateway for the segment would likely be hosted on a promiscuous port, given that all devices in the PVLAN will need to communicate with that port.
  • Community – Community ports communicate among themselves and with their promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities, or in isolated ports within their PVLAN.
NOTE:

Because trunks can support the VLANs carrying traffic between isolated, community, and promiscuous ports, isolated and community port traffic might enter or leave the switch through a trunk interface.


Web Links