Service providers often have devices from multiple clients, as well as their
own servers, on a single DMZ segment or VLAN. As security issues proliferate,
it becomes necessary to provide traffic isolation between devices even though
they exist on the same Layer 3 segment and VLAN. Catalyst 6500/4500 switches
implement Private VLANs (PVLANs) to keep some switch ports shared and some
switch ports isolated, although all ports exist on the same VLAN. The 2950 and
3550 support "protected ports", which provide functionality similar to
PVLANs on a per-switch basis.
The traditional solution to address these ISP requirements is to provide one
VLAN per customer, with each VLAN having its own IP subnet. A Layer 3 device
then provides interconnectivity between VLANs and Internet destinations.
Challenges with this traditional solution are:
- Supporting a separate VLAN per customer may require a high number of
interfaces on service provider network devices.
- Spanning tree becomes more complicated with many VLAN iterations.
- Network address space must be divided into many subnets, which wastes space
and increases management complexity.
- Multiple ACLs must be applied to maintain security across the many
VLANs, which increases management complexity.
PVLANs provide Layer 2 isolation between ports within the same VLAN.
This isolation eliminates the need for a separate VLAN and IP subnet per
customer.
A port in a PVLAN can be one of three types:
- Isolated – An isolated port has complete Layer 2 separation from
other ports within the same PVLAN except for the promiscuous port. PVLANs block
all traffic to isolated ports, except the traffic from promiscuous ports.
Traffic received from an isolated port is forwarded only to promiscuous
ports.
- Promiscuous – A promiscuous port can communicate with all ports
within the PVLAN, including the community and isolated ports. The default
gateway for the segment would likely be hosted on a promiscuous port, given
that all devices in the PVLAN will need to communicate with that port.
- Community – Community ports communicate among themselves and with
their promiscuous ports. These interfaces are isolated at Layer 2 from all
interfaces in other communities and from isolated ports within their
PVLAN.
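The three port types above define a fixed Layer 2 forwarding matrix, and it is that matrix, not the shared IP subnet, that a defender relies on when verifying that one customer's device cannot reach another's. The following is an added example, not Cisco code or text from the original article: a small Python model of the PVLAN forwarding rules, applied to a constructed set of ports (the port labels such as "Gi1/1", the community names "tenant-a" and "tenant-b", and the function names are assumptions made for the example). It also models the 2950/3550 protected-port rule for contrast, which goes slightly beyond the article's one-sentence mention: two protected ports on the same switch cannot exchange frames, but there is no community or promiscuous distinction and the rule does not span switches.

```python
"""Model of Private VLAN (PVLAN) Layer 2 forwarding rules.

Added example, not Cisco code. Port labels, community names and function
names are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class PortType(Enum):
    ISOLATED = "isolated"
    PROMISCUOUS = "promiscuous"
    COMMUNITY = "community"


@dataclass(frozen=True)
class Port:
    name: str                        # constructed label, e.g. "Gi1/1"
    ptype: PortType
    community: Optional[str] = None  # only meaningful for COMMUNITY ports

    def __post_init__(self) -> None:
        if self.ptype is PortType.COMMUNITY and self.community is None:
            raise ValueError(f"{self.name}: community port needs a community name")
        if self.ptype is not PortType.COMMUNITY and self.community is not None:
            raise ValueError(f"{self.name}: only community ports carry a community")


def can_forward(src: Port, dst: Port) -> bool:
    """True if a frame received on `src` may be forwarded out `dst`.

    PVLAN rules: a promiscuous port exchanges traffic with every port; an
    isolated port only with promiscuous ports; a community port with
    promiscuous ports and with members of its own community.
    """
    if src == dst:
        return False  # a frame is never flooded back out the ingress port
    if src.ptype is PortType.PROMISCUOUS or dst.ptype is PortType.PROMISCUOUS:
        return True
    if src.ptype is PortType.COMMUNITY and dst.ptype is PortType.COMMUNITY:
        return src.community == dst.community
    # Remaining cases: isolated<->isolated and isolated<->community are blocked.
    return False


def protected_can_forward(src_protected: bool, dst_protected: bool,
                          same_switch: bool) -> bool:
    """Protected-port rule of the 2950/3550: traffic between two protected
    ports is dropped only when both ports are on the same switch. There is no
    community/promiscuous distinction, so everything else is forwarded."""
    return not (src_protected and dst_protected and same_switch)


def forwarding_matrix(ports: List[Port]) -> Dict[Tuple[str, str], bool]:
    """(src.name, dst.name) -> allowed, for every ordered pair of ports."""
    return {(s.name, d.name): can_forward(s, d) for s in ports for d in ports}


def reachable_from(src: Port, ports: List[Port]) -> List[str]:
    """Sorted names of the ports that frames from `src` may reach."""
    return sorted(p.name for p in ports if can_forward(src, p))


# Constructed sample PVLAN: the default gateway on a promiscuous port, two
# hosts of one tenant sharing a community, one host of a second tenant in
# its own community, and two standalone hosts on isolated ports.
SAMPLE_PORTS = [
    Port("Gi1/1", PortType.PROMISCUOUS),
    Port("Gi1/2", PortType.COMMUNITY, community="tenant-a"),
    Port("Gi1/3", PortType.COMMUNITY, community="tenant-a"),
    Port("Gi1/4", PortType.COMMUNITY, community="tenant-b"),
    Port("Gi1/5", PortType.ISOLATED),
    Port("Gi1/6", PortType.ISOLATED),
]


def sample_report() -> Dict[str, List[str]]:
    """Per-port reachability for the constructed sample PVLAN."""
    return {p.name: reachable_from(p, SAMPLE_PORTS) for p in SAMPLE_PORTS}


if __name__ == "__main__":
    for name, peers in sample_report().items():
        print(f"{name} -> {', '.join(peers) or '(nothing)'}")
```

Running the block prints, for each sample port, the set of ports its frames may reach; the isolated hosts and the second tenant's community host reach only the gateway on Gi1/1, while the two tenant-a hosts additionally reach each other. The same matrix is what a practitioner would walk through when auditing a shared DMZ segment: any reachable pair that crosses a tenant boundary, other than the gateway, is a configuration error.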
NOTE: Because trunks can support the VLANs carrying traffic between
isolated, community, and promiscuous ports, isolated and community port traffic
might enter or leave the switch through a trunk interface.