
A bit about private VLAN

Quite often on forums and other resources the claim slips by that VLANs (the 802.1Q standard) are not a security mechanism as such. I agree with that in principle; it is like dynamic NAT, which protects hosts on a private-address network only indirectly. Yes, VLANs and NAT are two topics that start holy wars. But there is one technology that ties VLANs most closely to security, and that is what we will talk about here.

If you are interested, read on.


What is a private VLAN?

I'll try to explain it in my own words. This technology gives you control inside a VLAN: the broadcast domain is split into sub-domains according to the settings the network administrator has configured. Simply put, there is a switch, there is a network, there is a broadcast domain, and we do not want the users connected to that domain to be able to reach each other. That is where this technology applies: looking at the technology itself, sub-domains are organized inside the domain.



There are two types of VLAN in this technology. The primary VLAN is the main VLAN taken as the basis; to the rest of the network it appears as an ordinary, non-private VLAN and, as usual, does not expose the IDs of the VLANs inside it, which belong to the second type, the secondary VLANs.
Secondary VLANs in turn come in two kinds, isolated and community; the differences between them are described below.
Summing up, we get the following.



Promiscuous (or Uplink, for example at Allied Telesyn) is a traffic forwarding mode used where access does not need to be restricted (the file server, router or switch that everyone must reach). This port type belongs to the primary VLAN. It exchanges traffic with both isolated and community ports and, as stated above, with VLANs that do not use PVLAN technology at all.

Isolated is simply a port in an isolated state, i.e. it sits in its own sub-domain and has no access to other isolated ports, nor do they have access to it. It sees only the ports that are in promiscuous state. This is used when a host on the network requires special security.

Community means the split into sub-domains is done not for a single port but for several ports placed together in a separate sub-domain. In other words, hosts in such a sub-domain see both their neighbours in the same community and the hosts in promiscuous state. This is used when we isolate, for example, by department.

I relied on Cisco's terminology more than on others'. Other vendors' terms differ, but they map onto Cisco's concepts, and once you know the technology from one vendor, I think you will understand what is what at another.
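To make the three port roles above concrete, here is an added example (my own code, not from the original post or from any vendor) that models the Cisco-style PVLAN forwarding rules and computes which ports can reach which; it also checks the detail that a promiscuous port only sees the secondary VLANs it is mapped to. The VLAN numbers, port names and mapping list are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed topology: primary VLAN 100 carries two secondary VLANs,
# 101 (isolated) and 102 (community). Hypothetical numbers, not from the post.
SECONDARY_TYPE = {101: "isolated", 102: "community"}


@dataclass
class Port:
    name: str
    mode: str                                   # "host" or "promiscuous"
    secondary: Optional[int] = None             # host ports: their secondary VLAN
    mapping: set = field(default_factory=set)   # promiscuous ports: mapped secondaries


def can_talk(a: Port, b: Port) -> bool:
    """True if frames from port a are forwarded to port b under PVLAN rules."""
    if a.name == b.name:
        return True
    # Promiscuous <-> host: only when the promiscuous port is mapped to the
    # host's secondary VLAN (an unmapped secondary stays invisible to it).
    if a.mode == "promiscuous" and b.mode == "host":
        return b.secondary in a.mapping
    if a.mode == "host" and b.mode == "promiscuous":
        return a.secondary in b.mapping
    # Two promiscuous ports share the primary VLAN and always see each other.
    if a.mode == "promiscuous" and b.mode == "promiscuous":
        return True
    # Host <-> host: only inside the same community VLAN. Isolated ports never
    # see each other, even when they sit in the same isolated VLAN.
    return a.secondary == b.secondary and SECONDARY_TYPE[a.secondary] == "community"


def reachability(ports):
    """Map every port name to the set of port names it can exchange frames with."""
    return {p.name: {q.name for q in ports if can_talk(p, q)} for p in ports}


PORTS = [
    Port("Gi0/1", "promiscuous", mapping={101, 102}),  # router / file server uplink
    Port("Gi0/2", "host", secondary=101),              # isolated host
    Port("Gi0/3", "host", secondary=101),              # isolated host
    Port("Gi0/4", "host", secondary=102),              # community host (department A)
    Port("Gi0/5", "host", secondary=102),              # community host (department A)
]

if __name__ == "__main__":
    for name, peers in reachability(PORTS).items():
        print(f"{name} reaches {sorted(peers - {name})}")
```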

About application

I would say that before introducing this technology into a network you must take into account that PVLAN does not support many other features, for example VTP, RSPAN, voice VLAN, etc.

The technology is quite interesting in my opinion, and even if you do not find a use for it in your network, I think those who have not come across the concept will find this brief description of it worthwhile.

Source: https://habr.com/ru/post/114646/

