Scalable Security in a Multi-Client Environment - Private VLANs Designing VLANs in Networks.

VLANs: Review
A VLAN is a broadcast domain in which hosts can establish direct communication with one another at Layer 2. Hosts in different Ethernet VLANs are not allowed to communicate directly; a Layer 3 device is needed to forward packets between broadcast domains. A regular VLAN usually corresponds to a single IP subnet.

Typical ISP Network Infrastructure

ISP Networks
If an ISP needs a VLAN to be connected to several customer sites, and each customer site needs to reach the ISP's VLAN but not each other's, which is the best design choice for the customer site VLANs?

Security Concerns on Sharing a VLAN
Companies can either host their servers on their own premises or locate them at the Internet Service Provider's premises. A typical ISP has a server farm that offers web hosting for a number of customers. Co-locating the servers in a server farm offers ease of management but, at the same time, may raise security concerns.
Problem: servers sharing the VLAN can establish Layer 2 communication with one another.
Metropolitan service providers may want to provide Layer 2 Ethernet access to homes, rental communities, businesses, etc.
Problem: the subscriber next door could very well be a malicious network user.

Solution – ISP Problem
Assign a separate VLAN to each customer. Each user would then be assured of Layer 2 isolation from devices belonging to other users.
Problem: scalability
- Maximum (theoretical) = 4092 VLANs possible
- Potential wastage of IP addresses in each subnet: each VLAN needs its own subnet, and two addresses are wasted per subnet

Private VLANs
Private VLANs (PVLANs) are used to segregate Layer 2 ISP traffic and convey it to a single router interface. The private VLAN technology partitions a larger VLAN broadcast domain into smaller sub-domains, introducing sub-VLANs inside a VLAN. Device isolation is achieved by applying Layer 2 forwarding constraints that allow:
- End devices to share the same IP subnet while being Layer 2 isolated.
- Use of larger subnets, reducing address management overhead.

Private VLANs
Two special sub-domains specific to the private VLAN technology are defined: the isolated sub-domain and the community sub-domain. Each sub-domain is defined by assigning the proper designation to a group of switch ports. Catalyst 6500/4500/3650 switches implement PVLANs, whereas the 2950 and 3550 support "protected ports", a similar functionality to PVLANs on a per-switch basis.

PVLAN Domain
A private VLAN domain is built with at least one pair of VLAN IDs: one (and only one) primary VLAN ID (Vp) plus one or more secondary VLAN IDs (Vs). Secondary VLANs can be of two types:
- Isolated VLANs (Vi): all hosts connected to its ports are isolated from one another at Layer 2.
- Community VLANs (Vc): a community VLAN is a secondary VLAN associated with a group of ports that connect to a certain "community" of end devices with mutual trust relationships.
A primary VLAN is the unique and common VLAN identifier of the whole private VLAN domain and of all its VLAN ID pairs.

Port Designations in PVLAN
Three separate port designations exist. Each port designation has its own unique set of rules, which regulate a connected endpoint's ability to communicate with other connected endpoints within the same private VLAN domain. The three port designations are: Promiscuous, Isolated, and Community.

PVLAN Port Definitions
[Diagram: switch ports Fa0/1 to Fa0/7. R1 on Fa0/1 is in Primary VLAN 100 (Promiscuous); the host ports are in Secondary VLAN 10 (Community), Secondary VLAN 20 (Community) and Secondary VLAN 30 (Isolated). The hosts' /24 addresses and the Yes/No reachability labels of the figure were not recovered.]

Example PVLAN
Primary VLAN 1000 has the secondary VLANs:
- VLAN 1012 – Community VLAN
- VLAN 1034 – Community VLAN
- VLAN 1055 – Isolated VLAN

Private VLAN Configuration
Create Private VLANs (PVLANs require VTP transparent mode):
DLS2(config)#vtp mode transparent
DLS2(config)#vlan 10
DLS2(config-vlan)#private-vlan community
DLS2(config-vlan)#exit
DLS2(config)#vlan 20
DLS2(config-vlan)#private-vlan community
DLS2(config-vlan)#exit
DLS2(config)#vlan 30
DLS2(config-vlan)#private-vlan isolated
DLS2(config-vlan)#exit
DLS2(config)#vlan 100
DLS2(config-vlan)#private-vlan primary
DLS2(config-vlan)#private-vlan association 10,20,30
DLS2(config-vlan)#exit

Private VLAN Configuration
Populate Private VLANs (the promiscuous port is mapped to primary 100 and all three secondaries; Fa0/2 is placed in primary 100 / community 10 as in the port diagram):
DLS2(config)#interface fa0/1
DLS2(config-if)#switchport mode private-vlan promiscuous
DLS2(config-if)#switchport private-vlan mapping 100 10,20,30
DLS2(config-if)#interface fa0/2
DLS2(config-if)#switchport mode private-vlan host
DLS2(config-if)#switchport private-vlan host-association 100 10
Verify Private VLANs:
DLS2#show vlan private-vlan
DLS2#show interfaces fa0/2 switchport
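The port designations and the DLS2 configuration above can be checked mechanically. The following Python is an added example and not part of the original slides: it parses an IOS-style private-VLAN configuration, validates the structural constraints of the domain (one isolated VLAN per primary, every referenced secondary declared and associated, host ports in exactly one secondary), and answers whether two ports may exchange Layer 2 frames under the promiscuous/community/isolated rules. The sample configuration is constructed from the slide's DLS2 commands; the assignment of Fa0/2-3 to VLAN 10 and Fa0/6-7 to VLAN 30 is an assumption taken from the port diagram, and VLAN 20 is declared without ports.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the slide's DLS2 configuration with host ports from the
# port diagram filled in. Fa0/2-3 -> VLAN 10 and Fa0/6-7 -> VLAN 30 is an
# assumption made for this example; VLAN 20 is declared but left without ports.
SAMPLE_CONFIG = """\
vlan 10
 private-vlan community
vlan 20
 private-vlan community
vlan 30
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 10,20,30
interface fa0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 10,20,30
interface fa0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 10
interface fa0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 10
interface fa0/6
 switchport mode private-vlan host
 switchport private-vlan host-association 100 30
interface fa0/7
 switchport mode private-vlan host
 switchport private-vlan host-association 100 30
"""

@dataclass
class Port:
    mode: str = ""          # "promiscuous" or "host"
    primary: int = 0        # primary VLAN of the port's PVLAN pair
    secondaries: set = field(default_factory=set)  # mapped/associated secondaries

def _vlan_list(text):
    """Expand an IOS VLAN list such as '10,20-22' into a set of ints."""
    out = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_config(text):
    """Return (vlan_types, associations, ports) from IOS-style config lines."""
    vlan_types, assoc, ports = {}, {}, {}
    cur_vlan = cur_port = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            cur_vlan = int(m[1])
        elif m := re.fullmatch(r"interface (\S+)", line):
            cur_port = m[1].lower()
            ports[cur_port] = Port()
        elif m := re.fullmatch(r"private-vlan (primary|community|isolated)", line):
            vlan_types[cur_vlan] = m[1]
        elif m := re.fullmatch(r"private-vlan association (\S+)", line):
            assoc[cur_vlan] = _vlan_list(m[1])
        elif m := re.fullmatch(r"switchport mode private-vlan (promiscuous|host)", line):
            ports[cur_port].mode = m[1]
        elif m := re.fullmatch(r"switchport private-vlan mapping (\d+) (\S+)", line):
            ports[cur_port].primary, ports[cur_port].secondaries = int(m[1]), _vlan_list(m[2])
        elif m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line):
            ports[cur_port].primary, ports[cur_port].secondaries = int(m[1]), {int(m[2])}
    return vlan_types, assoc, ports

def validate(vlan_types, assoc, ports):
    """Structural checks on the PVLAN domain; returns a list of error strings."""
    errors = []
    for primary, secs in assoc.items():
        if vlan_types.get(primary) != "primary":
            errors.append(f"VLAN {primary} carries an association but is not primary")
        if sum(vlan_types.get(s) == "isolated" for s in secs) > 1:
            errors.append(f"primary {primary} has more than one isolated VLAN")
        for s in secs:
            if vlan_types.get(s) not in ("community", "isolated"):
                errors.append(f"VLAN {s} is associated with {primary} but is not secondary")
    for name, p in ports.items():
        if p.mode == "host" and len(p.secondaries) != 1:
            errors.append(f"{name}: host port needs exactly one secondary VLAN")
        for v in sorted(p.secondaries - assoc.get(p.primary, set())):
            errors.append(f"{name}: VLAN {v} is not associated with primary {p.primary}")
    return errors

def can_talk(vlan_types, ports, a, b):
    """Layer 2 reachability: promiscuous ports reach every mapped secondary,
    community ports reach their own community and promiscuous ports, isolated
    ports reach promiscuous ports only."""
    pa, pb = ports[a], ports[b]
    if not pa.mode or not pb.mode or pa.primary != pb.primary:
        return False
    if pa.mode == pb.mode == "promiscuous":
        return True
    if pa.mode == "promiscuous":
        return pb.secondaries <= pa.secondaries
    if pb.mode == "promiscuous":
        return pa.secondaries <= pb.secondaries
    # two host ports: only members of the same community VLAN may exchange frames
    return any(vlan_types.get(v) == "community" for v in pa.secondaries & pb.secondaries)
```

With the sample, validate() returns no errors, can_talk() reports that every host port reaches the promiscuous port fa0/1, that fa0/2 and fa0/3 (same community) reach each other, and that fa0/6 and fa0/7 (same isolated VLAN) do not. Adding a second isolated VLAN to the association, or a host-association to a VLAN the primary does not carry, is flagged by validate() before the configuration is pushed to a switch.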

Advantages of PVLANs
1. Provides security
2. Reduces the number of IP subnets
3. Reduces VLAN consumption by isolating traffic between network devices residing in the same VLAN

Useful Links
RFC 5517: Private VLANs
Comprehensive analysis of various security threats and their mitigation techniques for a medium-size ISP