05-25-2011 02:24 PM - edited 03-07-2019 12:41 AM
If I take a 3560 and want to set up 5 ports in a private VLAN, one port to a router and the 4 other ports to devices that have public IPs, will this secure the rest of the network on that switch that will be behind a firewall?
Would all the ports be in the community, or does the one going to the router need to be set up differently? I have a small one I am going to attempt to set up this way, but am a bit unsure of what the uses are for the isolated, promiscuous, and community ports. The small test one has 2 ASA outside interfaces and one uplink to a core router for a failover setup.
05-25-2011 02:35 PM
Hello tahequivoice,
The router port has to be in promiscuous mode, associated to the parent/primary VLAN.
Ports can be in isolated mode: 1 port associated to a secondary VLAN (only one!), and it can talk only to the primary VLAN port.
Community mode: a group of ports in the same secondary VLAN; they can talk to each other and with the primary VLAN/promiscuous port.
Hope to help
Giuseppe
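The three port roles described in the reply above, laid out as a 3560 configuration. This is an added example, not configuration from the thread or from Cisco; the VLAN numbers (100 primary, 101 isolated, 102 community), the interface numbers, the descriptions, and the choice to put the two ASA outside interfaces on community ports are assumptions made for illustration.

```cisco
! Added example (not from the thread). VLAN numbers, interface names and the
! role given to each port are assumptions chosen to match the question above.
!
! Private VLANs on the 3560 require VTP transparent mode (VTP version 1/2).
vtp mode transparent
!
! Primary VLAN: the one the router (promiscuous port) belongs to.
vlan 100
 name PUBLIC-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! Isolated secondary VLAN: only one isolated VLAN is allowed per primary.
! Hosts here reach the promiscuous port only, never each other.
vlan 101
 name PUBLIC-ISOLATED
 private-vlan isolated
!
! Community secondary VLAN: members reach each other and the promiscuous port.
vlan 102
 name FW-OUTSIDE-COMMUNITY
 private-vlan community
!
! Uplink to the core router: promiscuous, mapped to every secondary VLAN
! so it can talk to both the isolated hosts and the community members.
interface GigabitEthernet0/1
 description uplink to core router (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! The four devices with public IPs: isolated host ports.
interface range FastEthernet0/2 - 5
 description public-IP hosts (isolated: router only, no host-to-host traffic)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Assumed: the two ASA outside interfaces go on community ports so the
! failover pair can still see each other on the outside segment.
interface range FastEthernet0/6 - 7
 description ASA outside interfaces (community: each other + router)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
end
!
! Verification after applying:
!   show vlan private-vlan
!   show interfaces GigabitEthernet0/1 switchport
!   show interfaces FastEthernet0/2 switchport
```

If the 3560 itself were the default gateway instead of the external router, the SVI would need `private-vlan mapping 101,102` under `interface Vlan100` as well; with the router on a promiscuous port, as in the question, that is not required. `show vlan private-vlan` should list 100 as primary with 101 (isolated) and 102 (community) associated, and each host port should report its primary/secondary pair under `show interfaces ... switchport`.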
05-26-2011 06:08 AM
OK, going to test it out. Now, what does this all accomplish? Does this secure the switch from the public side if I have 5 ports in a private VLAN for devices using public IPs, and the rest of the switch ports connected to inside hosts behind an ASA? This is the only reason I am trying it out at this point (and it may be on the CCIE lab).
05-30-2011 04:02 AM
If you are to put those "public IP interfaces" into isolated VLANs it will work; but don't forget about VACL to deny traffic from the same IP class.
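The VACL the reply above recommends, shown as an added example rather than configuration from the thread. The reason it matters: private VLANs isolate at layer 2 only, so a host on an isolated port can still send a packet addressed to the router's MAC address but carrying a neighbouring isolated host's IP address as the destination; the router routes it straight back out of the promiscuous port and the neighbour receives it. Dropping traffic whose source and destination are both in the local subnet closes that relay path. The subnet 203.0.113.0/24 (a documentation prefix), the gateway address 203.0.113.1, and the ASA outside addresses 203.0.113.2 and 203.0.113.3 are assumptions.

```cisco
! Added example (not from the thread). Addresses are assumptions:
!   203.0.113.0/24  the public subnet on the private VLAN
!   203.0.113.1     the router (promiscuous port)
!   203.0.113.2/.3  the ASA outside interfaces on the community ports
!
! In a VLAN access-map, a packet matches a sequence only if the referenced
! ACL PERMITS it; packets the ACL denies fall through to the next sequence.
! So "deny" here means "leave this traffic alone", and "permit" means
! "this is the traffic the map will drop".
ip access-list extended PVLAN-SAME-SUBNET
 remark traffic to or from the gateway itself must keep flowing
 deny   ip any host 203.0.113.1
 deny   ip host 203.0.113.1 any
 remark assumed ASA failover pair on community ports: allow them to talk
 deny   ip host 203.0.113.2 host 203.0.113.3
 deny   ip host 203.0.113.3 host 203.0.113.2
 remark everything else that stays inside the subnet is to be dropped
 permit ip 203.0.113.0 0.0.0.255 203.0.113.0 0.0.0.255
!
vlan access-map PVLAN-NO-RELAY 10
 match ip address PVLAN-SAME-SUBNET
 action drop
vlan access-map PVLAN-NO-RELAY 20
 action forward
!
! Apply to the primary VLAN of the example above (VLAN 100).
vlan filter PVLAN-NO-RELAY vlan-list 100
!
! Verification:
!   show vlan access-map
!   show vlan filter
```

Two checks before relying on this. First, confirm on the platform in use that a filter applied to the primary VLAN also sees traffic entering the isolated host ports (some Catalyst platforms classify host-port ingress in the secondary VLAN); if it does not, apply the map to the secondary VLANs as well, or put the equivalent `deny ip 203.0.113.0 0.0.0.255 203.0.113.0 0.0.0.255` as an inbound ACL on the router's interface, which stops the relayed packet at the router regardless of how the switch classifies it. Second, the ACL only covers IP; ARP between the hosts is already blocked by the private VLAN itself, so it needs no entry here.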