Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Private Vlan, Community Vlan and Isolated VLAN Questions

Private Vlan, Community Vlan and Isolated VLAN Questions - Page 3

post #21 of 26
Edit: n/m, I see that you have mapped all your pvlans to the same vlan, and are sending that one vlan to your router via an untagged port. That's probably what confused people - I did not understand that at first, either (and you didn't say it in any of your posts 8)

What you are trying to do will absolutely work on layer 2. That is to say, one PC cannot send data to a MAC address on another PC. Whether it will work on layer 3 (ie, can one PC send data to an IP address on another PC) depends entirely on how you have set up your router.

The switch takes care of layer 2 (ethernet) isolation
The router is responsible for layer 3+ (tcp/ip) isolation
Edited by thefreeaccount - 2/23/11 at 5:21pm
post #22 of 26
Thread Starter 
Thank you for the understanding, and yes, I most probably chose the wrong words...

Anyway, in the current theoretical setup I don't have control over the L3 section.

So with that said, will the L2 switch block traffic that should not go into the Community VLAN even if I try to reach it via a direct IP address?

For a simple example, will a ping from outside the community VLAN to it reach the destination?
    
CPUMotherboardGraphicsRAM
I7-2600K GA-P67A-UD5-B3 MSI GeForce GTX 760 OC Twin Frozr IV 1085/1150M... 2 * [ RipjawsX ] F3-17600CL7D-4GBXHD 
Hard DriveOptical DriveCoolingOS
2 * Seagate Barracuda 7200.12 500GB in Raid 0 SAMSUNG Black SATA DVD Burner Corsair H90 Win 7 Home Prenuim 64 bits 
PowerCaseMouse
Antec TPQ 800 W Lian Li TYR PC-X2000 G5 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
I7-2600K GA-P67A-UD5-B3 MSI GeForce GTX 760 OC Twin Frozr IV 1085/1150M... 2 * [ RipjawsX ] F3-17600CL7D-4GBXHD 
Hard DriveOptical DriveCoolingOS
2 * Seagate Barracuda 7200.12 500GB in Raid 0 SAMSUNG Black SATA DVD Burner Corsair H90 Win 7 Home Prenuim 64 bits 
PowerCaseMouse
Antec TPQ 800 W Lian Li TYR PC-X2000 G5 
  hide details  
Reply
post #23 of 26
In theory, IF your hardware supports it (and the hardware I'm personally familiar with does not - in cisco-land, there is no such thing as an untagged promiscuous port, they all have to be tagged):

let's say there are two hosts in the same pvlan:
1) router: mac address A, ip address 1
2) host "naughty": mac address B, ip address 2
3) host "nice": mac address C, ip address 3

A ping from naughty (mac B, ip 2) to nice (mac C, ip 3) will go to the switch.
The switch looks up destination C in its CAM table and sees it is in pvlan 1.
The switch knows the src port is also in pvlan 1.
Therefore the traffic will be blocked.

OTOH:
A ping from naughty (B, ip 2) to nice (mac A, ip 3) will go to the switch.
1) The switch looks up destination A in its CAM table and sees it is the router.
2) The router looks up destination 3 in its routing table and sees it is within the local subnet.
3) The router sends an L2 broadcast: src (A) dst (FF) to the switch: "Who has IP address 3?"
4) The switch sends the broadcast to every host.
5) Nice sends an L2 reply to the router: src (C) dst (A): "I have IP address 3."
6) The router rewrites the original packet.
It was src: (B, 2) dst (A, 3)
Now it is: src(A, 2) dst (C, 3)
7) The router sends the packet to the switch.
8) The switch looks up dest C in its CAM table and sends it to nice.
9) Host "nice" updates its ARP table. Henceforth, all packets to ip address 2 will be sent to mac address A.
10) Nice replies to naughty's ping by sending packet src (C, 3) dst (A, 2).

Now naughty can talk to nice and nice can talk to naughty. Why would naughty do such a thing as send a packet to (A, 3)? Because he was driven to a life of crime by a history of racism and poverty. Or possibly because the router is configured to do proxy-arp for the local subnet.

The switch will stop a packet with src MAC B from reaching dst MAC C.
It is the router's job to stop a packet with src IP 2 from reaching dst IP 3.
Edited by thefreeaccount - 2/23/11 at 10:49pm
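The ten-step exchange above, together with the L2/L3 split from post #21, as an added example that is not part of the original thread: a Python model of a PVLAN switch (promiscuous, isolated and community ports) and a router on the promiscuous port. It goes slightly beyond the post by also including a community pair, so the three port roles can be compared. Every port name, MAC address and IP address (the 192.0.2.0/24 documentation range) is made up, and `deny_intra_subnet` stands in for whatever filter the router applies to same-subnet traffic; nothing here is the configuration of any real switch or router.

```python
"""Toy model of the forwarding steps in the post above (added example; every name,
MAC and IP is made up): PVLAN isolation in the switch, relay through the router."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"
BROADCAST = "ff:ff:ff:ff:ff:ff"
Packet = namedtuple("Packet", "src_mac dst_mac src_ip dst_ip")
Host = namedtuple("Host", "name mac ip port")

class PvlanSwitch:
    def __init__(self):
        self.ports = {}  # port name -> (role, community)
        self.cam = {}    # MAC -> port name

    def add_port(self, name, mac, role, community=None):
        self.ports[name] = (role, community)
        self.cam[mac] = name

    def can_forward(self, in_port, out_port):
        # PVLAN rule: promiscuous talks to all; community only within its community;
        # isolated only to promiscuous.
        (r_in, c_in), (r_out, c_out) = self.ports[in_port], self.ports[out_port]
        return PROMISCUOUS in (r_in, r_out) or (r_in == r_out == COMMUNITY and c_in == c_out)

    def forward(self, pkt):
        """Ports the frame is delivered to (empty set = dropped by the switch)."""
        in_port = self.cam[pkt.src_mac]
        if pkt.dst_mac == BROADCAST:
            return {p for p in self.ports if p != in_port and self.can_forward(in_port, p)}
        out = self.cam.get(pkt.dst_mac)
        return {out} if out and self.can_forward(in_port, out) else set()

class Router:
    def __init__(self, mac, ip, subnet, proxy_arp=True, deny_intra_subnet=False):
        self.mac, self.ip, self.subnet = mac, ip, ip_network(subnet)
        self.proxy_arp = proxy_arp                  # answers ARP for any on-link IP
        self.deny_intra_subnet = deny_intra_subnet  # the layer-3 filter the post calls for

    def arp(self, switch, hosts, target_ip):
        """Steps 3-5: broadcast from the promiscuous port; owner's reply comes back."""
        reached = switch.forward(Packet(self.mac, BROADCAST, self.ip, target_ip))
        for h in hosts:
            if h.port in reached and h.ip == target_ip:
                reply = switch.forward(Packet(h.mac, self.mac, h.ip, self.ip))
                return h if switch.cam[self.mac] in reply else None
        return None

    def route(self, pkt, switch, hosts):
        """Steps 6-8: filter, resolve the on-link destination, rewrite MACs, resend."""
        src, dst = ip_address(pkt.src_ip), ip_address(pkt.dst_ip)
        if dst not in self.subnet or (self.deny_intra_subnet and src in self.subnet):
            return set()  # off-link routing not modelled; the ACL drops hairpinned traffic
        target = self.arp(switch, hosts, pkt.dst_ip)
        return switch.forward(Packet(self.mac, target.mac, pkt.src_ip, pkt.dst_ip)) if target else set()

def resolve(src, dst_ip, switch, router, hosts):
    """ARP from a host: only whoever the switch lets hear the broadcast can answer."""
    reached = switch.forward(Packet(src.mac, BROADCAST, src.ip, dst_ip))
    for h in hosts:
        if h.port in reached and h.ip == dst_ip:
            return h.mac
    if switch.cam[router.mac] in reached and router.proxy_arp and ip_address(dst_ip) in router.subnet:
        return router.mac  # proxy ARP: the router claims the address with its own MAC
    return None

def ping(src_name, dst_ip, switch, router, hosts, next_hop_mac=None):
    """Name of the host that receives the echo request, or None. A next_hop_mac
    stands in for a static ARP entry on the sender and skips the ARP step."""
    src = next(h for h in hosts if h.name == src_name)
    next_hop_mac = next_hop_mac or resolve(src, dst_ip, switch, router, hosts)
    if next_hop_mac is None:
        return None
    pkt = Packet(src.mac, next_hop_mac, src.ip, dst_ip)
    ports = switch.forward(pkt)
    if next_hop_mac == router.mac and switch.cam[router.mac] in ports:
        ports = router.route(pkt, switch, hosts)  # steps 6-8 happen here
    by_port = {h.port: h.name for h in hosts}
    return next((by_port[p] for p in ports if p in by_port), None)

def build(proxy_arp=True, deny_intra_subnet=False):
    """Constructed topology: router on promiscuous gi0/1, two isolated hosts, one community."""
    sw = PvlanSwitch()
    router = Router("aa:00:00:00:00:01", "192.0.2.1", "192.0.2.0/24", proxy_arp, deny_intra_subnet)
    sw.add_port("gi0/1", router.mac, PROMISCUOUS)
    hosts = [Host("naughty", "aa:00:00:00:00:02", "192.0.2.2", "gi0/2"),
             Host("nice", "aa:00:00:00:00:03", "192.0.2.3", "gi0/3"),
             Host("blue1", "aa:00:00:00:00:04", "192.0.2.4", "gi0/4"),
             Host("blue2", "aa:00:00:00:00:05", "192.0.2.5", "gi0/5")]
    roles = [(ISOLATED, None), (ISOLATED, None), (COMMUNITY, "blue"), (COMMUNITY, "blue")]
    for h, (role, comm) in zip(hosts, roles):
        sw.add_port(h.port, h.mac, role, comm)
    return sw, router, hosts

def naughty_to_nice(proxy_arp=True, deny_intra_subnet=False, static_arp_to_router=False):
    """The post's scenario: naughty aims at nice's IP through the router."""
    sw, router, hosts = build(proxy_arp, deny_intra_subnet)
    return ping("naughty", "192.0.2.3", sw, router, hosts, router.mac if static_arp_to_router else None)

if __name__ == "__main__":
    sw, router, hosts = build()
    print("naughty -> nice at layer 2:", ping("naughty", "192.0.2.3", sw, router, hosts, hosts[1].mac))
    print("blue1 -> blue2 (same community):", ping("blue1", "192.0.2.5", sw, router, hosts))
    print("naughty -> nice via proxy ARP:", naughty_to_nice())
    print("same, router ACL on:", naughty_to_nice(deny_intra_subnet=True, static_arp_to_router=True))
```

In the model, `naughty_to_nice()` returns `"nice"` whenever the router is willing to hairpin same-subnet traffic, whether naughty learned MAC A from a proxy-ARP answer or simply programmed a static ARP entry for IP 3 pointing at MAC A, and returns `None` only when the router itself drops it (`deny_intra_subnet=True`). Turning proxy ARP off only breaks the automatic ARP step; it does not stop a host that already knows the router's MAC. The switch never sees anything to block, which is the point of the last two lines of the post.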
post #24 of 26
Thread Starter 
Thanks I understand a little bit more.

The next step is to find time and the hardware to test it out, I have my idea where to get access to that.

For the untagged promiscuous port, they're always in VLAN 1 (default); as far as I know it's not possible to remove them from it... I'll have to check with Packet Tracer (that doesn't do PVLANs).
    
CPUMotherboardGraphicsRAM
I7-2600K GA-P67A-UD5-B3 MSI GeForce GTX 760 OC Twin Frozr IV 1085/1150M... 2 * [ RipjawsX ] F3-17600CL7D-4GBXHD 
Hard DriveOptical DriveCoolingOS
2 * Seagate Barracuda 7200.12 500GB in Raid 0 SAMSUNG Black SATA DVD Burner Corsair H90 Win 7 Home Prenuim 64 bits 
PowerCaseMouse
Antec TPQ 800 W Lian Li TYR PC-X2000 G5 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
I7-2600K GA-P67A-UD5-B3 MSI GeForce GTX 760 OC Twin Frozr IV 1085/1150M... 2 * [ RipjawsX ] F3-17600CL7D-4GBXHD 
Hard DriveOptical DriveCoolingOS
2 * Seagate Barracuda 7200.12 500GB in Raid 0 SAMSUNG Black SATA DVD Burner Corsair H90 Win 7 Home Prenuim 64 bits 
PowerCaseMouse
Antec TPQ 800 W Lian Li TYR PC-X2000 G5 
  hide details  
Reply
post #25 of 26
It depends on what kind of Layer 2 switch you have. If this is an unmanaged switch you will not be able to do 802.1Q tagging. On a managed switch, VLAN 1 will contain the default VLAN as well as other services. All untagged traffic will default to VLAN 1. On a Cisco switch the tagging happens at the access port and is then carried to the trunk which is connected to the router. However, as you stated earlier, you are using a home router, and most of those do not support 802.1Q tags.

If you really want to use 3 separate VLANs you will need a commercial-class router, a firewall, or a layer 3 switch. All of these will support 802.1Q tagging.

Normally the best recommended solution would be to have all VLANs terminate into a firewall.
post #26 of 26
Thread Starter 
In the example I was implying an L2 manageable switch; good thing that you mention it.

Your added bit of information helped me get a better grasp of the situation.

So even if I do a Private VLAN (PVLAN) I would still need a commercial-grade L3 device to complete the isolation...

Oh well... if we cannot do it any other way, we cannot do it.

Still, this exercise helped me grasp this new PVLAN thing a little better.

If others want to add other information, please feel free to do so.

Thank you to ALL of the posters that tried to help me, even if I'm hard to understand or not easy to work with.
    
CPUMotherboardGraphicsRAM
I7-2600K GA-P67A-UD5-B3 MSI GeForce GTX 760 OC Twin Frozr IV 1085/1150M... 2 * [ RipjawsX ] F3-17600CL7D-4GBXHD 
Hard DriveOptical DriveCoolingOS
2 * Seagate Barracuda 7200.12 500GB in Raid 0 SAMSUNG Black SATA DVD Burner Corsair H90 Win 7 Home Prenuim 64 bits 
PowerCaseMouse
Antec TPQ 800 W Lian Li TYR PC-X2000 G5 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
I7-2600K GA-P67A-UD5-B3 MSI GeForce GTX 760 OC Twin Frozr IV 1085/1150M... 2 * [ RipjawsX ] F3-17600CL7D-4GBXHD 
Hard DriveOptical DriveCoolingOS
2 * Seagate Barracuda 7200.12 500GB in Raid 0 SAMSUNG Black SATA DVD Burner Corsair H90 Win 7 Home Prenuim 64 bits 
PowerCaseMouse
Antec TPQ 800 W Lian Li TYR PC-X2000 G5 
  hide details  
Reply
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: Networking & Security
Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Private Vlan, Community Vlan and Isolated VLAN Questions