Friday, November 16, 2007

Cisco IOS: Implementing Private VLANs - How They REALLY Work!

Tuesday, November 14, 2006 at 02:02PM
Mike Storm

One very useful layer 2 security mechanism that hardly anyone seems to understand is the Private VLAN.  While simple in concept, the implementation of PVLANs can be difficult to grasp, especially in large, complex environments.  The difficulty is less in the commands themselves than in understanding how the components of a PVLAN work together and in mapping your own scenario onto the PVLAN structure.  This example walks through a common scenario where PVLANs are applicable and puts to rest some of the confusion involved in configuring them.

In our example, our intention is to use PVLANs to protect our DMZ network from unauthorized traffic pairs while still allowing the public services to operate correctly.  The goal of the PVLAN is to reduce the possibility of trust exploitation: if one bastion host is compromised, it should not be able to attack its neighbours at layer 2 just because they share a segment.  (VLAN hopping and double-tagging are primarily trunk-port attacks; PVLAN host ports cannot negotiate into a trunk, but the main defence against those attacks is trunk hardening, which is outside the scope of this example.)  One thing to remember is that PVLANs have long been fully supported only on the Cisco Catalyst 4000 and 6000 series, and most of the configuration documentation on Cisco's website is based on those two platforms.  Today the full feature set is supported on the 3560 and 3750 as well (important for the CCIE Security lab).  Other platforms, such as the 3550, do not carry the full PVLAN feature set; the 3550 offers only the protected port (PVLAN edge) feature, which isolates ports on a single switch without the primary/secondary VLAN structure described here.

PVLAN Background:
PVLANs provide layer 2 isolation between ports within the same broadcast domain; the hosts stay in one IP subnet, so no re-addressing is required.  They can be configured on a layer 2 or layer 3 switch.  PVLANs include three types of ports:
Promiscuous ports can communicate with all other ports in the private VLAN, including the isolated and community ports.  The default gateway or firewall normally sits on a promiscuous port.
Isolated ports have complete layer 2 separation from every other host port in the same PVLAN, including other isolated ports.  Isolated ports can communicate only with promiscuous ports.
Community ports communicate among themselves (within the same community VLAN) and with the promiscuous ports, but not with other communities or with isolated ports.

Private VLAN ports are associated with a set of supporting VLANs that are used to create the private VLAN structure.
A private VLAN uses three kinds of VLAN:
Primary VLAN carries traffic from promiscuous ports to isolated, community, and other promiscuous ports.  There is exactly one primary VLAN per private VLAN.
Isolated VLAN carries traffic from isolated ports to promiscuous ports.  A primary VLAN can have only one isolated VLAN.
Community VLAN carries traffic between community ports and to promiscuous ports.  You can configure multiple community VLANs in a private VLAN.
The secondary VLANs are effectively one-directional: a frame entering the switch on an isolated or community port is carried in that secondary VLAN toward the promiscuous port, while the reply from the promiscuous port comes back in the primary VLAN.  This is why each secondary VLAN must be associated with the primary VLAN and mapped on the promiscuous port; a secondary that is not mapped has no path to the firewall at all.

The diagram below shows how our scenario is set up: a PIX/ASA device is used as the firewall (any stateful firewall will do) to create a protected DMZ network where our public access servers (bastion hosts) reside.

pvlan1.jpg

Goals of the Solution:

- 2 DNS servers must communicate with the Internet and each other for zone transfer
- 1 Web Server must communicate with the Internet and the SQL Server for content
- 1 SQL Server must communicate only with the Web server and an internal SQL source (protected by firewall rules)
- 1 SMTP Relay must communicate only with the Internet and the internal mail server (protected by firewall rules)
- 1 FTP Server must communicate only with the Internet

The first thing you must do is create the Primary VLAN for the PVLAN scenario, together with the Community and Isolated VLANs that will be associated with it.  VLAN 1 (and the reserved VLANs 1002-1005) is not eligible as a primary or secondary PVLAN.  On these platforms the switch must also be in VTP transparent mode before private VLANs can be configured, since VTP versions 1 and 2 do not propagate them.  The diagrams showing each step follow below.

Switch(config)#vlan 100
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#vlan 200
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#vlan 86
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#exit
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#private-vlan association 100,200,86
Switch(config-vlan)#exit

The diagram below shows the implementation of the Primary VLAN and its associated secondary VLANs.

pvlan2.jpg

The next step is to assign the PIX/ASA port to the primary VLAN as a promiscuous port and map the secondary VLANs to it.  Every secondary VLAN whose hosts need to reach the firewall must appear in the mapping.

Switch(config)#interface gig2/1
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 10 100,200,86

The diagram below shows the implementation of the assignment.

pvlan3.jpg

The diagram below shows the implementation of Community VLAN 100 and the additional configuration that assigns ports to it.  The vlan 100 commands were already entered in the first step and are repeated here only for reference; the new commands set the port mode to private-vlan host and associate the ports with the primary VLAN and the community VLAN.
Switch(config)#vlan 100
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#interface range Gig2/2 - 3
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 100

pvlan4.jpg

The diagram below shows the implementation of Community VLAN 200 and the additional configuration that assigns ports to it (again, the vlan 200 commands are repeated from the first step).
Switch(config)#vlan 200
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#exit
Switch(config)#interface range Gig2/4 - 5
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 200

pvlan5.jpg

The diagram below shows the implementation of Isolated VLAN 86 and the related port assignment.  Note that isolated ports use the same host-association command as community ports; the isolation comes from the VLAN type, not from the port command.
Switch(config)#vlan 86
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#exit
Switch(config)#interface range Gig2/6 - 7
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 86

pvlan6.jpg

After all of this has been implemented, your traffic pairs are controlled within the PVLAN environment.  Given the goals above, the two DNS servers (community 100) see each other and the firewall, the web and SQL servers (community 200) see each other and the firewall, and the SMTP relay and FTP server (isolated 86) see only the firewall, not each other.  Verify the structure with show vlan private-vlan and each port's role with show interfaces <port> switchport.  Remember that the PVLAN enforces layer 2 reachability only; what each host may do through the firewall (Internet, internal SQL, internal mail) is still governed by the firewall rules.  The diagram below shows the final allowed traffic pairs.

pvlan7.jpg
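To make the "final allowed traffic pairs" concrete, and to check them against the goals listed earlier, here is a small Python model of the PVLAN forwarding rules.  This is an added example, not code from the original article or from Cisco: it encodes the three port types and the reachability rules between them, loads the article's design (primary 10, communities 100 and 200, isolated 86, the PIX/ASA on promiscuous Gig2/1, hosts on Gig2/2-7), and checks which pairs can exchange frames.  The assignment of servers to ports (DNS on Gig2/2-3, web and SQL on Gig2/4-5, SMTP and FTP on Gig2/6-7) is an assumption derived from the goals; the article shows it only in its diagrams.  The class and function names are the example's own.

```python
"""Layer 2 reachability model for Cisco private VLANs (PVLANs).

Added example, not code from the original article. The server-to-port
assignment below is an ASSUMPTION taken from the article's stated goals.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Optional

PROMISCUOUS, COMMUNITY, ISOLATED = "promiscuous", "community", "isolated"


@dataclass(frozen=True)
class Port:
    name: str                              # switch interface, e.g. "Gig2/2"
    host: str                              # attached device (assumed)
    mode: str                              # one of the three PVLAN port types
    secondary: Optional[int] = None        # secondary VLAN of a host port
    mapping: FrozenSet[int] = frozenset()  # secondaries a promiscuous port serves


class PrivateVlan:
    """One primary VLAN, its secondary VLANs, and the ports attached to them."""

    def __init__(self, primary, isolated, communities):
        for v in (primary, isolated, *communities):
            # VLAN 1 and the reserved VLANs 1002-1005 cannot be private VLANs.
            if v == 1 or 1002 <= v <= 1005:
                raise ValueError(f"VLAN {v} cannot be part of a private VLAN")
        self.primary = primary
        self.isolated = isolated          # only one isolated VLAN per primary
        self.communities = frozenset(communities)
        self.ports = []

    def add_port(self, port):
        """Attach a port, rejecting associations the switch would refuse."""
        secondaries = self.communities | {self.isolated}
        if port.mode == PROMISCUOUS:
            if port.mapping - secondaries:
                raise ValueError(f"{port.name}: mapping to unassociated VLAN")
        elif port.mode == COMMUNITY and port.secondary not in self.communities:
            raise ValueError(f"{port.name}: {port.secondary} is not a community VLAN")
        elif port.mode == ISOLATED and port.secondary != self.isolated:
            raise ValueError(f"{port.name}: {port.secondary} is not the isolated VLAN")
        self.ports.append(port)
        return port

    def can_talk(self, a, b):
        """Bidirectional layer 2 reachability between two distinct ports."""
        if a is b:
            return False
        if a.mode == PROMISCUOUS and b.mode == PROMISCUOUS:
            return True                   # both sit in the primary VLAN
        if PROMISCUOUS in (a.mode, b.mode):
            prom, host = (a, b) if a.mode == PROMISCUOUS else (b, a)
            # Frames from a host port travel in its secondary VLAN and reach
            # the promiscuous port only if that secondary is mapped on it.
            return host.secondary in prom.mapping
        if a.mode == COMMUNITY and b.mode == COMMUNITY:
            return a.secondary == b.secondary  # same community VLAN only
        return False  # isolated<->isolated, isolated<->community, cross-community

    def allowed_host_pairs(self):
        """Unordered pairs of hosts that can exchange frames at layer 2."""
        return {frozenset((a.host, b.host))
                for a, b in combinations(self.ports, 2) if self.can_talk(a, b)}


def article_scenario(firewall_mapping=(100, 200, 86)):
    """The article's DMZ; which server is on which port is assumed."""
    pv = PrivateVlan(primary=10, isolated=86, communities=(100, 200))
    pv.add_port(Port("Gig2/1", "PIX/ASA", PROMISCUOUS, mapping=frozenset(firewall_mapping)))
    pv.add_port(Port("Gig2/2", "DNS1", COMMUNITY, 100))
    pv.add_port(Port("Gig2/3", "DNS2", COMMUNITY, 100))
    pv.add_port(Port("Gig2/4", "Web", COMMUNITY, 200))
    pv.add_port(Port("Gig2/5", "SQL", COMMUNITY, 200))
    pv.add_port(Port("Gig2/6", "SMTP", ISOLATED, 86))
    pv.add_port(Port("Gig2/7", "FTP", ISOLATED, 86))
    return pv


# The article's goals as layer 2 requirements. The Internet and the internal
# hosts are behind the firewall, so reaching them means reaching the PIX/ASA.
MUST_TALK = {frozenset(p) for p in [
    ("DNS1", "DNS2"), ("Web", "SQL"), ("DNS1", "PIX/ASA"), ("DNS2", "PIX/ASA"),
    ("Web", "PIX/ASA"), ("SQL", "PIX/ASA"), ("SMTP", "PIX/ASA"), ("FTP", "PIX/ASA")]}
MUST_NOT_TALK = {frozenset(p) for p in [
    ("SMTP", "FTP"), ("FTP", "Web"), ("DNS1", "SQL"), ("SMTP", "SQL")]}


def check_goals(pv):
    """Return (missing, leaked): required pairs that cannot talk, forbidden pairs that can."""
    allowed = pv.allowed_host_pairs()
    return MUST_TALK - allowed, MUST_NOT_TALK & allowed


if __name__ == "__main__":
    pv = article_scenario()
    for pair in sorted(sorted(p) for p in pv.allowed_host_pairs()):
        print(" <-> ".join(pair))
    print("missing, leaked:", check_goals(pv))
```

Running the script lists the eight allowed pairs (each host to the PIX/ASA, DNS1 to DNS2, Web to SQL) and an empty missing/leaked result.  Calling article_scenario(firewall_mapping=(100, 200)) shows the failure mode the mapping step guards against: with VLAN 86 left out of the promiscuous port's mapping, the SMTP relay and FTP server lose their only path off the segment while nothing else changes.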