Scalable Security in a Multi-Client Environment - Private VLANs Designing VLANs in Networks
VLANs: Review A VLAN is a broadcast domain in which hosts can establish direct communication with one another at Layer 2. Hosts in different Ethernet VLANs are not allowed to communicate directly; they need a Layer 3 device to forward packets between broadcast domains. Regular VLANs usually correspond to a single IP subnet.
ISP Networks If an ISP needs a VLAN to be connected to several customer sites, and each customer site needs to reach the ISP's VLAN but not each other's, which is the best design choice for the customer site VLANs?
Security Concerns on sharing a VLAN Companies can either host their servers on their own premises or locate their servers at the Internet Service Provider's premises. A typical ISP would have a server farm that offers web-hosting functionality for a number of customers. Co-locating the servers in a server farm offers ease of management but, at the same time, may raise security concerns.
Problem: Servers can establish Layer 2 communication with each other.
Metropolitan Service Providers may want to provide Layer 2 Ethernet access to homes, rental communities, businesses, etc.
Problem: The subscriber next door could very well be a malicious network user.
Solution – ISP Problem Assign a separate VLAN to each customer. Each user would be assured of Layer 2 isolation from devices belonging to other users.
Problem: Scalability. Maximum (theoretical) 4096-4 = 4092 VLANs possible.
Problem: Potential wastage of IP addresses in each subnet. Each VLAN needs a subnet, and two addresses are wasted per subnet.
Private VLANs Private VLANs (PVLANs) are used to segregate Layer 2 ISP traffic and convey it to a single router interface. The private VLAN technology partitions a larger VLAN broadcast domain into smaller sub-domains, introducing sub-VLANs inside a VLAN. Device isolation is achieved by applying Layer 2 forwarding constraints that allow: end devices to share the same IP subnet while being Layer 2 isolated; use of larger subnets, reducing address management overhead.
Private VLANs Two special sub-domains specific to the private VLAN technology are defined: the Isolated sub-domain and the Community sub-domain. Each sub-domain is defined by assigning a proper designation to a group of switch ports. Catalyst 6500/4500/3650 switches implement PVLANs, whereas the 2950 and 3550 support "protected ports," which is functionality similar to PVLANs on a per-switch basis.
PVLAN Domain A private VLAN domain is built with at least one pair of VLAN IDs: one (and only one) primary VLAN ID (Vp) plus one or more secondary VLAN IDs (Vs). Secondary VLANs can be of two types: isolated VLANs (Vi), in which all hosts connected to its ports are isolated from one another at Layer 2, and community VLANs (Vc). A community VLAN is a secondary VLAN that is associated with a group of ports that connect to a certain "community" of end devices with mutual trust relationships. A primary VLAN is the unique and common VLAN identifier of the whole private VLAN domain and of all its VLAN ID pairs.
Port Designations in PVLAN Three separate port designations exist. Each port designation has its own unique set of rules, which regulate a connected endpoint's ability to communicate with other connected endpoints within the same private VLAN domain. The three port designations are: Promiscuous, Isolated, and Community.
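The forwarding constraints the three port designations impose are easy to get wrong when reviewing a switch configuration, so here is a small model of them. This is an added example, not part of the original presentation; the port names and VLAN IDs (primary 100, isolated 101, communities 102 and 103) are constructed, and the rule set is the one the slides and RFC 5517 describe: a promiscuous port reaches every port in the domain, an isolated port reaches only promiscuous ports, and a community port reaches promiscuous ports plus ports in its own community VLAN.

```python
"""Model of private VLAN (PVLAN) Layer 2 forwarding constraints.

Port designations:
  promiscuous - exchanges frames with every port in the PVLAN domain
                (typically the uplink to the ISP router / default gateway)
  isolated    - exchanges frames only with promiscuous ports
  community   - exchanges frames with promiscuous ports and with other
                ports in the same community VLAN
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PROMISCUOUS = "promiscuous"
ISOLATED = "isolated"
COMMUNITY = "community"


@dataclass(frozen=True)
class Port:
    name: str
    designation: str
    # Secondary VLAN ID the host port belongs to; None for promiscuous
    # ports, which sit on the primary VLAN of the domain.
    secondary_vlan: Optional[int] = None


def can_forward(src: Port, dst: Port) -> bool:
    """Return True if a frame entering on src may be delivered out of dst."""
    if src is dst:
        return False  # a switch never reflects a frame back out its ingress port
    if PROMISCUOUS in (src.designation, dst.designation):
        return True  # promiscuous ports talk to everything in the domain
    if ISOLATED in (src.designation, dst.designation):
        return False  # isolated hosts only ever see the promiscuous port(s)
    # Both ends are community ports: allowed only inside one community VLAN.
    return src.secondary_vlan == dst.secondary_vlan


def reachability(ports: List[Port]) -> Dict[str, Set[str]]:
    """Map each port name to the set of port names it may reach at Layer 2."""
    return {s.name: {d.name for d in ports if can_forward(s, d)} for s in ports}


def regular_vlan_reachability(ports: List[Port]) -> Dict[str, Set[str]]:
    """Same topology on a plain VLAN: every port reaches every other port.
    Comparing this with reachability() shows what the PVLAN actually blocks."""
    return {s.name: {d.name for d in ports if d is not s} for s in ports}


# Constructed sample domain (hypothetical): primary VLAN 100, isolated VLAN 101
# for two co-located customers, community VLAN 102 for a two-node web farm,
# community VLAN 103 for a single management host.
SAMPLE_PORTS = [
    Port("gw", PROMISCUOUS),
    Port("custA", ISOLATED, 101),
    Port("custB", ISOLATED, 101),
    Port("web1", COMMUNITY, 102),
    Port("web2", COMMUNITY, 102),
    Port("mgmt", COMMUNITY, 103),
]


def blocked_pairs(ports: List[Port]) -> Set[tuple]:
    """Pairs that a regular VLAN would allow but the PVLAN denies."""
    plain = regular_vlan_reachability(ports)
    pvlan = reachability(ports)
    return {(s, d) for s in plain for d in plain[s] - pvlan[s]}


if __name__ == "__main__":
    for src, dsts in reachability(SAMPLE_PORTS).items():
        print(f"{src:6} -> {sorted(dsts)}")
    print("blocked by PVLAN:", sorted(blocked_pairs(SAMPLE_PORTS)))
```

Running the block prints the per-port reachability and the list of host-to-host pairs that share the primary VLAN (and therefore the IP subnet) yet cannot exchange frames, which is exactly the isolation the slides claim without spending one subnet per customer.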
Advantages of PVLANs
1. Provides security
2. Reduces the number of IP subnets
3. Reduces VLAN utilisation by isolating traffic between network devices residing in the same VLAN
Useful Links RFC 5517, Private VLANs. Comprehensive analysis of various security threats and their mitigation techniques for a medium-size ISP.