Hi there,
Who has experience with Cisco PVLAN (private VLAN)?
I'm in a project implementing this concept. PVLANs provide isolation at layer 2 on Catalyst 6k & 4k series switches.
Hosts on isolated ports in a PVLAN are in the same subnet, but cannot talk to each other. Isolated ports can only talk to a port in promiscuous mode, to which only routers and firewalls should be attached (!no trunks!). This should be very useful in a DMZ: if one server is compromised, it cannot be used for attacks (e.g. DDoS) against other DMZ servers. Configuring the PVLANs is no problem, but there is one question:
I read a document on Cisco's website, "Securing networks with PVLANs & VLAN-ACLs". It says (chapter: Known limitations ...) that a router could route a packet back into the same subnet it came from. If this happened, the servers could talk to each other at layer 3. ??? I can't believe that a router "routes" a packet with the same source and destination network address. E.g.: I send a packet (ping or whatever) from host 192.168.100.11 to host 192.168.100.12. The router's address, i.e. the default gateway, is 192.168.100.1. (!Host 11 can't find host 12 because of the layer-2 isolation!). If this packet reached the router interface, the router would not accept it. Or am I wrong?
MY QUESTION: Is there a way to configure the router to accept the packet and, if so, to route it back into the same subnet on the same interface (physical, no subinterfaces) it came from?
My equipment: Cat4006 CatOS 6.3(6) & Router3640 IOS 12.2(8)T4.
Thanks for any advice & help
haktop
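A defender-side illustration of the "known limitation" haktop asks about, as an added example that is not part of the original post: an inbound ACL on the router's DMZ interface that drops any packet whose source and destination both lie in the isolated subnet, so the router can never hairpin it back onto the PVLAN. The subnet 192.168.100.0/24 and gateway 192.168.100.1 are the ones from the post; the interface name FastEthernet0/0 is an assumption for a 3640.

```cisco
! Added example, not configuration from the original post.
! Assumes the PVLAN's primary VLAN is routed by FastEthernet0/0 on the 3640
! (interface name hypothetical); addresses are those used in the post.
!
! A packet arriving here with BOTH source and destination in 192.168.100.0/24
! can only be an isolated host trying to reach a neighbour via the gateway,
! i.e. an attempt to bypass the layer-2 isolation. Drop and log it.
! Traffic addressed to the router itself (e.g. pings to .1) is permitted first.
ip access-list extended DMZ-NO-HAIRPIN
 permit ip 192.168.100.0 0.0.0.255 host 192.168.100.1
 deny   ip 192.168.100.0 0.0.0.255 192.168.100.0 0.0.0.255 log
 permit ip 192.168.100.0 0.0.0.255 any
 deny   ip any any log
!
interface FastEthernet0/0
 description DMZ primary VLAN (attached to the PVLAN promiscuous port)
 ip address 192.168.100.1 255.255.255.0
 ip access-group DMZ-NO-HAIRPIN in
 ! Without the ACL, forwarding a packet back out the interface it arrived on
 ! would also trigger an ICMP redirect to the sender; disable those as well.
 no ip redirects
```

The `log` keyword on the deny lines turns each blocked hairpin attempt into a syslog message, which is a useful indicator that an isolated DMZ host is probing its neighbours.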