RE: Private VLANs on the 6509's

From: Stephen Gill (gillsr99@yahoo.com)
Date: Thu Feb 15 2001 - 16:43:18 EST


Not necessarily true. By nature of TCP/IP you cannot
route to the same segment you are on. This is one of
the beauties of PVLANs = inherent layer 2 security
within a single layer 3 broadcast domain. You can use
community VLANs within PVLANs to utilize the feature
Fabio is looking for. If you want to separate layer 2
traffic even more, you can selectively use VLAN ACLs
if necessary, which do NOT negate the layer 3 switching
power as the "filtering" is done in the ASIC.

-- steve

--- "Desmarais, Jonathan" <JDesmarais@colt-telecom.com> wrote:
> This is a good point Fabio,
>
> The hosts must have a static route to the connected network with the
> Promiscuous Interface based router as the gateway. This way traffic between
> hosts on the same segment but isolated is routed through the MSFC.
>
> This is the problem with P-VLANs IMO, as to ensure the same level of
> security, access-lists etc. are now needed to keep the hosts more secure.
> This in turn negates the L3 switching power. The only real advantage of the
> P-VLAN is to ensure hosts cannot do ARP look-ups and spoof traffic to or
> from other servers on the segment.
>
> We only intend to use P-VLANs for our backup network; this is a network
> where each host only needs to see the backup server.
>
> Jon..
>
> > -----Original Message-----
> > From: Fabio Ribas [mailto:fabio_ribas@optiglobe.com.br]
> > Sent: 15 February 2001 16:05
> > To: 'Edward S. Desouza'
> > Cc: 'cisco-nsp@puck.nether.net'
> > Subject: RE: Private VLANs on the 6509's
> >
> > Hi Edward,
> >
> > Just one question, because I thought some time ago about using
> > private VLANs and I didn't.
> > Do you know what happens if two customers, which are connected
> > on the switch to the isolated VLAN, want to exchange traffic with each
> > other? I think they can't.
> > Another thing, when we implement private VLANs, can we use
> > a trunk to export the PVLAN to another switch? I am asking because the
> > domain is private, not client or server.
> >
> > Regards,
> > Fabio
> >
> > -----Original Message-----
> > From: Edward S. Desouza [mailto:edward_desouza@yahoo.com]
> > Sent: Thursday, 15 February 2001 02:48
> > To: Rich Sena
> > Cc: cisco-nsp@puck.nether.net
> > Subject: Re: Private VLANs on the 6509's
> >
> > Hi,
> > I finally got a soln:
> >
> > 1. Make a primary PVLAN
> > 2. Create a secondary VLAN as isolated; assign all
> > ports on the switch to the isolated VLAN
> > 3. Set port 15/1 as a promiscuous port
> >
> > Now, each isolated VLAN can ping the default gateway
> > (since 15/1 is a promiscuous port).
> >
> > Each port cannot ping other ports on the switch due to
> > isolated VLANs.
> >
> > All other VLANs (normal VLANs) can communicate with
> > each of the isolated ports through the router (since port 15/1
> > is configured as a promiscuous port).
> >
> > Tried it out and works fine. The key was to set 15/1
> > as a promiscuous port !!!!!
> > Rgds,
> >
> > Edward
> >
> > --- Rich Sena <ras@poppa.thick.net> wrote:
> > >
> > > Ed you just need to set a trunk between the switches... since everything is
> > > in a private VLAN it will have to be routed traffic for any hosts on the
> > > private segment to intercommunicate - i.e. they will have to exchange at a
> > > router or MSFC - not at layer 2
> > >
> > > On Feb 14, 2001 Edward S. Desouza reported:
> > >
> > > > Hi Guys,
> > > > Have any of you implemented Private VLANs on the
> > > > 6500 series CISCO switches? The documentation is
> > > > pretty sketchy. I need to do the following:
> > > >
> > > > 1. Each Customer that co-locates in my IDC will be
> > > > given an isolated port on the Primary VLAN (at the
> > > > access layer)
> > > >
> > > > 2. The primary and secondary VLANs will be trunked
> > > > through the MSFC to the distribution layer (also a
> > > > 6500 series).
> > > >
> > > > 3. Now is where my problem starts. I need to assign a
> > > > promiscuous port on my distribution switch.
> > > >
> > > > Once I set up the promiscuous port and assign it to the
> > > > primary VLAN, do I create another VLAN and enable
> > > > routing between the two VLANs (primary VLAN and the
> > > > new VLAN)? Even after doing so, other VLANs in other
> > > > switch blocks cannot access the isolated ports even
> > > > after passing through the distribution switch.
> > > >
> > > > Would really appreciate if any of you guys have some
> > > > sample configs.
> > > > Rgds,
> > > > Edward
> > > >
> > >
> > > --
> > > Rich Sena - ras@thick.net
> > > ThickNET Consulting
> > > "On the way to understanding; you understand, and forget."
> > >
> >
> >
> > =====
> > Edward S. Desouza
> > 23/24 Manali 5,
> > Evershine Nagar,
> > Malad (W),
> > Bombay 400064.
> > Tel :9122-8886362
> >
=== message truncated ===

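A constructed configuration, added here and not posted by anyone in the thread, that puts the pieces discussed above together for a hybrid-mode Catalyst 6500 (CatOS on the switch, IOS on the MSFC): Edward's primary/isolated PVLAN with 15/1 as the promiscuous port, the community VLAN Stephen suggests for customers who must exchange traffic at layer 2, and a hardware-filtered VACL on the primary VLAN for Jonathan's backup-network case. VLAN numbers, port ranges, addresses and the ACL name are assumptions, and the `ip local-proxy-arp` line on the MSFC is the usual way to let isolated hosts reach each other through the router without per-host static routes; that line is an assumption too, not something the thread states.

```text
# Constructed example (not from the thread). CatOS side of the 6500.
# VLAN 100 = primary, 101 = isolated secondary, 102 = community secondary (assumed numbers).
set vlan 100 pvlan-type primary
set vlan 101 pvlan-type isolated
set vlan 102 pvlan-type community

# Customer ports that must never see each other at layer 2 (assumed ports 3/1-24)
set pvlan 100 101 3/1-24
# Customers who need to talk to each other directly share one community (assumed 3/25-28)
set pvlan 100 102 3/25-28

# Port 15/1 (the MSFC) is the promiscuous port: map every secondary VLAN to it
set pvlan mapping 100 101 15/1
set pvlan mapping 100 102 15/1

# VACL on the primary VLAN, enforced in the ASIC so routing speed is unaffected.
# Backup-network case: hosts may only exchange IP traffic with the backup server
# (assumed 10.1.1.10); everything else in the VLAN is dropped.
set security acl ip PVLAN100 permit ip any host 10.1.1.10
set security acl ip PVLAN100 permit ip host 10.1.1.10 any
set security acl ip PVLAN100 deny ip any any
commit security acl PVLAN100
set security acl map PVLAN100 100

# Verify the bindings and the mapping to the promiscuous port
show pvlan
show pvlan mapping
show security acl info PVLAN100

# MSFC side (IOS): the SVI sits on the primary VLAN (assumed address).
# ip local-proxy-arp makes the router answer ARP for on-segment hosts, so two
# isolated hosts can reach each other via the MSFC without static routes (assumption).
interface Vlan100
 ip address 10.1.1.1 255.255.255.0
 ip local-proxy-arp
```

With the VACL in place, traffic from a host to the gateway itself is also dropped, so add permits for the gateway address before using this on anything other than a pure backup segment.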



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:29 EDT