
For added security I am migrating our network to use PVLANs. My question is: given a standard VLAN (192.168.0.0/24), can I designate a few ports as isolated/promiscuous while still having the others work normally? I would like to test things using a few hosts as opposed to potentially bricking the whole network. There are also hundreds of hosts to migrate, so I might not be able to do it all in one sitting.

Take a look at this:

http://www.cisco.com/en/US/i/100001-200000/180001-190000/182001-183000/182773.jpg

Imagine the top port as a promisc port (which it is), and the two left-most ones as isolated ports (which they are). Now instead of assigning community ports to the four rightmost ports I would like to simply leave them in the VLAN without any PVLAN parameters. Can this be done?

user974896

1 Answer


The way that PVLAN operates is that traffic transmitted into an isolated port is actually mapped into another VLAN (the aux VLAN). The promiscuous port, in turn, transmits frames from both the primary and aux VLANs to its connected host. Frames received on the promiscuous port go into the primary VLAN.

What this means is that the promiscuous port and the normal ports can communicate normally, the normal ports can send traffic -to- the isolated ports but will receive no traffic back and traffic sent from the isolated ports will only be seen at the promiscuous port. The normal ports will continue to operate as expected.

So - if you're OK with the normal ports being able to send traffic to the isolated ports (but not vice-versa) then the rest of the setup should work.

The use of community ports (instead of normal/non-PVLAN ports) would ensure that traffic sent from said ports would never be seen on the isolated ports while still allowing full communication otherwise. This would generally be the way to go if you want the isolated hosts truly isolated.

rnxrx
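To check the asymmetry the answer describes before touching real switches, here is an added example (not from the post or any vendor) that models the VLAN mapping rules stated above: each port role transmits into one VLAN and receives a set of VLANs, and a frame is delivered when the sender's VLAN is in the receiver's set. The VLAN numbers and role names are assumptions for the model; MAC learning, trunks and routing are ignored.

```python
"""Simplified model of the private-VLAN forwarding rules in the answer.

Assumed model (constructed for this example, not a switch implementation):
a frame entering a port is mapped into the VLAN its role transmits into,
and is delivered to every other port whose role receives that VLAN.
"""
from itertools import product

PRIMARY = 100     # the existing "normal" VLAN (192.168.0.0/24 in the question)
ISOLATED = 101    # aux/secondary VLAN that isolated ports transmit into
COMMUNITY = 102   # secondary VLAN for one community (assumed single community)

# Role -> VLAN that frames received from such a port are mapped into.
TX_VLAN = {"normal": PRIMARY, "promiscuous": PRIMARY,
           "isolated": ISOLATED, "community": COMMUNITY}

# Role -> VLANs whose frames are transmitted out of such a port.
RX_VLANS = {"normal": {PRIMARY},
            "promiscuous": {PRIMARY, ISOLATED, COMMUNITY},
            "isolated": {PRIMARY},
            "community": {PRIMARY, COMMUNITY}}

ROLES = ("normal", "promiscuous", "isolated", "community")


def can_reach(src_role, dst_role):
    """True if a frame from a src_role port is delivered to a dst_role port."""
    return TX_VLAN[src_role] in RX_VLANS[dst_role]


def reachability_matrix():
    """Map (src, dst) -> bool for every pair of port roles."""
    return {(s, d): can_reach(s, d) for s, d in product(ROLES, ROLES)}


def one_way_pairs():
    """Pairs where traffic flows src -> dst but not back (the caveat above)."""
    return sorted((s, d) for s in ROLES for d in ROLES
                  if s != d and can_reach(s, d) and not can_reach(d, s))


if __name__ == "__main__":
    for (s, d), ok in sorted(reachability_matrix().items()):
        print(f"{s:>12} -> {d:<12} {'delivered' if ok else 'blocked'}")
    print("one-way flows:", one_way_pairs())
```

Running it lists the normal -> isolated flow as the only leak into isolated ports, which is the trade-off the answer points out; swapping the remaining ports to the community role removes that flow.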