Scalable Security in a Multi-Client Environment - Private VLANs Designing VLANs in Networks.


1 Scalable Security in a Multi-Client Environment - Private VLANs Designing VLANs in Networks

2 VLANs: Review
A VLAN is a broadcast domain in which hosts can communicate directly with one another at Layer 2. Separate Ethernet VLANs cannot communicate directly; a Layer 3 device must forward packets between broadcast domains. A regular VLAN usually corresponds to a single IP subnet.

3 Typical ISP Network Infrastructure

4 ISP Networks
If an ISP needs a VLAN to be connected to several customer sites, and each customer site needs to reach the ISP's VLAN but not each other's, which is the best design choice for the customer site VLANs?

5 Security Concerns on sharing a VLAN
Companies can either host their servers on their own premises or locate them at the Internet Service Provider's premises. A typical ISP has a server farm that offers web hosting for a number of customers. Co-locating the servers in a server farm offers ease of management but may also raise security concerns.
Problem: servers belonging to different customers can establish Layer 2 communication with one another.
Metropolitan service providers may want to provide Layer 2 Ethernet access to homes, rental communities, businesses, etc.
Problem: the subscriber next door could very well be a malicious network user, and on a shared Layer 2 segment that neighbour can sniff, spoof ARP, or attack other subscribers' hosts directly.

6 Solution – ISP Problem
Assign a separate VLAN to each customer. Each user is then assured of Layer 2 isolation from devices belonging to other users.
Problem: scalability.
The 802.1Q VLAN ID field is 12 bits, so there are 4096 values; after subtracting the reserved IDs (0 and 4095 in the standard, plus any platform-reserved VLANs) roughly 4090 to 4094 usable VLANs remain, far fewer than a large provider's customer count.
Potential waste of IP addresses in each subnet: every VLAN needs its own subnet, and at least two addresses (network and broadcast) plus the gateway address are consumed per subnet.

7 Private VLANs
Private VLANs (PVLANs) segregate Layer 2 ISP traffic and convey it to a single router interface. The private VLAN technology partitions a larger VLAN broadcast domain into smaller sub-domains, introducing sub-VLANs inside a VLAN. Device isolation is achieved by applying Layer 2 forwarding constraints that allow:
End devices to share the same IP subnet while being isolated at Layer 2.
Use of larger subnets, reducing address management overhead.
Caveat: the isolation is enforced at Layer 2 only. An isolated host can still send a frame to the router's MAC address with the IP address of an isolated neighbour as the destination; the router will route that packet back out the same interface to the neighbour unless an ACL on that interface denies traffic that is both sourced from and destined to the local subnet.

8 Private VLANs
Two special sub-domains specific to the private VLAN technology are defined: the isolated sub-domain and the community sub-domain. Each sub-domain is defined by assigning the proper designation to a group of switch ports. Catalyst 6500/4500/3650 switches implement full PVLANs, whereas the 2950 and 3550 support "protected ports", functionality similar to PVLANs but enforced only within a single switch (protected ports on different switches are not isolated from each other).

9 PVLAN Domain
A private VLAN domain is built with at least one pair of VLAN IDs: one (and only one) primary VLAN ID (Vp) plus one or more secondary VLAN IDs (Vs). Secondary VLANs can be of two types:
Isolated VLANs (Vi): all hosts connected to its ports are isolated from one another at Layer 2.
Community VLANs (Vc): a community VLAN is a secondary VLAN associated with a group of ports that connect to a "community" of end devices with mutual trust relationships; members can talk to each other but not to other communities or to isolated ports.
The primary VLAN is the unique and common VLAN identifier of the whole private VLAN domain and of all its VLAN ID pairs.

10 Port Designations in PVLAN
Three separate port designations exist. Each port designation has its own set of rules, which regulate a connected endpoint's ability to communicate with other connected endpoints within the same private VLAN domain. The three port designations are:
Promiscuous: communicates with every other port in the private VLAN domain (typically the router, firewall or gateway port).
Isolated: communicates only with promiscuous ports, never with other isolated or community ports.
Community: communicates with promiscuous ports and with the other ports of the same community VLAN, but not with other communities or isolated ports.

11 PVLAN - Port Definitions
[Diagram: R1 is attached to Fa0/1, the promiscuous port in primary VLAN 100. Fa0/2 and Fa0/3 are in secondary VLAN 10 (community); Fa0/4 and Fa0/5 are in secondary VLAN 20 (community); Fa0/6 and Fa0/7 are in secondary VLAN 30 (isolated). All devices share one subnet, 192.168.10.1/24 through 192.168.10.7/24. Arrows labelled Yes/No mark which pairs of hosts may communicate at Layer 2.]
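The forwarding rules of the three port designations, applied to the port layout of this slide, as an added example written for this page (not part of the original presentation). VLAN numbers and port names are the slide's; the grouping of Fa0/4 to Fa0/7 into their secondary VLANs is read off the diagram, and R1 on Fa0/1 is the promiscuous port. The `reachable_via_router` function models the Layer 3 caveat: without an ACL on R1's interface, two isolated hosts can still reach each other through the router.

```python
"""Model of private-VLAN Layer 2 forwarding constraints for the slide's port layout.

Added example for this page. VLAN numbers and ports come from the slide; the
assignment of Fa0/4-Fa0/7 to their secondary VLANs is read off the diagram.
"""
from itertools import combinations

PROMISCUOUS, HOST = "promiscuous", "host"
COMMUNITY, ISOLATED = "community", "isolated"

# Secondary VLAN -> type, as created on the configuration slides.
SECONDARY_TYPES = {10: COMMUNITY, 20: COMMUNITY, 30: ISOLATED}

# Port -> (designation, secondary VLAN). The promiscuous port has no single
# secondary VLAN: it is mapped to every secondary VLAN of primary VLAN 100.
PORTS = {
    "Fa0/1": (PROMISCUOUS, None),  # R1, 192.168.10.1/24
    "Fa0/2": (HOST, 10),            # community VLAN 10
    "Fa0/3": (HOST, 10),
    "Fa0/4": (HOST, 20),            # community VLAN 20
    "Fa0/5": (HOST, 20),
    "Fa0/6": (HOST, 30),            # isolated VLAN 30
    "Fa0/7": (HOST, 30),
}


def l2_can_talk(port_a, port_b):
    """True if the switch forwards frames directly between the two ports."""
    mode_a, sec_a = PORTS[port_a]
    mode_b, sec_b = PORTS[port_b]
    # Rule 1: a promiscuous port exchanges frames with every port in the domain.
    if PROMISCUOUS in (mode_a, mode_b):
        return True
    # Rule 2: host ports in different secondary VLANs never talk directly.
    if sec_a != sec_b:
        return False
    # Rule 3: within one secondary VLAN only community members talk;
    # two ports in the isolated VLAN stay isolated from each other.
    return SECONDARY_TYPES[sec_a] == COMMUNITY


def connectivity_matrix():
    """Every unordered port pair -> whether direct L2 forwarding is allowed."""
    return {(a, b): l2_can_talk(a, b) for a, b in combinations(PORTS, 2)}


def reachable_via_router(port_a, port_b, router_acl_blocks_local=False):
    """Layer 3 view of the same pair.

    Both hosts can reach R1 on the promiscuous port, so a host can send a frame
    to R1's MAC address carrying the IP address of an isolated neighbour; R1
    routes it back out the same interface unless an ACL on that interface drops
    traffic that is both sourced from and destined to 192.168.10.0/24.
    """
    if l2_can_talk(port_a, port_b):
        return True
    return not router_acl_blocks_local


if __name__ == "__main__":
    for (a, b), allowed in connectivity_matrix().items():
        print(f"{a} <-> {b}: {'yes' if allowed else 'no'}")
```

Running the block prints the 21 port pairs; only the six pairs involving Fa0/1 and the two intra-community pairs (Fa0/2-Fa0/3, Fa0/4-Fa0/5) are allowed at Layer 2, while the isolated pair Fa0/6-Fa0/7 is allowed through the router until the ACL is in place.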

12 Example PVLAN
Primary VLAN 1000 has the following secondary VLANs:
VLAN 1012 – Community VLAN
VLAN 1034 – Community VLAN
VLAN 1055 – Isolated VLAN

13 Private VLAN Configuration
Create Private VLANs (VTP versions 1 and 2 do not propagate private VLANs, so the switch is put in transparent mode first):
DLS2(config)#vtp mode transparent
DLS2(config)#vlan 10
DLS2(config-vlan)#private-vlan community
DLS2(config-vlan)#vlan 20
DLS2(config-vlan)#private-vlan community
DLS2(config-vlan)#vlan 30
DLS2(config-vlan)#private-vlan isolated
DLS2(config-vlan)#exit
DLS2(config)#vlan 100
DLS2(config-vlan)#private-vlan primary
DLS2(config-vlan)#private-vlan association 10,20,30

14 Private VLAN Configuration
Populate Private VLANs (the promiscuous port is mapped to every secondary VLAN; each host port is associated with exactly one):
DLS2(config)#interface fa0/1
DLS2(config-if)#switchport mode private-vlan promiscuous
DLS2(config-if)#switchport private-vlan mapping 100 10,20,30
DLS2(config-if)#interface fa0/2
DLS2(config-if)#switchport mode private-vlan host
DLS2(config-if)#switchport private-vlan host-association 100 10
Verify Private VLANs:
DLS2#show vlan private-vlan
DLS2#show interfaces fa0/2 switchport
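A configuration audit that reads an IOS-style running-config excerpt and flags the private-VLAN mistakes the verification commands above would otherwise have to be caught by eye, as an added example written for this page (not code from the original presentation or from Cisco). The sample configuration is constructed for the example and deliberately contains two errors: the promiscuous mapping on FastEthernet0/1 omits secondary VLAN 30, so hosts in the isolated VLAN would have no path to the gateway, and FastEthernet0/6 is associated with a secondary VLAN 40 that primary VLAN 100 does not know. The parser handles only the comma-separated VLAN list syntax used on the slides, not ranges such as 10-30.

```python
"""Audit of private-VLAN settings in an IOS-style configuration excerpt.

Added example for this page. SAMPLE_CONFIG is constructed for the example and
contains two deliberate mistakes; the parser understands the comma-separated
VLAN lists used on the slides but not ranges (10-30).
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
vtp mode transparent
!
vlan 10
 private-vlan community
vlan 20
 private-vlan community
vlan 30
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 10,20,30
!
interface FastEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 10,20
!
interface FastEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 10
!
interface FastEthernet0/6
 switchport mode private-vlan host
 switchport private-vlan host-association 100 40
"""


def _vlan_list(text):
    return {int(v) for v in text.split(",")}


def parse_pvlan_config(text):
    """Extract VLAN types, primary->secondary associations and port settings."""
    vlans = {}                 # vlan id -> "primary" | "community" | "isolated"
    assoc = defaultdict(set)   # primary vlan -> associated secondary vlans
    ports = {}                 # interface -> {"mode", "primary", "secondaries"}
    vtp_transparent = False
    section = None             # ("vlan", id) or ("if", name) while inside a block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "vtp mode transparent":
            vtp_transparent = True
        elif (m := re.fullmatch(r"vlan (\d+)", line)):
            section = ("vlan", int(m.group(1)))
        elif (m := re.fullmatch(r"interface (\S+)", line)):
            section = ("if", m.group(1))
            ports[m.group(1)] = {"mode": None, "primary": None, "secondaries": set()}
        elif section and section[0] == "vlan":
            vid = section[1]
            if (m := re.fullmatch(r"private-vlan (primary|community|isolated)", line)):
                vlans[vid] = m.group(1)
            elif (m := re.fullmatch(r"private-vlan association (\S+)", line)):
                assoc[vid] |= _vlan_list(m.group(1))
        elif section and section[0] == "if":
            port = ports[section[1]]
            if (m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", line)):
                port["mode"] = m.group(1)
            elif (m := re.fullmatch(
                    r"switchport private-vlan (?:host-association|mapping) (\d+) (\S+)", line)):
                port["primary"] = int(m.group(1))
                port["secondaries"] |= _vlan_list(m.group(2))
    return vlans, assoc, ports, vtp_transparent


def audit(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    vlans, assoc, ports, vtp_transparent = parse_pvlan_config(text)
    findings = []
    if not vtp_transparent:
        findings.append("VTP: 'vtp mode transparent' not set (required unless VTP version 3)")
    for primary, secs in assoc.items():
        if vlans.get(primary) != "primary":
            findings.append(f"VLAN {primary}: has associations but is not 'private-vlan primary'")
        isolated = sorted(s for s in secs if vlans.get(s) == "isolated")
        if len(isolated) > 1:  # a primary VLAN may carry only one isolated VLAN
            findings.append(f"VLAN {primary}: more than one isolated VLAN {isolated}")
        for s in sorted(secs):
            if vlans.get(s) not in ("community", "isolated"):
                findings.append(f"VLAN {primary}: associated VLAN {s} is not a defined secondary VLAN")
    for name, port in sorted(ports.items()):
        if port["mode"] is None:
            continue
        if port["primary"] is None:
            findings.append(f"{name}: private-vlan {port['mode']} port has no host-association/mapping")
            continue
        known = assoc.get(port["primary"], set())
        for s in sorted(port["secondaries"] - known):
            findings.append(f"{name}: secondary VLAN {s} is not associated with primary {port['primary']}")
        if port["mode"] == "promiscuous":
            missing = sorted(known - port["secondaries"])
            if missing:
                findings.append(f"{name}: promiscuous mapping omits secondary VLAN(s) {missing}; "
                                "hosts there cannot reach the gateway")
        elif len(port["secondaries"]) != 1:
            findings.append(f"{name}: host port must be associated with exactly one secondary VLAN")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

To audit a real switch, paste the output of `show running-config` into the function in place of the constructed sample; the checks mirror what `show vlan private-vlan` and `show interfaces ... switchport` display, but cover every port in one pass.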

15 Advantages of PVLANs
1. Provides security: Layer 2 isolation between hosts that share the same VLAN and IP subnet.
2. Reduces the number of IP subnets: many isolated customers share one subnet instead of needing one subnet each.
3. Conserves VLAN IDs: a single isolated secondary VLAN can carry any number of mutually isolated hosts, instead of one VLAN per customer.

16 Useful Links
RFC 5517: Cisco Systems' Private VLANs: Scalable Security in a Multi-Client Environment
Comprehensive analysis of various security threats and their mitigation techniques for a medium-size ISP

