
Uncategorized | 8 min read

PRIVATE VLANs

ngworx Team
June 2021
written by Francesco Vestri
Senior Network Engineer

Private VLANs have existed for some time, but their implementation is usually seen as convoluted and unclear.
In this article we introduce the concept and use of Private VLANs and provide an implementation example based on Juniper devices.

Disclaimer: Dear readers, please note that this blog is a bit older and therefore the content, insights and statements may have changed over time as products, services and technologies evolve.


Scenario

If we look at office applications, there is usually no need for hosts to communicate directly with each other: traffic normally flows to and from a server outside our own subnet.

The examples below show several scenarios where communication goes through a server, whether on-premises or external to the organization, hosting the service we intend to use:

(Figure: three scenario diagrams)

The diagrams all show traffic flows going via an uplink connection rather than directly to the destination host, demonstrating that normally the ability to directly communicate with hosts on the same subnet is not a requirement but rather a liability.

BROADCAST DOMAIN

A Layer 2 switch allows devices connected to its ports to communicate directly with each other at the Data Link level, that is, without the need for an intermediate device such as a Router or a Firewall; for this reason, hosts on the same VLAN are said to share the same Broadcast Domain.
This also means that their traffic is normally neither analyzed nor blockable if one device is compromised, so a compromised host is free to infect or attack other machines on the same segment.

(Figure: broadcast domain)

While several techniques exist to prevent or mitigate this type of behaviour, such as NAC, inline probes, and Macro-Segmentation, this article focuses on Private VLANs as a simple mechanism to introduce isolation between hosts in an access network or even physical servers in a small data center.

NETWORK SEGMENTATION

Within an organization, it is common to provide separation between different parts of the company so that hosts from one department (e.g. Finance) are separated from hosts of another department (e.g. Marketing).

The reasons for this separation are multiple:

  • it is easy to identify which group a host belongs to by simply looking at its IP subnet
  • in addition, and this is the purpose of this article, when a host leaves its subnet to reach a device outside of its network, it must go through an intermediate node, such as a Router or a Firewall, which allows us to introduce traffic restriction rules.

(Figure: network segmentation)

While this separation works for different segments of the network, what if we wanted to block traffic between hosts in the same VLAN? As we have seen from the examples before, we do not normally need these hosts to reach each other and we would rather avoid this condition.

Because hosts share the broadcast domain, they can communicate directly without an intermediate device; the solution is therefore to instruct the underlying switch itself to restrict the traffic flow within the specific VLAN by activating the Private VLAN configuration.

Private VLANs

In normal conditions, a switch allows traffic to flow from one port to any other port within the same VLAN as shown in the example below:

(Figure: Private VLANs)

If now we configure the VLAN as PRIVATE, we can see that traffic will no longer be able to flow from one port to the others:

Of course, this situation is not very useful on its own: we still need one port to be able to receive our traffic. Normally this is the port where our local Gateway is connected, and it is named the promiscuous port:

(Figure: Private VLANs)

While the promiscuous port is able to receive traffic from all other ports in the PRIVATE VLAN (named isolated ports), these ports will not be able to send traffic to each other, thus obtaining the protection we were looking for:

(Figure: Private VLANs)

As specified before, the same isolated ports will continue to send and receive traffic to and from the promiscuous port:

(Figure: Private VLANs)

Terminology:

To better understand the operation behind Private VLANs, we summarize here the terms used so far:

Isolated Ports: traffic from these ports is only allowed towards the promiscuous port. No traffic can flow from an isolated port to another isolated port, thus preventing any attempt to communicate from one host to another in the same VLAN. In our diagrams, we indicate these ports with a yellow mark.

Promiscuous Port: this is the only port that is able to send traffic to the isolated ports. Since isolated ports cannot send traffic to each other, the only traffic they receive is the traffic coming from this port. In our diagrams, we indicate this port with a red mark.

Community Ports: these ports will be introduced later in our description. In our diagrams, we indicate these ports with a blue mark.

Example 1, Isolated Ports:

In the diagram below, we can see the hosts connected to a traditional VLAN.
Traffic can freely move from one host to the other and to the Gateway to be able to reach external subnets.

(Figure: Private VLANs)

As soon as we configure the VLAN as private, traffic between hosts will be blocked.

(Figure: Private VLANs)

To provide external connectivity to the VLAN, we will configure one port as promiscuous and connect a Local GW:

(Figure: Private VLANs)

As a result, hosts are no longer able to reach each other at all; they can only reach services outside of their VLAN.

Example 2, Community Ports:

Let’s now imagine we have a group of hosts in our VLAN that still need to communicate with each other; these could be two hosts sharing a local folder that for some reason cannot be moved to a centralized server. While we still want these hosts to be protected from the other devices in the VLAN, we also need to allow them to reach each other directly as well as being able to reach the promiscuous port to leave the subnet.

By configuring the ports connected to these two particular hosts as community ports, traffic flow will still be allowed between these two and to the promiscuous port, but no traffic from or to isolated ports will be possible.

(Figure: Private VLANs)

Configuration

Now that we have explained the concepts behind private VLANs and the port definitions, we need to explain how the concept is applied and configured on a switch.

From the switch's point of view, there is a need to distinguish traffic that entered from a promiscuous port from traffic that entered via an isolated port.

This is obtained by defining two different VLANs: the primary VLAN identifies traffic entering from the promiscuous port, while the secondary VLAN represents traffic entering from an isolated port.

The table below helps to summarize the concept:

  Primary VLAN   | Tags traffic entering from the promiscuous port
  Secondary VLAN | Tags traffic entering from an isolated port

Marking traffic with the appropriate VLAN allows the hardware on the switch to forward frames in the allowed direction (such as from isolated to promiscuous and back) while blocking all other flows (from isolated to isolated, or from isolated to the community).

In our example, we will create VLAN 100 as the Primary VLAN, and VLAN 200 as the secondary.

The syntax below shows how the Primary and Secondary VLANs are implemented on a Juniper QFX switch:

[edit vlans]
vlan100 {
    vlan-id 100;
    isolated-vlan vlan200;
}
vlan200 {
    vlan-id 200;
    private-vlan isolated;
}

This is how we would configure the client interfaces:

[edit interfaces]
interface-range CLIENTS {
    member-range xe-0/0/1 to xe-0/0/4;
    unit 0 {
        family ethernet-switching {
            vlan {
                members vlan200;
            }
        }
    }
}

And the promiscuous port:

[edit interfaces xe-0/0/0]
unit 0 {
    family ethernet-switching {
        vlan {
            members vlan100;
        }
    }
}

Community ports

Similarly to the isolated VLAN and its ports, the community VLAN is also configured as a secondary VLAN: the primary VLAN references it with the community-vlans statement (alongside the isolated-vlan statement shown earlier), and the ports of the two hosts are made members of vlan300 in the same way the client ports were made members of vlan200:

[edit vlans]
vlan100 {
    vlan-id 100;
    community-vlans vlan300;
}
vlan300 {
    vlan-id 300;
    private-vlan community;
}
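To make the forwarding rules behind the port definitions and the configuration above concrete, here is an added example (not from the article and not Juniper code) that models the switch's decision in Python: the VLAN definitions mirror vlan100/vlan200/vlan300, each port's role is derived from its VLAN membership exactly as the switch does from the configuration, and the reachability check applies the isolated, community and promiscuous rules. The port-to-VLAN assignments are constructed for illustration.

```python
# Added example: model of Private VLAN forwarding on one switch.
# VLAN definitions mirror the article's vlan100/vlan200/vlan300; the
# port-to-VLAN assignment below is constructed for illustration.
VLANS = {
    "vlan100": {"vlan-id": 100, "isolated-vlan": "vlan200",
                "community-vlans": ["vlan300"]},          # primary
    "vlan200": {"vlan-id": 200, "private-vlan": "isolated"},
    "vlan300": {"vlan-id": 300, "private-vlan": "community"},
}
PORTS = {
    "xe-0/0/0": "vlan100",  # local gateway -> promiscuous
    "xe-0/0/1": "vlan200",  # client hosts -> isolated
    "xe-0/0/2": "vlan200",
    "xe-0/0/3": "vlan300",  # two hosts sharing a folder -> community
    "xe-0/0/4": "vlan300",
}

def port_role(port, ports=PORTS, vlans=VLANS):
    """Derive (role, primary VLAN, secondary VLAN) from a port's membership."""
    member = ports[port]
    kind = vlans[member].get("private-vlan")
    if kind is None:
        # A member of the primary VLAN itself is the promiscuous port.
        return ("promiscuous", member, None)
    for name, v in vlans.items():
        # The primary VLAN is the one referencing this secondary VLAN.
        if v.get("isolated-vlan") == member or member in v.get("community-vlans", []):
            return (kind, name, member)
    raise ValueError(f"{member} is a secondary VLAN with no primary")

def can_forward(src, dst, ports=PORTS, vlans=VLANS):
    """Return True if a frame entering on src may be forwarded out of dst."""
    if src == dst:
        return False
    s_role, s_primary, s_sec = port_role(src, ports, vlans)
    d_role, d_primary, d_sec = port_role(dst, ports, vlans)
    if s_primary != d_primary:
        return False  # separate private VLAN domains never exchange traffic
    if "promiscuous" in (s_role, d_role):
        return True  # promiscuous <-> any port in the domain
    # Two secondary ports: only members of the same community may talk;
    # isolated <-> isolated and community <-> isolated stay blocked.
    return s_role == "community" and s_sec == d_sec

def reachability(ports=PORTS, vlans=VLANS):
    """Allowed (src, dst) pairs: what you would audit after a config change."""
    return {(s, d): can_forward(s, d, ports, vlans)
            for s in ports for d in ports if s != d}
```

Running reachability() on this model yields only the promiscuous-to-anything pairs and the single community pair, which is the matrix a configuration review should confirm before the change is deployed.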

Conclusions

As security becomes an increasing factor in every organization, private VLANs offer a quick and simple solution to add isolation between hosts.

This approach can surely be applied to guest networks, as well as most access networks and even small data centers with physical servers in place.

The concept can be further enriched by adding multiple primary and secondary VLANs on the same switch, and even by extending the private VLAN configuration to other devices to obtain a distributed design.

Today the application of Private VLAN is also present in VXLAN networks with technologies such as Macro Segmentation, allowing for sophisticated security options such as Zero Trust.

Contact our team here at ngworx to know more about how private VLANs can help your organization to increase the level of security through hosts isolation and other advanced solutions.
