Enhancing Security with PowerConnect 5.0 Part I - Private VLAN

Similar documents
A Dell Interoperability Whitepaper Victor Teeter

Configuring Private VLANs

Deployment of Dell M8024-k Blade Switch in Simple Mode with Cisco Nexus 5k Switch

Deployment of Dell M6348 Blade Switch with Cisco 4900M Catalyst Switch (Simple Mode)

Network Configuration Example

Configuring Private VLANs

Using Network Manager to Setup Automatic Notifications

Configuring Private VLANs

Configuring Private VLANs

Deployment of VMware Infrastructure 3 on Dell PowerEdge Blade Servers

Network Security. The Art of War in The LAN Land. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, September 27th, 2018

Dell PowerVault NX1950 configuration guide for VMware ESX Server software

Using Dell Repository Manager to Update Your Local Repository

Deployment of VMware ESX 2.5.x Server Software on Dell PowerEdge Blade Servers

Dell OpenManage Cluster Configurator on Dell PowerEdge VRTX

Configuring Private VLANs Using NX-OS

Using Dell Repository Manager to Find Newer Updates from the Dell Online Repository

Deployment of VMware ESX 2.5 Server Software on Dell PowerEdge Blade Servers

CCNP Switch Questions/Answers Implementing VLANs in Campus Networks

Using Network Manager to Deploy Firmware and Backup/ Restore Configuration Files

Reference Architecture for Dell VIS Self-Service Creator and VMware vsphere 4

Deploying Dell PowerConnect 8100 and Cisco Catalyst Switches

DELL POWERVAULT NX3500 INTEGRATION WITHIN A MICROSOFT WINDOWS ENVIRONMENT

Cable Routing Procedures for Dell PowerEdge FX2/FX2s Systems

Dell IT Assistant Migration To OpenManage Essentials

DELL EQUALLOGIC FS7500 INTEGRATION WITHIN A LINUX ENVIRONMENT

Utilizing Advanced Scheduling with Network Manager

Understanding Discovery and Inventory of Dell Devices

Dell OpenManage Power Center s Power Policies for 12 th -Generation Servers

A Dell Technical White Paper Dell Virtualization Solutions Engineering

DEPLOYING A STACK OF DELL M-SERIES BLADE SWITCHES IN SIMPLE SWITCH MODE (SSM)

VRF lite for Dell Networking N-Series

EqualLogic Storage and Non-Stacking Switches. Sizing and Configuration

Configuring Direct-Connect between a DR Series System and Backup Media Server

PowerConnect 'HOO_3RZHU&RQQHFW. Key Points. Product Description

Dell TM PowerVault TM Configuration Guide for VMware ESX/ESXi 3.5

Dell SupportAssist: Security Considerations

Implementing SharePoint Server 2010 on Dell vstart Solution

Dell Server Migration Utility (SMU)

Using Dell Repository Manager to Create a Deployment Media (Bootable ISO) to Perform Systems Updates

Deploying the Dell PowerConnect 8100 Series Switch with DCB Features in an iscsi Environment. Kili Land Manjesh Siddamurthy Kevin Locklear

Get on-premise private cloud with enterprise managed services.

Cable Routing Procedures for Dell PowerEdge R630 Systems

Scheduled Automatic Search using Dell Repository Manager

Dell PowerEdge R720xd with PERC H710P: A Balanced Configuration for Microsoft Exchange 2010 Solutions

Understanding PVLANs in UCS

Deploying Solaris 11 with EqualLogic Arrays

Cable Routing Procedures for Dell PowerEdge T320 & T420 Systems

Accelerating storage performance in the PowerEdge FX2 converged architecture modular chassis

A Comparative Study of Microsoft Exchange 2010 on Dell PowerEdge R720xd with Exchange 2007 on Dell PowerEdge R510

Configuring VLAN CHAPTER

Efficient Video Distribution Networks with Multicast: IGMP Querier and PIM-DM

Lifecycle Controller Part Replacement

Dell OpenManage Essentials v1.1 Supporting Dell Client Devices

Dell Compellent Storage Center

Setting Up the Dell DR Series System on Veeam

Application Note: Split Public Addresses between WAN and DMZ

Basic Configuration Installation Guide

Backup and Recovery of RDM A White Paper

Dell Force10 S4810 Switch

Dell DX Object Storage Platform Remote Replication Configuration

Technical Note. Abstract

Dell EMC Networking vsan vsphere Networking Quick Guide using Dell OS 9

Dell OpenManage Essentials v2.0 Support for Dell Client Devices

Dell Reference Configuration for Large Oracle Database Deployments on Dell EqualLogic Storage

Lifecycle Controller Part Replacement

Technical Note. Dell/EMC Solutions for Microsoft SQL Server 2005 Always On Technologies. Abstract

Software Defines the Infrastructure of a Future-Ready Enterprise

Shared LOM support on Modular

Understanding and Configuring Private VLANs

Configuring Alert Actions in OpenManage Essentials

Dell SonicWALL SonicOS 5.9 Upgrade Guide

Abstract. Avaya Solution & Interoperability Test Lab

Discovering Features in the idrac Remote Services API

PowerEdge FX2 - Upgrading from 10GbE Pass-through Modules to FN410S I/O Modules

Enhancing Oracle VM Business Continuity Using Dell Compellent Live Volume

vstart 50 VMware vsphere Solution Specification

Dell Management Console Best Practices

Setting Up Replication between Dell DR Series Deduplication Appliances with NetVault 9.2 as Backup Software

Dell Networking N2000 Series

Installing Dell OpenManage Essentials

DELL TM PowerVault TM DL Backup-to-Disk Appliance

ISSN: February Cisco Systems Private VLANs: Scalable Security in a Multi-Client Environment

FluidFS Antivirus Integration

Configuring Private VLANs

White Paper. Dell Reference Configuration

Access Control Policies

Dell Networking S4048-ON

Will Traffic Spikes Overwhelm Your Data Center Network? A Dell Technical White Paper

DELL TM PowerVault TM DL Backup-to-Disk Appliance

Configuring Wireless Multicast

Managing and Monitoring a Virtualization Environment Using OpenManage Essentials

Installing Dell OpenManage Essentials

Chapter 9: Subnetting IP Networks

Setting Up the DR Series System on Veeam

Dell EMC Networking VxRail Networking Quick Guide

Dell Networking N4000 Series and Dell PowerConnect 8100 Series

Lifecycle Controller Platform Update in Dell PowerEdge 1 2 th Generation Servers

Virtualization Support in Dell Management Console v1.0

Business Intelligence on Dell Quickstart Data Warehouse Appliance Using Toad Business Intelligence Suite

Transcription:

Enhancing Security with PowerConnect 5.0 Part I - Private VLAN A guide to basic security deployment practices for Dell Networking switches using the Private VLAN feature. Version 2.0 Andrew Berry Victor Teeter Dell Networking Engineering

This document is for informational purposes only and may contain typographical errors and technical inaccuracies. The content is provided as is, without express or implied warranties of any kind. 2013 Dell Inc. All rights reserved. Dell and its affiliates cannot be responsible for errors or omissions in typography or photography. Dell, the Dell logo, PowerConnect, and Dell Networking are trademarks of Dell Inc. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims proprietary interest in the marks and names of others. July 2013 Rev 2.0 2

Contents Introduction... 4 Application... 5 Example... 7 Command-line configuration... 8 Definitions... 10 Figures Logical view of primary and secondary VLANs... 6 Physical view of primary and secondary VLANs... 7 3

Introduction Executive Summary Network security features and their importance cannot be moderated due to the growing amount of traffic and applications that depend on secure communication paths and stable platforms which maintain these communications paths. Dell Networking switches provide several security features for monitoring, classifying or manipulating network traffic passing through the switch and also security for the actual users accessing the switch. The Private VLAN feature is one of the enhancements to the security portfolio of Dell Networking platforms. It provides the network administrator the ability to control which VLANs and servers customers are allowed to access at the DMZ while limiting or prohibiting those same VLANs and servers from communicating with each other except as required, thus preventing inadvertent sharing of servers and services to rogue users on the network. Support for this feature is included in most Dell Networking switches loaded with version 5.0 or later. See below for the complete list of supported switches. Topical Overview When several devices communicate with a Layer 2 broadcast domain DMZ, it is possible for a rogue device to introduce itself into a VLAN and cause serious security issues on the network. The previous solution to this problem was to assign a separate VLAN to each user. This resulted in a network that requires many VLANs, is difficult to scale, and makes IP address management more complicated. Using private VLANs (or PVLANs) addresses the Layer 2 security, without scalability issues, and provides IP address management benefits for service providers. Advantages of deploying private VLANs in a multi-server network include enhanced security, reduction in IP address space usage, administrative accessibility, less L3 routing, and fewer VLANs. Dell s Networking 5.0 firmware allows users a way to setup private VLANs to take advantage of these features. Private VLANs partition a standard VLAN domain into two or more subdomains. Each subdomain is defined by a primary VLAN and a secondary VLAN. The primary VLAN ID is the same for all subdomains that belong to a particular private VLAN instance. The secondary VLAN ID differentiates the subdomains from each other and provides layer 2 isolation between ports on the same private VLAN. Private VLANs are available on the following Dell Networking switches as well as future switches: 8132 8164 8132F 8164F 7024 7048 7024P 7048P 7024F 7048R 7048R-RA 8024 8024F M8024 M8024-k M6348 Private VANs are also available on the Dell Networking 3000 and 5000 series platforms, however the technology and commands for these systems are not covered in this document. Note: XGS3 silicon based switches (M6220 and 6200) do not support the PVLAN feature. 4

Application Private VLANs are typically deployed at the edge of a server farm DMZ, where it is desired to limit or prohibit servers from communicating. While the desired isolation of traffic can be achieved by assigning each host connected port a unique L3 VLAN and enabling L3 routing between the VLANs, it is very inefficient in most cases. Private VLANs: reduces the IP address space utilization avoids L3 routing at the edge reduces consumed VLANs through common VLAN allocation Dell Networking also allows Private VLAN configuration on port channels, which is useful for promiscuous ports. Port types There are three port roles associated with private VLANs. A promiscuous port is associated with a primary VLAN, and is able to communicate with all interfaces in the private VLAN, including other promiscuous ports, community ports and isolated ports. A host port is associated with a secondary VLAN. If the secondary VLAN is a community VLAN the port can communicate with the promiscuous ports in the VLAN and other ports in the same community. If the secondary VLAN is an isolated VLAN, then the port can communicate only with promiscuous ports. A community port is a member of the community VLAN. It can communicate with the promiscuous ports in the primary VLAN and other ports in the same community. VLAN types There are two major VLAN types associated with private VLANs. A primary VLAN (Figure 1) carries unidirectional traffic downstream from promiscuous ports to all other ports (isolated ports, community ports and other promiscuous ports) in the same private VLAN. Only one primary VLAN can be configured per private VLAN. Every port in a private VLAN is a member of the primary VLAN. Another way to think of it from a switch perspective is that the primary VLAN is the private VLAN. There can also be several private VLANs on a single switch or switch stack. A secondary VLAN communicates only with other secondary VLANs within the primary VLAN of which it is assigned. There are two types of secondary VLANS. The isolated VLAN carries unidirectional traffic upstream from the isolated hosts toward the promiscuous ports and the gateway. Communication among hosts in the isolated VLAN is forbidden. Only one isolated VLAN can be configured per private VLAN. 5

The community VLAN carries upstream traffic from the community ports to the promiscuous port gateways and to other host ports in the same community. There can be multiple community VLANs per private VLAN. Figure 1. Logical view of primary and secondary VLANs Private VLANs can control access to end stations through the following methods: Configuring selected interfaces connected to end stations as isolated ports to prevent any communication at Layer 2. For example, if the end stations are servers, this configuration prevents Layer 2 communication between the servers. Configuring interfaces connected to default gateways and selected end stations (for example, backup servers) as promiscuous ports to allow all end stations access to a default gateway. 6

A promiscuous port can serve only one primary VLAN, one isolated VLAN, and multiple community VLANs. Layer 3 gateways are typically connected to the switch through a promiscuous port. With a promiscuous port, you can connect a wide range of devices as access points to a private VLAN. For example, you can use a promiscuous port to monitor or back up all the private-vlan servers from an administration workstation. In a switched environment, you can assign an individual private VLAN and associated IP subnet to each individual or common group of end stations. The end stations need to communicate only with a default gateway to communicate outside the private VLAN. Example In this example, TE1/1/1 (SW1 to R1) is configured as a promiscuous port. Hosts A, D, and E can only talk via R1, and hosts B and C can talk to each other directly as well as via R1. The isolated VLAN is shown three times to demonstrate the forbidden communication between the three hosts (A, D, and E), however, all three hosts are in the same isolated VLAN. Figure 2. Physical view of primary and secondary VLANs on a switch stack 7

Command-line configuration Use the commands below to configure the example given above. The commands for different devices sometimes vary slightly. If uncertain, consult the device s User Guide for the exact commands pertaining to your particular device. Create the VLAN and assign VLAN types: console# configure console(config)# vlan 100 console(config-vlan-100)# private-vlan primary console(config-vlan-100)# exit console(config)# vlan 101 console(config-vlan-101)# private-vlan community console(config-vlan-101)# exit console(config)# vlan 102 console(config-vlan-102)# private-vlan isolated console(config-vlan-102)# exit Associate the community and isolated VLANs with the primary VLAN: console(config)# vlan 100 console(config-vlan-100)# private-vlan association 101-102 console(config-vlan-100)# exit Assign the router connected port to the primary VLAN: console(config)#interface te1/1/1 console(config-if-te1/1/1)#switchport mode private-vlan promiscuous console(config-if-te1/1/1)#switchport private-vlan mapping 100 101-102 console(config-if-te1/1/1)#exit Assign the community VLAN ports: console(config)#interface gi1/0/11 console(config-if-gi1/0/11)#switchport mode private-vlan host console(config-if-gi1/0/11)#switchport private-vlan host-association 100 101 console(config-if-gi1/0/11)#interface gi1/0/12 console(config-if-gi1/0/12)#switchport mode private-vlan host console(config-if-gi1/0/12)#switchport private-vlan host-association 100 101 8

Assign the isolated VLAN ports: console(config)#interface gi1/0/10 console(config-if-gi1/0/10)#switchport mode private-vlan host console(config-if-gi1/0/10)#switchport private-vlan host-association 100 102 console(config-if-gi1/0/10)#interface gi2/0/10 console(config-if-gi2/0/10)#switchport mode private-vlan host console(config-if-gi2/0/10)#switchport private-vlan host-association 100 102 console(config-if-gi2/0/10)#interface gi2/0/11 console(config-if-gi2/0/11)#switchport mode private-vlan host console(config-if-gi2/0/11)#switchport private-vlan host-association 100 102 Show commands console(config)#show vlan private-vlan type VLAN Type ------- ----------------------- 100 primary 101 community 102 isolated console(config)#show vlan private-vlan Primary VLAN Secondary VLAN Type Ports ------------------ ---------------------- ---------------- ------------------------ 100 102 Isolated Gi1/0/10,Te1/1/1 100 101 Community Gi1/0/11-12,Te1/1/1 console(config)#show vlan VLAN Name Ports Type ------- --------------- ----------------- -------------- 1 default Po1-128, Default Te1/0/1-9, Te1/0/13-24, Fo1/1/2, Te1/1/2-4 100 VLAN0100 Te1/0/2, Static Te1/0/4, Te1/0/6, Te1/0/10-12, Te1/1/1, 9

Te1/1/4 101 VLAN0101 Te1/0/2, Static Te1/0/4, Te1/0/6, Te1/0/11-12, Te1/1/1, Te1/1/4 102 VLAN0102 Te1/0/2, Static Te1/0/4, Te1/0/6, Te1/0/10, Te1/1/1, Te1/1/4 Definitions Community port Community VLAN DMZ Host port Isolated VLAN Isolated port Private VLAN a member of the community VLAN. It can communicate with the promiscuous ports in the primary VLAN and other ports in the same community. a secondary VLAN. It carries upstream traffic from the community ports to the promiscuous port gateways and to other host ports in the same community. There can be multiple community VLANs per private VLAN. the area of an organization s network that is exposed to an untrusted network (such as the internet) in order to provide services to customers. Typically, legitimate patrons as well as rogue users have access to equipment in the DMZ. a port associated with a secondary VLAN (isolated or community) in a private VLAN. a secondary VLAN. It carries unidirectional traffic upstream from the isolated hosts toward the promiscuous ports and the gateway. Communication among hosts in the isolated VLAN is forbidden. Only one isolated VLAN can be configured per private VLAN. a member of the isolated VLAN. It carries unidirectional traffic upstream from the isolated hosts toward the promiscuous ports and the gateway. contains a single primary VLAN and one or more secondary VLANs. In a multi-server network DMZ, it is a preferred method used to enhance security. 10

Promiscuous port Primary VLAN Rogue device Secondary VLAN VLAN a port associated with a primary VLAN, able to communicate with all other interfaces. carries unidirectional traffic from promiscuous ports to all other ports (isolated, community, promiscuous) in the same private VLAN. any unauthorized host on a network, but particularly that with a malicious intent. can be either a community VLAN or an isolated VLAN. virtual local area network, or virtual LAN. Is the concept of partitioning a physical network in order to create separate broadcast domains. For more information on Dell Networking products and features, visit www.dell.com/networking. 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback